Only allow authenticated and enabled users to accept a OAuth post request
This commit is contained in:
parent
be161d0778
commit
3e983e3557
@ -1,7 +1,7 @@
|
|||||||
from typing import Dict
|
from typing import Dict
|
||||||
from urllib.parse import urlparse
|
from urllib.parse import urlparse
|
||||||
|
|
||||||
from flask import request, render_template, redirect, flash
|
from flask import request, render_template, redirect, flash, url_for
|
||||||
from flask_login import current_user
|
from flask_login import current_user
|
||||||
from itsdangerous import SignatureExpired
|
from itsdangerous import SignatureExpired
|
||||||
|
|
||||||
@ -144,6 +144,12 @@ def authorize():
|
|||||||
Scope=Scope,
|
Scope=Scope,
|
||||||
)
|
)
|
||||||
else: # POST - user allows or denies
|
else: # POST - user allows or denies
|
||||||
|
if not current_user.is_authenticated or not current_user.is_enabled:
|
||||||
|
LOG.i(
|
||||||
|
"Attempt to validate a OAUth allow request by an unauthenticated user"
|
||||||
|
)
|
||||||
|
return redirect(url_for("auth.login", next=request.url))
|
||||||
|
|
||||||
if request.form.get("button") == "deny":
|
if request.form.get("button") == "deny":
|
||||||
LOG.d("User %s denies Client %s", current_user, client)
|
LOG.d("User %s denies Client %s", current_user, client)
|
||||||
final_redirect_uri = f"{redirect_uri}?error=deny&state={state}"
|
final_redirect_uri = f"{redirect_uri}?error=deny&state={state}"
|
||||||
|
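Review bot: The log line added at the top of the POST branch reports every rejection as an "unauthenticated user", but the guard also fires for an authenticated account whose `is_enabled` is false, so the two cases cannot be told apart when reading the logs; suggest `LOG.i("Attempt to validate an OAuth allow request by an unauthenticated or disabled user %s", current_user)`, which also fixes the "OAUth" typo. The operand order in the condition matters: `is_authenticated` is tested first so the short-circuit keeps `is_enabled` from being read on the anonymous user object, which presumably lacks that attribute, and a comment such as `# keep is_authenticated first: the anonymous user has no is_enabled` would stop a later edit from swapping them. Redirecting a disabled user to `auth.login` with `next=request.url` sends them back to this endpoint after login; whether the login view refuses disabled accounts is not visible here, so confirm this cannot loop. The `authorize` function starts and ends outside the hunk, and whether the consent form carries CSRF protection is not visible either; the authentication check alone does not cover a cross-site submission from an already logged-in browser.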