Merge pull request #803 from acasajus/fix/sentry-APP-ZP
Only allow authenticated and enabled users to accept an OAuth POST request
This commit is contained in:
commit
e55c3a155b
@ -1,7 +1,7 @@
|
||||
from typing import Dict
|
||||
from urllib.parse import urlparse
|
||||
|
||||
from flask import request, render_template, redirect, flash
|
||||
from flask import request, render_template, redirect, flash, url_for
|
||||
from flask_login import current_user
|
||||
from itsdangerous import SignatureExpired
|
||||
|
||||
@ -144,6 +144,12 @@ def authorize():
|
||||
Scope=Scope,
|
||||
)
|
||||
else: # POST - user allows or denies
|
||||
if not current_user.is_authenticated or not current_user.is_active:
|
||||
LOG.i(
|
||||
"Attempt to validate a OAUth allow request by an unauthenticated user"
|
||||
)
|
||||
return redirect(url_for("auth.login", next=request.url))
|
||||
|
||||
if request.form.get("button") == "deny":
|
||||
LOG.d("User %s denies Client %s", current_user, client)
|
||||
final_redirect_uri = f"{redirect_uri}?error=deny&state={state}"
|
||||
|