Update django-hijack to 3.x (#2384)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
annagav and renovate[bot] authored Sep 6, 2024
1 parent db8bf2b commit 955de3c
Showing 12 changed files with 55 additions and 46 deletions.
2 changes: 1 addition & 1 deletion authentication/pipeline/user.py
Expand Up @@ -218,7 +218,7 @@ def forbid_hijack(strategy, backend, **kwargs): # pylint: disable=unused-argume
backend (social_core.backends.base.BaseAuth): the backend being used to authenticate
"""
# As first step in pipeline, stop a hijacking admin from going any further
if strategy.session_get("is_hijacked_user"):
if bool(strategy.session_get("hijack_history")):
raise AuthException("You are hijacking another user, don't try to login again") # noqa: EM101
return {}
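Review bot: The new guard `if bool(strategy.session_get("hijack_history")):` couples the 403 to django-hijack's internal session key, and the `bool()` wrapper is redundant inside an `if`; the same pattern is repeated in both `post` methods in authentication/views.py. Since the commit also installs `hijack.middleware.HijackUserMiddleware`, which is what makes `request.user.is_hijacked` available (the new notification template already relies on it), the views could test that single flag instead, e.g. `if getattr(request.user, "is_hijacked", False):`, so a future rename of the session key cannot silently disable the block. For the pipeline step, whether `strategy` exposes the request (social_core's Django strategy does via `strategy.request`) should be confirmed before switching; at minimum drop `bool()` and document the key with `# "hijack_history" is django-hijack 3.x's session key: non-empty while a hijack is active`. forbid_hijack's signature and docstring start above the hunk.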

4 changes: 2 additions & 2 deletions authentication/views.py
Expand Up @@ -48,7 +48,7 @@ def get_serializer_cls(self): # pragma: no cover

def post(self, request):
"""Processes a request"""
if request.session.get("is_hijacked_user", False):
if bool(request.session.get("hijack_history")):
return Response(status=status.HTTP_403_FORBIDDEN)

serializer_cls = self.get_serializer_cls()
Expand Down Expand Up @@ -90,7 +90,7 @@ def get_serializer_cls(self):

def post(self, request):
"""Verify recaptcha response before proceeding"""
if request.session.get("is_hijacked_user", False):
if bool(request.session.get("hijack_history")):
return Response(status=status.HTTP_403_FORBIDDEN)
if settings.RECAPTCHA_SITE_KEY:
r = requests.post( # noqa: S113
4 changes: 2 additions & 2 deletions authentication/views_test.py
Expand Up @@ -589,7 +589,7 @@ def test_login_email_error(client, mocker):
def test_login_email_hijacked(client, user, admin_user):
"""Test that a 403 response is returned for email login view if user is hijacked"""
client.force_login(admin_user)
client.post(f"/hijack/{user.id}/")
client.post("/hijack/acquire/", {"user_pk": user.id})
response = client.post(
reverse("psa-login-email"),
{"flow": SocialAuthState.FLOW_LOGIN, "email": "anything@example.com"},
Expand All @@ -600,7 +600,7 @@ def test_login_email_hijacked(client, user, admin_user):
def test_register_email_hijacked(client, user, admin_user):
"""Test that a 403 response is returned for email register view if user is hijacked"""
client.force_login(admin_user)
client.post(f"/hijack/{user.id}/")
client.post("/hijack/acquire/", {"user_pk": user.id})
response = client.post(
reverse("psa-register-email"),
{"flow": SocialAuthState.FLOW_LOGIN, "email": "anything@example.com"},
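Review bot: `client.post("/hijack/acquire/", {"user_pk": user.id})` is called without checking its result, so if the acquire view rejects the request (permission check, a changed form field name) the test keeps going and fails on the later 403 assertion with a misleading message. Capturing and asserting the acquire response first, e.g. `acquire = client.post("/hijack/acquire/", {"user_pk": user.id})` followed by `assert acquire.status_code == 302`, pins that the hijack actually took effect (hijack 3.x redirects on success). The same applies to test_login_email_hijacked in the hunk above. The remainder of each test continues below the hunk.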
1 change: 1 addition & 0 deletions cms/models_test.py
Expand Up @@ -166,6 +166,7 @@ def test_course_page_context( # noqa: PLR0913
"can_access_edx_course": is_authenticated and has_relevant_run,
"finaid_price": finaid_price,
"product": product,
"hijack_logout_redirect_url": "/admin/users/user",
"instructors": []
if not has_instructor
else [
15 changes: 15 additions & 0 deletions frontend/public/scss/common.scss
Expand Up @@ -261,3 +261,18 @@ button.btn-secondary.unstyled {
.display-none {
display: none !important;
}

.djhj {
position: relative !important;
top: 0;

.djhj-message, .djhj-actions {
width: fit-content;
}

.djhj-notification {
max-width: unset;
background: $navy-blue;
margin: 0;
}
}
4 changes: 2 additions & 2 deletions main/settings.py
Expand Up @@ -200,9 +200,8 @@
# "compliance",
"openedx",
# must be after "users" to pick up custom user model
"compat",
"hijack",
"hijack_admin",
"hijack.contrib.admin",
"ecommerce",
"flexiblepricing",
"micromasters_import",
Expand Down Expand Up @@ -235,6 +234,7 @@
"django.middleware.clickjacking.XFrameOptionsMiddleware",
"django.contrib.sites.middleware.CurrentSiteMiddleware",
"django_user_agents.middleware.UserAgentMiddleware",
"hijack.middleware.HijackUserMiddleware",
"main.middleware.CachelessAPIMiddleware",
"wagtail.contrib.redirects.middleware.RedirectMiddleware",
)
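Review bot: `"hijack.middleware.HijackUserMiddleware"` reads `request.user` and the session, so it must sit after `SessionMiddleware` and `AuthenticationMiddleware`; those entries are above this hunk, so the ordering cannot be confirmed from here, and a comment on the new line would make the constraint explicit, e.g. `"hijack.middleware.HijackUserMiddleware",  # after Session/Authentication middleware; sets request.user.is_hijacked`. The hunk shows no `HIJACK_PERMISSION_CHECK` setting; the 3.x default is superusers-only, which is the conservative choice, but if staff hijacking was configured elsewhere in this file under the 2.x settings it is outside the hunk and worth re-checking. Both the INSTALLED_APPS and MIDDLEWARE tuples start outside the hunks.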
5 changes: 3 additions & 2 deletions main/templates/base.html
@@ -1,4 +1,4 @@
{% load static hijack_tags js_interop %}
{% load static hijack js_interop %}
{% load wagtailcore_tags startswith noindex_meta banner %}
{% load render_bundle from webpack_loader %}
<!DOCTYPE html>
Expand Down Expand Up @@ -33,7 +33,8 @@
<div class="main-panel">
<a href="#main" class="visually-hidden visually-hidden-focusable">Skip to main content</a>
{% include "partials/gtm_body.html" %}
{% hijack_notification %}

{% include 'hijack/notification.html' %}
{% if not request.path|startswith:'/certificate/' %}
{% banner %}
{% block headercontent %}
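--- /dev/null
+++ b/main/templates/hijack/notification.html
@@ -0,0 +1,20 @@
+<!-- hijack/notification.html -->
+
+{% load static %}
+{% if request.user.is_hijacked %}
+<link rel="stylesheet" type="text/css" href="{% static 'hijack/hijack.min.css' %}" media="screen">
+<div class="djhj" id="djhj">
+<div class="djhj-notification">
+<div class="djhj-message">
+You are currently working on behalf of <em>{{ request.user.username }}</em>.
+</div>
+<form action="{% url 'hijack:release' %}" method="POST" class="djhj-actions">
+{% csrf_token %}
+<input type="hidden" name="next" value="{{ hijack_logout_redirect_url }}">
+<button class="djhj-button" type="submit">
+release
+</button>
+</form>
+</div>
+</div>
+{% endif %}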
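Review bot: This file shadows django-hijack's own `hijack/notification.html`, so upstream fixes to the release form will no longer be picked up, and the only intentional difference appears to be the hidden `next` field pointing at `hijack_logout_redirect_url` instead of the current page; the header should say so, e.g. replace `<!-- hijack/notification.html -->` with `{# Overrides django-hijack's notification.html: release redirects to HIJACK_LOGOUT_REDIRECT_URL (set in main.views.get_base_context) instead of the current page #}`, which as a Django comment also keeps the template path out of the served HTML. `hijack_logout_redirect_url` is only populated by `get_base_context`, so any template rendered without that context submits an empty `next`; hijack's release view presumably falls back to its own default in that case, but that is worth confirming rather than assuming.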
1 change: 1 addition & 0 deletions main/views.py
Expand Up @@ -21,6 +21,7 @@ def get_base_context(request): # noqa: ARG001
context["domain_verification_tag"] = (
settings.GOOGLE_DOMAIN_VERIFICATION_TAG_VALUE
)
context["hijack_logout_redirect_url"] = settings.HIJACK_LOGOUT_REDIRECT_URL

return context

39 changes: 6 additions & 33 deletions poetry.lock


3 changes: 1 addition & 2 deletions pyproject.toml
Expand Up @@ -25,8 +25,7 @@ django-countries = "^7.2.1"
django-filter = "^2.4.0"
django-fsm = "^2.8.0"
django-fsm-admin = "^1.2.4"
django-hijack = "^2.1.10"
django-hijack-admin = "^2.1.10"
django-hijack = "^3.0.0"
django-ipware = "^4.0.0"
django-oauth-toolkit = "^1.7.0"
django-redis = "^5.0.0"
3 changes: 1 addition & 2 deletions users/admin.py
Expand Up @@ -3,7 +3,7 @@
from django.contrib import admin
from django.contrib.auth.admin import UserAdmin as ContribUserAdmin
from django.utils.translation import gettext_lazy as _
from hijack_admin.admin import HijackUserAdminMixin
from hijack.contrib.admin import HijackUserAdminMixin
from mitol.common.admin import TimestampedModelAdmin

from users.models import BlockList, LegalAddress, User, UserProfile
Expand Down Expand Up @@ -88,7 +88,6 @@ class UserAdmin(ContribUserAdmin, HijackUserAdminMixin, TimestampedModelAdmin):
"email",
"name",
"is_staff",
"hijack_field",
"last_login",
)
list_filter = ("is_staff", "is_superuser", "is_active", "groups")
