From 903772656e55fde83b14ae58e9ee94cbf8841404 Mon Sep 17 00:00:00 2001
From: Tanner Prestegard <tanner.prestegard@ligo.org>
Date: Wed, 10 Apr 2019 12:52:25 -0500
Subject: [PATCH] Fix one missed case in AJAX request cert auth prevention

Addition to 058fd28db8d6abcab9c5fa88bb207f534bb54d95.
---
 gracedb/api/backends.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gracedb/api/backends.py b/gracedb/api/backends.py
index 5b2d2fffe..6a202e3cd 100644
--- a/gracedb/api/backends.py
+++ b/gracedb/api/backends.py
@@ -222,6 +222,7 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
     Authentication based on a full X509 certificate. We verify the
     certificate here.
     """
+    allow_ajax = False
     api_only = True
     www_authenticate_realm = 'api'
     cert_header = getattr(settings, 'X509_CERT_HEADER',
@@ -233,6 +234,13 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
         if self.api_only and not is_api_request(request.path):
             return None
 
+        # Don't allow this auth type for AJAX requests - this is because
+        # users with certificates in their browser can still authenticate via
+        # this mechanism in the web view (since it makes API queries), even
+        # when they are not logged in.
+        if request.is_ajax() and not self.allow_ajax:
+            return None
+
         # Try to get certificate from request headers
         cert_data = self.get_certificate_data_from_request(request)
 
-- 
GitLab