Fix one missed case in AJAX request cert auth prevention

Addition to 058fd28d.

Fix one missed case in AJAX request cert auth prevention
90377265 · Tanner Prestegard · GraceDB · 3d9a9094 · 90377265
Commit 90377265 authored 5 years ago by Tanner Prestegard Committed by GraceDB 5 years ago
--- a/gracedb/api/backends.py
+++ b/gracedb/api/backends.py
@@ -222,6 +222,7 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
    Authentication based on a full X509 certificate. We verify the
    certificate here.
    """
+    allow_ajax = False
    api_only = True
    www_authenticate_realm = 'api'
    cert_header = getattr(settings, 'X509_CERT_HEADER',
@@ -233,6 +234,13 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
        if self.api_only and not is_api_request(request.path):
            return None

+        # Don't allow this auth type for AJAX requests - this is because
+        # users with certificates in their browser can still authenticate via
+        # this mechanism in the web view (since it makes API queries), even
+        # when they are not logged in.
+        if request.is_ajax() and not self.allow_ajax:
+            return None
+
        # Try to get certificate from request headers
        cert_data = self.get_certificate_data_from_request(request)