Commit 90377265 authored by Tanner Prestegard's avatar Tanner Prestegard Committed by GraceDB

Fix one missed case in AJAX request cert auth prevention

Addition to 058fd28d.
parent 3d9a9094
...@@ -222,6 +222,7 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication): ...@@ -222,6 +222,7 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
Authentication based on a full X509 certificate. We verify the Authentication based on a full X509 certificate. We verify the
certificate here. certificate here.
""" """
allow_ajax = False
api_only = True api_only = True
www_authenticate_realm = 'api' www_authenticate_realm = 'api'
cert_header = getattr(settings, 'X509_CERT_HEADER', cert_header = getattr(settings, 'X509_CERT_HEADER',
...@@ -233,6 +234,13 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication): ...@@ -233,6 +234,13 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
if self.api_only and not is_api_request(request.path): if self.api_only and not is_api_request(request.path):
return None return None
# Don't allow this auth type for AJAX requests - this is because
# users with certificates in their browser can still authenticate via
# this mechanism in the web view (since it makes API queries), even
# when they are not logged in.
if request.is_ajax() and not self.allow_ajax:
return None
# Try to get certificate from request headers # Try to get certificate from request headers
cert_data = self.get_certificate_data_from_request(request) cert_data = self.get_certificate_data_from_request(request)
......
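Review bot: The new guard in the second hunk relies on `request.is_ajax()`, which only tests for the client-supplied `X-Requested-With: XMLHttpRequest` header, so a browser call that omits that header (a plain `fetch()`, for instance) is still certificate-authenticated; the comment above the guard should state that this is a best-effort filter on how the web view makes its calls, not a boundary. `HttpRequest.is_ajax()` is also deprecated since Django 3.1 and removed in 4.0, so the line will break on upgrade; reading the header directly, `if not self.allow_ajax and request.headers.get('X-Requested-With') == 'XMLHttpRequest': return None`, preserves the behavior on Django 2.2+ (older releases would use `request.META.get('HTTP_X_REQUESTED_WITH')` instead). The `allow_ajax = False` attribute added in the first hunk is undocumented; a one-line comment such as `# When False, authenticate() declines AJAX requests so a browser-held certificate cannot silently authenticate web-view API calls` would make the pairing with the guard explicit. The second hunk looks truncated here (seven additions reported, six visible), and the enclosing method starts and ends outside it.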