Ensure user is redirected to login page after failed login. #6704

2025-02-25 18:55:31 -06:00 · 2023-08-25 10:38:50 +05:30
parent e8283173ba
commit cd613ded0a
3 changed files with 26 additions and 11 deletions
--- a/web/pgadmin/authenticate/init.py
+++ b/web/pgadmin/authenticate/init.py
@@ -18,15 +18,15 @@ from flask import current_app, flash, Response, request, url_for, \
    session, redirect, render_template
 from flask_babel import gettext
 from flask_security.views import _security, _ctx
-from flask_security.utils import get_post_logout_redirect, logout_user,\
-    config_value
+from flask_security.utils import logout_user, config_value

 from flask_login import current_user
 from flask_socketio import disconnect, ConnectionRefusedError


 from pgadmin.model import db, User
-from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect
+from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
+    get_safe_post_logout_redirect
 from pgadmin.utils.constants import KERBEROS, INTERNAL, OAUTH2, LDAP,\
    MessageType
 from pgadmin.authenticate.registry import AuthSourceRegistry
@@ -135,7 +135,7 @@ def _login():
                          'Administrator.'),
                  MessageType.WARNING)
            logout_user()
-            return redirect(get_post_logout_redirect())
+            return redirect(get_safe_post_logout_redirect())

    # Validate the user
    if not auth_obj.validate():
@@ -161,7 +161,7 @@ def _login():
                    flash_login_attempt_error = None
                flash(error, MessageType.WARNING)

-        return redirect(get_post_logout_redirect())
+        return redirect(get_safe_post_logout_redirect())

    # Authenticate the user
    status, msg = auth_obj.authenticate()
@@ -177,7 +177,7 @@ def _login():
                    'authenticate.kerberos_login'), url_for('browser.index')))

            flash(msg, MessageType.ERROR)
-            return redirect(get_post_logout_redirect())
+            return redirect(get_safe_post_logout_redirect())

        session['auth_source_manager'] = current_auth_obj

--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@@ -16,13 +16,14 @@ from flask import current_app, url_for, session, request,\
    redirect, Flask, flash
 from flask_babel import gettext
 from flask_security import login_user, current_user
-from flask_security.utils import get_post_logout_redirect, logout_user
+from flask_security.utils import logout_user

 from pgadmin.authenticate.internal import BaseAuthentication
 from pgadmin.model import User
 from pgadmin.tools.user_management import create_user
 from pgadmin.utils.constants import OAUTH2, MessageType
-from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect
+from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
+    get_safe_post_logout_redirect
 from pgadmin.utils.csrf import pgCSRFProtect
 from pgadmin.model import db

@@ -69,11 +70,11 @@ def init_app(app):
    @pgCSRFProtect.exempt
    def oauth_logout():
        if not current_user.is_authenticated:
-            return redirect(get_post_logout_redirect())
+            return redirect(get_safe_post_logout_redirect())
        for key in list(session.keys()):
            session.pop(key)
        logout_user()
-        return redirect(get_post_logout_redirect())
+        return redirect(get_safe_post_logout_redirect())

    app.register_blueprint(blueprint)
    app.login_manager.logout_view = OAUTH2_LOGOUT