Merge pull request #1446 from TOMToolkit/1445-adding-password-reset-to-login-page

Match path prefixes in locked auth strategy

Author: jchate6

docs/common/customsettings.rst

@@ -165,8 +165,8 @@ details and available hooks.
 Default: []
 
 With an `AUTH_STRATEGY <#auth-strategy>`__ value of **LOCKED**, urls in
-this list will remain visible to unauthenticated users. You might add
-the homepage (‘/’), for example.
+this list will remain visible to unauthenticated users. You can also use wild cards to open an entire path.
+You might add the homepage (‘/’), for example, or anything with a path that looks like '/accounts/reset/*/'.
 
 `TARGET_PERMISSIONS_ONLY <#target-permissions-only>`__
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

tom_base/settings.py

@@ -310,7 +310,7 @@
 # Define custom DataProcessor class
 # DATA_PROCESSOR_CLASS = 'mytom.custom_data_processor.CustomDataProcessor'
 
-# Authentication strategy can either be LOCKED (required login for all views)
+# Authentication strategy can either be LOCKED (required login for all views, bypassed with OPEN_URLS)
 # or READ_ONLY (read only access to views)
 AUTH_STRATEGY = 'READ_ONLY'
 
@@ -330,8 +330,8 @@
     "name", "type", "observations", "saved_data"
 ]
 
-# URLs that should be allowed access even with AUTH_STRATEGY = LOCKED
-# for example: OPEN_URLS = ['/', '/about']
+# URLs that should be allowed access even with AUTH_STRATEGY = LOCKED. Can use wildcards.
+# for example: OPEN_URLS = ['/', '/about', '/accounts/reset/*/']
 OPEN_URLS = []
 
 HOOKS = {

tom_common/middleware.py

@@ -1,3 +1,4 @@
+import fnmatch
 from django.conf import settings
 from django.contrib import messages
 from django.http import HttpResponseForbidden
@@ -35,11 +36,13 @@ def __init__(self, get_response):
         self.open_urls = [reverse('login')] + getattr(settings, 'OPEN_URLS', [])
 
     def __call__(self, request):
-        if settings.AUTH_STRATEGY == 'LOCKED':
-            if not request.user.is_authenticated and request.path_info not in self.open_urls:
-                return HttpResponseForbidden()
-
-        return self.get_response(request)
+        if settings.AUTH_STRATEGY == 'LOCKED' and not request.user.is_authenticated:
+            for url in self.open_urls:
+                if fnmatch.fnmatch(request.path_info, url):
+                    return self.get_response(request)
+            return HttpResponseForbidden()
+        else:
+            return self.get_response(request)
 
 
 class Raise403Middleware:

tom_common/tests.py

@@ -247,6 +247,49 @@ def test_user_can_access_view(self):
         self.assertContains(response, 'Create Targets')
 
 
+class TestAuthStrategyMiddleware(TestCase):
+    login_url = '/accounts/login/'
+
+    @override_settings(AUTH_STRATEGY='LOCKED', OPEN_URLS=[])
+    def test_locked_unauthenticated_request_redirects_to_login(self):
+        # Raise403Middleware converts the 403 from AuthStrategyMiddleware to a redirect
+        response = self.client.get(reverse('tom_targets:list'))
+        self.assertRedirects(
+            response, self.login_url + '?next=' + reverse('tom_targets:list'), status_code=302
+        )
+
+    @override_settings(AUTH_STRATEGY='LOCKED', OPEN_URLS=['/accounts/reset/*/'])
+    def test_locked_password_reset_wildcard_matches_uid_token(self):
+        # /accounts/reset/abc123xyz/ should match the wildcard
+        response = self.client.get('/accounts/reset/abc123xyz/foobarfoo/')
+        self.assertNotEqual(response.status_code, 302)
+
+    @override_settings(AUTH_STRATEGY='LOCKED', OPEN_URLS=['/accounts/reset/*/'])
+    def test_locked_password_reset_wildcard_does_not_match_unrelated_path(self):
+        # /accounts/profile/ should not match /accounts/reset/*/
+        response = self.client.get('/accounts/profile/')
+        self.assertRedirects(
+            response, self.login_url + '?next=/accounts/profile/', status_code=302
+        )
+
+    @override_settings(AUTH_STRATEGY='LOCKED', OPEN_URLS=[])
+    def test_locked_login_url_always_open(self):
+        response = self.client.get(reverse('login'))
+        self.assertNotEqual(response.status_code, 302)
+
+    @override_settings(AUTH_STRATEGY='LOCKED', OPEN_URLS=[])
+    def test_locked_authenticated_user_allowed(self):
+        user = User.objects.create_user(username='testuser', password='password')
+        self.client.force_login(user)
+        response = self.client.get(reverse('tom_targets:list'))
+        self.assertEqual(response.status_code, 200)
+
+    @override_settings(AUTH_STRATEGY='READ_ONLY', OPEN_URLS=[])
+    def test_read_only_unauthenticated_allowed(self):
+        response = self.client.get(reverse('tom_targets:list'))
+        self.assertEqual(response.status_code, 200)
+
+
 class CommentDeleteViewTest(TestCase):
     def setUp(self):
         self.site = Site.objects.get_current()

tom_setup/templates/tom_setup/settings.tmpl

@@ -328,7 +328,7 @@ GENERAL_SEARCH_FUNCTIONS = {}
 # This list can be used to add custom target parameters to the output from the target selection tool
 SELECTION_EXTRA_FIELDS = []
 
-# Authentication strategy can either be LOCKED (required login for all views)
+# Authentication strategy can either be LOCKED (required login for all views, bypassed with OPEN_URLS)
 # or READ_ONLY (read only access to views)
 AUTH_STRATEGY = 'READ_ONLY'
 
@@ -348,8 +348,8 @@ TARGET_LIST_COLUMNS = [
     "name", "type", "observations", "saved_data"
 ]
 
-# URLs that should be allowed access even with AUTH_STRATEGY = LOCKED
-# for example: OPEN_URLS = ['/', '/about']
+# URLs that should be allowed access even with AUTH_STRATEGY = LOCKED. Can use wildcards.
+# for example: OPEN_URLS = ['/', '/about', '/accounts/reset/*/']
 OPEN_URLS = []
 
 HOOKS = {