Skip to content

Commit 6564f9a

Browse files
authored
Secure cookies on production, check next redirect, permission checks for partials (#4843)
1 parent 3f6fd48 commit 6564f9a

6 files changed

Lines changed: 20 additions & 17 deletions

File tree

docs/setup/administrators/configuration.md

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -283,14 +283,6 @@ On Heroku, set to true if deploying to Heroku.
283283

284284
----
285285

286-
Secure cookies
287-
288-
Set this to enable Djangos settings for secure cookies.
289-
290-
COOKIE_SECURE = env.bool('COOKIE_SECURE', False)
291-
292-
----
293-
294286
Machine translation settings for applications
295287

296288
See [here](machine-translations.md) for more information on setting up machine translations

docs/setup/deployment/production/stand-alone.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -236,7 +236,6 @@ Here is a list of settings that can be set as environment variables or in a `hyp
236236

237237
```text
238238
CACHE_CONTROL_MAX_AGE: 14400
239-
COOKIE_SECURE: true
240239
DJANGO_SETTINGS_MODULE: hypha.settings.production
241240
EMAIL_HOST: example.org
242241
ORG_EMAIL: hello@example.org

hypha/apply/determinations/views.py

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99
from django.urls import reverse_lazy
1010
from django.utils import timezone
1111
from django.utils.decorators import method_decorator
12+
from django.utils.http import url_has_allowed_host_and_scheme
1213
from django.utils.translation import gettext as _
1314
from django.views.generic import CreateView, DetailView, UpdateView
1415
from wagtail.models import Site
@@ -261,10 +262,14 @@ def form_valid(self, form):
261262
return response
262263

263264
def get_success_url(self):
264-
try:
265-
return self.request.GET["next"]
266-
except KeyError:
267-
return reverse_lazy("apply:submissions:list")
265+
next_url = self.request.GET.get("next")
266+
if next_url and url_has_allowed_host_and_scheme(
267+
next_url,
268+
allowed_hosts={self.request.get_host()},
269+
require_https=self.request.is_secure(),
270+
):
271+
return next_url
272+
return reverse_lazy("apply:submissions:list")
268273

269274

270275
@method_decorator(staff_required, name="dispatch")

hypha/apply/funds/views/partials.py

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -50,6 +50,9 @@
5050
@login_required
5151
def partial_submission_lead(request, pk):
5252
submission = get_object_or_404(ApplicationSubmission, pk=pk)
53+
has_permission(
54+
"submission_view", request.user, object=submission, raise_exception=True
55+
)
5356
return render(
5457
request, "submissions/partials/submission-lead.html", {"submission": submission}
5558
)
@@ -296,6 +299,9 @@ def partial_reviews_decisions(request: HttpRequest) -> HttpResponse:
296299
@login_required
297300
def partial_meta_terms_card(request, pk):
298301
submission = get_object_or_404(ApplicationSubmission, pk=pk)
302+
has_permission(
303+
"submission_view", request.user, object=submission, raise_exception=True
304+
)
299305
meta_terms = submission.meta_terms.all()
300306
ctx = {"meta_terms": meta_terms, "submission": submission}
301307
return render(request, "submissions/partials/meta-terms-card.html", ctx)

hypha/settings/base.py

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -617,10 +617,6 @@
617617
"SECURE_REFERRER_POLICY", "strict-origin-when-cross-origin"
618618
)
619619

620-
if env.bool("COOKIE_SECURE", False):
621-
SESSION_COOKIE_SECURE = True
622-
CSRF_COOKIE_SECURE = True
623-
ELEVATE_COOKIE_SECURE = True
624620

625621
# Django Elevate settings
626622
# https://django-elevate.readthedocs.io/en/latest/config/index.html

hypha/settings/production.py

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,11 @@
99
except ImportError:
1010
pass
1111

12+
# Security settings
13+
SESSION_COOKIE_SECURE = True
14+
CSRF_COOKIE_SECURE = True
15+
ELEVATE_COOKIE_SECURE = True
16+
1217
# Mailgun configuration.
1318
if env.str("MAILGUN_API_KEY", None):
1419
EMAIL_BACKEND = "anymail.backends.mailgun.EmailBackend"

0 commit comments

Comments
 (0)