From c2a6f7045b0a6a0d77a17f81999b538f8bc883d5 Mon Sep 17 00:00:00 2001
From: Art Lukyanchyk <artiom.lukyanchyk@hs-hannover.de>
Date: Tue, 16 Jan 2018 16:56:03 +0100
Subject: [PATCH] Bugfixes, improvements, better README - all the stuff I
 forgot earlier

---
 README.md                                    | 18 +++++++-----------
 ssoauth/management/commands/group_mapping.py |  4 ++--
 ssoauth/views.py                             |  8 +++++++-
 3 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 9b4a2aa..50efd44 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,6 @@
 - Python dependencies: see `requirements.txt` or `setup.py`
 - Add the app into `INSTALLED_APPS`
 - Include the app's `urls.py` into the project `urls.py` `urlpatterns`, preferably without a prefix
-- If you want to use `ssoauth` to log into `django.contrib.admin` or some other app with its own login page, in `urls.py` add into the top of `urlpatterns`: `re_path("^(admin/)?login/?$", AuthenticateRedirectView.as_view())`
 
 
 #### Development Setup
@@ -46,16 +45,13 @@ SP_FORCE_ENTITY_ID = "dev-id-{0}-{1}".format(socket.gethostname(), os.path.dirna
 LOGIN_URL = urls.reverse_lazy("sso-dev")  # it's "sso-login" for prod
 ```
 
-#### Overriding Log In in Other Apps
-There are some apps like `django.contrib.admin` or `wagtail` that will simply ignore `LOGIN_URL` and use their own log in page. If this behavior is undesirable and you would prefer using `ssoauth` instead:
-  - find out the login page of that app (let's assume it's `admin/login`)
-  - in `urls.py`, before including URLs for that app, include this view:
-    ```python3
-    path("admin/login", ssoauth.views.LogInView(already_authenticated_403=True)),
-    ```
-    Optional argument `already_authenticated_403=True` is used to avoid redirect loops caused by `django.contrib.admin`.
-    Instead of it you can also use `already_authenticated_redirect="url-name"`.
-    
+#### Overriding Log In Pages of Other Apps
+There are some apps like `django.contrib.admin` or `wagtail` that will simply ignore `LOGIN_URL` and use their own log in page. If this behavior is undesirable and you would prefer using `ssoauth` instead, add the following into your `urls.py` (_before_ including URLs of that other app):
+```python3
+re_path(r"^(?:\w+/)?login/?$", ssoauth_views.LogInView.as_view(already_authenticated_403=True)),
+```
+  - Adjust the path if required
+  - Optional argument `already_authenticated_403=True` is used to avoid redirect loops (e.g. caused by `django.contrib.admin`). You can also use `already_authenticated_redirect="url-name"`.
 
 
 #### Regarding Logging Out
diff --git a/ssoauth/management/commands/group_mapping.py b/ssoauth/management/commands/group_mapping.py
index 42375fa..9a85dde 100644
--- a/ssoauth/management/commands/group_mapping.py
+++ b/ssoauth/management/commands/group_mapping.py
@@ -54,7 +54,7 @@ class Command(BaseCommand):
         groups = Group.objects.all()
         mapped = groups.filter(sso_mapping__isnull=False)
         unmapped = groups.filter(sso_mapping__isnull=True)
-        logger.info("There {g} groups, {m} mapped and {u} unmapped:".format(g=len(groups), m=len(mapped), u=len(unmapped)))
+        logger.info("There are {g} groups ({m} mapped, {u} unmapped):".format(g=len(groups), m=len(mapped), u=len(unmapped)))
         for group in groups.order_by("-sso_mapping", "name"):
             name = group.name
             try:
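Review bot: The new log line evaluates three querysets just to count them — `len(groups)`, `len(mapped)` and `len(unmapped)` each fetch every row, and the `groups.order_by(...)` on the next line builds a fresh queryset so even the `groups` cache is not reused. `groups.count()`, `mapped.count()` and `unmapped.count()` would issue three `COUNT(*)` queries instead, with the same output. The enclosing method starts above the hunk.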
@@ -95,7 +95,7 @@ class Command(BaseCommand):
 
 
     ## seems like the following code can create groups and permissions as we had it
-    ## in the old hshauth, based on the project settings
+    ## in the old There hshauth, based on the project settings
     #
     # @staticmethod
     # def ensure_group_exists(group_name, permission_names=list()):
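Review bot: The word `There` inserted into the comment on the new side looks like an accidental edit rather than an intended change — it matches the word added to the log message in the previous hunk, which suggests a search-and-replace slip. The line should read `## in the old hshauth, based on the project settings`. The commented-out block continues outside the hunk.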
diff --git a/ssoauth/views.py b/ssoauth/views.py
index 3aed913..48f22f5 100644
--- a/ssoauth/views.py
+++ b/ssoauth/views.py
@@ -75,7 +75,7 @@ class LogInView(SAMLMixin, View):
     def get(self, request, *args, **kwargs):
         if request.user.is_authenticated:
             if self.already_authenticated_403:
-                return exceptions.PermissionDenied()
+                raise exceptions.PermissionDenied()
             if self.already_authenticated_redirect:
                 return http.HttpResponseRedirect(urls.reverse(self.already_authenticated_redirect))
             if request.user.last_login > timezone.now() - timedelta(seconds=20):
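Review bot: The three already-authenticated branches in `get` (`already_authenticated_403`, `already_authenticated_redirect`, and the 20-second `last_login` window) are undocumented, and the README is the only place that explains the first two; a short docstring such as `"""Start SSO login; for an already authenticated user either deny (403), redirect, or skip re-login if they logged in within the last 20 seconds."""` would keep that contract next to the code. Separately, the comparison on the last context line presumably assumes `last_login` is never `None` for an authenticated user — that holds only while Django's `update_last_login` signal stays connected, so a `request.user.last_login and ...` guard may be worth adding. The body of `get` continues outside the hunk.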
@@ -94,6 +94,7 @@ class LogInView(SAMLMixin, View):
         return str(next_url)
 
 
+@method_decorator(never_cache, "dispatch")
 class LogOutView(RedirectView):
     """
     Logs the user out locally.
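Review bot: `never_cache` is applied to LogOutView here and to MetadataView and DevView in the later hunks, but not to SLSView, whose logout-handling response ends in the hunk at `return response` and, if it serves the redirect binding over GET, is just as state-changing as LogOutView. If leaving SLSView undecorated is deliberate, a one-line comment on it would prevent the next reader from "fixing" the inconsistency; otherwise the same `@method_decorator(never_cache, "dispatch")` belongs on it. Note that `never_cache` only sets response headers, so it relies on browsers and intermediaries honouring them.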
@@ -147,6 +148,9 @@ class ACSAuthNView(SAMLMixin, View):
     It's how OneLogin toolkit works, cannot easily detect/process other statements here, so I don't even try.
     """
 
+    def get(self, *args, **kwargs):
+        raise http.Http404()
+
     def post(self, request, *args, **kwargs):
         auth = self.get_onelogin_auth(request)
         auth.process_response()
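Review bot: The new `get` answers 404 where `View.dispatch` would otherwise return 405 Method Not Allowed for an undefined method, and nothing in the code or the class docstring says why; a comment such as `# The ACS only accepts the HTTP-POST binding; GET is answered with 404 rather than the default 405.` would record the intent. The handler also drops the `request` parameter name that `post` and the other views use — `def get(self, request, *args, **kwargs):` keeps the signatures parallel. The class docstring just above could mention that only POST is accepted.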
@@ -248,6 +252,7 @@ class SLSView(SAMLMixin, View):
         return response
 
 
+@method_decorator(never_cache, "dispatch")
 class MetadataView(SAMLMixin, View):
 
     def get(self, request, *args, **kwargs):
@@ -260,6 +265,7 @@ class MetadataView(SAMLMixin, View):
         return http.HttpResponse(content_type="text/xml", content=meta)
 
 
+@method_decorator(never_cache, "dispatch")
 class DevView(FormView):
 
     class DevForm(forms.Form):
-- 
GitLab