From 3c089cd09a266ed7be23e8bf7251be828eae75b8 Mon Sep 17 00:00:00 2001 From: Magnus Hagander Date: Thu, 19 May 2016 13:44:06 -0400 Subject: [PATCH] Remove SSL decorators and middleware The site is now served regardless of SSL, and assumes that the webserver or web cache ensures that things rae always SSL. --- docs/dev_install.rst | 1 - pgweb/account/views.py | 20 -------------------- pgweb/core/views.py | 8 ++------ pgweb/docs/views.py | 2 -- pgweb/downloads/views.py | 4 +--- pgweb/events/views.py | 2 -- pgweb/misc/views.py | 2 -- pgweb/news/views.py | 2 -- pgweb/profserv/views.py | 2 -- pgweb/settings.py | 2 -- pgweb/util/middleware.py | 23 ----------------------- 11 files changed, 3 insertions(+), 65 deletions(-) diff --git a/docs/dev_install.rst b/docs/dev_install.rst index 1a0a169d..6eb3d52f 100644 --- a/docs/dev_install.rst +++ b/docs/dev_install.rst @@ -26,7 +26,6 @@ with. Here's a quick step-by-step on how to do that: DEBUG=True TEMPLATE_DEBUG=DEBUG SITE_ROOT="http://localhost:8000" - NO_HTTPS_REDIRECT=True SESSION_COOKIE_SECURE=False SESSION_COOKIE_DOMAIN=None DATABASE_NAME="pgweb" diff --git a/pgweb/account/views.py b/pgweb/account/views.py index b436a44f..b5e4ffb7 100644 --- a/pgweb/account/views.py +++ b/pgweb/account/views.py @@ -19,7 +19,6 @@ import time import json from datetime import datetime, timedelta -from pgweb.util.decorators import ssl_required from pgweb.util.contexts import NavContext from pgweb.util.misc import send_template_mail, generate_random_token, get_client_ip from pgweb.util.helpers import HttpServerError @@ -39,7 +38,6 @@ from forms import ChangeEmailForm import logging log = logging.getLogger(__name__) -@ssl_required @login_required def home(request): myarticles = NewsArticle.objects.filter(org__managers=request.user, approved=False) @@ -79,7 +77,6 @@ objtypes = { }, } -@ssl_required @login_required @transaction.atomic def profile(request): @@ -123,7 +120,6 @@ def profile(request): 'contribform': contribform, }, NavContext(request, "account")) -@ssl_required @login_required @transaction.atomic def change_email(request): @@ -158,7 +154,6 @@ def change_email(request): 'token': token, }, NavContext(request, "account")) -@ssl_required @login_required @transaction.atomic def confirm_change_email(request, tokenhash): @@ -176,7 +171,6 @@ def confirm_change_email(request, tokenhash): 'success': token and True or False, }, NavContext(request, "account")) -@ssl_required @login_required def listobjects(request, objtype): if not objtypes.has_key(objtype): @@ -190,7 +184,6 @@ def listobjects(request, objtype): 'suburl': objtype, }, NavContext(request, 'account')) -@ssl_required @login_required def orglist(request): orgs = Organisation.objects.filter(approved=True) @@ -199,40 +192,33 @@ def orglist(request): 'orgs': orgs, }, NavContext(request, 'account')) -@ssl_required def login(request): return authviews.login(request, template_name='account/login.html', authentication_form=PgwebAuthenticationForm) -@ssl_required def logout(request): return authviews.logout_then_login(request, login_url='/') -@ssl_required def changepwd(request): log.info("Initiating password change from {0}".format(get_client_ip(request))) return authviews.password_change(request, template_name='account/password_change.html', post_change_redirect='/account/changepwd/done/') -@ssl_required def resetpwd(request): log.info("Initiating password set from {0}".format(get_client_ip(request))) return authviews.password_reset(request, template_name='account/password_reset.html', email_template_name='account/password_reset_email.txt', post_reset_redirect='/account/reset/done/') -@ssl_required def change_done(request): log.info("Password change done from {0}".format(get_client_ip(request))) return authviews.password_change_done(request, template_name='account/password_change_done.html') -@ssl_required def reset_done(request): log.info("Password reset done from {0}".format(get_client_ip(request))) return authviews.password_reset_done(request, template_name='account/password_reset_done.html') -@ssl_required def reset_confirm(request, uidb64, token): log.info("Confirming password reset for uidb {0}, token {1} from {2}".format(uidb64, token, get_client_ip(request))) return authviews.password_reset_confirm(request, @@ -241,12 +227,10 @@ def reset_confirm(request, uidb64, token): template_name='account/password_reset_confirm.html', post_reset_redirect='/account/reset/complete/') -@ssl_required def reset_complete(request): log.info("Password reset completed for user from {0}".format(get_client_ip(request))) return authviews.password_reset_complete(request, template_name='account/password_reset_complete.html') -@ssl_required def signup(request): if request.user.is_authenticated(): return HttpServerError("You must log out before you can sign up for a new account") @@ -298,7 +282,6 @@ content is available for reading without an account. }, NavContext(request, 'account')) -@ssl_required def signup_complete(request): return render_to_response('account/signup_complete.html', { }, NavContext(request, 'account')) @@ -309,7 +292,6 @@ def signup_complete(request): ## Community authentication endpoint #### -@ssl_required def communityauth(request, siteid): # Get whatever site the user is trying to log in to. site = get_object_or_404(CommunityAuthSite, pk=siteid) @@ -397,7 +379,6 @@ def communityauth(request, siteid): )) -@ssl_required def communityauth_logout(request, siteid): # Get whatever site the user is trying to log in to. site = get_object_or_404(CommunityAuthSite, pk=siteid) @@ -408,7 +389,6 @@ def communityauth_logout(request, siteid): # Redirect user back to the specified suburl return HttpResponseRedirect("%s?s=logout" % site.redirecturl) -@ssl_required def communityauth_search(request, siteid): # Perform a search for users. The response will be encrypted with the site # key to prevent abuse, therefor we need the site. diff --git a/pgweb/core/views.py b/pgweb/core/views.py index 00d9c5d7..acaf4c75 100644 --- a/pgweb/core/views.py +++ b/pgweb/core/views.py @@ -15,7 +15,7 @@ import os import re import urllib -from pgweb.util.decorators import ssl_required, cache, nocache +from pgweb.util.decorators import cache, nocache from pgweb.util.contexts import NavContext from pgweb.util.helpers import simple_form, PgXmlHelper, HttpServerError from pgweb.util.moderation import get_all_pending_moderations @@ -111,7 +111,6 @@ def fallback(request, url): return HttpResponse(t.render(NavContext(request, navsect))) # Edit-forms for core objects -@ssl_required @login_required def organisationform(request, itemid): return simple_form(Organisation, itemid, request, OrganisationForm, @@ -160,8 +159,7 @@ def sitemap(request): # dynamic CSS serving, meaning we merge a number of different CSS into a # single one, making sure it turns into a single http response. We do this -# dynamically, since the output will be cached (for all non-SSL users, which -# is the vast majority) anyway. +# dynamically, since the output will be cached. _dynamic_cssmap = { 'base': ['media/css/global.css', 'media/css/layout.css', @@ -231,7 +229,6 @@ def system_information(request): 'client_ip': get_client_ip(request), }) -@ssl_required def system_information_ssl(request): return render_to_response('core/system_information.html', { 'server': os.uname()[1], @@ -278,7 +275,6 @@ def admin_purge(request): 'latest_purges': latest, }, RequestContext(request)) -@ssl_required @csrf_exempt def api_varnish_purge(request): if not request.META['REMOTE_ADDR'] in settings.VARNISH_PURGERS: diff --git a/pgweb/docs/views.py b/pgweb/docs/views.py index b7c93c5a..bd4dddf6 100644 --- a/pgweb/docs/views.py +++ b/pgweb/docs/views.py @@ -9,7 +9,6 @@ from django.conf import settings from decimal import Decimal import os -from pgweb.util.decorators import ssl_required from pgweb.util.contexts import NavContext from pgweb.util.helpers import template_to_string from pgweb.util.misc import send_template_mail @@ -119,7 +118,6 @@ def manualarchive(request): 'versions': [_VersionPdfWrapper(v) for v in versions], }, NavContext(request, 'docs')) -@ssl_required @login_required def commentform(request, itemid, version, filename): if request.method == 'POST': diff --git a/pgweb/downloads/views.py b/pgweb/downloads/views.py index 17595a89..e5c21fd7 100644 --- a/pgweb/downloads/views.py +++ b/pgweb/downloads/views.py @@ -9,7 +9,7 @@ import os import urlparse import cPickle as pickle -from pgweb.util.decorators import ssl_required, nocache +from pgweb.util.decorators import nocache from pgweb.util.contexts import NavContext from pgweb.util.helpers import simple_form, PgXmlHelper, HttpServerError from pgweb.util.misc import get_client_ip, varnish_purge, version_sort @@ -94,7 +94,6 @@ def ftpbrowser(request, subpath): # server(s) can post it. # There is no concurrency check - the ftp site better not send more than one # file in parallel. -@ssl_required @csrf_exempt def uploadftp(request): if request.method != 'PUT': @@ -152,7 +151,6 @@ def productlist(request, catid, junk=None): 'productcount': len(products), }, NavContext(request, 'download')) -@ssl_required @login_required def productform(request, itemid): return simple_form(Product, itemid, request, ProductForm, diff --git a/pgweb/events/views.py b/pgweb/events/views.py index 0654259f..5af2b5e4 100644 --- a/pgweb/events/views.py +++ b/pgweb/events/views.py @@ -4,7 +4,6 @@ from django.contrib.auth.decorators import login_required from datetime import date -from pgweb.util.decorators import ssl_required from pgweb.util.contexts import NavContext from pgweb.util.helpers import simple_form @@ -47,7 +46,6 @@ def item(request, itemid, throwaway=None): 'obj': event, }, NavContext(request, 'about')) -@ssl_required @login_required def form(request, itemid): return simple_form(Event, itemid, request, EventForm, diff --git a/pgweb/misc/views.py b/pgweb/misc/views.py index 3eae6301..33acf65f 100644 --- a/pgweb/misc/views.py +++ b/pgweb/misc/views.py @@ -9,13 +9,11 @@ import os from pgweb.util.contexts import NavContext from pgweb.util.helpers import template_to_string from pgweb.util.misc import send_template_mail -from pgweb.util.decorators import ssl_required from pgweb.core.models import Version from forms import SubmitBugForm -@ssl_required @login_required def submitbug(request): if request.method == 'POST': diff --git a/pgweb/news/views.py b/pgweb/news/views.py index 0ee7d77d..6c87e97c 100644 --- a/pgweb/news/views.py +++ b/pgweb/news/views.py @@ -2,7 +2,6 @@ from django.shortcuts import render_to_response, get_object_or_404 from django.http import Http404 from django.contrib.auth.decorators import login_required -from pgweb.util.decorators import ssl_required from pgweb.util.contexts import NavContext from pgweb.util.helpers import simple_form @@ -23,7 +22,6 @@ def item(request, itemid, throwaway=None): 'obj': news, }, NavContext(request, 'about')) -@ssl_required @login_required def form(request, itemid): return simple_form(NewsArticle, itemid, request, NewsArticleForm, diff --git a/pgweb/profserv/views.py b/pgweb/profserv/views.py index 0f4f30b8..3a8f8ddc 100644 --- a/pgweb/profserv/views.py +++ b/pgweb/profserv/views.py @@ -2,7 +2,6 @@ from django.shortcuts import render_to_response from django.http import Http404 from django.contrib.auth.decorators import login_required -from pgweb.util.decorators import ssl_required from pgweb.util.contexts import NavContext from pgweb.util.helpers import simple_form @@ -56,7 +55,6 @@ def region(request, servtype, regionname): # Forms to edit -@ssl_required @login_required def profservform(request, itemid): return simple_form(ProfessionalService, itemid, request, ProfessionalServiceForm, diff --git a/pgweb/settings.py b/pgweb/settings.py index d0f00579..93080735 100644 --- a/pgweb/settings.py +++ b/pgweb/settings.py @@ -157,8 +157,6 @@ NOTIFICATION_FROM="someone@example.com" # Address to send notific LISTSERVER_EMAIL="someone@example.com" # Address to majordomo BUGREPORT_EMAIL="someone@example.com" # Address to pgsql-bugs list DOCSREPORT_EMAIL="someone@example.com" # Address to pgsql-docs list -NO_HTTPS_REDIRECT=False # Set to true to disable redirects to https when - # developing locally FRONTEND_SERVERS=() # A tuple containing the *IP addresses* of all the # varnish frontend servers in use. FTP_MASTERS=() # A tuple containing the *IP addresses* of all machines diff --git a/pgweb/util/middleware.py b/pgweb/util/middleware.py index f389862e..540eae84 100644 --- a/pgweb/util/middleware.py +++ b/pgweb/util/middleware.py @@ -17,29 +17,6 @@ def get_current_user(): # project. class PgMiddleware(object): def process_view(self, request, view_func, view_args, view_kwargs): - # We implement the SSL verification in a middleware and not just a decorator, because - # if we do it just in a decorator we'd have to add a decorator for each and every - # view that *doesn't* require SSL. This is much easier, of course. - - if hasattr(settings,'NO_HTTPS_REDIRECT') and settings.NO_HTTPS_REDIRECT: - return None - - # Always redirect the admin interface to https - if request.path.startswith('/admin'): - if not request.is_secure(): - return HttpResponseRedirect(request.build_absolute_uri().replace('http://','https://',1)) - return None - - if getattr(view_func, 'ssl_required', False): - # This view requires SSL, so check if we have it - if not request.is_secure(): - # May need to deal with ports specified here? - return HttpResponseRedirect(request.build_absolute_uri().replace('http://','https://',1)) - else: - # This view must not use SSL, so make sure we don't have it - if request.is_secure(): - return HttpResponseRedirect(request.build_absolute_uri().replace('https://','http://',1)) - return None def process_request(self, request):