[FIX] website_require_login: Login recursion

If one of the parents of /web/login is requested for login, infinite redirection loop starts
OCA · Aug 6, 2024 · 7264b78 · 7264b78
1 parent 4380b5d
commit 7264b78
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 7 deletions.
diff --git a/website_require_login/README.rst b/website_require_login/README.rst
@@ -7,7 +7,7 @@ Website Login Required
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:a0f16f0655f6b5b9eec2c2e621f35dbcc40c69a3c5353dec8b07ddfab1874313
+   !! source digest: sha256:74ad683eba54803e4df9ebfe80d38fba6520b41c3d7ce6106be4aad28f2b2726
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png

diff --git a/website_require_login/models/ir_http.py b/website_require_login/models/ir_http.py
@@ -24,6 +24,17 @@ def _serve_fallback(cls):
             return res
         return super()._serve_fallback()
 
+    @classmethod
+    def _require_login_whitelist_paths(cls):
+        """List of paths that must always be available to all users."""
+        return [
+            # backend is already protected by login,
+            # also /web/login, /web/assets, /web/image and others
+            # are needed to correctly render the login page
+            "/web",
+            "/website/translations",
+        ]
+
     @classmethod
     def _require_login_get_matching_path(cls, path, search_paths):
         """Return which one of `search_paths` is a parent of `path`."""
@@ -42,6 +53,14 @@ def _check_require_auth(cls):
         website = request.env["website"].sudo().get_current_website()
         if not website:
             return None
+
+        # Skip whitelisted paths
+        path = request.httprequest.path
+        whitelist_paths = cls._require_login_whitelist_paths()
+        whitelist_path = cls._require_login_get_matching_path(path, whitelist_paths)
+        if whitelist_path:
+            return None
+
         if request.uid and (request.uid != website.user_id.id):
             return None
         auth_paths = (
@@ -54,7 +73,6 @@ def _check_require_auth(cls):
             )
             .mapped("path")
         )
-        path = request.httprequest.path
         auth_path = cls._require_login_get_matching_path(path, auth_paths)
         if auth_path:
             redirect_path = "/web/login?redirect=%s" % path

diff --git a/website_require_login/static/description/index.html b/website_require_login/static/description/index.html
@@ -8,10 +8,11 @@
 
 /*
 :Author: David Goodger ([email protected])
-:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
+:Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $
 :Copyright: This stylesheet has been placed in the public domain.
 
 Default cascading style sheet for the HTML output of Docutils.
+Despite the name, some widely supported CSS2 features are used.
 
 See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
 customize this style sheet.
@@ -274,7 +275,7 @@
   margin-left: 2em ;
   margin-right: 2em }
 
-pre.code .ln { color: grey; } /* line numbers */
+pre.code .ln { color: gray; } /* line numbers */
 pre.code, code { background-color: #eeeeee }
 pre.code .comment, code .comment { color: #5C6576 }
 pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
@@ -300,7 +301,7 @@
 span.pre {
   white-space: pre }
 
-span.problematic {
+span.problematic, pre.problematic {
   color: red }
 
 span.section-subtitle {
@@ -366,7 +367,7 @@ <h1 class="title">Website Login Required</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:a0f16f0655f6b5b9eec2c2e621f35dbcc40c69a3c5353dec8b07ddfab1874313
+!! source digest: sha256:74ad683eba54803e4df9ebfe80d38fba6520b41c3d7ce6106be4aad28f2b2726
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/website/tree/16.0/website_require_login"><img alt="OCA/website" src="https://img.shields.io/badge/github-OCA%2Fwebsite-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/website-16-0/website-16-0-website_require_login"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/website&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows to restrict access to specific website pages to logged users.</p>
@@ -418,7 +419,9 @@ <h2><a class="toc-backref" href="#toc-entry-5">Contributors</a></h2>
 <div class="section" id="maintainers">
 <h2><a class="toc-backref" href="#toc-entry-6">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
-<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<a class="reference external image-reference" href="https://odoo-community.org">
+<img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
+</a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>

diff --git a/website_require_login/tests/test_ir_http.py b/website_require_login/tests/test_ir_http.py
@@ -1,3 +1,6 @@
+#  Copyright 2024 Simone Rubino - Aion Tech
+#  License LGPL-3.0 or later (https://www.gnu.org/licenses/lgpl-3.0).
+
 from odoo.tests import HttpCase
 
 
@@ -35,3 +38,31 @@ def test_dispatch_authorized(self):
             200,
             "Expected the response status code to be 200 which means no redirection",
         )
+
+    def test_authorize_everything(self):
+        """Requiring "/" for authorization always redirects to login page."""
+        # Arrange
+        self.env["website.auth.url"].unlink()
+        root_path = "/"
+        self.env["website.auth.url"].create(
+            {"website_id": self.website.id, "path": root_path}
+        )
+        self.env["ir.qweb"]._pregenerate_assets_bundles()
+        asset_attachment = self.env["ir.attachment"].search(
+            [
+                ("url", "like", "/web/assets/%"),
+            ],
+            limit=1,
+        )
+
+        redirection_path_map = {
+            "/": "/web/login?redirect=/",
+            "/contactus": "/web/login?redirect=/contactus",
+            asset_attachment.url: asset_attachment.url,
+            "/web/login": "/web/login",
+        }
+
+        # Assert
+        for requested_path, expected_redirected_path in redirection_path_map.items():
+            response = self.url_open(requested_path)
+            self.assertTrue(response.url.endswith(expected_redirected_path))