MultipleGroupRequiredMixin redirect loop when user doesn't have permissions

[ahharu]

Instead of loading the same page the user was on with the error message it enters a redirect loop

[20/Jan/2015 09:44:03] "GET /projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:03] "GET /login/?next=/projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:03] "GET /projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:03] "GET /login/?next=/projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:03] "GET /projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:04] "GET /login/?next=/projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:04] "GET /projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:04] "GET /login/?next=/projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:04] "GET /projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:04] "GET /login/?next=/projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:04] "GET /projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:04] "GET /login/?next=/projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:04] "GET /projects/63/members/ HTTP/1.1" 302 0
[20/Jan/2015 09:44:04] "GET /login/?next=/projects/63/members/ HTTP/1.1" 302 0

I solved it as follows, please check

class MultipleGroupRequiredMixin(GroupRequiredMixin):

def check_membership(self, group):
    """ Check required group(s) """
    user_groups = self.request.user.groups.values_list("name", flat=True)
    if isinstance(group, (list, tuple)):
        for req_group in group:
            if req_group in user_groups:
                return True

    is_member = group in user_groups

    return is_member

def dispatch(self, request, *args, **kwargs):
    self.request = request

    if self.request.user.is_authenticated():
        if not self.check_membership(
                self.get_group_required()):
            string_msg = 'You are not authorized to access to this page.'
            messages.add_message(self.request, messages.ERROR, string_msg)
            referer = request.META.get('HTTP_REFERER', '/')
            return redirect(referer)
    else:
        return redirect_to_login(
            request.get_full_path(),
            self.get_login_url(),
            self.get_redirect_field_name())

    return super(GroupRequiredMixin, self).dispatch(
        request, *args, **kwargs)

[lucacorti]

Indeed this is an issue for GroupRequiredMixin. If the user is already logged in but is not in the required group, the redirect to the login page causes a redirect loop.

[kennethlove]

Hey @ahharu can you submit this as a pull request? Thanks!

[bcail]

@ahharu are you working on this? I just ran into this issue. I might be able to work on it if you're not.

[ahharu]

@bcail I am sorry but currently we dropped the project where we were using it and don't have a spot to dig into a nice solution (and not a workaround like the one posted)

[bcail]

ok, no problem. I actually found out that the raise_exception flag did what I needed it to. Seems like it would make sense to automatically raise the exception if the user is already logged in, but this flag fixed it enough for me.

[gkeller2]

Hi! I posted a potential fix to this bug in issue #181.