feat(auth): Allow superusers to bypass server rendered auth page #10349

Merged
merged 3 commits into from Oct 31, 2018

@billyvg billyvg commented Oct 30, 2018

For inactive superusers, bypass server rendered login page and allow React frontend
to handle the route. This means if you are trying to access an org you do not have
access to, React will continue to perform the API requests at that route. This will
result in a 403 and open the sudo login modal.

@billyvg billyvg requested a review from a team October 30, 2018 23:31

@evanpurkhiser evanpurkhiser left a comment

This is awesome

def handle_auth_required(self, request, *args, **kwargs):
# If user is a superuser (but not active, because otherwise this method would never be called)
# Then allow client to handle the route and respond to any API request errors
if request.user.is_superuser:
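
Review bot: On the `if request.user.is_superuser:` line, the comment explains why the user cannot be an active superuser but not what keeps this branch safe for everyone else who reaches `handle_auth_required`. Two assumptions are worth writing into the comment: `request.user` may be Django's `AnonymousUser`, whose `is_superuser` is always False, so unauthenticated requests fall through to the normal login handling; and taking this branch only skips the server-rendered login page, so access control still rests on the API returning a 403 to an inactive superuser, as the PR description states. A test covering an anonymous request, a regular user and an inactive superuser would pin down all three paths through this check.
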
Contributor

Was going to say that I think it's possible for request.user to be anonymous here, but apparently is_superuser will always be false in that case (https://docs.djangoproject.com/en/1.7/ref/contrib/auth/#anonymous-users), so this should be fine.

@billyvg billyvg merged commit cbce6b5 into master Oct 31, 2018
@billyvg billyvg deleted the feat/ui/open-sudo-when-org-details-403-superuser branch October 31, 2018 20:14
@github-actions github-actions bot locked and limited conversation to collaborators Dec 21, 2020

3 participants