
Finish rollover to session logins. Closes #201.

1 parent 1cfe081 commit d4153d9f2912d9d9882ec04b2b1c78c96e874561 @onyxfish onyxfish committed Aug 7, 2012
Showing with 22 additions and 2 deletions.
  1. +1 −0 CHANGELOG
  2. +8 −0 client/static/js/views/root.js
  3. +3 −1 panda/tests/test_views.py
  4. +1 −0 panda/urls.py
  5. +9 −1 panda/views.py
@@ -1,6 +1,7 @@
1.0.1
-----
+* Improve security implemention to prevent API key theft. (#201)
* Notifications list fixed in IE9. (#822)
* Fix for searching categories with many datasets. (#849)
* Fixed broken cross-dataset export link. (#848)
@@ -373,8 +373,16 @@ PANDA.views.Root = Backbone.View.extend({
},
goto_logout: function() {
+ // Request a session logout
+ $.ajax({
+ url: '/logout/',
+ type: 'POST'
+ });
+
+ // Blow away local cookies
this.set_current_user(null);
+ // Back to the login screen
this.goto_login();
},
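Review bot: The POST to /logout/ at lines 26-29 is fired and forgotten, and goto_login() on line 34 runs before any reply arrives; if the navigation aborts the pending request or the server rejects it, the browser looks logged out while the Django session stays valid, which is the exposure #201 is meant to close. Moving the local clean-up into the request's `complete` callback keeps the current always-clear behaviour (jQuery runs `complete` on success and on error) while guaranteeing the server has at least answered first. It is not visible here whether a global ajax setup attaches Django's CSRF token to POSTs; without one the request would come back 403 and this code would never notice, so the callback is also where a non-2xx status should be surfaced rather than ignored. goto_logout begins and ends inside this hunk.
```javascript
goto_logout: function() {
    var self = this;

    // Request a session logout; only clear local state once the
    // server has answered, so a session is not left alive behind a
    // client that already looks logged out
    $.ajax({
        url: '/logout/',
        type: 'POST',
        complete: function() {
            // Blow away local cookies
            self.set_current_user(null);
            // Back to the login screen
            self.goto_login();
        }
    });
},
```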
@@ -25,9 +25,11 @@ def test_login_success(self):
body = json.loads(response.content)
self.assertEqual(body['email'], 'user@pandaproject.net')
- self.assertEqual(body['api_key'], 'edfe6c5ffd1be4d3bf22f69188ac6bc0fc04c84c')
self.assertEqual(body['notifications'], [])
+ # Verify old code is dead
+ self.assertNotIn('api_key', body)
+
def test_login_disabled(self):
self.user.is_active = False
self.user.save()
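Review bot: The assertion added at line 42 only proves the login response no longer carries the key; nothing in this commit exercises the new /logout/ endpoint itself. A companion test that logs in, posts to /logout/, checks the acknowledgement body, and then asserts that a following request on the same client is no longer authenticated would pin the behaviour the changelog advertises, and it would also catch a logout that silently fails on the server side. test_login_success starts above this hunk; only its tail and the start of test_login_disabled are visible here.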
@@ -21,6 +21,7 @@
urlpatterns = patterns('',
url(r'^login%s$' % trailing_slash(), views.panda_login, name="login"),
+ url(r'^logout%s$' % trailing_slash(), views.panda_logout, name="logout"),
url(r'^check_activation_key/(?P<activation_key>[\w\d]+)%s$' % trailing_slash(), views.check_activation_key, name="check_activation_key"),
url(r'^activate%s$' % trailing_slash(), views.activate, name="activate"),
url(r'^forgot_password%s$' % trailing_slash(), views.forgot_password, name="forgot_password"),
@@ -5,7 +5,7 @@
from ajaxuploader.views import AjaxFileUploader
from csvkit.exceptions import FieldSizeLimitError
from django.conf import settings
-from django.contrib.auth import authenticate, login
+from django.contrib.auth import authenticate, login, logout
from django.http import HttpResponse
from django.utils.timezone import now
from livesettings import config_value
@@ -103,6 +103,14 @@ def panda_login(request):
# Invalid request
return JSONResponse(None, status=400)
+def panda_logout(request):
+ """
+ Logout any active session.
+ """
+ logout(request)
+
+ return JSONResponse({ '__all__': 'Successfully logged out' }, status=200)
+
def check_activation_key(request, activation_key):
"""
Test if an activation key is valid and if so fetch information
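Review bot: panda_logout at lines 68-74 carries no method restriction, so a plain GET to /logout/ ends the session even though the client shipped in this commit only ever POSTs; a logout reachable from a link or image load is a nuisance and leaves the browser-side state out of step with the server, since the client handler never runs. Adding `from django.views.decorators.http import require_POST` to the import hunk above and `@require_POST` on the def limits it to the one method the client uses, and a 405 for anything else is easier to reason about than the unconditional 200 returned on line 74. The docstring could also say what callers receive, e.g. `Log out any active session and return a JSON acknowledgement.`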
