Disable toolbar when using forcing HTTPS

reddit-archive · Sep 5, 2014 · 8aa2312 · 8aa2312
1 parent 0b5eeba
commit 8aa2312
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 3 deletions.
diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
@@ -1057,6 +1057,10 @@ def POST_set_force_https(self, form, jquery, password, force_https):
             form.set_html(".status", _("employees are required to use HTTPS"))
             return
         c.user.pref_force_https = force_https
+        # Most pages we'd try to frame would be http:, and most browsers
+        # disallow mixed-content. Disable the toolbar when forcing HTTPS.
+        if force_https:
+            c.user.pref_frame = False
         c.user._commit()
 
         # run the change password command to get a new salt.

diff --git a/r2/r2/controllers/toolbar.py b/r2/r2/controllers/toolbar.py
@@ -118,7 +118,7 @@ def GET_tb(self, link):
             self.abort403()
         elif link.is_self:
             return self.redirect(link.url)
-        elif not (c.user_is_loggedin and c.user.pref_frame):
+        elif not (c.user_is_loggedin and c.user.uses_toolbar):
             return self.redirect(link.make_permalink_slow(force_domain=True))
 
         # if the domain is shame-banned, bail out.

diff --git a/r2/r2/models/account.py b/r2/r2/models/account.py
@@ -659,6 +659,10 @@ def https_forced(self):
             return True
         return self.pref_force_https
 
+    @property
+    def uses_toolbar(self):
+        return not self.https_forced and self.pref_frame
+
     @property
     def cpm_selfserve_pennies(self):
         override_price = getattr(self, 'cpm_selfserve_pennies_override', None)

diff --git a/r2/r2/models/link.py b/r2/r2/models/link.py
@@ -365,7 +365,7 @@ def add_props(cls, user, wrapped):
         user_is_admin = c.user_is_admin
         user_is_loggedin = c.user_is_loggedin
         pref_media = user.pref_media
-        pref_frame = user.pref_frame
+        pref_frame = user.uses_toolbar
         cname = c.cname
         site = c.site
 

diff --git a/r2/r2/templates/prefoptions.html b/r2/r2/templates/prefoptions.html
@@ -112,7 +112,7 @@
   <tr>
     <th>${_("clicking options")}</th>
     <td class="prefright">
-      ${checkbox(_("display links with a reddit toolbar"), "frame")}
+      ${checkbox(_("display links with a reddit toolbar"), "frame", disabled=c.user.https_forced, disabled_text=_("(not supported when using HTTPS)"))}
       <br/>
       ${checkbox(_("open links in a new window"), "newwindow")}
     </td>