Fix yourlabs#89: session_security breaks "End Session" on the current…

… session when using user_sessions Add a new parameter, SESSION_SECURITY_PASSIVE_URL_NAMES, which takes a list of URL names to skip when performing session activity updates. This provides an easy method for parameterized URLs to be skipped. The existing SESSION_SECURITY_PASSIVE_URLS parameter continues to work with static path names. For example, if you have the following URL from the user_sessions app: /account/sessions/<session_id>/delete/ You can skip the activity tracker by adding the following to settings.py: SESSION_SECURITY_PASSIVE_URL_NAMES = ['session_delete'] This currently only handles direct URL names and can be updated in the future to handled fully namespaced and instanced URL names.
sdann · Jan 4, 2017 · 45d7488 · 45d7488
1 parent 22ae6d5
commit 45d7488
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/session_security/middleware.py b/session_security/middleware.py
@@ -12,7 +12,7 @@
 from datetime import datetime, timedelta
 
 from django.contrib.auth import logout
-from django.core.urlresolvers import reverse
+from django.core.urlresolvers import reverse, resolve, Resolver404
 
 try:
     from django.utils.deprecation import MiddlewareMixin
@@ -21,7 +21,7 @@
     MiddlewareMixin = object
 
 from .utils import get_last_activity, set_last_activity
-from .settings import EXPIRE_AFTER, PASSIVE_URLS
+from .settings import EXPIRE_AFTER, PASSIVE_URLS, PASSIVE_URL_NAMES
 
 
 class SessionSecurityMiddleware(MiddlewareMixin):
@@ -31,7 +31,19 @@ class SessionSecurityMiddleware(MiddlewareMixin):
     """
 
     def is_passive_request(self, request):
-        return request.path in PASSIVE_URLS
+        """ Should we skip activity update on this URL/View. """
+        if request.path in PASSIVE_URLS:
+            return True
+
+        try:
+            match = resolve(request.path)
+            # TODO: check namespaces too
+            if match.url_name in PASSIVE_URL_NAMES:
+                return True
+        except Resolver404:
+            pass
+
+        return False
 
     def get_expire_seconds(self, request):
         """Return time (in seconds) before the user should be logged out."""

diff --git a/session_security/settings.py b/session_security/settings.py
@@ -32,6 +32,8 @@
 
 PASSIVE_URLS = getattr(settings, 'SESSION_SECURITY_PASSIVE_URLS', [])
 
+PASSIVE_URL_NAMES = getattr(settings, 'SESSION_SECURITY_PASSIVE_URL_NAMES', [])
+
 expire_at_browser_close = getattr(
     settings,
     'SESSION_EXPIRE_AT_BROWSER_CLOSE',