I have written a middleware for session management, and what I observe is that the middleware works correctly when it redirects to the required page according to the session state.
But the problem is that the routes I wrote, which should only be hit when the session is active, are still being hit regardless of the session state, even after the session redirect.
For example: a secure local route should only be reachable once a session has been set. The middleware does its job by redirecting the page to "login", but on the server I can see that the local route is still being accessed.
I could again write a code block like this:
```python
if sessionActive:
    ...  # Code Goes Here Which Should Run For Active Session State
else:
    ...  # Return with Forbidden Message
```
My assumption is: why should I have to write the above code at all when I am using middleware?
PFB, the middleware code:
```python
# Middleware Class to Handle Session & JWT default operations
# Written By: XXXX
# Date Written: Jan 1, 2019
from django.http import HttpResponse, HttpResponseRedirect
from django.shortcuts import redirect, render
from libraries.PostgreSQLConnector import PostgreSQLConnector
import jwt


class SessionHandler(object):
    '''
    Main Function to process request header authenticity
    Params: Object <request>
    Return Type: Object
    '''

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.process_request(request)
        return response

    def process_request(self, request):
        # get_response() is the rest of the chain (URL resolver + view), so the
        # view has already executed by the time the checks below run.
        response = self.get_response(request)
        path = request.path_info
        PUBLIC_URLS = ('/authme/',)
        if path in PUBLIC_URLS:
            return response
        else:
            return self.regressChecking(request, path)

    def regressChecking(self, request, path):
        # Second call into the chain for the same request: the view runs again.
        response = self.get_response(request)
        stoken = request.session.get('token', False)
        if 'ctoken' in request.COOKIES and stoken and request.COOKIES['ctoken'] == stoken:
            if not path.startswith("/admin") and request.method != 'POST':
                return self.validatePagePermission(request, stoken, path)
            return response
        else:
            # No session token, no cookie, or cookie/session mismatch: send to login
            response_redirect = HttpResponseRedirect('/authme/')
            response_redirect.delete_cookie('csrftoken')
            response_redirect.delete_cookie('ctoken')
            return response_redirect

    def validatePagePermission(self, request, token, path):
        if request.method == "GET":
            # PyJWT expects a list of allowed algorithms, not a bare string
            token_dump = jwt.decode(token, "SECRET", algorithms=["HS256"])
            userID = token_dump['user_id']
            status = self.validateUserPerm(path, userID)
            if status:
                # Third call into the chain for this request
                return self.get_response(request)
            return HttpResponse("You are not allowed to access this page")
        # Non-GET requests fall through here and return None, which Django rejects

    def validateUserPerm(self, SLUG, USERID):
        psy = PostgreSQLConnector()
        # SLUG comes from the request path and is interpolated straight into the
        # SQL text; a parameterised query would be the safe form. Also note that
        # count(id) always yields exactly one row, so the length check below
        # never rejects; the returned count itself would have to be inspected.
        QUERY = '''select count(id) as is_present from system_user_form_level_permission where form_id_fk_id IN
            (select id from system_app_form where form_name_html LIKE '%s') AND app_assignment_id_fk_id IN
            (select id from system_apps_assignment where user_id_fk_id = %d )''' % (SLUG, USERID)
        r = psy._custom(QUERY, "select")
        if len(r['data']) != 0:
            return True
        return False
```
Please suggest whether the middleware is missing something, or whether we still need to explicitly insert session-check code before the secure code begins.
Answer 0 (score: 0)
get_response calls the downstream code, i.e. the URL resolver and the view. You should move that call inside the if block.
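To make the answer concrete, here is an added, Django-free model of the middleware's control flow (example code, not the asker's or answerer's): a fake request and a view that records every call, run through a middleware that calls get_response() before the session check and one that only calls it on the authorised branch. FakeRequest, make_view, LeakyMiddleware, GuardedMiddleware and run are all names assumed for this illustration.

```python
# Constructed stand-in for Django's request: only the attributes the check uses.
class FakeRequest:
    def __init__(self, path, session_token=None, cookie_token=None):
        self.path_info = path
        self.session = {"token": session_token} if session_token else {}
        self.COOKIES = {"ctoken": cookie_token} if cookie_token else {}


def make_view(hits):
    # Downstream "view": appends the path it served so callers can see it ran.
    def view(request):
        hits.append(request.path_info)
        return "200 page body"
    return view


class LeakyMiddleware:
    # Same ordering as the question: get_response() first, then decide what to
    # return. The redirect is correct, but the protected view has already run.
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)            # view runs unconditionally
        stoken = request.session.get("token")
        if stoken and request.COOKIES.get("ctoken") == stoken:
            return response
        return "302 -> /authme/"


class GuardedMiddleware:
    # Same checks, but get_response() is reached only on the authorised branch,
    # so an unauthenticated request never executes the view.
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        stoken = request.session.get("token")
        if stoken and request.COOKIES.get("ctoken") == stoken:
            return self.get_response(request)            # view runs only here
        return "302 -> /authme/"


def run(middleware_cls, request):
    """Returns (response, list of paths the view actually served)."""
    hits = []
    response = middleware_cls(make_view(hits))(request)
    return response, hits
```

Running an anonymous request for /secure/ through LeakyMiddleware returns the redirect yet leaves "/secure/" in the hit list, which is exactly the server-side access the question reports; GuardedMiddleware returns the same redirect with an empty hit list.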