Question

I've written a small bit of middleware that catches if a user is using a temporary password and, if so, redirects them to a page that forces them to create a new password. My problem is that the page works fine when the user is logged in and NOT using a temp password (i.e. they go to the change password URL manually), but when they ARE using a temp password the redirect from the middleware yields a 403 Forbidden page.

The middleware does one other thing in process_view after the temp password check, but this is the relevant code:

from django.core.exceptions import ObjectDoesNotExist
from django.core.urlresolvers import reverse  # django.urls in Django >= 1.10
from django.http import HttpResponseRedirect


class MyMiddleware(object):
    def process_view(self, request, view_func, view_args, view_kwargs):
        if request.user.is_authenticated():
            try:
                # Profile flag set when the user was issued a temporary password
                if request.user.get_profile().using_temp:
                    return HttpResponseRedirect(reverse('change_password'))
            except ObjectDoesNotExist:
                # User has no profile row; treat as not using a temp password
                pass
        # Not using temp password, let the request process
        return None

Note that rendering the template directly could be used, with something like render_to_response, to fix the problem, but that will cause the browser's URL to not follow, as well as it not being able to really exit the page it renders.


Solution

First, I think your indenting is off in the example, but how about the following as a solution to detect when the current path is the change_password URL? This should get rid of that infinite redirect you have going on.

from django.core.exceptions import ObjectDoesNotExist
from django.core.urlresolvers import reverse  # django.urls in Django >= 1.10
from django.http import HttpResponseRedirect


class MyMiddleware(object):
    def process_view(self, request, view_func, view_args, view_kwargs):
        if request.user.is_authenticated():
            try:
                # Only redirect when not already on the change-password page,
                # otherwise the redirect loops back onto itself
                if (request.user.get_profile().using_temp
                        and request.path != reverse('change_password')):
                    return HttpResponseRedirect(reverse('change_password'))
            except ObjectDoesNotExist:
                # User has no profile row; treat as not using a temp password
                pass
        # Not using temp password, let the request process
        return None
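
The logic of the accepted answer, as an added example that is not part of the original answer: the Django objects (request, user, profile, reverse(), HttpResponseRedirect) are replaced by minimal constructed stand-ins so the decision logic runs on its own, and the single path comparison is widened to a set of exempt URL names. The URL names and paths in URLS are assumptions. A forced-password-change gate should let through only the pages needed to complete or abandon the flow (the change page and logout); everything else stays redirected, which is what a simulated browser following the redirects shows here.

```python
from collections import namedtuple

# Constructed stand-ins for the Django objects the middleware touches;
# URLS plays the role of reverse(), Redirect the role of HttpResponseRedirect.
URLS = {  # assumed URL names and paths
    'change_password': '/accounts/password/change/',
    'logout': '/accounts/logout/',
}
Profile = namedtuple('Profile', 'using_temp')
User = namedtuple('User', 'authenticated profile')
Request = namedtuple('Request', 'path user')
Redirect = namedtuple('Redirect', 'location')

# URLs the temp-password gate must never redirect; without these the user
# can neither set a new password nor leave the session.
EXEMPT_URL_NAMES = ('change_password', 'logout')


def using_temp_password(user):
    """True only for an authenticated user whose profile carries the flag."""
    if not user.authenticated:
        return False
    if user.profile is None:  # stands in for ObjectDoesNotExist from get_profile()
        return False
    return user.profile.using_temp


def process_view_broken(request):
    """The question's logic: redirects even when already on the target page."""
    if using_temp_password(request.user):
        return Redirect(URLS['change_password'])
    return None


def process_view_fixed(request):
    """The accepted answer's check, generalised to a set of exempt paths."""
    if using_temp_password(request.user):
        exempt = {URLS[name] for name in EXEMPT_URL_NAMES}
        if request.path not in exempt:
            return Redirect(URLS['change_password'])
    return None


def follow(middleware, path, user, max_hops=5):
    """Simulate a browser following redirects issued by the middleware.

    Returns the path that finally reaches a view, or None when the
    redirects never settle within max_hops (a redirect loop).
    """
    for _ in range(max_hops):
        result = middleware(Request(path, user))
        if result is None:
            return path  # the view would run for this request
        path = result.location
    return None


# Constructed users covering the cases the middleware has to handle.
temp_user = User(True, Profile(using_temp=True))
normal_user = User(True, Profile(using_temp=False))
anonymous = User(False, None)
no_profile = User(True, None)

if __name__ == '__main__':
    print('broken, /dashboard/ ->', follow(process_view_broken, '/dashboard/', temp_user))
    print('fixed,  /dashboard/ ->', follow(process_view_fixed, '/dashboard/', temp_user))
    print('fixed,  logout      ->', follow(process_view_fixed, URLS['logout'], temp_user))
```

In a real middleware the exempt set would be built from reverse() at request time and the return value would be an HttpResponseRedirect; comparing request.path (which excludes the query string) against reversed paths is what keeps the gate from looping on its own target.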

OTHER TIPS

Which version of Django are you using?

If you are using the latest beta, setting up logging may be helpful:

http://docs.djangoproject.com/en/dev/topics/logging/

Django Debug Toolbar might be helpful here. It can trap redirects and show you where it's redirecting before actually going there. This helps run down broken redirects.

That said, I'd recommend using a different "change password" page for users with temporary passwords, so it can handle permissions checking differently. The page you have might have a @login_required decorator, and a temporary password might not be considered "really" logged in.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow