Posted to commits@allura.apache.org by ke...@apache.org on 2020/06/08 15:27:26 UTC
[allura] 03/03: fixup! fixup! [#8362] Add secure attr to session
cookie
This is an automated email from the ASF dual-hosted git repository.
kentontaylor pushed a commit to branch kt/8362
in repository https://gitbox.apache.org/repos/asf/allura.git
commit 5d623f60e31570edd51bf716af1d6ad571aa4c53
Author: Kenton Taylor <kt...@slashdotmedia.com>
AuthorDate: Thu Jun 4 18:41:10 2020 +0000
fixup! fixup! [#8362] Add secure attr to session cookie
---
Allura/allura/lib/plugin.py | 2 +-
Allura/allura/public/nf/js/allura-base.js | 3 ++-
Allura/allura/public/nf/js/maximize-content.js | 2 +-
Allura/allura/public/nf/js/memorable.js | 2 +-
Allura/allura/tests/test_plugin.py | 15 +++++++++++----
5 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index 86bb0b5..bcf6527 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -261,7 +261,7 @@ class AuthenticationProvider(object):
self.session.invalidate()
self.session.save()
response.delete_cookie('allura-loggedin')
- response.set_cookie('memorable_forget', '/')
+ response.set_cookie('memorable_forget', '/', secure=request.environ['beaker.session'].secure)
def validate_password(self, user, password):
'''Check that provided password matches actual user password
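Review bot: `request.environ['beaker.session']` is a bare subscript, so a request that reaches logout without the Beaker middleware in the environ (a plain WSGI request built in a test or script context) would now raise KeyError instead of simply emitting a non-secure cookie; a tolerant lookup keeps the logout path itself robust, e.g. `session = request.environ.get('beaker.session')` and `secure = bool(session is not None and session.secure)`. The test hunks further down suggest the same expression is repeated in get_site_notification, so a small shared helper returning that boolean would keep the two call sites from drifting. Note that `httponly` cannot be added to this cookie because memorable.js reads and removes it client-side. The enclosing logout method starts above this hunk.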
diff --git a/Allura/allura/public/nf/js/allura-base.js b/Allura/allura/public/nf/js/allura-base.js
index 6a4fd10..a4031d6 100644
--- a/Allura/allura/public/nf/js/allura-base.js
+++ b/Allura/allura/public/nf/js/allura-base.js
@@ -218,7 +218,8 @@ $(function(){
cookie = cookie.replace(new RegExp(note_id + '-([0-9]+)-False'), note_id + '-$1-True');
$.cookie('site-notification', cookie, {
expires: 365,
- path: '/'
+ path: '/',
+ secure: top.location.protocol==='https:' ? true : false
});
e.preventDefault();
return false;
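Review bot: Reading `top.location.protocol` throws a SecurityError in current browsers when the page is embedded in a cross-origin frame, which would abort this click handler before the site-notification cookie is written; `window.location.protocol` answers the same question for the document that is setting the cookie without that failure mode. The ternary is also redundant since the comparison is already a boolean, so the line can simply be `secure: window.location.protocol === 'https:'`. The enclosing handler starts and ends outside the hunk.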
diff --git a/Allura/allura/public/nf/js/maximize-content.js b/Allura/allura/public/nf/js/maximize-content.js
index 7202125..c714057 100644
--- a/Allura/allura/public/nf/js/maximize-content.js
+++ b/Allura/allura/public/nf/js/maximize-content.js
@@ -25,7 +25,7 @@ $(document).ready(function () {
$('#maximize-content, #restore-content').click(function (e) {
$('body').toggleClass('content-maximized');
var is_visible = $(".content-maximized").is(":visible") ? 'true' : 'false';
- $.cookie('maximizeView', is_visible);
+ $.cookie('maximizeView', is_visible, {secure: true});
e.preventDefault();
return false;
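Review bot: `{secure: true}` is hardcoded here, whereas allura-base.js in this same commit derives the flag from the page protocol; over plain http current browsers refuse to store a Secure cookie set from an insecure origin, so in a non-TLS deployment the maximize preference would silently stop persisting. The memorable.js hunk (`$.removeCookie('memorable_forget', { path: '/', secure: true })`) has the same hardcoded flag, and there it additionally diverges from the server side, which sets `memorable_forget` with a conditional `secure=` in plugin.py, so over http the removal may not match the cookie that was set. Computing the flag the same way in both files, `{secure: window.location.protocol === 'https:'}`, keeps the JS call sites and the server in agreement. The enclosing handlers start and end outside the hunks.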
diff --git a/Allura/allura/public/nf/js/memorable.js b/Allura/allura/public/nf/js/memorable.js
index e756cea..7143f35 100644
--- a/Allura/allura/public/nf/js/memorable.js
+++ b/Allura/allura/public/nf/js/memorable.js
@@ -264,7 +264,7 @@ Memorable.forget = function(key_prefix){
localStorage.removeItem(localStorage.key(i));
}
}
- $.removeCookie('memorable_forget', { path: '/' });
+ $.removeCookie('memorable_forget', { path: '/', secure: true });
}
};
diff --git a/Allura/allura/tests/test_plugin.py b/Allura/allura/tests/test_plugin.py
index e615b74..04cd893 100644
--- a/Allura/allura/tests/test_plugin.py
+++ b/Allura/allura/tests/test_plugin.py
@@ -338,9 +338,11 @@ class TestThemeProvider_notifications(object):
note.page_tool_type = None
SiteNotification.actives.return_value = [note]
request.cookies = {'site-notification': 'deadbeef-1-false'}
+ request.environ['beaker.session'].secure = False
+
assert_is(ThemeProvider().get_site_notification(), note)
response.set_cookie.assert_called_once_with(
- 'site-notification', 'deadbeef-2-False', max_age=dt.timedelta(days=365))
+ 'site-notification', 'deadbeef-2-False', max_age=dt.timedelta(days=365), secure=False)
@patch('allura.lib.plugin.c', MagicMock())
@patch('allura.model.notification.SiteNotification')
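Review bot: All four updated tests (this hunk and the ones at `@@ -370`, `@@ -387` and `@@ -404`) set `request.environ['beaker.session'].secure = False` and assert `secure=False`, so a regression that hardcodes `secure=False` in get_site_notification would still pass; at least one case should flip the mock, `request.environ['beaker.session'].secure = True`, and assert `secure=True` so the propagation from the session flag to the cookie is actually pinned. Cosmetically, three of the hunks add a blank line after the assignment while the `request.cookies = {}` case does not; pick one form. The test methods themselves start above each hunk.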
@@ -370,9 +372,11 @@ class TestThemeProvider_notifications(object):
note.page_tool_type = None
SiteNotification.actives.return_value = [note]
request.cookies = {'site-notification': '0ddba11-1000-true'}
+ request.environ['beaker.session'].secure = False
+
assert_is(ThemeProvider().get_site_notification(), note)
response.set_cookie.assert_called_once_with(
- 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365))
+ 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365), secure=False)
@patch('allura.lib.plugin.c', MagicMock())
@patch('allura.model.notification.SiteNotification')
@@ -387,9 +391,10 @@ class TestThemeProvider_notifications(object):
note.page_tool_type = None
SiteNotification.actives.return_value = [note]
request.cookies = {}
+ request.environ['beaker.session'].secure = False
assert_is(ThemeProvider().get_site_notification(), note)
response.set_cookie.assert_called_once_with(
- 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365))
+ 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365), secure=False)
@patch('allura.lib.plugin.c', MagicMock())
@patch('allura.model.notification.SiteNotification')
@@ -404,9 +409,11 @@ class TestThemeProvider_notifications(object):
note.page_tool_type = None
SiteNotification.actives.return_value = [note]
request.cookies = {'site-notification': 'deadbeef-1000-true-bad'}
+ request.environ['beaker.session'].secure = False
+
assert_is(ThemeProvider().get_site_notification(), note)
response.set_cookie.assert_called_once_with(
- 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365))
+ 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365), secure=False)
@patch('allura.lib.plugin.c')
@patch('allura.model.notification.SiteNotification')