
Do not redirect for /plugin/ requests (#11085)

- Instead, return a 401 error code
Oliver
2026-01-06 15:43:23 +11:00
committed by GitHub
parent 75d6cbf729
commit 31a46e25a4


@@ -42,7 +42,7 @@ def get_token_from_request(request):
def ensure_slashes(path: str): def ensure_slashes(path: str):
"""Ensure that slashes are suroudning the passed path.""" """Ensure that slashes are surrounding the passed path."""
if not path.startswith('/'): if not path.startswith('/'):
path = f'/{path}' path = f'/{path}'
if not path.endswith('/'): if not path.endswith('/'):
@@ -59,6 +59,7 @@ urls = [
paths_ignore_handling = [ paths_ignore_handling = [
'/api/', '/api/',
'/plugin/',
reverse('auth-check'), reverse('auth-check'),
settings.MEDIA_URL, settings.MEDIA_URL,
settings.STATIC_URL, settings.STATIC_URL,
@@ -68,7 +69,7 @@ paths_ignore_handling = [
paths_own_security = [ paths_own_security = [
'/api/', # DRF handles API '/api/', # DRF handles API
'/o/', # oAuth2 library - has its own auth model '/o/', # oAuth2 library - has its own auth model
'/anymail/', # Mails - wehbhooks etc '/anymail/', # Mails - webhooks etc
'/accounts/', # allauth account management - has its own auth model '/accounts/', # allauth account management - has its own auth model
'/assets/', # Web assets - only used for testing, no security model needed '/assets/', # Web assets - only used for testing, no security model needed
ensure_slashes( ensure_slashes(
@@ -322,7 +323,7 @@ class InvenTreeHostSettingsMiddleware(MiddlewareMixin):
# treat the accessed scheme and host # treat the accessed scheme and host
accessed_scheme = request._current_scheme_host accessed_scheme = request._current_scheme_host
referer = urlsplit(accessed_scheme) referrer = urlsplit(accessed_scheme)
site_url = urlsplit(settings.SITE_URL) site_url = urlsplit(settings.SITE_URL)
@@ -330,8 +331,8 @@ class InvenTreeHostSettingsMiddleware(MiddlewareMixin):
site_url_match = ( site_url_match = (
( (
# Exact match on domain # Exact match on domain
is_same_domain(referer.netloc, site_url.netloc) is_same_domain(referrer.netloc, site_url.netloc)
and referer.scheme == site_url.scheme and referrer.scheme == site_url.scheme
) )
or ( or (
# Lax protocol match, accessed URL starts with SITE_URL # Lax protocol match, accessed URL starts with SITE_URL
@@ -341,7 +342,7 @@ class InvenTreeHostSettingsMiddleware(MiddlewareMixin):
or ( or (
# Lax protocol match, same domain # Lax protocol match, same domain
settings.SITE_LAX_PROTOCOL_CHECK settings.SITE_LAX_PROTOCOL_CHECK
and referer.hostname == site_url.hostname and referrer.hostname == site_url.hostname
) )
) )
@@ -367,7 +368,7 @@ class InvenTreeHostSettingsMiddleware(MiddlewareMixin):
trusted_origins_match = ( trusted_origins_match = (
# Matching domain found in allowed origins # Matching domain found in allowed origins
any( any(
is_same_domain(referer.netloc, host) is_same_domain(referrer.netloc, host)
for host in [ for host in [
urlsplit(origin).netloc.lstrip('*') urlsplit(origin).netloc.lstrip('*')
for origin in settings.CSRF_TRUSTED_ORIGINS for origin in settings.CSRF_TRUSTED_ORIGINS
@@ -377,7 +378,7 @@ class InvenTreeHostSettingsMiddleware(MiddlewareMixin):
# Lax protocol match allowed # Lax protocol match allowed
settings.SITE_LAX_PROTOCOL_CHECK settings.SITE_LAX_PROTOCOL_CHECK
and any( and any(
referer.hostname == urlsplit(origin).hostname referrer.hostname == urlsplit(origin).hostname
for origin in settings.CSRF_TRUSTED_ORIGINS for origin in settings.CSRF_TRUSTED_ORIGINS
) )
) )
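Review bot: The new `'/plugin/'` entry in `paths_ignore_handling` (second hunk) is the only item in that list whose purpose is not stated, while every entry of `paths_own_security` directly below carries a trailing rationale; add `'/plugin/',  # Plugin URLs: respond 401 instead of redirecting to login (#11085)` so the next reader does not take it for an authentication exemption. The hunk only removes plugin paths from the redirect handling; the 401 response promised in the commit message is not in this diff and presumably lives in the middleware branch that follows, so it is worth pinning with a test that an unauthenticated request to a `/plugin/...` URL receives 401 rather than 302 and that an authenticated request is unaffected. The list entries appear to be matched as path prefixes, so a plugin route registered without the leading `/plugin/` segment would still fall through to the old redirect behaviour — worth a sentence in the comment if that is intended. The surrounding `urls` assignment continues outside the hunk.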