inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2025-04-28 11:36:44 +00:00
Code

Samesite fix (#8390)

Browse Source 
* Fix for migratoin

* Fix for COOKIE_MODE

- Update to match master

* Fix default value in config template

- samesite = false, not none

* Remove conflicting migration

- Should not have back-ported this from master branch
- Will not cause any serious issues, was a "nice to have" data migration
This commit is contained in:
Oliver 2024-10-29 10:17:41 +11:00 committed by GitHub
parent 343f63c6ba
commit de2edc4ed6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 24 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/backend/InvenTree/InvenTree/settings.py
View File

@ -1061,26 +1061,40 @@ if (
sys.exit(-1) sys.exit(-1)
COOKIE_MODE = ( COOKIE_MODE = (
str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'None')) str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'False'))
.lower() .lower()
.strip() .strip()
) )
valid_cookie_modes = {'lax': 'Lax', 'strict': 'Strict', 'none': 'None', 'null': 'None'} # Valid modes (as per the django settings documentation)
valid_cookie_modes = ['lax', 'strict', 'none']
if COOKIE_MODE not in valid_cookie_modes.keys(): if not DEBUG and not TESTING and COOKIE_MODE in valid_cookie_modes:
logger.error('Invalid cookie samesite mode: %s', COOKIE_MODE) # Set the cookie mode (in production mode only)
sys.exit(-1) COOKIE_MODE = COOKIE_MODE.capitalize()
else:
COOKIE_MODE = valid_cookie_modes.get(COOKIE_MODE.lower(), 'None') # Default to False, as per the Django settings
COOKIE_MODE = False
# Additional CSRF settings # Additional CSRF settings
CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN' CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'
CSRF_COOKIE_NAME = 'csrftoken' CSRF_COOKIE_NAME = 'csrftoken'
CSRF_COOKIE_SAMESITE = COOKIE_MODE CSRF_COOKIE_SAMESITE = COOKIE_MODE
SESSION_COOKIE_SAMESITE = COOKIE_MODE SESSION_COOKIE_SAMESITE = COOKIE_MODE
SESSION_COOKIE_SECURE = get_boolean_setting(
'INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', False """Set the SESSION_COOKIE_SECURE value based on the following rules:
- False if the server is running in DEBUG mode
- True if samesite cookie setting is set to 'None'
- Otherwise, use the value specified in the configuration file (or env var)
"""
SESSION_COOKIE_SECURE = (
False
if DEBUG
else (
SESSION_COOKIE_SAMESITE == 'None'
or get_boolean_setting('INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', True)
)
) )
USE_X_FORWARDED_HOST = get_boolean_setting( USE_X_FORWARDED_HOST = get_boolean_setting(

39
src/backend/InvenTree/common/migrations/0031_auto_20241026_0024.py
View File

@ -1,39 +0,0 @@
# Generated by Django 4.2.16 on 2024-10-26 00:24
from django.conf import settings
from django.db import migrations
import logging
logger = logging.getLogger('inventree')
def update_news_feed_urls(apps, schema_editor):
"""Update and validate the news feed URLs."""
from common.models import NewsFeedEntry
n = 0
for entry in NewsFeedEntry.objects.all():
if entry.link and entry.link.startswith('/'):
entry.link = settings.INVENTREE_BASE_URL + entry.link
entry.save()
n += 1
if n > 0:
logger.info("Updated link for %s NewsFeedEntry objects", n)
class Migration(migrations.Migration):
dependencies = [
('common', '0030_barcodescanresult'),
]
operations = [
migrations.RunPython(
update_news_feed_urls,
reverse_code=migrations.RunPython.noop
)
]

2
src/backend/InvenTree/config_template.yaml
View File

@ -117,7 +117,7 @@ use_x_forwarded_port: false
# Cookie settings # Cookie settings
cookie: cookie:
secure: false secure: false
samesite: none samesite: false
# Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers) # Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers)
cors: cors: