From 07b9923bf67fd399777d983113ff94f977546c0c Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 28 Apr 2021 22:13:54 +0200
Subject: [PATCH] stages/invitation: fix token not being loaded correctly
Signed-off-by: Jens Langhammer
---
 authentik/stages/invitation/stage.py | 5 +++--
 authentik/stages/invitation/tests.py | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/authentik/stages/invitation/stage.py b/authentik/stages/invitation/stage.py
index 77292d2eb..228be9699 100644
--- a/authentik/stages/invitation/stage.py
+++ b/authentik/stages/invitation/stage.py
@@ -3,6 +3,7 @@ from django.http import HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404
 from authentik.flows.stage import StageView
+from authentik.flows.views import SESSION_KEY_GET
 from authentik.stages.invitation.models import Invitation, InvitationStage
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
@@ -17,13 +18,13 @@ class InvitationStageView(StageView):
 def get(self, request: HttpRequest) -> HttpResponse:
 """Apply data to the current flow based on a URL"""
 stage: InvitationStage = self.executor.current_stage
- if INVITATION_TOKEN_KEY not in request.GET:
+ if INVITATION_TOKEN_KEY not in request.session.get(SESSION_KEY_GET, {}):
 # No Invitation was given, raise error or continue
 if stage.continue_flow_without_invitation:
 return self.executor.stage_ok()
 return self.executor.stage_invalid()
- token = request.GET[INVITATION_TOKEN_KEY]
+ token = request.session[SESSION_KEY_GET][INVITATION_TOKEN_KEY]
 invite: Invitation = get_object_or_404(Invitation, pk=token)
 self.executor.plan.context[PLAN_CONTEXT_PROMPT] = invite.fixed_data
 self.executor.plan.context[INVITATION_IN_EFFECT] = True
diff --git a/authentik/stages/invitation/tests.py b/authentik/stages/invitation/tests.py
index 4dec9d12e..8394ab351 100644
--- a/authentik/stages/invitation/tests.py
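Review bot: The token read on the new `token = request.session[SESSION_KEY_GET][INVITATION_TOKEN_KEY]` line is still client-supplied query data, and it reaches `get_object_or_404(Invitation, pk=token)` without validation. The test in this patch passes `invite.pk.hex`, which suggests a UUID primary key; if so, a malformed token would presumably raise a validation error rather than produce a 404, so parsing it first (`UUID(token)` in a `try`, returning `self.executor.stage_invalid()` on `ValueError`) would keep the failure on the intended path. Because the value now comes from the session instead of the current request, it is also worth confirming that the data under `SESSION_KEY_GET` is replaced on every flow start, otherwise an old token could be applied to a later run of this stage. The session is looked up twice; binding `query = request.session.get(SESSION_KEY_GET, {})` once would keep the membership check and the read consistent. The body of `get()` continues past the end of the hunk.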
+++ b/authentik/stages/invitation/tests.py
@@ -4,6 +4,7 @@ from unittest.mock import MagicMock, patch
 from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils.encoding import force_str
+from django.utils.http import urlencode
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.test import APITestCase
@@ -116,9 +117,8 @@ class TestUserLoginStage(TestCase):
 base_url = reverse(
 "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
 )
- response = self.client.get(
- base_url + f"?{INVITATION_TOKEN_KEY}={invite.pk.hex}"
- )
+ args = urlencode({INVITATION_TOKEN_KEY: invite.pk.hex})
+ response = self.client.get(base_url + f"?query={args}")
 session = self.client.session
 plan: FlowPlan = session[SESSION_KEY_PLAN]
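Review bot: The URL built in `response = self.client.get(base_url + f"?query={args}")` embeds the already-encoded `args` string without encoding it a second time. That works for a single key/value pair, but a second parameter would introduce a raw `&` that is parsed as a separate top-level parameter instead of staying inside `query`. Letting the test client do the encoding, `response = self.client.get(base_url, {"query": args})`, keeps the nested value intact. Only a valid token is exercised here; cases with an absent and a malformed token would pin the `stage_invalid()` path that the stage change relies on. The test method starts outside the hunk.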