flows: don't check redirect URL when set from flow plan (set from authentik or policy)

closes #1203 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-08-01 15:10:45 +02:00 · 2021-08-01 15:10:45 +02:00 · d767504474
parent f84cd6208c
commit d767504474
2 changed files with 9 additions and 8 deletions
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@ -322,14 +322,15 @@ class FlowExecutorView(APIView):
        """User Successfully passed all stages"""
        # Since this is wrapped by the ExecutorShell, the next argument is saved in the session
        # extract the next param before cancel as that cleans it
-        next_param = None
-        if self.plan:
-            next_param = self.plan.context.get(PLAN_CONTEXT_REDIRECT)
-        if not next_param:
-            next_param = self.request.session.get(SESSION_KEY_GET, {}).get(
-                NEXT_ARG_NAME, "authentik_core:root-redirect"
-            )
        self.cancel()
+        if self.plan and PLAN_CONTEXT_REDIRECT in self.plan.context:
+            # The context `redirect` variable can only be set by
+            # an expression policy or authentik itself, so we don't
+            # check if its an absolute URL or a relative one
+            return redirect(self.plan.context.get(PLAN_CONTEXT_REDIRECT))
+        next_param = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:root-redirect"
+        )
        return to_stage_response(self.request, redirect_with_qs(next_param))

    def stage_ok(self) -> HttpResponse:
--- a/authentik/lib/utils/urls.py
+++ b/authentik/lib/utils/urls.py
@ -22,7 +22,7 @@ def redirect_with_qs(view: str, get_query_set=None, **kwargs) -> HttpResponse:
    except NoReverseMatch:
        if not is_url_absolute(view):
            return redirect(view)
-        LOGGER.debug("redirect target is not a valid view", view=view)
+        LOGGER.warning("redirect target is not a valid view", view=view)
        raise
    else:
        if get_query_set: