simple-login / app

The SimpleLogin back-end and web app

Home Page: https://simplelogin.io

Accessing admin views causes HTTP redirection loop in self-hosted environment

leor-gh opened this issue

Please note that this is only for bug reports.

For help on your account, please reach out to us at hi[at]simplelogin.io. Please make sure to check out our FAQ, which contains frequently asked questions.

For feature requests, you can use our forum.

For self-hosted questions/issues, please ask in the self-hosted forum.

Prerequisites

  • I have searched open and closed issues to make sure that the bug has not yet been reported.

Bug report

Describe the bug
In a hosted environment, when a user is logged in without admin privileges, accessing the Flask-Admin views causes an HTTP redirection loop (too many redirections).

Expected behavior
A user without the necessary privileges accessing protected areas should get a 403 HTTP response.

Screenshots
If applicable, add screenshots to help explain your problem.

Environment (If applicable):

  • OS: Linux, Mac, Windows
  • Browser: Firefox, Chrome, Brave, Safari
  • Version [e.g. 78]

Additional context
The problem is caused by the admin index view. If the user is not logged in, or if the user is not an admin, the app redirects to the login page. However, if the user is already logged in, there is no further login step and the login page brings the user straight back to this line of code, thus causing an infinite redirection loop.

If the user accesses individual views in the admin area, checking for accessibility results in the same behavior. The check returns false, and the same logic in the callback just loops back to the login page.

The problem can be easily simplified and fixed. One approach is:

  • Remove the check in the admin index view, since all it does is redirect to the admin user view, where the accessibility check will be applied again.
  • In the view's inaccessible callback, if the user is not logged in, redirect to the login page; otherwise return 403 Forbidden. (There are only two cases where the request will fall to the callback: user not logged in or user is not an admin.)
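
The loop and the proposed fix, as an added example that is not SimpleLogin's code: a minimal Flask app in which a non-admin user hitting the admin area either loops between the login page and the admin view (buggy behaviour) or receives 403 (fixed behaviour). It uses plain Flask rather than Flask-Admin so it runs stand-alone; the `is_accessible` / `inaccessible_callback` pair, the `USERS` table, the `/auth/login` route and the `next` parameter are all constructed for illustration and only mirror the shape of the hooks discussed above.

```python
"""Reproduce the admin redirect loop and its 403 fix (added example, not project code)."""
from functools import wraps

from flask import Blueprint, Flask, abort, redirect, request, session, url_for
from werkzeug.test import ClientRedirectError

# Constructed user table: one regular user, one admin (assumption, not SimpleLogin's model).
USERS = {"alice": {"is_admin": False}, "bob": {"is_admin": True}}


def create_app(fixed: bool) -> Flask:
    """Build the app; fixed=False reproduces the bug, fixed=True applies the fix."""
    app = Flask(__name__)
    app.secret_key = "example-only-not-a-real-secret"

    def current_user():
        return USERS.get(session.get("user"))

    def is_accessible() -> bool:
        # Mirrors Flask-Admin's is_accessible(): only admins may see the view.
        user = current_user()
        return user is not None and user["is_admin"]

    def inaccessible_callback():
        # Buggy variant: every failed check bounces to login, even for a logged-in user.
        if not fixed or current_user() is None:
            return redirect(url_for("login", next=request.path))
        # Fixed variant: a logged-in non-admin gets 403 instead of another redirect.
        abort(403)

    def protected(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            if not is_accessible():
                return inaccessible_callback()
            return view(*args, **kwargs)
        return wrapper

    admin = Blueprint("admin", __name__, url_prefix="/admin")

    @admin.route("/")
    def index():
        # As suggested above: the index view carries no check of its own and
        # only forwards to the user view, where the check is applied.
        return redirect(url_for("admin.user"))

    @admin.route("/user/")
    @protected
    def user():
        return "admin user view", 200

    app.register_blueprint(admin)

    @app.route("/auth/login")
    def login():
        nxt = request.args.get("next", "/")
        # Accept only local paths in `next` so the login page is not an open redirect.
        if not nxt.startswith("/") or nxt.startswith("//"):
            nxt = "/"
        if current_user() is not None:
            # Already authenticated: no login form, send the user straight back.
            return redirect(nxt)
        return "login form", 200

    return app


def probe(fixed: bool, username=None) -> str:
    """GET /admin/ as `username` (None = anonymous), following redirects.

    Returns "redirect loop" when the test client detects a cycle, otherwise
    the final HTTP status code as a string.
    """
    client = create_app(fixed).test_client()
    if username is not None:
        with client.session_transaction() as sess:
            sess["user"] = username
    try:
        resp = client.get("/admin/", follow_redirects=True)
    except ClientRedirectError:
        return "redirect loop"
    return str(resp.status_code)


if __name__ == "__main__":
    for fixed in (False, True):
        for who in (None, "alice", "bob"):
            print(f"fixed={fixed!s:5} user={who!s:5} -> {probe(fixed, who)}")
```

Werkzeug's test client raises `ClientRedirectError` as soon as a (location, status) pair repeats in the redirect chain, which is exactly the cycle a browser reports as "too many redirections". The anonymous case ends on the login form in both variants; the difference is only for an authenticated non-admin, who loops in the buggy variant and gets 403 in the fixed one.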

Great. But there is another redirection loop at around line 92 of admin_model.py.