Closed torgeirl closed 7 months ago
As far as I can tell the next
parameter is discarded by Allauth itself, never reaching our login provider. I believe it is caused by a known issue with Allauth, where it checks whether the URL is among allowed hosts but never consults the allowed hosts in Django settings - therefore discarding the return URL as unsafe.
The problem is addressed by https://github.com/pennersr/django-allauth/pull/3264 but unclear if and when the fix might be included in Allauth.
When that's solved we might also have to use full URLs instead of URIs for the parameter.
The problem is addressed by pennersr/django-allauth#3264 but unclear if and when the fix might be included in Allauth.
Starting with v0.55, Allauth's is_safe_url
should finally respect Django's allowed_hosts
(fixed with pennersr/django-allauth#3329).
Starting with v0.55, Allauth's
is_safe_url
should finally respect Django'sallowed_hosts
(fixed with pennersr/django-allauth#3329).
v0.55 was released on August 22, but due to an incompatibility it doesn't work with Trix (#138).
Without LOGIN_REDIRECT_URL
(#141) users are redirected to /accounts/profile/
, which is default in Django 4.2:
LOGIN_REDIRECT_URL Default:
'/accounts/profile/'
The URL or named URL pattern where requests are redirected after login when theLoginView
doesn’t get a next GET parameter.
This suggests the next parameter still gets discarded, or further setting adjustments are needed.
So found out that it was how redirecting to the correct login view was handled. The TrixLogin view redirected the user to the AllauthLoginView when 'DATAPORTEN_LOGIN' was set to True and when redirecting not passing the ?next= url to AllauthLoginView. So I added TrixLoginRedirectView to handle the redirect and made sure it propagates ?next= correctly. 97f6dd4.
I think this should also "fix" #141, but the fallbacks should still be set since even if all instances of the login button always sends a ?next= to current view, user could stil remove the ?next= or go to the login view url manually.
I still get a HTTP 404 at accounts/profile/
, but it looks like the ?next=
parameter is dropped one step later than before.
v4.0.0b1
vs
v4.0.0b2
Solved in v4.0.0b4! :tada:
If you log in, you are redirected to the front page upon your return from Dataporten. If possible, we should instead redirect to the page where the user clicked login on.
Edit: I thought we didn't get to adding this in v3.0.0, but the login link actually has a next link ie.:
/authenticate/login/?next=/course/11
(when current page is/course/11
). It seems to be discarded by Dataporten, but it might be fixable by adjusting its configuration.