Middleware is in place but does not stop requests from hitting the route

Question  Votes: 0  Answers: 1

I have written middleware for session management, and what I observe is that the middleware works fine when it comes to redirecting to the desired page based on session state.

The problem is that even after the redirect, the routes I wrote to be used only while a session is active are still hit, regardless of the session state.

For example: the secured home route should be reachable only when a session is set. The middleware does its job by redirecting the page to login, but on the server I can see that the home route is still being hit.

I could again write a code block like this:

if sessionActive:
  // Code Goes Here Which Should Run For Active Session State
else:
  // Return with Forbidden Message

My question is: why should I have to write the above code when the middleware is in place?

Please find below the middleware code:

# Middleware Class to Handle Session & JWT default operations
# Written By: XXXX
# Date Written: Jan 1, 2019

from django.http import HttpResponse, HttpResponseRedirect
from libraries.PostgreSQLConnector import PostgreSQLConnector
import jwt


class SessionHandler( object ):

  def __init__( self, get_response ):
    self.get_response = get_response

  def __call__( self, request ):
    return self.process_request( request )

  '''
  Main Function to process request header authenticity
  Params: Object <request>
  Return Type: Object
  '''
  def process_request( self, request ):
    # get_response() resolves the URL and runs the view right here, before
    # any of the session checks below; the response is only computed once and
    # handed down so the view is not invoked several times per request.
    response = self.get_response( request )
    path = request.path_info
    PUBLIC_URLS = ('/authme/',)
    if path in PUBLIC_URLS:
      return response
    return self.regressChecking( request, path, response )

  def regressChecking( self, request, path, response ):
    stoken = request.session.get('token', False)
    ctoken = request.COOKIES.get('ctoken')
    if stoken and ctoken == stoken:
      if not path.startswith("/admin") and request.method != 'POST':
        return self.validatePagePermission( request, stoken, path, response )
      return response
    # No session token, no cookie, or a mismatch: send to login and clear cookies.
    response_redirect = HttpResponseRedirect('/authme/')
    response_redirect.delete_cookie('csrftoken')
    response_redirect.delete_cookie('ctoken')
    return response_redirect

  def validatePagePermission( self, request, token, path, response ):
    if request.method == "GET":
      # PyJWT expects `algorithms` as a list of accepted algorithm names.
      token_dump = jwt.decode( token, "SECRET", algorithms=["HS256"] )
      userID = token_dump['user_id']
      if not self.validateUserPerm( path, userID ):
        return HttpResponse("You are not allowed to access this page")
    # Non-GET requests (and permitted GETs) pass the already-built response through.
    return response

  def validateUserPerm( self, SLUG, USERID ):
    psy = PostgreSQLConnector( )
    # CAUTION: SLUG is taken from the request path and interpolated straight into
    # the SQL text; this should be a parameterised query on the connector side.
    QUERY = '''select count(id) as is_present from system_user_form_level_permission where form_id_fk_id IN
     (select id from system_app_form where form_name_html LIKE '%s') AND app_assignment_id_fk_id IN
     (select id from system_apps_assignment where user_id_fk_id = %d )''' % ( SLUG, USERID )
    r = psy._custom( QUERY , "select")
    return len(r['data']) != 0

Please advise whether the middleware is missing something, or whether we still need to explicitly insert the session check code before the secured code begins.

Tags: python, django, middleware, django-middleware

1 answer

0 votes

get_response invokes the downstream code, i.e. URL resolution and the view. You should move that call inside the if block.
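The point of the answer, as an added example that is not part of the original question or answer: the leaky structure from the question beside the fixed one, with a counting stand-in for the URL resolver and view so it is visible when the protected view actually runs. The `Request`/`Response` dataclasses are minimal substitutes for Django's classes (an assumption made so the block runs offline; only the `__init__(get_response)` / `__call__(request)` middleware protocol is Django's), and the cookie-vs-session token comparison uses `hmac.compare_digest`, which the original code did not.

```python
"""Django-style middleware: checking the session before vs. after get_response()."""
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Stand-in for django.http.HttpRequest (constructed here, not Django's)."""
    path_info: str
    method: str = "GET"
    session: dict = field(default_factory=dict)
    COOKIES: dict = field(default_factory=dict)


@dataclass
class Response:
    """Stand-in for django.http.HttpResponse / HttpResponseRedirect."""
    status_code: int
    body: str = ""
    location: str = ""
    deleted_cookies: list = field(default_factory=list)

    def delete_cookie(self, name):
        self.deleted_cookies.append(name)


PUBLIC_URLS = ("/authme/",)


def login_redirect():
    """302 to the login page, clearing the cookies the question's code clears."""
    resp = Response(302, location="/authme/")
    resp.delete_cookie("csrftoken")
    resp.delete_cookie("ctoken")
    return resp


def session_is_valid(request):
    """Session token must exist and equal the 'ctoken' cookie (constant-time compare)."""
    stoken = request.session.get("token")
    ctoken = request.COOKIES.get("ctoken")
    if not stoken or ctoken is None:
        return False
    return hmac.compare_digest(str(ctoken), str(stoken))


class LeakyMiddleware:
    """Mirrors the question: get_response() runs first, so the protected view
    executes even though the client only ever sees the redirect."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)  # URL resolved and view already run
        if request.path_info in PUBLIC_URLS or session_is_valid(request):
            return response
        return login_redirect()


class FixedMiddleware:
    """The answer's fix: only call get_response() once the request is allowed."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if request.path_info in PUBLIC_URLS:
            return self.get_response(request)
        if not session_is_valid(request):
            return login_redirect()  # short-circuit: the view is never invoked
        return self.get_response(request)


class CountingView:
    """Stand-in for the URL resolver plus a protected view; counts invocations."""

    def __init__(self):
        self.hits = 0

    def __call__(self, request):
        self.hits += 1
        return Response(200, body="secret home page")


def run(middleware_cls, request):
    """Send one request through the middleware; return (status, view hit count)."""
    view = CountingView()
    response = middleware_cls(view)(request)
    return response.status_code, view.hits


if __name__ == "__main__":
    anonymous = Request("/home/")
    print("leaky:", run(LeakyMiddleware, anonymous))  # (302, 1): redirected, view ran anyway
    print("fixed:", run(FixedMiddleware, anonymous))  # (302, 0): redirected, view never ran
```

In a real project the class also has to be listed in `MIDDLEWARE` after `django.contrib.sessions.middleware.SessionMiddleware`, since it reads `request.session`; with the check placed before `get_response()`, the route-level `if sessionActive` guard from the question is no longer what keeps anonymous requests out of the view.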
