From 4624bb7c3eec270f21d9efd16a768377ff6b55fd Mon Sep 17 00:00:00 2001
From: Tim McCormack
Date: Wed, 19 Jan 2022 22:01:31 +0000
Subject: [PATCH] fix: Prevent SafeSessions false alarm in course outline alt-masquerading

The course outline view has a way for a staff user to make a request as if they are another user, not just by using the masquerade mechanism but also by setting a request parameter. This can result in false positives in the safe-sessions middleware, and if `ENFORCE_SAFE_SESSIONS` is enabled the responses will be 401 errors. The fix here is to do the same thing that masquerading does in setting a `real_user` property on the new user object, which the safe-sessions middleware then undoes (restoring the request.user) before determing whether there's a mismatch. (Without this fix, enabling `ENFORCE_SAFE_SESSIONS` also causes some tests in `test_views.py` to fail.)
---
 .../core/djangoapps/content/learning_sequences/views.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/openedx/core/djangoapps/content/learning_sequences/views.py b/openedx/core/djangoapps/content/learning_sequences/views.py
index 72169afbb5..c410592473 100644
--- a/openedx/core/djangoapps/content/learning_sequences/views.py
+++ b/openedx/core/djangoapps/content/learning_sequences/views.py
@@ -213,7 +213,12 @@ class CourseOutlineView(APIView):
         target_username = request.GET.get("user")
         if target_username is not None:
-            return self._get_target_user(request, course_key, has_staff_access, target_username)
+            target_user = self._get_target_user(request, course_key, has_staff_access, target_username)
+            # Just like in masquerading, set real_user so that the
+            # SafeSessions middleware can see that the user didn't
+            # change unexpectedly.
+            target_user.real_user = request.user
+            return target_user
 
         _course_masquerade, user = setup_masquerade(request, course_key, has_staff_access)
         return user
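Review bot: The only thing that tells the safe-sessions middleware to accept this user swap is the duck-typed attribute set by `target_user.real_user = request.user`, and nothing in this file pins that contract down, so the added comment should name where the attribute is consumed, e.g. `# The safe_sessions middleware reads .real_user to restore the original request.user before its user-mismatch check; keep this in step with setup_masquerade.` The diffstat shows only views.py changed, while the description says tests in test_views.py fail under ENFORCE_SAFE_SESSIONS without this fix; a regression test that enables that setting and exercises the ?user= path would keep a later refactor from quietly reintroducing the 401s. Presumably `_get_target_user` can hand back `request.user` itself when the target is the caller, which would leave `real_user` self-referential — harmless as far as the visible lines go, but worth confirming against the middleware's restore logic. The enclosing method starts before the hunk.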