perf: 优化跳转页

2025-09-15 06:49:17 +00:00 · 2023-11-16 11:26:26 +08:00
parent 64f3509c8c
commit ba38852354
8 changed files with 24 additions and 9 deletions
--- a/apps/authentication/api/sso.py
+++ b/apps/authentication/api/sso.py
@@ -14,7 +14,7 @@ from common.api import JMSGenericViewSet
 from common.const.http import POST, GET
 from common.permissions import OnlySuperUser
 from common.serializers import EmptySerializer
-from common.utils import reverse
+from common.utils import reverse, safe_next_url
 from common.utils.timezone import utc_now
 from users.models import User
 from ..errors import SSOAuthClosed
@@ -45,6 +45,7 @@ class SSOViewSet(AuthMixin, JMSGenericViewSet):
        username = serializer.validated_data['username']
        user = User.objects.get(username=username)
        next_url = serializer.validated_data.get(NEXT_URL)
+        next_url = safe_next_url(next_url, request=request)

        operator = request.user.username
        # TODO `created_by` 和 `created_by` 可以通过 `ThreadLocal` 统一处理
--- a/apps/authentication/backends/oidc/views.py
+++ b/apps/authentication/backends/oidc/views.py
@@ -20,10 +20,11 @@ from django.core.exceptions import SuspiciousOperation
 from django.http import HttpResponseRedirect, QueryDict
 from django.urls import reverse
 from django.utils.crypto import get_random_string
-from django.utils.http import url_has_allowed_host_and_scheme, urlencode
+from django.utils.http import urlencode
 from django.views.generic import View

 from authentication.utils import build_absolute_uri_for_oidc
+from common.utils import safe_next_url
 from .utils import get_logger

 logger = get_logger(__file__)
@@ -100,8 +101,7 @@ class OIDCAuthRequestView(View):
        # Stores the "next" URL in the session if applicable.
        logger.debug(log_prompt.format('Stores next url in the session'))
        next_url = request.GET.get('next')
-        request.session['oidc_auth_next_url'] = next_url \
-            if url_has_allowed_host_and_scheme(url=next_url, allowed_hosts=(request.get_host(),)) else None
+        request.session['oidc_auth_next_url'] = safe_next_url(next_url, request=request)

        # Redirects the user to authorization endpoint.
        logger.debug(log_prompt.format('Construct redirect url'))
--- a/apps/authentication/views/dingtalk.py
+++ b/apps/authentication/views/dingtalk.py
@@ -18,7 +18,7 @@ from authentication.permissions import UserConfirmation
 from common.sdk.im.dingtalk import URL, DingTalk
 from common.utils import get_logger
 from common.utils.common import get_request_ip
-from common.utils.django import get_object_or_none, reverse
+from common.utils.django import get_object_or_none, reverse, safe_next_url
 from common.utils.random import random_string
 from common.views.mixins import PermissionsMixin, UserConfirmRequiredExceptionMixin
 from users.models import User
@@ -185,6 +185,7 @@ class DingTalkQRLoginView(DingTalkQRMixin, METAMixin, View):
    def get(self, request: HttpRequest):
        redirect_url = request.GET.get('redirect_url') or reverse('index')
        next_url = self.get_next_url_from_meta() or reverse('index')
+        next_url = safe_next_url(next_url, request=request)

        redirect_uri = reverse('authentication:dingtalk-qr-login-callback', external=True)
        redirect_uri += '?' + urlencode({
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -24,7 +24,7 @@ from django.views.decorators.debug import sensitive_post_parameters
 from django.views.generic.base import TemplateView, RedirectView
 from django.views.generic.edit import FormView

-from common.utils import FlashMessageUtil, static_or_direct
+from common.utils import FlashMessageUtil, static_or_direct, safe_next_url
 from users.utils import (
    redirect_user_first_login_or_index
 )
@@ -202,6 +202,7 @@ class UserLoginView(mixins.AuthMixin, UserLoginContextMixin, FormView):

        auth_name, redirect_url = auth_method['name'], auth_method['url']
        next_url = request.GET.get('next') or '/'
+        next_url = safe_next_url(next_url, request=request)
        query_string = request.GET.urlencode()
        redirect_url = '{}?next={}&{}'.format(redirect_url, next_url, query_string)

--- a/apps/authentication/views/wecom.py
+++ b/apps/authentication/views/wecom.py
@@ -19,7 +19,7 @@ from common.sdk.im.wecom import URL
 from common.sdk.im.wecom import WeCom
 from common.utils import get_logger
 from common.utils.common import get_request_ip
-from common.utils.django import reverse, get_object_or_none
+from common.utils.django import reverse, get_object_or_none, safe_next_url
 from common.utils.random import random_string
 from common.views.mixins import UserConfirmRequiredExceptionMixin, PermissionsMixin
 from users.models import User
@@ -182,6 +182,7 @@ class WeComQRLoginView(WeComQRMixin, METAMixin, View):
    def get(self, request: HttpRequest):
        redirect_url = request.GET.get('redirect_url') or reverse('index')
        next_url = self.get_next_url_from_meta() or reverse('index')
+        next_url = safe_next_url(next_url, request=request)
        redirect_uri = reverse('authentication:wecom-qr-login-callback', external=True)
        redirect_uri += '?' + urlencode({
            'redirect_url': redirect_url,