sudo mode: fix bugs in the code

seahub/base/sudo_mode.py

@@ -17,10 +17,10 @@ _SUDO_MODE_SESSION_KEY = 'sudo_expire_ts'
 
 
 def sudo_mode_check(request):
-    return request.session.get('_SUDO_MODE_SESSION_KEY', 0) > time.time()
+    return request.session.get(_SUDO_MODE_SESSION_KEY, 0) > time.time()
 
 def update_sudo_mode_ts(request):
-    request.session['_SUDO_MODE_SESSION_KEY'] = time.time() + _SUDO_EXPIRE_SECONDS
+    request.session[_SUDO_MODE_SESSION_KEY] = time.time() + _SUDO_EXPIRE_SECONDS
 
 def update_sudo_ts_when_login(**kwargs):
     request = kwargs['request']

seahub/templates/sysadmin/sudo_mode.html

@@ -9,13 +9,17 @@
 <form action="" method="post" class="con">{% csrf_token %}
 	<label for="password">{% trans "Password" %}</label>
 	<input type="password" name="password" value="" class="input" autocomplete="off" />
-    {% if form.errors %}
+    {% if password_error %}
 	<p class="error">{% trans "Incorrect password" %}</p>
     {% else %}
 	<p class="error hide"></p>
     {% endif %}
 
     <input type="submit" value="{% trans "Confirm Password" %}" class="submit" />
+    {% if enable_shib_login %}
+    <button id="shib-login" class="submit fright">{% trans "Shibboleth" %}</button>
+    {% endif %}
+
     <div class="sudo-mode-tip">
         <p><span class="bold">{% trans "Tip:" %}</span>{% trans "You are entering sudo mode, we won't ask for your password again for a few hours." %}</p>
     </div>
@@ -38,5 +42,14 @@ $(function() {
     });
 });
 
+{% if enable_shib_login %}
+$(function() {
+    $('#shib-login').click(function() {
+        window.location = "{% url 'shib_login' %}{% if next %}?next={{ next|escape }}{% endif %}";
+        return false;
+    });
+});
+{% endif %}
+
 </script>
 {% endblock %}

seahub/views/sysadmin.py

@@ -1435,13 +1435,16 @@ def sys_sudo_mode(request):
         password = request.POST.get('password')
         if password:
             user = authenticate(username=request.user.username, password=password)
+            if user:
                 update_sudo_mode_ts(request)
                 return HttpResponseRedirect(
                     request.GET.get('next', reverse('sys_useradmin')))
         password_error = True
 
+    enable_shib_login = getattr(settings, 'ENABLE_SHIB_LOGIN', False)
     return render_to_response(
         'sysadmin/sudo_mode.html', {
-            'password_error': True,
+            'password_error': password_error,
+            'enable_shib_login': enable_shib_login,
         },
         context_instance=RequestContext(request))

tests/ui/test_sudo_mode.py

@@ -26,3 +26,21 @@ def test_sudo_mode_required(admin_browser_once):
         'once the admin enters the password, '
         'he would not be asked again within a certain time'
     )
+
+@pytest.mark.xfail
+def test_sudo_mode_rejects_wrong_password(admin_browser_once):
+    b = admin_browser_once
+    b.visit('/sys/useradmin/')
+    assert b.path == '/sys/sudo/', (
+        'when viewing sysadmin-only pages for the first time, '
+        'the browser should be redirected to the sudo mode page'
+    )
+
+    b.fill_form({
+        'password': 'wrong-password',
+    })
+    b.submit_by_input_name('password')
+    assert b.path == '/sys/sudo/', (
+        'after entering the wrong password, '
+        'the browser should still be on the sudo mode page'
+    )