Don't allow the user id to change in a session loaded from storage.

6eace27f · Calen Pennington · 496022a4 · 6eace27f · 6eace27f · 6eace27f
Commit 6eace27f authored Oct 08, 2015 by Calen Pennington
16 changed files
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -42,7 +42,7 @@ DEBUG = False
 TEMPLATE_DEBUG = False
 EMAIL_BACKEND = 'django_ses.SESBackend'
-SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
+SESSION_ENGINE = 'openedx.core.djangoapps.safe_sessions.backends.cache'
 # IMPORTANT: With this enabled, the server must always be behind a proxy that
 # strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,

--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -394,6 +394,7 @@ DEBUG = False
 TEMPLATE_DEBUG = False
 SESSION_COOKIE_SECURE = False
 SESSION_SAVE_EVERY_REQUEST = False
+SESSION_ENGINE = 'openedx.core.djangoapps.safe_sessions.backends.db'
 # Site info
 SITE_ID = 1

--- a/cms/envs/yaml_config.py
+++ b/cms/envs/yaml_config.py
@@ -62,7 +62,7 @@ DEBUG = False
 TEMPLATE_DEBUG = False
 EMAIL_BACKEND = 'django_ses.SESBackend'
-SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
+SESSION_ENGINE = 'openedx.core.djangoapps.safe_sessions.backends.cache'
 DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage'
 ##############################################################

--- a/common/djangoapps/external_auth/tests/test_shib.py
+++ b/common/djangoapps/external_auth/tests/test_shib.py
@@ -73,7 +73,7 @@ def gen_all_identities():
 @ddt
-@override_settings(SESSION_ENGINE='django.contrib.sessions.backends.cache')
+@override_settings(SESSION_ENGINE='openedx.core.djangoapps.safe_sessions.backends.cache')
 class ShibSPTest(SharedModuleStoreTestCase):
    """
    Tests for the Shibboleth SP, which communicates via request.META

--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -47,7 +47,7 @@ DEBUG = False
 TEMPLATE_DEBUG = False
 EMAIL_BACKEND = 'django_ses.SESBackend'
-SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
+SESSION_ENGINE = 'openedx.core.djangoapps.safe_sessions.backends.cache'
 # IMPORTANT: With this enabled, the server must always be behind a proxy that
 # strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,

--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -802,6 +802,7 @@ TEMPLATE_DEBUG = False
 USE_TZ = True
 SESSION_COOKIE_SECURE = False
 SESSION_SAVE_EVERY_REQUEST = False
+SESSION_ENGINE = 'openedx.core.djangoapps.safe_sessions.backends.db'
 # CMS base
 CMS_BASE = 'localhost:8001'

--- a/lms/envs/devplus.py
+++ b/lms/envs/devplus.py
@@ -48,7 +48,7 @@ CACHES = {
    }
 }
-SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
+SESSION_ENGINE = 'openedx.core.djangoapps.safe_sessions.backends.cache'
 ################################ DEBUG TOOLBAR #################################

--- a/lms/envs/yaml_config.py
+++ b/lms/envs/yaml_config.py
@@ -61,7 +61,7 @@ DEBUG = False
 TEMPLATE_DEBUG = False
 EMAIL_BACKEND = 'django_ses.SESBackend'
-SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
+SESSION_ENGINE = 'openedx.core.djangoapps.safe_sessions.backends.cache'
 DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage'
 # IMPORTANT: With this enabled, the server must always be behind a proxy that

--- a/openedx/core/djangoapps/safe_sessions/__init__.py
+++ b/openedx/core/djangoapps/safe_sessions/__init__.py
--- a/openedx/core/djangoapps/safe_sessions/backends/__init__.py
+++ b/openedx/core/djangoapps/safe_sessions/backends/__init__.py
--- a/openedx/core/djangoapps/safe_sessions/backends/base.py
+++ b/openedx/core/djangoapps/safe_sessions/backends/base.py
+from django.contrib.auth import SESSION_KEY
+class SessionUserChanged(Exception):
+    def __init__(self, key, new, stored):
+        self.key = key
+        self.new = new
+        self.stored = stored
+        super(SessionUserChanged, self).__init__(
+            "Cannot change session {} from user {} to user {}".format(
+                self.key,
+                self.stored,
+                self.new,
+            )
+        )
+class SafeSessionMixin(object):
+    """
+    Mixin to prevent a session from being changed from one userid to another.
+    """
+    def __init__(self, *args, **kwargs):
+        self.__stored_user = None
+        super(SafeSessionMixin, self).__init__(*args, **kwargs)
+    def __setitem__(self, key, value):
+        if (
+            key == SESSION_KEY and
+            self.__stored_user is not None and
+            value != self.__stored_user
+        ):
+            raise SessionUserChanged(self.session_key, value, self.__stored_user)
+        return super(SafeSessionMixin, self).__setitem__(key, value)
+    def pop(self, key, *args):
+        if key == SESSION_KEY and self.__stored_user is None:
+            self.__stored_user = self._session.get(SESSION_KEY)
+        return super(SafeSessionMixin, self).pop(key, *args)
+    def setdefault(self, key, value):
+        if (
+            key == SESSION_KEY and
+            self.__stored_user is not None and
+            value != self.__stored_user
+        ):
+            raise SessionUserChanged(self.session_key, value, self.__stored_user)
+        return super(SafeSessionMixin, self).setdefault(key, value)
+    def update(self, dict_):
+        if (
+            SESSION_KEY in dict_ and
+            self.__stored_user is not None and
+            dict_[SESSION_KEY] != self.__stored_user
+        ):
+            raise SessionUserChanged(self.session_key, dict_[SESSION_KEY], self.__stored_user)
+        return super(SafeSessionMixin, self).save(must_create=must_create)
+    def clear(self):
+        super(SafeSessionMixin, self).clear()
+        self.__stored_user = None
+    def save(self, must_create=False):
+        """
+        Saves the session data. If 'must_create' is True, a new session object
+        is created (otherwise a CreateError exception is raised). Otherwise,
+        save() can update an existing object with the same key.
+        """
+        if (
+            SESSION_KEY in self._session and
+            self.__stored_user is not None and
+            self._session[SESSION_KEY] != self.__stored_user
+        ):
+            raise SessionUserChanged(self.session_key, self._session[SESSION_KEY], self.__stored_user)
+        return super(SafeSessionMixin, self).save(must_create=must_create)
+    def load(self):
+        """
+        Loads the session data and returns a dictionary.
+        """
+        session_data = super(SafeSessionMixin, self).load()
+        self.__stored_user = session_data.get(SESSION_KEY)
+        return session_data
--- a/openedx/core/djangoapps/safe_sessions/backends/cache.py
+++ b/openedx/core/djangoapps/safe_sessions/backends/cache.py
+from django.contrib.sessions.backends.cache import SessionStore
+from .base import SafeSessionMixin
+class SessionStore(SafeSessionMixin, SessionStore):
+    pass
--- a/openedx/core/djangoapps/safe_sessions/backends/cached_db.py
+++ b/openedx/core/djangoapps/safe_sessions/backends/cached_db.py
+from django.contrib.sessions.backends.cached_db import SessionStore
+from .base import SafeSessionMixin
+class SessionStore(SafeSessionMixin, SessionStore):
+    pass
--- a/openedx/core/djangoapps/safe_sessions/backends/db.py
+++ b/openedx/core/djangoapps/safe_sessions/backends/db.py
+from django.contrib.sessions.backends.db import SessionStore
+from .base import SafeSessionMixin
+class SessionStore(SafeSessionMixin, SessionStore):
+    pass
--- a/openedx/core/djangoapps/safe_sessions/backends/file.py
+++ b/openedx/core/djangoapps/safe_sessions/backends/file.py
+from django.contrib.sessions.backends.file import SessionStore
+from .base import SafeSessionMixin
+class SessionStore(SafeSessionMixin, SessionStore):
+    pass
--- a/openedx/core/djangoapps/safe_sessions/backends/signed_cookies.py
+++ b/openedx/core/djangoapps/safe_sessions/backends/signed_cookies.py
+from django.contrib.sessions.backends.signed_cookies import SessionStore
+from .base import SafeSessionMixin
+class SessionStore(SafeSessionMixin, SessionStore):
+    pass