Merge branch 'dev' of https://github.com/knaperek/djangosaml2 into dev

Author: peppelinux

djangosaml2/backends.py

@@ -140,8 +140,9 @@ def authenticate(self, request, session_info=None, attribute_mapping=None, creat
         if user is not None:
             user = self._update_user(
                 user, attributes, attribute_mapping, force_save=created)
-
-        return user
+        
+        if self.user_can_authenticate(user):
+            return user
 
     def _update_user(self, user, attributes: dict, attribute_mapping: dict, force_save: bool = False):
         """ Update a user with a set of attributes and returns the updated user.
@@ -197,6 +198,14 @@ def is_authorized(self, attributes: dict, attribute_mapping: dict, idp_entityid:
         """ Hook to allow custom authorization policies based on SAML attributes. True by default. """
         return True
 
+    def user_can_authenticate(self, user) -> bool:
+        """
+        Reject users with is_active=False. Custom user models that don't have
+        that attribute are allowed.
+        """
+        is_active = getattr(user, 'is_active', None)
+        return is_active or is_active is None
+
     def clean_user_main_attribute(self, main_attribute: Any) -> Any:
         """ Hook to clean the extracted user-identifying value. No-op by default. """
         return main_attribute

djangosaml2/views.py

@@ -439,9 +439,10 @@ def post_login_hook(self, request: HttpRequest, user: settings.AUTH_USER_MODEL,
     def build_relay_state(self) -> str:
         """ The relay state is a URL used to redirect the user to the view where they came from.
         """
+        login_redirect_url = get_custom_setting('LOGIN_REDIRECT_URL', '/')
         default_relay_state = get_custom_setting(
-            'ACS_DEFAULT_REDIRECT_URL', settings.LOGIN_REDIRECT_URL)
-        relay_state = self.request.POST.get('RelayState', '/')
+            'ACS_DEFAULT_REDIRECT_URL', login_redirect_url)
+        relay_state = self.request.POST.get('RelayState', default_relay_state)
         relay_state = self.customize_relay_state(relay_state)
         if not relay_state:
             logger.warning('The RelayState parameter exists but is empty')
@@ -505,7 +506,7 @@ def get(self, request, *args, **kwargs):
                 'Error Handled - SLO not supported by IDP: {}'.format(exp))
             auth.logout(request)
             state.sync()
-            return HttpResponseRedirect(getattr(settings, 'LOGOUT_REDIRECT_URL', '/'))
+            return self.handle_unsupported_slo_exception(request, exp)
 
         auth.logout(request)
         state.sync()
@@ -541,6 +542,15 @@ def get(self, request, *args, **kwargs):
             'Could not logout because there only the HTTP_REDIRECT is supported')
         return HttpResponseServerError('Logout Binding not supported')
 
+    def handle_unsupported_slo_exception(self, request, exception, *args, **kwargs):
+        """ Subclasses may override this method to implement custom logic for
+            handling logout errors. Redirects to LOGOUT_REDIRECT_URL by default.
+
+            For example, a site may want to perform additional logic and redirect
+            users somewhere other than the LOGOUT_REDIRECT_URL.
+        """
+        return HttpResponseRedirect(getattr(settings, 'LOGOUT_REDIRECT_URL', '/'))
+
 
 @method_decorator(csrf_exempt, name='dispatch')
 class LogoutView(SPConfigMixin, View):