From 304af24562eb0b90a0db1661d193e1b21a237df0 Mon Sep 17 00:00:00 2001
From: David Muller
Date: Sun, 5 Oct 2014 16:14:11 -0700
Subject: [PATCH 1/2] Add skip_authorization_completely to AuthorizationView
---
 oauth2_provider/views/base.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
index 50a1d8bbd..716eb91fc 100644
--- a/oauth2_provider/views/base.py
+++ b/oauth2_provider/views/base.py
@@ -73,6 +73,8 @@ class AuthorizationView(BaseAuthorizationView, FormView):
     server_class = Server
     validator_class = oauth2_settings.OAUTH2_VALIDATOR_CLASS
 
+    skip_authorization_completely = False
+
     def get_initial(self):
         # TODO: move this scopes conversion from and to string into a utils function
         scopes = self.oauth2_data.get('scope', self.oauth2_data.get('scopes', []))
@@ -121,7 +123,17 @@ def get(self, request, *args, **kwargs):
         # Check to see if the user has already granted access and return
         # a successful response depending on 'approval_prompt' url parameter
         require_approval = request.GET.get('approval_prompt', oauth2_settings.REQUEST_APPROVAL_PROMPT)
-        if require_approval == 'auto':
+
+        # if skip_authorization_completely is True, skip the authorization screen even
+        # if this is the first use of the application and there was no previous authorization
+        # useful for in-house applications-> assume an in-house applications are already approved.
+        if self.skip_authorization_completely:
+            uri, headers, body, status = self.create_authorization_response(
+                request=self.request, scopes=" ".join(scopes),
+                credentials=credentials, allow=True)
+            return HttpResponseRedirect(uri)
+
+        elif require_approval == 'auto':
             tokens = request.user.accesstoken_set.filter(application=kwargs['application'],
                                                          expires__gt=timezone.now()).all()
             # check past authorizations regarded the same scopes as the current one
From c9ee4a1ef51a5ea582e220cc8b7a28f6150235bc Mon Sep 17 00:00:00 2001
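Review bot: `skip_authorization_completely = False` is added with no comment, and because it is a class attribute it governs every client that reaches this view rather than one particular application; a reader will not learn that from the name alone. Suggest a comment above it such as `# When True, every authorization request handled by this view is granted without showing the consent form; only set it on a view that serves exclusively first-party (trusted) clients.` The class definition continues outside the hunk.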
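Review bot: The new branch at `if self.skip_authorization_completely:` auto-approves for whichever `client_id` the request names, so on a server that also registers third-party applications this one flag switches off user consent for all of them; the comment speaks of in-house applications but nothing in the branch restricts it to them. A per-application check, looked up alongside `kwargs['application']` that the existing `auto` branch already uses, would keep the bypass scoped to the clients it is meant for; whether the redirect URI and scopes in `credentials` were validated before this point is outside the hunk, so I cannot confirm it from here. Two smaller points: `headers`, `body` and `status` are bound and never used (`uri, _, _, _ = self.create_authorization_response(` reads cleaner), and the call passes `request=self.request` while the surrounding lines use the method's own `request` parameter. The `get` method starts and ends outside the hunk.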
From: David Muller
Date: Sun, 5 Oct 2014 16:15:03 -0700
Subject: [PATCH 2/2] Add test for skip_authorization_completely bool flag
---
 oauth2_provider/tests/test_implicit.py | 27 +++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/oauth2_provider/tests/test_implicit.py b/oauth2_provider/tests/test_implicit.py
index a3cfb9e4f..7adad06e0 100644
--- a/oauth2_provider/tests/test_implicit.py
+++ b/oauth2_provider/tests/test_implicit.py
@@ -1,12 +1,14 @@
 from __future__ import unicode_literals
 
+import mock
+
 from django.test import TestCase, RequestFactory
 from django.core.urlresolvers import reverse
 
 from ..compat import urlparse, parse_qs, urlencode, get_user_model
 from ..models import get_application_model
 from ..settings import oauth2_settings
-from ..views import ProtectedResourceView
+from ..views import ProtectedResourceView, AuthorizationView
 
 Application = get_application_model()
 
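Review bot: `AuthorizationView` is added to the `from ..views import` line, but the new test in the next hunk patches the flag through the dotted string `'oauth2_provider.views.base.AuthorizationView.skip_authorization_completely'`, so as far as this diff shows the imported name is never used. Either drop it or patch the object directly with `mock.patch.object(AuthorizationView, 'skip_authorization_completely', True)`, which also fails loudly if the attribute is ever renamed. The rest of the module is outside the hunk, so the name may be used elsewhere.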
@@ -140,6 +142,29 @@ def test_post_auth_allow(self):
         self.assertIn('access_token=', response['Location'])
         self.assertIn('state=random_state_string', response['Location'])
 
+    @mock.patch('oauth2_provider.views.base.AuthorizationView.skip_authorization_completely', True)
+    def test_skip_authorization_completely(self):
+        """
+        If skip_authorization_completely = True, should skip the authorization page.
+        """
+        self.client.login(username="test_user", password="123456")
+
+        query_string = urlencode({
+            'client_id': self.application.client_id,
+            'response_type': 'token',
+            'state': 'random_state_string',
+            'scope': 'read write',
+            'redirect_uri': 'http://example.it',
+        })
+
+        url = "{url}?{qs}".format(url=reverse('oauth2_provider:authorize'), qs=query_string)
+
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 302)
+        self.assertIn('http://example.it#', response['Location'])
+        self.assertIn('access_token=', response['Location'])
+        self.assertIn('state=random_state_string', response['Location'])
+
     def test_token_post_auth_deny(self):
         """
         Test error when resource owner deny access
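Review bot: `test_skip_authorization_completely` only exercises the flag set to True; nothing here asserts that with the default `skip_authorization_completely = False` the same first-use request still renders the consent form, so a change that made the bypass unconditional would pass this test unless another test in the class already pins the default. A sibling test without the `mock.patch` decorator asserting `self.assertEqual(response.status_code, 200)` on the same URL would close that gap. The docstring could also say what is checked, e.g. `The client is redirected straight to redirect_uri with a token; the consent page is never served.` The enclosing TestCase class starts outside the hunk.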