lgcosta/paperless-ngx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix unsafe requests with remote user auth

Browse Source
This commit is contained in:
shamoon 2024-01-13 20:14:21 -08:00
parent 2e2362e2df
commit 62b8be1a10
2 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/paperless/auth.py
View File

@ -47,3 +47,11 @@ class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):
""" """
header = settings.HTTP_REMOTE_USER_HEADER_NAME header = settings.HTTP_REMOTE_USER_HEADER_NAME
class PaperlessRemoteUserAuthentication(authentication.RemoteUserAuthentication):
"""
REMOTE_USER authentication for DRF which overrides the default header.
"""
header = settings.HTTP_REMOTE_USER_HEADER_NAME

5
src/paperless/settings.py
View File

@ -429,8 +429,9 @@ HTTP_REMOTE_USER_HEADER_NAME = os.getenv(
if ENABLE_HTTP_REMOTE_USER: if ENABLE_HTTP_REMOTE_USER:
MIDDLEWARE.append("paperless.auth.HttpRemoteUserMiddleware") MIDDLEWARE.append("paperless.auth.HttpRemoteUserMiddleware")
AUTHENTICATION_BACKENDS.insert(0, "django.contrib.auth.backends.RemoteUserBackend") AUTHENTICATION_BACKENDS.insert(0, "django.contrib.auth.backends.RemoteUserBackend")
REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].append( REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].insert(
"rest_framework.authentication.RemoteUserAuthentication", 0,
"paperless.auth.PaperlessRemoteUserAuthentication",
) )
# X-Frame options for embedded PDF display: # X-Frame options for embedded PDF display: