
I have an API in which, if the user is not permitted to access it, I redirect to another view along with a user message added to the request session, and using that info I use the Django messages framework to display the message in templates. In this process the session data passed from one view is lost when I look for it in the redirected view. And this is happening only in production environments.

Here is the code.

Views -

from django.contrib.auth.models import User
from django.http import HttpResponseRedirect
from django.urls import reverse

# EdfDataAsset, access_control, DataAssetFilter and logr are the project's own
# modules; their imports were not included in the post.


def data_asset_alert_track(request, edf_data_asset_id):
    data_asset = EdfDataAsset.objects.get(data_asset_id=edf_data_asset_id)
    x_app_role = access_control.get_xapp_role(request)
    roles = access_control.get_roles(x_app_role)
    user = User.objects.get(username=request.user)
    # Editing is allowed if the role has edit-all access, if the user owns the
    # asset, or if the asset's owner has authorised the user.
    is_edit_permitted = (
        access_control.has_edit_all_access(roles, 'edfdataasset')
        or bool(data_asset.owner_id and data_asset.owner.owner_id == user.username)
        or (access_control.is_auth_user(data_asset.owner, user) if data_asset.owner_id else False)
    )
    if not is_edit_permitted:
        # Stash the message in the session; the redirected view is expected to read it.
        request.session['message'] = 'Unauthorized Action: Edit DataAsset - %s not permitted' % data_asset.data_asset_name
        return HttpResponseRedirect(reverse('data_assets'))

    # Toggle the alert flag.
    if data_asset.alert_fl is False:
        data_asset.alert_fl = 'True'
    else:
        data_asset.alert_fl = 'False'

    data_asset.save()

    return HttpResponseRedirect(request.META.get('HTTP_REFERER', '/'))

Redirected-to view -

from django.contrib import messages
from django.shortcuts import render


def data_assets(request):
    # Only logs whether the session key survived the redirect; the stored text
    # itself is not passed on to the messages framework here.
    if 'message' in request.session:
        logr.info("There is a message")
    # Fixed message used to check that the template renders messages at all.
    messages.add_message(request, messages.ERROR, "A trial message")
    data_asset_list = EdfDataAsset.objects.select_related('provider').order_by('data_asset_name')
    field_filter = DataAssetFilter(request.GET, queryset=data_asset_list)
    context = {'data_asset_list': data_asset_list, 'filter': field_filter, }
    return render(request, 'edf/data_assets.html', context)

This works completely fine in all dev and test environments. What could be the issue?

I tried adding these two settings in settings.py. It still does not work.

MESSAGE_STORAGE = 'django.contrib.messages.storage.session.SessionStorage'

SESSION_COOKIE_SECURE = False

gagana

1 Answer

As you return HttpResponseRedirect, I do not think your request will go through middleware, meaning your session will not be saved.

To handle this properly, I suggest you use Django's messages framework directly in your data_asset_alert_track view.

That should give, in your view:

from django.contrib import messages
from django.contrib.auth.models import User
from django.http import HttpResponseRedirect
from django.urls import reverse


def data_asset_alert_track(request, edf_data_asset_id):
    data_asset = EdfDataAsset.objects.get(data_asset_id=edf_data_asset_id)
    x_app_role = access_control.get_xapp_role(request)
    roles = access_control.get_roles(x_app_role)
    user = User.objects.get(username=request.user)
    is_edit_permitted = (
        access_control.has_edit_all_access(roles, 'edfdataasset')
        or bool(data_asset.owner_id and data_asset.owner.owner_id == user.username)
        or (access_control.is_auth_user(data_asset.owner, user) if data_asset.owner_id else False)
    )
    if not is_edit_permitted:
        # Queue the message with the messages framework instead of writing to
        # the session directly; it is consumed when the next page renders it.
        messages.add_message(
            request,
            messages.ERROR,
            'Unauthorized Action: Edit DataAsset - %s not permitted' % data_asset.data_asset_name,
        )
        return HttpResponseRedirect(reverse('data_assets'))

    if data_asset.alert_fl is False:
        data_asset.alert_fl = 'True'
    else:
        data_asset.alert_fl = 'False'

    data_asset.save()

    return HttpResponseRedirect(request.META.get('HTTP_REFERER', '/'))

and in your redirected-to view:

from django.shortcuts import render


def data_assets(request):
    # Nothing message-specific is needed here: the template iterates over the
    # `messages` context variable (`{% for message in messages %}`).
    data_asset_list = EdfDataAsset.objects.select_related('provider').order_by('data_asset_name')
    field_filter = DataAssetFilter(request.GET, queryset=data_asset_list)
    context = {'data_asset_list': data_asset_list, 'filter': field_filter, }
    return render(request, 'edf/data_assets.html', context)
Julien Kieffer
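The flow both the question and the answer rely on is "store a message, redirect, read it on the next request". The following is an added, dependency-free model of that flow (it is not the asker's or the answerer's code, and it does not use Django itself): it imitates what Django's SessionMiddleware does around a view (load the session by cookie before the view, save it after, for 302 responses as well as 200s) and what the session-backed message storage does (queue under a session key, pop once when rendered). All class and function names, the asset name and the paths are hypothetical.

```python
import json
import secrets

ERROR = 40  # same numeric level Django uses for messages.ERROR


class SessionStore:
    """Server-side session backend shared by all workers (like a database or cache backend).

    Data is round-tripped through JSON, as Django's serializer does, so nothing
    survives a request except what was explicitly saved.
    """

    def __init__(self):
        self._data = {}

    def load(self, session_key):
        return json.loads(self._data.get(session_key, "{}"))

    def save(self, session_key, data):
        self._data[session_key] = json.dumps(data)


class Request:
    def __init__(self, path, cookies=None):
        self.path = path
        self.COOKIES = dict(cookies or {})
        self.session = {}
        self.session_key = None


class Response:
    def __init__(self, status, body="", location=None):
        self.status = status
        self.body = body
        self.location = location  # redirect target for a 302
        self.cookies = {}


def add_message(request, level, text):
    """Queue a message in the session, the way SessionStorage does under '_messages'."""
    request.session.setdefault("_messages", []).append({"level": level, "message": text})


def get_messages(request):
    """Pop every queued message: a flash message is shown exactly once."""
    return request.session.pop("_messages", [])


def run_request(store, request, view):
    """One request cycle: load session -> view -> save session and set the cookie.

    The save happens in the response phase regardless of status, so a redirect
    persists the session just like a normal page does.
    """
    request.session_key = request.COOKIES.get("sessionid") or secrets.token_hex(16)
    request.session = store.load(request.session_key)
    response = view(request)
    store.save(request.session_key, request.session)
    response.cookies["sessionid"] = request.session_key
    return response


def alert_track_view(request, permitted=False, name="asset-1"):
    """Stand-in for data_asset_alert_track: deny by default, queue a message, redirect."""
    if not permitted:
        add_message(request, ERROR, "Unauthorized Action: Edit DataAsset - %s not permitted" % name)
        return Response(302, location="/data_assets/")
    return Response(200, body="toggled")


def data_assets_view(request):
    """Stand-in for the data_assets page: render (and thereby consume) queued messages."""
    return Response(200, body=json.dumps([m["message"] for m in get_messages(request)]))


def follow_redirect(store):
    """Drive the three requests a browser would make and return what the page rendered
    right after the redirect and again on a plain reload."""
    first = run_request(store, Request("/alert_track/1"), alert_track_view)
    second = run_request(store, Request(first.location, cookies=first.cookies), data_assets_view)
    reload = run_request(store, Request(first.location, cookies=second.cookies), data_assets_view)
    return json.loads(second.body), json.loads(reload.body)


if __name__ == "__main__":
    print(follow_redirect(SessionStore()))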