From 2eacc84cd02802704a9d686843d3c2224f35dcb5 Mon Sep 17 00:00:00 2001 From: moson-mo Date: Thu, 25 May 2023 13:23:37 +0200 Subject: [PATCH] fix: properly evaluate AURREMEMBER cookie Whenever the AURREMEMBER cookie was defined, regardless of its value, "remember_me" is always set to True The get method of a dict returns a string, converting a value of str "False" into a bool -> True We have to check AURREMEMBERs value instead. Signed-off-by: moson-mo
---
 aurweb/auth/__init__.py | 4 +--- aurweb/cookies.py | 2 +- aurweb/users/update.py | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/aurweb/auth/__init__.py b/aurweb/auth/__init__.py
index 5a1fc8d0..83dd424c 100644
--- a/aurweb/auth/__init__.py
+++ b/aurweb/auth/__init__.py
@@ -104,9 +104,7 @@ class BasicAuthBackend(AuthenticationBackend):
 return unauthenticated
 timeout = aurweb.config.getint("options", "login_timeout")
- remembered = "AURREMEMBER" in conn.cookies and bool(
- conn.cookies.get("AURREMEMBER")
- )
+ remembered = conn.cookies.get("AURREMEMBER") == "True"
 if remembered:
 timeout = aurweb.config.getint("options", "persistent_cookie_timeout")
diff --git a/aurweb/cookies.py b/aurweb/cookies.py
index 841e9adc..2bfcf7a7 100644
--- a/aurweb/cookies.py
+++ b/aurweb/cookies.py
@@ -65,7 +65,7 @@ def update_response_cookies(
 "AURLANG", aurlang, secure=secure, httponly=secure, samesite=samesite()
 )
 if aursid:
- remember_me = bool(request.cookies.get("AURREMEMBER", False))
+ remember_me = request.cookies.get("AURREMEMBER") == "True"
 response.set_cookie(
 "AURSID",
 aursid,
diff --git a/aurweb/users/update.py b/aurweb/users/update.py
index 21349a39..ace9dace 100644
--- a/aurweb/users/update.py
+++ b/aurweb/users/update.py
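Review bot: The `remembered` flag in `BasicAuthBackend` is still taken from a cookie the client sets, so a request carrying `AURREMEMBER=True` gets `persistent_cookie_timeout` in place of `login_timeout` regardless of what was chosen at login. How `timeout` is used afterwards lies outside the hunk, but if it bounds how long a session stays valid, the choice would be better read from the server-side session record than from `conn.cookies`. If that is out of scope for this fix, state the trust assumption next to the line, for example `# AURREMEMBER is client-controlled: it may only pick between the two configured timeouts`. The enclosing method starts and ends outside the hunk.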
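Review bot: The comparison `request.cookies.get("AURREMEMBER") == "True"` is now written out three times (here in `update_response_cookies`, in `aurweb/auth/__init__.py` and in `aurweb/users/update.py`), and it is only correct while the code that sets the cookie, which this patch does not show, writes exactly `True`. A single helper in `aurweb/cookies.py`, e.g. `def is_remembered(cookies) -> bool:` with the body `return cookies.get("AURREMEMBER") == "True"`, would keep the readers and the writer in step. The diffstat lists no test file, so a regression test that sends `AURREMEMBER=False` and checks that the short timeout applies would be worth adding with this fix.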
@@ -131,7 +131,7 @@ def password(
 user.update_password(P)
 if user == request.user:
- remember_me = request.cookies.get("AURREMEMBER", False)
+ remember_me = request.cookies.get("AURREMEMBER") == "True"
 # If the target user is the request user, login with
 # the updated password to update the Session record.