Only require 2fa for admin urls? #13

Open
vdboor opened this issue Feb 27, 2019 · 0 comments

vdboor commented Feb 27, 2019

Would it make sense to only require 2fa for the pages where wagtail is mounted? E.g. everything below reverse('wagtailadmin_home') such as /cms/ and /admin/?

    # Assumes: from django.conf import settings
    #          from django.urls import NoReverseMatch, reverse
    def _require_verified_user(self, request):
        ...
        if settings.WAGTAIL_2FA_ONLY_URLS:
            # As safeguard, the wagtail+admin pages are always under 2fa,
            # otherwise there is a chance to circumvent 2fa for those URLs.
            # list() so the setting may be a tuple as well as a list.
            admin_urls = list(settings.WAGTAIL_2FA_ONLY_URLS) + [reverse('wagtailadmin_home')]
            try:
                admin_urls.append(reverse('admin:index'))
            except NoReverseMatch:
                # The Django admin is not installed; nothing more to protect.
                pass

            if not any(request.path.startswith(url) for url in admin_urls):
                return False

        return True

Reason for using this:

  • on the regular user pages, we'd like to use allauth-2fa to show a user-facing 2fa check.
  • only on the wagtail and admin pages, the wagtail-2fa screen should pop up.

vdboor changed the title from "Only require page where wagtail is mounted?" to "Only require 2fa for admin urls?" on Feb 27, 2019
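
The prefix check proposed in this issue, as an added example that is not part of the original comment or the wagtail-2fa code base: it matches on path-segment boundaries, so a user-facing sibling such as `/cms-preview/` does not get the admin 2FA screen while `/cms` and everything below `/cms/` always does. The names `requires_2fa`, `protected_prefixes` and `admin_roots` are hypothetical, and the admin roots are passed in as arguments in place of `reverse('wagtailadmin_home')` and `reverse('admin:index')` so the block runs without Django.

```python
# Added example: framework-free version of the prefix check so it runs offline.
# All names here are hypothetical; admin_roots stands in for the values of
# reverse('wagtailadmin_home') and reverse('admin:index').


def _norm(prefix):
    """Return the prefix with exactly one leading and one trailing slash."""
    return "/" + prefix.strip("/") + "/" if prefix.strip("/") else "/"


def protected_prefixes(only_urls, admin_roots):
    """Configured prefixes plus the admin roots, which are always enforced."""
    return sorted({_norm(p) for p in list(only_urls) + list(admin_roots)})


def requires_2fa(path, only_urls, admin_roots):
    """True when path is a protected prefix or lies below one.

    An empty only_urls keeps the default of enforcing 2FA everywhere,
    matching the `return True` fallthrough in the snippet above.
    """
    if not only_urls:
        return True
    # Compare on segment boundaries: "/cms/" covers "/cms" and "/cms/pages/",
    # but not the sibling "/cms-preview/", which startswith("/cms") would hit.
    candidate = path if path.endswith("/") else path + "/"
    prefixes = protected_prefixes(only_urls, admin_roots)
    return any(candidate.startswith(p) for p in prefixes)


if __name__ == "__main__":
    # Constructed sample configuration and request paths.
    only_urls = ("/reports",)          # a tuple, as settings often are
    admin_roots = ["/cms/", "/admin/"]
    for path in ["/cms/pages/3/edit/", "/admin", "/reports/q1/",
                 "/reports-archive/", "/accounts/login/", "/cms-preview/x/"]:
        print(f"{path:24} 2fa={requires_2fa(path, only_urls, admin_roots)}")
```

Any admin-level view mounted outside the listed prefixes is not covered by a check of this shape, so the list has to track the URL configuration.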