Fix AJAX views to better handle user logging out

Rather than redirecting to login page, return HTTP 403 Forbidden

CHANGELOG.md

@@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file.
 
 ### Bug Fixes
 - Fix Check.ping() to lock the check before updating (#1023)
+- Fix AJAX views to better handle user logging out
 
 
 ## v3.4 - 2024-06-20

hc/front/tests/test_log_events.py

@@ -57,6 +57,10 @@ class LogTestCase(BaseTestCase):
         self.assertContains(r, "Sent email to alice@example.org")
         self.assertContains(r, "new ➔ down")
 
+    def test_it_returns_403_for_anon_requests(self) -> None:
+        r = self.client.get(self.url())
+        self.assertEqual(r.status_code, 403)
+
     def test_team_access_works(self) -> None:
         # Logging in as bob, not alice. Bob has team access so this
         # should work.

hc/front/tests/test_status.py

@@ -26,6 +26,10 @@ class StatusTestCase(BaseTestCase):
         self.assertEqual(detail["status"], "new")
         self.assertIn("Never", detail["last_ping"])
 
+    def test_it_returns_403_for_anon_requests(self) -> None:
+        r = self.client.get(self.url)
+        self.assertEqual(r.status_code, 403)
+
     def test_it_allows_cross_team_access(self) -> None:
         self.client.login(username="bob@example.org", password="password")
         r = self.client.get(self.url)

hc/front/tests/test_status_single.py

@@ -21,6 +21,10 @@ class StatusSingleTestCase(BaseTestCase):
         self.assertTrue("never received a ping" in doc["status_text"])
         self.assertTrue("not received any pings yet" in doc["events"])
 
+    def test_it_returns_403_for_anon_requests(self) -> None:
+        r = self.client.get(self.url)
+        self.assertEqual(r.status_code, 403)
+
     def test_it_returns_events(self) -> None:
         p = Ping.objects.create(owner=self.check, ua="test-user-agent", n=1)
         self.check.status = "up"

hc/front/views.py

@@ -303,8 +303,10 @@ def checks(request: AuthenticatedHttpRequest, code: UUID) -> HttpResponse:
     return render(request, "front/checks.html", ctx)
 
 
-@login_required
-def status(request: AuthenticatedHttpRequest, code: UUID) -> HttpResponse:
+def status(request: HttpRequest, code: UUID) -> HttpResponse:
+    if not request.user.is_authenticated:
+        return HttpResponseForbidden()
+
     project, rw = _get_project_for_user(request, code)
     checks = list(Check.objects.filter(project=project))
 
@@ -1085,8 +1087,10 @@ def copy(request: AuthenticatedHttpRequest, code: UUID) -> HttpResponse:
     return redirect(url + "?copied")
 
 
-@login_required
-def status_single(request: AuthenticatedHttpRequest, code: UUID) -> HttpResponse:
+def status_single(request: HttpRequest, code: UUID) -> HttpResponse:
+    if not request.user.is_authenticated:
+        return HttpResponseForbidden()
+
     check, rw = _get_check_for_user(request, code, preload_owner_profile=True)
 
     status = check.get_status()
@@ -2779,8 +2783,10 @@ def verify_signal_number(request: AuthenticatedHttpRequest) -> HttpResponse:
     return render_result(None)
 
 
-@login_required
-def log_events(request: AuthenticatedHttpRequest, code: UUID) -> HttpResponse:
+def log_events(request: HttpRequest, code: UUID) -> HttpResponse:
+    if not request.user.is_authenticated:
+        return HttpResponseForbidden()
+
     check, rw = _get_check_for_user(request, code, preload_owner_profile=True)
     form = forms.LogFiltersForm(request.GET)
     if not form.is_valid():

static/js/log.js

@@ -124,6 +124,9 @@ $(function () {
                 switchDateFormat(dateFormat, tbody.querySelectorAll("tr"));
                 document.getElementById("log").prepend(tbody);
                 updateNumHits();
+            },
+            error: function(data, textStatus, xhr) {
+                activeRequest = null;
             }
         });
     }