From fd79e18378f1ade2ecbe1b9fded4e651d50040f8 Mon Sep 17 00:00:00 2001
From: Aurélien Bompard
Date: Thu, 5 Dec 2013 18:40:40 +0100
Subject: SSLRedirect middleware: if USE_SSL is false, don't redirect Don't ever redirect, even to plaintext.
---
 hyperkitty/middleware.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'hyperkitty/middleware.py')
diff --git a/hyperkitty/middleware.py b/hyperkitty/middleware.py
index 4f48e37..26c00a2 100644
--- a/hyperkitty/middleware.py
+++ b/hyperkitty/middleware.py
@@ -90,14 +90,15 @@ SSL = 'SSL'
 class SSLRedirect(object):
 def process_view(self, request, view_func, view_args, view_kwargs):
- secure = view_kwargs.pop(SSL, False)
- if request.user.is_authenticated():
- secure = True
+ want_secure = view_kwargs.pop(SSL, False)
 if not settings.USE_SSL: # User-disabled (e.g: development server)
- secure = False
+ return # but after having removed the 'SSL' kwarg
+
+ if request.user.is_authenticated():
+ want_secure = True
- if not secure == self._is_secure(request):
- return self._redirect(request, secure)
+ if not want_secure == self._is_secure(request):
+ return self._redirect(request, want_secure)
 def _is_secure(self, request):
 if request.is_secure():
-- cgit
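Review bot: With USE_SSL enabled, the final comparison `if not want_secure == self._is_secure(request)` still fires when `want_secure` is False and the request arrived over HTTPS, so an anonymous visitor on a view without the `SSL` kwarg is presumably redirected down to plaintext (`_redirect` is defined outside the hunk, so this is inferred from the `want_secure` argument and the commit message). A middleware that only ever upgrades avoids that downgrade: `if want_secure and not self._is_secure(request): return self._redirect(request, True)`. If the downgrade is intentional, `!=` reads more clearly than `not ... ==`, and a comment on the `USE_SSL` early return should state that authenticated sessions then travel unencrypted, so the setting must stay enabled outside development.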