Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 79 additions & 0 deletions cl/assets/templates/oauth2_provider/authorize.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
{% extends "base.html" %}

{% block title %}{% if error %}Authorization error{% else %}Authorize {{ application.name }}{% endif %} – CourtListener.com{% endblock %}

{% block privacy %}
<meta name="robots" content="noindex, noodp, noarchive, noimageindex"/>
{% endblock %}

{% block footer-scripts %}{% endblock %}
{% block sidebar %}{% endblock %}

{% block content %}
<div class="col-xs-1 col-sm-2 col-md-3"></div>
<div class="col-xs-10 col-sm-8 col-md-6 well">
{% if not error %}
<h2>Authorize <em>{{ application.name }}</em>?</h2>
<p class="gray">
Signed in as <strong>{{ request.user.username }}</strong>.
</p>

<p class="lead v-offset-above-2">
The application <strong>{{ application.name }}</strong> is
requesting access to your CourtListener account. If you
approve, it will be able to:
</p>

<ul>
{% for scope in scopes_descriptions %}
<li>{{ scope }}</li>
{% endfor %}
</ul>

{% if form.redirect_uri.value %}
<p>
After you decide, you will be redirected to:
<br>
<code>{{ form.redirect_uri.value }}</code>
</p>
{% endif %}

<div class="alert alert-warning v-offset-above-2" role="alert">
<i class="fa fa-exclamation-triangle"></i>
Only authorize applications you trust. They will be able to
act on your behalf within the permissions listed above.
</div>

{% if form.errors %}
{% for error in form.non_field_errors %}
<p class="alert alert-danger">{{ error|escape }}</p>
{% endfor %}
{% endif %}
Comment on lines +47 to +51

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 {{ form.errors }} renders Django's ErrorDict (via as_ul()), which already includes non-field errors under the __all__ key — so the immediately-following {{ form.non_field_errors }} prints those same messages a second time inside the alert box. Since django-oauth-toolkit's AllowForm validation failures (invalid redirect_uri, scope, etc.) are almost exclusively non-field errors, the duplication will be visible in essentially every error case. Drop one of the two lines (typically {{ form.non_field_errors }}).

Extended reasoning...

What goes wrong

Django's Form.errors is an ErrorDict. Its default rendering (ErrorDict.__str__as_ul()) emits a single <ul class="errorlist"> containing every error on the form, including non-field errors keyed under the special __all__ key (NON_FIELD_ERRORS). form.non_field_errors() is then just self.errors.get(NON_FIELD_ERRORS, self.error_class(...)) — it returns the same ErrorList that form.errors already rendered.

So this block:

{% if form.errors %}
  <div class="alert alert-danger">
    {{ form.errors }}
    {{ form.non_field_errors }}
  </div>
{% endif %}

renders the non-field errors twice inside the same alert div.

Why this matters for AllowForm

The form used here is django-oauth-toolkit's AllowForm. Validation failures from clean() / add_error(None, ...) (invalid redirect_uri, invalid scope, etc.) are non-field errors, so practically every error message a user would see on this page will appear duplicated.

Step-by-step proof

  1. User submits the consent form with an invalid scope.
  2. AllowForm.clean() raises a ValidationError, which is stored under __all__.
  3. Template hits {% if form.errors %} → True; enters the alert div.
  4. {{ form.errors }}ErrorDict.as_ul() emits e.g.
    <ul class="errorlist nonfield"><li>Invalid scope.</li></ul>.
  5. {{ form.non_field_errors }} → returns the same ErrorList and renders
    <ul class="errorlist nonfield"><li>Invalid scope.</li></ul> again.
  6. The user sees the message twice in the same alert box.

Why this slipped past

Both Django snippets look complementary at a glance — "errors and non-field errors" reads naturally — but form.errors is a superset, not a sibling, of form.non_field_errors. The standard Django idiom is to render either {{ form.errors }} alone, or {{ form.non_field_errors }} plus per-field errors — never both.

Impact

Cosmetic only — no functional or security impact, and only visible on the error path. The visible OAuth error code path mostly flows through the {% else %} branch (which renders error.error / error.description), so this duplication shows up only when AllowForm itself fails validation.

Fix

Delete the {{ form.non_field_errors }} line; {{ form.errors }} already covers it:

{% if form.errors %}
  <div class="alert alert-danger">
    {{ form.errors }}
  </div>
{% endif %}


<form method="post" id="authorizationForm">{% csrf_token %}
{% for field in form %}
{% if field.is_hidden %}{{ field }}{% endif %}
{% endfor %}
<div class="text-right v-offset-above-2">
<button type="submit" class="btn btn-default btn-lg">Cancel</button>
<button type="submit" name="allow" value="Authorize" class="btn btn-primary btn-lg">Allow access</button>
</div>
</form>
{% else %}
<h2>Something went wrong</h2>
<p class="lead">We couldn’t complete this authorization request.</p>
<p>
<strong>Error:</strong> {{ error.error }}
{% if error.description %}
<br><strong>Details:</strong> {{ error.description }}
{% endif %}
</p>
<p>
Try returning to the application that sent you here and
starting over. If the problem continues, please
<a href="{% url "contact" %}">contact us</a>.
</p>
{% endif %}
</div>
<div class="col-xs-1 col-sm-2 col-md-3"></div>
{% endblock %}
Loading