-
-
Notifications
You must be signed in to change notification settings - Fork 253
feat(templates): add oath consent template #7454
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
nadahlberg
wants to merge
5
commits into
main
Choose a base branch
from
oauth-consent-template
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+79
−0
Open
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
7f51b50
feat(templates): add oath consent template
nadahlberg d45b17d
feat(templates): update oauth consent errors to mirror login
nadahlberg 1579523
Merge branch 'main' into oauth-consent-template
ERosendo eb7c739
Merge branch 'main' into oauth-consent-template
ERosendo 42274b9
Merge branch 'main' into oauth-consent-template
ERosendo File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| {% extends "base.html" %} | ||
|
|
||
| {% block title %}{% if error %}Authorization error{% else %}Authorize {{ application.name }}{% endif %} – CourtListener.com{% endblock %} | ||
|
|
||
| {% block privacy %} | ||
| <meta name="robots" content="noindex, noodp, noarchive, noimageindex"/> | ||
| {% endblock %} | ||
|
|
||
| {% block footer-scripts %}{% endblock %} | ||
| {% block sidebar %}{% endblock %} | ||
|
|
||
| {% block content %} | ||
| <div class="col-xs-1 col-sm-2 col-md-3"></div> | ||
| <div class="col-xs-10 col-sm-8 col-md-6 well"> | ||
| {% if not error %} | ||
| <h2>Authorize <em>{{ application.name }}</em>?</h2> | ||
| <p class="gray"> | ||
| Signed in as <strong>{{ request.user.username }}</strong>. | ||
| </p> | ||
|
|
||
| <p class="lead v-offset-above-2"> | ||
| The application <strong>{{ application.name }}</strong> is | ||
| requesting access to your CourtListener account. If you | ||
| approve, it will be able to: | ||
| </p> | ||
|
|
||
| <ul> | ||
| {% for scope in scopes_descriptions %} | ||
| <li>{{ scope }}</li> | ||
| {% endfor %} | ||
| </ul> | ||
|
|
||
| {% if form.redirect_uri.value %} | ||
| <p> | ||
| After you decide, you will be redirected to: | ||
| <br> | ||
| <code>{{ form.redirect_uri.value }}</code> | ||
| </p> | ||
| {% endif %} | ||
|
|
||
| <div class="alert alert-warning v-offset-above-2" role="alert"> | ||
| <i class="fa fa-exclamation-triangle"></i> | ||
| Only authorize applications you trust. They will be able to | ||
| act on your behalf within the permissions listed above. | ||
| </div> | ||
|
|
||
| {% if form.errors %} | ||
| {% for error in form.non_field_errors %} | ||
| <p class="alert alert-danger">{{ error|escape }}</p> | ||
| {% endfor %} | ||
| {% endif %} | ||
|
|
||
| <form method="post" id="authorizationForm">{% csrf_token %} | ||
| {% for field in form %} | ||
| {% if field.is_hidden %}{{ field }}{% endif %} | ||
| {% endfor %} | ||
| <div class="text-right v-offset-above-2"> | ||
| <button type="submit" class="btn btn-default btn-lg">Cancel</button> | ||
| <button type="submit" name="allow" value="Authorize" class="btn btn-primary btn-lg">Allow access</button> | ||
| </div> | ||
| </form> | ||
| {% else %} | ||
| <h2>Something went wrong</h2> | ||
| <p class="lead">We couldn’t complete this authorization request.</p> | ||
| <p> | ||
| <strong>Error:</strong> {{ error.error }} | ||
| {% if error.description %} | ||
| <br><strong>Details:</strong> {{ error.description }} | ||
| {% endif %} | ||
| </p> | ||
| <p> | ||
| Try returning to the application that sent you here and | ||
| starting over. If the problem continues, please | ||
| <a href="{% url "contact" %}">contact us</a>. | ||
| </p> | ||
| {% endif %} | ||
| </div> | ||
| <div class="col-xs-1 col-sm-2 col-md-3"></div> | ||
| {% endblock %} | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟡
{{ form.errors }}renders Django'sErrorDict(viaas_ul()), which already includes non-field errors under the__all__key — so the immediately-following{{ form.non_field_errors }}prints those same messages a second time inside the alert box. Since django-oauth-toolkit'sAllowFormvalidation failures (invalidredirect_uri,scope, etc.) are almost exclusively non-field errors, the duplication will be visible in essentially every error case. Drop one of the two lines (typically{{ form.non_field_errors }}).Extended reasoning...
What goes wrong
Django's
Form.errorsis anErrorDict. Its default rendering (ErrorDict.__str__→as_ul()) emits a single<ul class="errorlist">containing every error on the form, including non-field errors keyed under the special__all__key (NON_FIELD_ERRORS).form.non_field_errors()is then justself.errors.get(NON_FIELD_ERRORS, self.error_class(...))— it returns the sameErrorListthatform.errorsalready rendered.So this block:
renders the non-field errors twice inside the same alert div.
Why this matters for AllowForm
The form used here is django-oauth-toolkit's
AllowForm. Validation failures fromclean()/add_error(None, ...)(invalidredirect_uri, invalidscope, etc.) are non-field errors, so practically every error message a user would see on this page will appear duplicated.Step-by-step proof
scope.AllowForm.clean()raises aValidationError, which is stored under__all__.{% if form.errors %}→ True; enters the alert div.{{ form.errors }}→ErrorDict.as_ul()emits e.g.<ul class="errorlist nonfield"><li>Invalid scope.</li></ul>.{{ form.non_field_errors }}→ returns the sameErrorListand renders<ul class="errorlist nonfield"><li>Invalid scope.</li></ul>again.Why this slipped past
Both Django snippets look complementary at a glance — "errors and non-field errors" reads naturally — but
form.errorsis a superset, not a sibling, ofform.non_field_errors. The standard Django idiom is to render either{{ form.errors }}alone, or{{ form.non_field_errors }}plus per-field errors — never both.Impact
Cosmetic only — no functional or security impact, and only visible on the error path. The visible OAuth error code path mostly flows through the
{% else %}branch (which renderserror.error/error.description), so this duplication shows up only whenAllowFormitself fails validation.Fix
Delete the
{{ form.non_field_errors }}line;{{ form.errors }}already covers it: