From 08da0da549f2f3f2df1f654592290ab03c6ad11e Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: Sep 18 2018 14:59:44 +0000
Subject: Break infinite redirect loop


When AUTH is set to fas, if the user has not sign the FPCA and tries
accessing a page requiring authentication and FPCA, they get redirected
to the index page, from there to the user's dashboard that requires
authentication and FPCA and the loop is triggered.

Fixes https://pagure.io/pagure/issue/3611

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

---

diff --git a/pagure/ui/app.py b/pagure/ui/app.py
index fcf0ca1..4639798 100644
--- a/pagure/ui/app.py
+++ b/pagure/ui/app.py
@@ -58,7 +58,9 @@ def _filter_acls(repos, acl, user):
 def index():
     """ Front page of the application.
     """
-    if authenticated() and flask.request.path == "/":
+    if authenticated() and flask.request.path == "/" \
+            and not flask.session.get("_requires_fpca", False):
+        flask.request.from_index = True
         return flask.redirect(flask.url_for("ui_ns.userdash_projects"))
 
     sorting = flask.request.args.get("sorting") or None
@@ -986,6 +988,7 @@ def userprofile_groups(username):
 def new_project():
     """ Form to create a new project.
     """
+
     user = pagure.lib.search_user(
         flask.g.session, username=flask.g.fas_user.username
     )
diff --git a/pagure/utils.py b/pagure/utils.py
index a1d74c0..43433c8 100644
--- a/pagure/utils.py
+++ b/pagure/utils.py
@@ -205,11 +205,11 @@ def login_required(function):
     If the auth system is ``fas`` it will also require that the user sign
     the FPCA.
     """
-    auth_method = pagure_config.get("PAGURE_AUTH", None)
 
     @wraps(function)
     def decorated_function(*args, **kwargs):
         """ Decorated function, actually does the work. """
+        auth_method = pagure_config.get("PAGURE_AUTH", None)
         if flask.session.get("_justloggedout", False):
             return flask.redirect(flask.url_for("ui_ns.index"))
         elif not authenticated():
@@ -217,6 +217,7 @@ def login_required(function):
                 flask.url_for("auth_login", next=flask.request.url)
             )
         elif auth_method == "fas" and not flask.g.fas_user.cla_done:
+            flask.session["_requires_fpca"] = True
             flask.flash(
                 flask.Markup(
                     'You must <a href="https://admin.fedoraproject'
diff --git a/tests/test_pagure_flask_ui_app.py b/tests/test_pagure_flask_ui_app.py
index b3680b6..32beae9 100644
--- a/tests/test_pagure_flask_ui_app.py
+++ b/tests/test_pagure_flask_ui_app.py
@@ -1937,6 +1937,23 @@ class PagureFlaskApptests(tests.Modeltests):
             output = self.app.get('/settings/token/new')
             self.assertEqual(output.status_code, 302)
 
+    @patch.dict('pagure.config.config', {'PAGURE_AUTH': 'fas'})
+    @patch.dict('pagure.utils.pagure_config', {'PAGURE_AUTH': 'fas'})
+    def test_create_project_auth_FAS_no_FPCA(self):
+        """ Test creating a project when auth is FAS and the user did not
+        sign the FPCA. """
+
+        user = tests.FakeUser(username='foo', cla_done=False)
+        with tests.user_set(self.app.application, user):
+            output = self.app.get('/new/', follow_redirects=True)
+            self.assertEqual(output.status_code, 200)
+            output_text = output.get_data(as_text=True)
+            self.assertIn('<title>Home - Pagure</title>', output_text)
+            self.assertIn(
+                '</i> You must <a href="https://admin.fedoraproject.org/accounts/'
+                '">sign the FPCA</a> (Fedora Project Contributor Agreement) '
+                'to use pagure</div>', output_text)
+
 
 class PagureFlaskAppNoDocstests(tests.Modeltests):
     """ Tests for flask app controller of pagure """