
feat: remove enterprise dashboard context imports (ENT-11569)#38094

Open
pwnage101 wants to merge 9 commits intomasterfrom
pwnage101/ENT-11569

Conversation

@pwnage101
Contributor

feat: remove enterprise dashboard context imports (ENT-11569)

ENT-11569

return redirect(settings.AUTHN_MICROFRONTEND_URL + url_path)

response = redirect(redirect_url) if redirect_url and is_enterprise_learner(request.user) else redirect('dashboard')
response = redirect(redirect_url) if redirect_url else redirect('dashboard')
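Review bot: dropping the `is_enterprise_learner(request.user)` condition on this line means every caller of the view, not only enterprise learners, now reaches `redirect(redirect_url)`, so the target must be checked before this line is relied on; CodeQL flags it as a redirect that depends on a user-provided value. Either validate `redirect_url` against the request host (Django's `url_has_allowed_host_and_scheme`) before it is used here, or point the reviewer at where `get_redirect_url_with_host` already enforces that, since nothing in this hunk shows it.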

Check warning

Code scanning / CodeQL: URL redirection from remote source (Medium)

Untrusted URL redirection depends on a user-provided value.

Copilot Autofix

AI 1 day ago

To fix this without changing intended functionality, add a final allowlist-style safety validation for redirect_url in activate_account before it is used in redirect(...). If the URL is not safe, fall back to dashboard behavior (existing default). Use Django’s built-in url_has_allowed_host_and_scheme, allowing only the current host and requiring HTTPS according to request security.

Best single change:

  • File: common/djangoapps/student/views/management.py
  • Region: activate_account, around lines 687–709 (where redirect_url is set and consumed).
  • Edits needed:
    1. Add import: from django.utils.http import url_has_allowed_host_and_scheme
    2. After computing redirect_url, validate it:
      • If present and unsafe, set redirect_url = None
    3. Keep existing logic and fallback redirect('dashboard') unchanged.

This preserves behavior for legitimate internal redirects and blocks untrusted external targets.
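The allowlist rule the autofix describes, shown as a stand-alone, added example (this is not code from the PR or from edx-platform): `is_safe_redirect` reimplements the decision rule of Django's `url_has_allowed_host_and_scheme` with only the standard library so it runs without Django installed (assumption: same semantics as the Django helper), and the two `choose_redirect_*` functions show the "before" and "after" shape of the `activate_account` fallback driven by a constructed stand-in for the request. `FakeRequest`, the hosts and the sample URLs are all constructed for the example.

```python
"""
Open-redirect allowlist check, stand-alone.

Mirrors the decision rule of django.utils.http.url_has_allowed_host_and_scheme
(assumed equivalent) using only the standard library, then applies it the way
the autofix does: an unsafe target is dropped and the view falls back to the
dashboard.
"""
import unicodedata
from urllib.parse import urlsplit


def _allowed(url, allowed_hosts, require_https):
    """Check one spelling of a non-empty URL."""
    # Browsers treat three or more leading slashes as an absolute URL.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # A scheme with no host ("http:///evil.example"): browsers read the first
    # path segment as the host, so refuse the form outright.
    if parts.scheme and not parts.netloc:
        return False
    # Leading control characters can make a browser treat the URL as
    # scheme-relative even though urlsplit sees a plain path.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if not scheme and parts.netloc:
        scheme = "http"  # "//host/path" is network-relative; treat it as http
    valid_schemes = {"https"} if require_https else {"http", "https"}
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    scheme_ok = not scheme or scheme in valid_schemes
    return host_ok and scheme_ok


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """
    True only if `url` stays on an allowed host with an acceptable scheme.

    Both the raw URL and a backslash-normalised copy must pass, because
    browsers rewrite "/\\evil.example" to "//evil.example" before fetching.
    A userinfo part ("https://good@evil.example") never matches because the
    whole netloc, userinfo included, is compared against the allowlist.
    """
    url = (url or "").strip()
    if not url:
        return False
    return _allowed(url, allowed_hosts, require_https) and _allowed(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


class FakeRequest:
    """Constructed stand-in for the Django request object (example only)."""

    def __init__(self, host, secure=True):
        self._host = host
        self._secure = secure

    def get_host(self):
        return self._host

    def is_secure(self):
        return self._secure


def choose_redirect_vulnerable(request, redirect_url):
    """Before: whatever target arrived is used as-is."""
    return redirect_url if redirect_url else "/dashboard"


def choose_redirect_hardened(request, redirect_url):
    """After: the autofix rule. Unsafe targets are dropped, so the existing
    dashboard fallback applies; the current host is the only allowed host."""
    if redirect_url and not is_safe_redirect(
        redirect_url,
        allowed_hosts={request.get_host()},
        require_https=request.is_secure(),
    ):
        redirect_url = None
    return redirect_url if redirect_url else "/dashboard"


if __name__ == "__main__":
    req = FakeRequest("courses.example", secure=True)
    # Constructed sample targets, from benign to hostile.
    for candidate in [
        "/dashboard",
        "https://courses.example/courses/x",
        "http://courses.example/",
        "//evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://courses.example@evil.example/",
    ]:
        print(f"{candidate!r:45} vulnerable -> {choose_redirect_vulnerable(req, candidate)!r:40}"
              f" hardened -> {choose_redirect_hardened(req, candidate)!r}")
```

Run it as a script to see which constructed targets the hardened path discards. The check rejects more than off-host absolute URLs: the backslash, triple-slash, control-character and scheme-without-host forms are all browser parsing quirks that a naive `urlsplit(url).netloc in allowed_hosts` test would wave through, which is why the single-call Django helper is preferable to hand-rolled prefix checks.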

Suggested changeset 1
common/djangoapps/student/views/management.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/common/djangoapps/student/views/management.py b/common/djangoapps/student/views/management.py
--- a/common/djangoapps/student/views/management.py
+++ b/common/djangoapps/student/views/management.py
@@ -24,6 +24,7 @@
 from django.shortcuts import redirect
 from django.template.context_processors import csrf
 from django.urls import reverse
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.translation import gettext as _
 from django.views.decorators.csrf import (  # pylint: disable=unused-import  # noqa: F401
     csrf_exempt,
@@ -698,6 +699,13 @@
         ):
             redirect_url = get_redirect_url_with_host(root_login_url, redirect_to)
 
+    if redirect_url and not url_has_allowed_host_and_scheme(
+        redirect_url,
+        allowed_hosts={request.get_host()},
+        require_https=request.is_secure(),
+    ):
+        redirect_url = None
+
     if should_redirect_to_authn_microfrontend() and not request.user.is_authenticated:
         params = {'account_activation_status': activation_message_type}
         if redirect_url:
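Review bot: the new guard's `allowed_hosts={request.get_host()}` admits only the host that served the activation request, but the value it checks comes from `get_redirect_url_with_host(root_login_url, redirect_to)` a few lines above, so in a deployment where the login host differs from the request host every legitimate target fails the check and the learner is silently sent to the dashboard. Build the allowlist from the hosts the view is actually meant to redirect to (the host of `root_login_url` alongside `request.get_host()`, or the configured allowed hosts), and log when `redirect_url` is discarded so the fallback is visible in operations. `require_https=request.is_secure()` is the right setting and the placement before the `should_redirect_to_authn_microfrontend()` branch covers both the MFE and the legacy redirect paths.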
EOF
@pwnage101 pwnage101 force-pushed the pwnage101/ENT-11569 branch from 87089ed to 4637f70 Compare March 4, 2026 21:58
@pwnage101 pwnage101 marked this pull request as draft March 5, 2026 00:22
Contributor Author

@pwnage101 pwnage101 left a comment


Note for implementer/reviewer: looks like isort got run with the wrong parameters. At least fix that.

@pwnage101 pwnage101 added the enterprise An enterprise-related change label Mar 18, 2026
@kiram15 kiram15 force-pushed the pwnage101/ENT-11569 branch 2 times, most recently from 325efef to 644789f Compare April 20, 2026 21:22
@kiram15 kiram15 marked this pull request as ready for review April 20, 2026 21:51
Comment thread common/djangoapps/student/views/dashboard.py Outdated
@kiram15 kiram15 force-pushed the pwnage101/ENT-11569 branch 2 times, most recently from 2e22c20 to aabafbc Compare April 27, 2026 22:29
@kiram15 kiram15 force-pushed the pwnage101/ENT-11569 branch from 02fafbf to c0912bf Compare April 28, 2026 23:08
@kiram15 kiram15 requested a review from a team as a code owner April 28, 2026 23:08
Comment thread lms/envs/common.py Outdated
Comment thread requirements/edx/base.txt Outdated
Comment thread common/djangoapps/student/views/management.py Outdated
Comment thread cms/envs/help_tokens.ini
Comment thread lms/envs/common.py
@kiram15 kiram15 force-pushed the pwnage101/ENT-11569 branch from 865906c to 646712c Compare April 29, 2026 21:35
@kiram15 kiram15 force-pushed the pwnage101/ENT-11569 branch from 646712c to 6ef4473 Compare April 29, 2026 21:41
Comment thread common/djangoapps/student/views/dashboard.py Outdated
@kiram15 kiram15 requested a review from a team as a code owner April 30, 2026 23:29
@kiram15 kiram15 force-pushed the pwnage101/ENT-11569 branch from 96c6b3b to aa08351 Compare April 30, 2026 23:55

Labels

enterprise An enterprise-related change
