Skip to content

feat: remove enterprise dashboard context imports (ENT-11569)#38094

Draft
pwnage101 wants to merge 1 commit intomasterfrom
pwnage101/ENT-11569
Draft

feat: remove enterprise dashboard context imports (ENT-11569)#38094
pwnage101 wants to merge 1 commit intomasterfrom
pwnage101/ENT-11569

Conversation

@pwnage101
Copy link
Contributor

@pwnage101 pwnage101 commented Mar 4, 2026

feat: remove enterprise dashboard context imports (ENT-11569)

ENT-11569

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 4, 2026
View reviewed changes
common/djangoapps/student/views/management.py
return redirect(settings.AUTHN_MICROFRONTEND_URL + url_path)

response = redirect(redirect_url) if redirect_url and is_enterprise_learner(request.user) else redirect('dashboard')
response = redirect(redirect_url) if redirect_url else redirect('dashboard')

Check warning

Code scanning / CodeQL

URL redirection from remote source Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix

AI 6 days ago

In general, to fix untrusted URL redirection, any URL derived from user input (directly or indirectly) must be validated against an allowlist or using a robust “is safe redirect” check before being passed to redirect(). In a Django context, this typically means ensuring that the target is either a relative URL or, if absolute, has an allowed host and scheme.

For this specific case, the simplest, least-invasive fix is to validate redirect_url at the point where it is used. We already import is_safe_login_or_logout_redirect in common/djangoapps/student/helpers.py; we can use that here by importing it in management.py and checking redirect_url just before calling redirect(redirect_url). If redirect_url is not safe, we should ignore it and fall back to the dashboard, preserving existing behavior for legitimate values while preventing open redirects.

Concretely:

  • In common/djangoapps/student/views/management.py, add an import for is_safe_login_or_logout_redirect from openedx.core.djangoapps.user_authn.utils.
  • In the activate_account view, just before constructing response = redirect(redirect_url) if redirect_url else redirect('dashboard'), add a conditional that resets redirect_url to None if redirect_url is not considered safe by is_safe_login_or_logout_redirect. This leaves all other logic intact, including the use of redirect_url in the params['next'] when redirecting to the AuthN microfrontend.

This ensures that even if get_next_url_for_login_page or get_redirect_url_with_host were ever modified or misused to allow unsafe values, the final redirect in activate_account remains protected.

Suggested changeset 1
common/djangoapps/student/views/management.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/common/djangoapps/student/views/management.py b/common/djangoapps/student/views/management.py
--- a/common/djangoapps/student/views/management.py
+++ b/common/djangoapps/student/views/management.py
@@ -40,6 +40,7 @@
 from eventtracking import tracker
 # Note that this lives in LMS, so this dependency should be refactored.
 from opaque_keys import InvalidKeyError
+from openedx.core.djangoapps.user_authn.utils import is_safe_login_or_logout_redirect
 from opaque_keys.edx.keys import CourseKey
 from rest_framework.decorators import api_view, authentication_classes, permission_classes
 from rest_framework.permissions import IsAuthenticated
@@ -697,6 +698,9 @@
         url_path = '/login?{}'.format(urllib.parse.urlencode(params))
         return redirect(settings.AUTHN_MICROFRONTEND_URL + url_path)
 
+    if redirect_url and not is_safe_login_or_logout_redirect(redirect_url, request):
+        redirect_url = None
+
     response = redirect(redirect_url) if redirect_url else redirect('dashboard')
     if show_account_activation_popup:
         response.delete_cookie(
EOF
@@ -40,6 +40,7 @@
from eventtracking import tracker
# Note that this lives in LMS, so this dependency should be refactored.
from opaque_keys import InvalidKeyError
from openedx.core.djangoapps.user_authn.utils import is_safe_login_or_logout_redirect
from opaque_keys.edx.keys import CourseKey
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.permissions import IsAuthenticated
@@ -697,6 +698,9 @@
url_path = '/login?{}'.format(urllib.parse.urlencode(params))
return redirect(settings.AUTHN_MICROFRONTEND_URL + url_path)

if redirect_url and not is_safe_login_or_logout_redirect(redirect_url, request):
redirect_url = None

response = redirect(redirect_url) if redirect_url else redirect('dashboard')
if show_account_activation_popup:
response.delete_cookie(
Copilot is powered by AI and may make mistakes. Always verify output.
@pwnage101 pwnage101 force-pushed the pwnage101/ENT-11569 branch from 87089ed to 4637f70 Compare March 4, 2026 21:58
@pwnage101 pwnage101 marked this pull request as draft March 5, 2026 00:22
pwnage101
pwnage101 commented Mar 5, 2026
View reviewed changes
Copy link
Contributor Author

@pwnage101 pwnage101 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note for implementer/reviewer: looks like isort got ran with the wrong parameters. at least fix that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pwnage101