feat: remove enterprise dashboard context imports (ENT-11569)#38094
Open
Conversation
| return redirect(settings.AUTHN_MICROFRONTEND_URL + url_path) | ||
|
|
||
| response = redirect(redirect_url) if redirect_url and is_enterprise_learner(request.user) else redirect('dashboard') | ||
| response = redirect(redirect_url) if redirect_url else redirect('dashboard') |
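Review bot: the changed line still passes redirect_url straight into redirect() with no host check, and dropping the is_enterprise_learner(request.user) condition widens that path from enterprise learners to every account being activated. CodeQL flags exactly this line as URL redirection from a remote source, so gate it with url_has_allowed_host_and_scheme before following redirect_url (or point to where it is validated upstream, which this hunk does not show), and fall back to redirect('dashboard') when the check fails.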
Check warning (Code scanning / CodeQL): URL redirection from remote source, severity Medium
Copilot Autofix (AI), 3 days ago
Add an explicit safety validation immediately before the redirect sink in activate_account in common/djangoapps/student/views/management.py.
Best fix:
- Import Django's built-in validator:
from django.utils.http import url_has_allowed_host_and_scheme
- Before
response = redirect(redirect_url) if redirect_url else redirect('dashboard')
validate redirect_url against allowed hosts and HTTPS policy:
  - Allowed hosts should include the current host (request.get_host()) and optionally the configured LMS host.
  - Require HTTPS when the request is secure.
- If validation fails, set
redirect_url = None
so the existing fallback redirect('dashboard') is used.
This keeps existing functionality for valid internal redirects while guaranteeing a safe fallback when malformed/external URLs slip through.
Suggested changeset 1: common/djangoapps/student/views/management.py
| @@ -24,6 +24,7 @@ | ||
| from django.shortcuts import redirect | ||
| from django.template.context_processors import csrf | ||
| from django.urls import reverse | ||
| from django.utils.http import url_has_allowed_host_and_scheme | ||
| from django.utils.translation import gettext as _ | ||
| from django.views.decorators.csrf import ensure_csrf_cookie # lint-amnesty, pylint: disable=unused-import # noqa: F401 | ||
| from django.views.decorators.http import ( # lint-amnesty, pylint: disable=unused-import | ||
| @@ -702,6 +703,13 @@ | ||
| url_path = '/login?{}'.format(urllib.parse.urlencode(params)) # noqa: UP032 | ||
| return redirect(settings.AUTHN_MICROFRONTEND_URL + url_path) | ||
|
|
||
| if redirect_url and not url_has_allowed_host_and_scheme( | ||
| url=redirect_url, | ||
| allowed_hosts={request.get_host()}, | ||
| require_https=request.is_secure(), | ||
| ): | ||
| redirect_url = None | ||
|
|
||
| response = redirect(redirect_url) if redirect_url else redirect('dashboard') | ||
| if show_account_activation_popup: | ||
| response.delete_cookie( |
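Review bot: allowed_hosts={request.get_host()} in the second hunk accepts only same-host targets, while the explanation above says the configured LMS host should optionally be allowed as well; since this same view already redirects off-host to settings.AUTHN_MICROFRONTEND_URL a few lines earlier, decide whether redirect_url may legitimately point at that host and, if so, add it to the set from settings instead of relying on request.get_host() alone. Also, require_https=request.is_secure() only does what the comment promises when the deployment reports TLS correctly behind its proxy (Django's SECURE_PROXY_SSL_HEADER); otherwise an http:// redirect_url is accepted on an HTTPS site.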
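The check the autofix describes, worked through on constructed inputs, as an added example that is not code from this PR or from edx-platform. It uses Django's url_has_allowed_host_and_scheme when Django is importable and otherwise falls back to a stdlib port of the same rules (an assumption about Django's behaviour, limited to the cases shown); the host name lms.example.org, the attacker host evil.example and the function choose_redirect_target are all hypothetical, and the sample URLs are constructed to cover the shapes the CodeQL finding is about.

```python
"""Added example (not from the PR or edx-platform): open-redirect guard for
redirect_url in the spirit of the Copilot autofix, runnable with or without Django."""
import unicodedata
from urllib.parse import urlparse

try:
    # Production code imports Django's validator, exactly as the autofix does.
    from django.utils.http import url_has_allowed_host_and_scheme
except ImportError:
    # Django not installed: stdlib port of the same rules (assumption: matches
    # Django's _url_has_allowed_host_and_scheme for the cases exercised below).
    def _variant_is_safe(url, allowed_hosts, require_https):
        url = url.strip()
        if not url or url.startswith("///"):
            return False
        try:
            info = urlparse(url)
        except ValueError:
            return False
        # A scheme with no host ("http:///x", "javascript:...") is never allowed.
        if not info.netloc and info.scheme:
            return False
        # Reject URLs that begin with a control character.
        if unicodedata.category(url[0])[0] == "C":
            return False
        # A scheme-relative URL ("//host/p") is treated as http.
        scheme = info.scheme or ("http" if info.netloc else "")
        valid_schemes = {"https"} if require_https else {"http", "https"}
        return (not info.netloc or info.netloc in allowed_hosts) and (
            not scheme or scheme in valid_schemes
        )

    def url_has_allowed_host_and_scheme(url, allowed_hosts, require_https=False):
        url = (url or "").strip()
        if not url:
            return False
        if allowed_hosts is None:
            allowed_hosts = set()
        elif isinstance(allowed_hosts, str):
            allowed_hosts = {allowed_hosts}
        # Browsers fold backslashes into slashes, so both spellings must be safe.
        return _variant_is_safe(url, allowed_hosts, require_https) and _variant_is_safe(
            url.replace("\\", "/"), allowed_hosts, require_https
        )


def choose_redirect_target(redirect_url, request_host, request_is_secure, fallback="/dashboard"):
    """Mirror the autofix (hypothetical helper): follow redirect_url only when it
    stays on the current host and, on secure requests, uses HTTPS; otherwise
    fall back to the dashboard, as redirect('dashboard') does in the view."""
    if redirect_url and not url_has_allowed_host_and_scheme(
        url=redirect_url,
        allowed_hosts={request_host},
        require_https=request_is_secure,
    ):
        redirect_url = None
    return redirect_url or fallback


# Constructed sample inputs (hypothetical hosts): relative path, same-host,
# same-host over plain http, off-host, scheme-relative, backslash-smuggled,
# non-http scheme and empty.
SAMPLE_HOST = "lms.example.org"
SAMPLE_CASES = [
    "/dashboard/courses",
    "https://lms.example.org/account",
    "http://lms.example.org/account",
    "https://evil.example/phish",
    "//evil.example/phish",
    "\\\\evil.example",
    "javascript:alert(1)",
    "",
]


def run_samples(request_is_secure=True):
    """Return {candidate redirect_url: target actually used} for every sample."""
    return {url: choose_redirect_target(url, SAMPLE_HOST, request_is_secure) for url in SAMPLE_CASES}


if __name__ == "__main__":
    for url, target in run_samples().items():
        print(f"{url!r:38} -> {target}")
```

On a secure request only the relative path and the https same-host URL survive; everything else, including the http same-host URL and the backslash form that a browser would read as //evil.example, is replaced by the dashboard fallback. Running with request_is_secure=False additionally admits the http same-host URL, which is the require_https behaviour the autofix wires to request.is_secure().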
87089ed to 4637f70
pwnage101 (Contributor, Author) commented Mar 5, 2026:
Note for implementer/reviewer: looks like isort got run with the wrong parameters. At least fix that.
325efef to 644789f
kiram15 reviewed Apr 22, 2026:
| @@ -802,7 +793,7 @@ def student_dashboard(request): # lint-amnesty, pylint: disable=too-many-statem | |||
| 'urls': urls, | |||
| 'programs_data': programs_data, | |||
| 'enterprise_message': enterprise_message, | |||
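Review bot: 'enterprise_message' is still handed to the student_dashboard context in this hunk even though the PR removes the enterprise dashboard context imports; the hunk shows only unchanged context lines, so the assignment that feeds it is not visible here. Confirm the variable is still populated after the import removal and, if it is now always empty, drop the key and the template lookup that reads it in the same change rather than leaving a dead context entry.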
Contributor: Should I remove enterprise_message entirely?
644789f to 3542e01