From 2d5f76852334be318242477d69ff5ea9d519abaf Mon Sep 17 00:00:00 2001 From: David Taylor Date: Sun, 9 Oct 2016 10:32:58 +0100 Subject: [PATCH] Added cookie check with nice error message --- RIGS/views.py | 22 ++++++++++++++++++++-- templates/base_embed.html | 10 ++++++++++ templates/registration/login_embed.html | 15 --------------- 3 files changed, 30 insertions(+), 17 deletions(-) diff --git a/RIGS/views.py b/RIGS/views.py index fded9865..c0186bed 100644 --- a/RIGS/views.py +++ b/RIGS/views.py @@ -12,6 +12,8 @@ from django.contrib import messages import datetime, pytz import operator from registration.views import RegistrationView +from django.views.decorators.csrf import csrf_exempt + from RIGS import models, forms 
@@ -29,21 +31,37 @@ class Index(generic.TemplateView): def login(request, **kwargs): if request.user.is_authenticated(): next = request.REQUEST.get('next', '/') - return HttpResponseRedirect(request.REQUEST.get('next', '/')) + return HttpResponseRedirect(next) else: from django.contrib.auth.views import login return login(request) + +# This view should be exempt from requiring CSRF token. +# Then we can check for it and show a nice error +# Don't worry, django.contrib.auth.views.login will +# check for it before logging the user in +@csrf_exempt def login_embed(request, **kwargs): + print("Running LOGIN") if request.user.is_authenticated(): next = request.REQUEST.get('next', '/') - return HttpResponseRedirect(request.REQUEST.get('next', '/')) + return HttpResponseRedirect(next) else: from django.contrib.auth.views import login + if request.method == "POST": + csrf_cookie = request.COOKIES.get('csrftoken', None) + + if csrf_cookie is None: + messages.warning(request, 'Cookies do not seem to be enabled. Try logging in using a new tab.') + request.method = 'GET' # Render the page without trying to login + return login(request, template_name="registration/login_embed.html") + + """ Called from a modal window (e.g. when an item is submitted to an event/invoice). May optionally also include some javascript in a success message to cause a load of diff --git a/templates/base_embed.html b/templates/base_embed.html index 24259ee5..bc7daa1a 100644 --- a/templates/base_embed.html +++ b/templates/base_embed.html @@ -28,6 +28,16 @@
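Review bot: In both `login` and `login_embed`, the `next` value read from `request.REQUEST` goes straight into `HttpResponseRedirect(next)`, so an already-authenticated user who follows a crafted login link is redirected to whatever absolute URL that link names; the commit tidies the expression but leaves the target unchecked. Validating it before the redirect would close this, e.g. `if not is_safe_url(next, host=request.get_host()): next = '/'` with `from django.utils.http import is_safe_url` (assuming the Django 1.x line that `request.REQUEST` implies). The `@csrf_exempt` on `login_embed` is sound only while the wrapped `django.contrib.auth.views.login` keeps its own CSRF protection, so the comment should state that dependency instead of "Don't worry", and the cookie lookup would be more robust as `request.COOKIES.get(settings.CSRF_COOKIE_NAME)` than the literal `'csrftoken'` (whether `settings` is imported is not visible here). The added `print("Running LOGIN")` looks like leftover debugging and should be dropped.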
+ {% if messages %} + {% for message in messages %} + + {% endfor %} + {% endif %} + {% block content %} {% endblock %}
diff --git a/templates/registration/login_embed.html b/templates/registration/login_embed.html index 7f50a7bc..64ef8437 100644 --- a/templates/registration/login_embed.html +++ b/templates/registration/login_embed.html @@ -3,18 +3,6 @@ {% block title %}Login{% endblock %} -{% block js %} - -{% endblock %} - {% block content %}

Rig Information Gathering System

@@ -36,9 +24,6 @@ {% render_field form.password class+="form-control" placeholder=form.password.label %}
-