[Fixex #13805] Fix lockdown middleware order (#13806)

giohappy · web-flow · commit baa10c09734c · 2025-12-11T15:15:01.000+01:00
diff --git a/geonode/settings.py b/geonode/settings.py
@@ -862,18 +862,23 @@
 if SESSION_ENGINE in ("django.contrib.sessions.backends.cached_db", "django.contrib.sessions.backends.cache"):
     SESSION_CACHE_ALIAS = "memcached"  # use memcached cache if a cached backend is requested
 
-# Security stuff
-
-# Require users to authenticate before using Geonode
-LOCKDOWN_GEONODE = ast.literal_eval(os.getenv("LOCKDOWN_GEONODE", "False"))
-# Require users to authenticate before using Geonode
-if LOCKDOWN_GEONODE:
-    MIDDLEWARE += ("geonode.security.middleware.LoginRequiredMiddleware",)
-
-# LOCKDOWN API endpoints to prevent unauthenticated access.
-# If set to True, search won't deliver results and filtering ResourceBase-objects is not possible for anonymous users
-API_LOCKDOWN = ast.literal_eval(os.getenv("API_LOCKDOWN", "False"))
+# Add additional paths (as regular expressions) that don't require
+# authentication.
+# - authorized exempt urls needed for oauth when GeoNode is set to lockdown
+AUTH_EXEMPT_URLS = (
+    f"{FORCE_SCRIPT_NAME}/o/*",
+    f"{FORCE_SCRIPT_NAME}/gs/*",
+    f"{FORCE_SCRIPT_NAME}/account/*",
+    f"{FORCE_SCRIPT_NAME}/static/*",
+    f"{FORCE_SCRIPT_NAME}/api/o/*",
+    f"{FORCE_SCRIPT_NAME}/api/roles",
+    f"{FORCE_SCRIPT_NAME}/api/adminRole",
+    f"{FORCE_SCRIPT_NAME}/api/users",
+    f"{FORCE_SCRIPT_NAME}/api/datasets",
+    r"^/i18n/setlang/?$",
+)
 
+# Security stuff
 SESSION_EXPIRED_CONTROL_ENABLED = ast.literal_eval(os.environ.get("SESSION_EXPIRED_CONTROL_ENABLED", "True"))
 
 if SESSION_EXPIRED_CONTROL_ENABLED:
@@ -974,22 +979,6 @@
 # 1 day expiration time by default
 ACCESS_TOKEN_EXPIRE_SECONDS = int(os.getenv("ACCESS_TOKEN_EXPIRE_SECONDS", "86400"))
 
-# Add additional paths (as regular expressions) that don't require
-# authentication.
-# - authorized exempt urls needed for oauth when GeoNode is set to lockdown
-AUTH_EXEMPT_URLS = (
-    f"{FORCE_SCRIPT_NAME}/o/*",
-    f"{FORCE_SCRIPT_NAME}/gs/*",
-    f"{FORCE_SCRIPT_NAME}/account/*",
-    f"{FORCE_SCRIPT_NAME}/static/*",
-    f"{FORCE_SCRIPT_NAME}/api/o/*",
-    f"{FORCE_SCRIPT_NAME}/api/roles",
-    f"{FORCE_SCRIPT_NAME}/api/adminRole",
-    f"{FORCE_SCRIPT_NAME}/api/users",
-    f"{FORCE_SCRIPT_NAME}/api/datasets",
-    r"^/i18n/setlang/?$",
-)
-
 ANONYMOUS_USER_ID = os.getenv("ANONYMOUS_USER_ID", "-1")
 GUARDIAN_GET_INIT_ANONYMOUS_USER = os.getenv(
     "GUARDIAN_GET_INIT_ANONYMOUS_USER", "geonode.people.models.get_anonymous_user_instance"
@@ -1038,6 +1027,16 @@
     AUTHENTICATION_BACKENDS = ("geonode.security.backends.AdminRestrictedAccessBackend",) + AUTHENTICATION_BACKENDS
     MIDDLEWARE += ("geonode.security.middleware.AdminAllowedMiddleware",)
 
+# LOCKDOWN API endpoints to prevent unauthenticated access.
+# If set to True, search won't deliver results and filtering ResourceBase-objects is not possible for anonymous users
+API_LOCKDOWN = ast.literal_eval(os.getenv("API_LOCKDOWN", "False"))
+
+# Require users to authenticate before using Geonode
+LOCKDOWN_GEONODE = ast.literal_eval(os.getenv("LOCKDOWN_GEONODE", "False"))
+# Require users to authenticate before using Geonode
+if LOCKDOWN_GEONODE:
+    MIDDLEWARE += ("geonode.security.middleware.LoginRequiredMiddleware",)
+
 # A tuple of hosts the proxy can send requests to.
 try:
     # try to parse python notation, default in dockerized env
