snapshot: preserve role-aware notification preferences and operational alerts

2026-03-27 11:26:57 +01:00
parent fe3a8933fd
commit aa54f41731
25 changed files with 2958 additions and 633 deletions
--- a/backend/workflows/middleware.py
+++ b/backend/workflows/middleware.py
@@ -39,7 +39,7 @@ class RequestIDMiddleware:


 class RateLimitMiddleware:
-    LOGIN_PATHS = ('/accounts/login/',)
+    LOGIN_PATHS = ('/accounts/login/', '/accounts/login/totp/')
    PASSWORD_RESET_PATHS = ('/accounts/password_reset/',)
    # Keep this list path-prefix based so new platform actions get protected
    # without having to wire every single view into a second permission layer.
@@ -157,7 +157,13 @@ class AuthSessionHardeningMiddleware:
            login_url = reverse('login')
            return redirect(f'{login_url}?next={request.get_full_path()}')

-        if request.method == 'POST' and any(path.startswith(prefix) for prefix in self.SENSITIVE_POST_PREFIXES):
+        is_sensitive_post = request.method == 'POST' and any(path.startswith(prefix) for prefix in self.SENSITIVE_POST_PREFIXES)
+        if request.method == 'POST' and path == '/account/':
+            account_form = (request.POST.get('account_form') or '').strip()
+            if account_form in {'totp_disable', 'totp_regenerate_codes'}:
+                is_sensitive_post = True
+
+        if is_sensitive_post:
            fresh_window = max(60, settings.SENSITIVE_ACTION_REAUTH_SECONDS)
            auth_fresh_ts = int(request.session.get('auth_fresh_ts') or last_activity_ts)
            if now_ts - auth_fresh_ts > fresh_window: