configure password via env var

2025-07-16 15:46:21 +02:00 · 2025-07-16 15:46:21 +02:00 · 27d2d3bb7a
commit 27d2d3bb7a
parent 0f54e411db
4 changed files with 33 additions and 4 deletions
--- a/hub/services/views/calculator.py
+++ b/hub/services/views/calculator.py
@ -1,6 +1,7 @@
 from django.shortcuts import render, redirect
 from django.contrib import messages
 from django.views.decorators.http import require_http_methods
+from django.conf import settings


@require_http_methods(["GET", "POST"])
@ -14,13 +15,30 @@ def csp_roi_calculator(request):
        request.session.pop("csp_calculator_authenticated", None)
        return redirect("services:csp_roi_calculator")

-    # Simple password protection - check if authenticated in session
+    # Get password from Django settings
+    calculator_password = getattr(settings, "CSP_CALCULATOR_PASSWORD", None)
+
+    # If no password is configured, deny access
+    if not calculator_password:
+        messages.error(
+            request,
+            "Calculator is not properly configured. Please contact administrator.",
+        )
+        return render(
+            request, "calculator/password_form.html", {"password_error": True}
+        )
+
+    # Password protection - check if authenticated in session
    if not request.session.get("csp_calculator_authenticated", False):
        if request.method == "POST":
            password = request.POST.get("password", "")
-            # Simple password check - in production, this should be more secure
-            if password == "servala2025":  # TODO: Move to environment variable
+
+            # Validate password
+            if password == calculator_password:
                request.session["csp_calculator_authenticated"] = True
+                # Set session timeout (optional - expires after 24 hours of inactivity)
+                request.session.set_expiry(86400)  # 24 hours
+                messages.success(request, "Access granted to CSP ROI Calculator.")
                return redirect("services:csp_roi_calculator")
            else:
                messages.error(request, "Invalid password. Please try again.")