Require HTTPS for user-account-related pages.

accounts/decorators.py

+from functools import wraps
+from django.http import HttpResponseRedirect
 from django.contrib.auth.decorators import user_passes_test
 from django.conf import settings
 
 superuser_required = user_passes_test(lambda u: u.is_superuser, login_url=settings.LOGIN_URL)
+
+def https_required(view):
+    """A view decorator that redirects to HTTPS if this view is requested
+    over HTTP. Allows HTTP when DEBUG is on and during unit tests.
+    """
+    @wraps(view)
+    def view_or_redirect(request, *args, **kwargs):
+        if not request.is_secure():
+            # Just load the view on a devserver or in the testing environment.
+            if settings.DEBUG or request.META['SERVER_NAME'] == "testserver":
+                return view(request, *args, **kwargs)
+            else:
+                # Redirect to HTTPS.
+                request_url = request.build_absolute_uri(request.get_full_path())
+                secure_url = request_url.replace('http://', 'https://')
+                return HttpResponseRedirect(secure_url)
+        else:
+            # It's HTTPS, so load the view.
+            return view(request, *args, **kwargs)
+    return view_or_redirect
+
+def https_and_superuser_required(view):
+    return https_required(superuser_required(view))

accounts/urls.py

 from django.conf.urls import url, include
 from django.contrib.auth import views as auth_views
+from .decorators import https_required
 from . import views, viewsets
 
 urlpatterns = [
-    url(r'^login/$', views.RememberMeLoginView.as_view(), name='login'),
-    url(r'^logout/$', auth_views.LogoutView.as_view(), name='logout'),
-    url(r'^password_change/$', auth_views.PasswordChangeView.as_view(), name='password_change'),
-    url(r'^password_change/done/$', auth_views.PasswordChangeDoneView.as_view(), name='password_change_done'),
-    url(r'^password_reset/$', auth_views.PasswordResetView.as_view(), name='password_reset'),
-    url(r'^password_reset/done/$', auth_views.PasswordChangeDoneView.as_view(), name='password_reset_done'),
-    url(r'^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$', auth_views.PasswordResetConfirmView.as_view(), name='password_reset_confirm'),
-    url(r'^reset/done/$', auth_views.PasswordResetCompleteView.as_view(), name='password_reset_complete'),
+    url(r'^login/$', https_required(views.RememberMeLoginView.as_view()), name='login'),
+    url(r'^logout/$', https_required(auth_views.LogoutView.as_view()), name='logout'),
+    url(r'^password_change/$', https_required(auth_views.PasswordChangeView.as_view()), name='password_change'),
+    url(r'^password_change/done/$', https_required(auth_views.PasswordChangeDoneView.as_view()), name='password_change_done'),
+    url(r'^password_reset/$', https_required(auth_views.PasswordResetView.as_view()), name='password_reset'),
+    url(r'^password_reset/done/$', https_required(auth_views.PasswordChangeDoneView.as_view()), name='password_reset_done'),
+    url(r'^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$', https_required(auth_views.PasswordResetConfirmView.as_view()), name='password_reset_confirm'),
+    url(r'^reset/done/$', https_required(auth_views.PasswordResetCompleteView.as_view()), name='password_reset_complete'),
     url(r'^users/', include(viewsets.UserViewset.urls(), namespace='user')),
 ]

accounts/viewsets.py

         return user
 
 class UserViewset(BaseViewset):
-    view_decorator = staticmethod(decorators.superuser_required)
+    view_decorator = staticmethod(decorators.https_and_superuser_required)
 
     filter_class = UserFilterSet
     form_class = UserForm