0001-misc-add-rate-limiting-to-tracking-code-URL-35386.patch

Frédéric Péters, 13 août 2019 14:07

Voir les différences: en ligne côte à côte

Subject: [PATCH] misc: add rate limiting to tracking code URL (#35386)

 debian/control           |  1 +
 setup.py                 |  1 +
 tests/conftest.py        |  9 +++++++++
 tests/test_form_pages.py | 27 +++++++++++++++++----------
 wcs/forms/root.py        | 10 ++++++++++
 5 files changed, 38 insertions(+), 10 deletions(-)

debian/control
15	15	python-hobo,
16	16	graphviz,
17	17	python-django-ckeditor,
	18	python-django-ratelimit,
18	19	python-feedparser,
19	20	python-imaging,
20	21	python-pyproj,

setup.py
109	109	install_requires=[
110	110	'gadjo>=0.53',
111	111	'django-ckeditor<=4.5.3',
	112	'django-ratelimit<3',
112	113	'XStatic-Leaflet',
113	114	'pyproj',
114	115	],

     def http_requests():
         with HttpRequestsMocking() as http_requests:
             yield http_requests
     @pytest.fixture
     def nocache(settings):
         settings.CACHES = {
             'default': {
                 'BACKEND': 'django.core.cache.backends.dummy.DummyCache',
+            }
+        }

             t1, t2 = z1.read(name), z2.read(name)
             assert t1 == t2, 'file "%s" differs' % name
     def pytest_generate_tests(metafunc):
         if 'pub' in metafunc.fixturenames:
             metafunc.parametrize('pub', ['pickle', 'sql', 'pickle-templates', 'pickle-lazy'], indirect=True)
-...
                 break
         return tracking_code
     def test_form_tracking_code(pub):
     def test_form_tracking_code(pub, nocache):
         formdef = create_formdef()
         formdef.fields = [fields.StringField(id='0', label='string')]
         formdef.enable_tracking_codes = True
-...
         assert resp.location == 'http://example.net/test/%s' % formdata_id
         resp = resp.follow()
     def test_form_tracking_code_rate_limit(pub):
         # three errors
         get_app(pub).get('/code/ABC/load', status=404)
         get_app(pub).get('/code/ABC/load', status=404)
         get_app(pub).get('/code/ABC/load', status=404)
         # and out
         get_app(pub).get('/code/ABC/load', status=403)
         get_app(pub).get('/code/ABC/load', status=403)
     def test_form_tracking_code_as_user(pub):
     def test_form_tracking_code_as_user(pub, nocache):
         user = create_user(pub)
         formdef = create_formdef()
         formdef.fields = [fields.StringField(id='0', label='string')]
-...
         resp = app.get('/code/%s/load' % tracking_code,
                 headers={'User-agent': 'Googlebot'}, status=403)
     def test_form_empty_tracking_code(pub):
     def test_form_empty_tracking_code(pub, nocache):
         formdef = create_formdef()
         formdef.fields = [fields.StringField(id='0', label='string')]
         formdef.enable_tracking_codes = True
-...
         assert resp.location == 'http://example.net/code/%s/load' % tracking_code
         resp = resp.follow(status=404)
     def test_form_tracking_code_email(pub, emails):
     def test_form_tracking_code_email(pub, emails, nocache):
         formdef = create_formdef()
         formdef.data_class().wipe()
         formdef.fields = [fields.StringField(id='0', label='string'),
-...
         resp = resp.follow()
         assert resp.forms[1]['f0'].value == 'barfoo'
     def test_form_tracking_code_remove_draft(pub):
     def test_form_tracking_code_remove_draft(pub, nocache):
         formdef = create_formdef()
         formdef.fields = [fields.StringField(id='0', label='string')]
         formdef.enable_tracking_codes = True
-...
         assert resp.location == 'http://example.net/'
         assert formdef.data_class().count() == 0
     def test_form_tracking_code_remove_empty_draft(pub):
     def test_form_tracking_code_remove_empty_draft(pub, nocache):
         formdef = create_formdef()
         formdef.fields = [fields.StringField(id='0', label='string')]
         formdef.enable_tracking_codes = True
-...
         assert resp.location == 'http://example.net/'
         assert formdef.data_class().count() == 0
     def test_form_discard_draft(pub):
     def test_form_discard_draft(pub, nocache):
         user = create_user(pub)
         formdef = create_formdef()
-...
         resp = resp.forms[1].submit('cancel')
         assert [x.status for x in formdef.data_class().select()] == ['draft']
     def test_form_invalid_tracking_code(pub):
     def test_form_invalid_tracking_code(pub, nocache):
         formdef = create_formdef()
         formdef.fields = [fields.StringField(id='0', label='string')]
         formdef.enable_tracking_codes = True
-...
         assert resp.location == 'http://example.net/code/%s/load' % code.id
         resp = resp.follow(status=404)
     def test_form_tracking_code_as_variable(pub):
     def test_form_tracking_code_as_variable(pub, nocache):
         formdef = create_formdef()
         formdef.fields = [fields.PageField(id='0', label='1st page', type='page'),
                 fields.StringField(id='1', label='string'),

     from django.utils.six import StringIO
     from django.utils.safestring import mark_safe
     import ratelimit.utils
     from quixote import (get_publisher, get_request, get_response, get_session,
             get_session_manager, redirect)
     from quixote.directory import Directory, AccessControlled
-...
             return r.getvalue()
         def load(self):
             ratelimited = ratelimit.utils.is_ratelimited(
                     request=get_request().django_request,
                     group='trackingcode',
                     key='ip',
                     rate='3/s',
                     increment=True)
             if ratelimited:
                 raise errors.AccessForbiddenError()
             try:
                 tracking_code = get_publisher().tracking_code_class.get(self.code)
                 if tracking_code.formdata_id is None:
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-misc-add-rate-limiting-to-tracking-code-URL-35386.patch