0001-api-export-all-formdefs-if-url-is-signed-without-a-u.patch

Thomas Noël, 29 mai 2015 11:54



Subject: [PATCH] api: export all formdefs if url is signed without a user
 (#7410)

 wcs/api.py        | 10 +++++++---
 wcs/forms/root.py |  6 ++++--
 2 files changed, 11 insertions(+), 5 deletions(-)
wcs/api.py
32 32
from wcs.roles import Role
33 33

  
34 34

  
35
def get_user_from_api_query_string():
35
def is_url_signed():
36 36
    query_string = get_request().get_query()
37 37
    if not query_string:
38
        return None
38
        return False
39 39
    signature = get_request().form.get('signature')
40 40
    if not isinstance(signature, basestring):
41
        return None
41
        return False
42 42
    # verify signature
43 43
    orig = get_request().form.get('orig')
44 44
    if not isinstance(orig, basestring):
......
67 67
    if abs(delta) > datetime.timedelta(seconds=MAX_DELTA):
68 68
        raise AccessForbiddenError('timestamp delta is more '
69 69
                'than %s seconds: %s seconds' % (MAX_DELTA, delta))
70
    return True
70 71

  
72
def get_user_from_api_query_string():
73
    if not is_url_signed():
74
        return None
71 75
    # Signature is good. Now looking for the user, by email/NameID.
72 76
    # If email or NameID exist but are empty, return None
73 77
    user = None
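Review bot: `get_user_from_api_query_string` now returns None both when the URL is unsigned and when it is signed but the user lookup yields nothing (the surviving comment says an empty email/NameID returns None; the lookup itself lies past the hunk), so the `is_url_signed() and user is None` test in wcs/forms/root.py `json` treats a signed request whose named user was not found the same as one that deliberately omits the user. If the full formdef listing is meant only for the latter, the caller should check that no email/NameID parameter is present in the query rather than that `user is None`, or the lookup should raise `AccessForbiddenError` when a user was named but not found, so that a mistyped identity cannot widen the result set. `is_url_signed` also returns False for a missing or malformed signature yet still raises `AccessForbiddenError` on a stale timestamp, which a caller reading the boolean name will not expect; a docstring such as `"""Return True when the query string carries a valid signature, False when unsigned or malformed; raises AccessForbiddenError when the timestamp is stale."""` would make that contract visible. The signature comparison itself is outside the hunk, so what a mismatched signature does is not reviewable here.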
wcs/forms/root.py
1210 1210
        return r.getvalue()
1211 1211

  
1212 1212
    def json(self):
1213
        from wcs.api import get_user_from_api_query_string
1213
        from wcs.api import is_url_signed, get_user_from_api_query_string
1214 1214
        user = get_user_from_api_query_string() or get_request().user
1215
        list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
1216

  
1215 1217
        list_forms = []
1216 1218

  
1217 1219
        if self.category:
......
1227 1229

  
1228 1230
        for formdef in formdefs:
1229 1231
            authentication_required = False
1230
            if formdef.roles and not (user and user.is_admin):
1232
            if formdef.roles and not list_all_forms:
1231 1233
                if not user:
1232 1234
                    if not formdef.always_advertise:
1233 1235
                        continue
1234
-