0001-api-export-all-formdefs-if-url-is-signed-without-a-u.patch
wcs/api.py | ||
32 | 32 |
from wcs.roles import Role |
33 | 33 | |
34 | 34 | |
35 |
def get_user_from_api_query_string():
|
|
35 |
def is_url_signed():
|
|
36 | 36 |
query_string = get_request().get_query() |
37 | 37 |
if not query_string: |
38 |
return None
|
|
38 |
return False
|
|
39 | 39 |
signature = get_request().form.get('signature') |
40 | 40 |
if not isinstance(signature, basestring): |
41 |
return None
|
|
41 |
return False
|
|
42 | 42 |
# verify signature |
43 | 43 |
orig = get_request().form.get('orig') |
44 | 44 |
if not isinstance(orig, basestring): |
... | ... | |
67 | 67 |
if abs(delta) > datetime.timedelta(seconds=MAX_DELTA): |
68 | 68 |
raise AccessForbiddenError('timestamp delta is more ' |
69 | 69 |
'than %s seconds: %s seconds' % (MAX_DELTA, delta)) |
70 |
return True |
|
70 | 71 | |
72 |
def get_user_from_api_query_string(): |
|
73 |
if not is_url_signed(): |
|
74 |
return None |
|
71 | 75 |
# Signature is good. Now looking for the user, by email/NameID. |
72 | 76 |
# If email or NameID exist but are empty, return None |
73 | 77 |
user = None |
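Review bot: The new `get_user_from_api_query_string` wrapper (new lines 72-77) returns None both when the URL carries no signature and when it is signed but the requested user cannot be resolved (the comment at line 76 states that an empty email/NameID yields None), and callers cannot distinguish the two; wcs/forms/root.py now treats `is_url_signed() and user is None` as permission to list every formdef, so a signed request that names an unresolvable user appears to fall back to the full listing rather than the anonymous one. Consider separating the cases, either by raising AccessForbiddenError when a signed request names a user that does not exist (the timestamp check already raises at lines 67-69) or by documenting that any signed URL without a resolvable user is treated as a trusted service call. Separately, `is_url_signed` is named like a predicate but only returns False for an absent query string or signature and raises on at least the timestamp check, so a docstring such as `"""Return True if the request is validly signed, False if it carries no signature; raises AccessForbiddenError when a signature is present but fails a check."""` would make the contract explicit to callers. The body of is_url_signed between lines 44 and 67 is elided on this page, and get_user_from_api_query_string continues past the end of the hunk.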
wcs/forms/root.py | ||
1210 | 1210 |
return r.getvalue() |
1211 | 1211 | |
1212 | 1212 |
def json(self): |
1213 |
from wcs.api import get_user_from_api_query_string |
|
1213 |
from wcs.api import is_url_signed, get_user_from_api_query_string
|
|
1214 | 1214 |
user = get_user_from_api_query_string() or get_request().user |
1215 |
list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None) |
|
1216 | ||
1215 | 1217 |
list_forms = [] |
1216 | 1218 | |
1217 | 1219 |
if self.category: |
... | ... | |
1227 | 1229 | |
1228 | 1230 |
for formdef in formdefs: |
1229 | 1231 |
authentication_required = False |
1230 |
if formdef.roles and not (user and user.is_admin):
|
|
1232 |
if formdef.roles and not list_all_forms:
|
|
1231 | 1233 |
if not user: |
1232 | 1234 |
if not formdef.always_advertise: |
1233 | 1235 |
continue |
1234 |
- |