
0001-api-require-url-to-be-signed-to-get-roles-but-not-a-.patch

Frédéric Péters, 11 juin 2015 14:32


Subject: [PATCH] api: require url to be signed to get roles, but not a valid
 user (#7535)

 tests/test_api.py | 12 ++++++++----
 wcs/api.py        |  4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)
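--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -47,12 +47,14 @@
     user.store()
     return user
 
-def sign_uri(uri, user):
+def sign_uri(uri, user=None):
     timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
     scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri)
     if query:
         query += '&'
-    query += 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '&timestamp=' + timestamp
+    query += 'format=json&orig=coucou&algo=sha256&timestamp=' + timestamp
+    if user:
+        query += '&email=' + urllib.quote(user.email)
     query += '&signature=%s' % urllib.quote(
             base64.b64encode(
                 hmac.new('1234',
@@ -383,11 +385,13 @@
     role = Role(name='Hello World')
     role.store()
 
-    resp = get_app(pub).get(sign_uri('/api/roles', user=local_user), headers={'Accept': 'application/json'})
+    resp = get_app(pub).get('/api/roles', status=403)
+
+    resp = get_app(pub).get(sign_uri('/api/roles'))
     assert resp.json['data'][0]['text'] == 'Hello World'
     assert resp.json['data'][0]['slug'] == 'hello-world'
 
     # also check old endpoint, for compatibility
-    resp = get_app(pub).get(sign_uri('/roles', user=local_user), headers={'Accept': 'application/json'})
+    resp = get_app(pub).get(sign_uri('/roles'), headers={'Accept': 'application/json'})
     assert resp.json['data'][0]['text'] == 'Hello World'
     assert resp.json['data'][0]['slug'] == 'hello-world'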
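Review bot: The new assertions on the roles endpoint only exercise a signature that sign_uri itself just produced (new lines 388–390 and 395); nothing checks that a request whose signature no longer matches its query string is still refused, which is the boundary the wcs/api.py hunk appears to move from "valid admin user" to "signed URL". A negative case alongside the 403 check, for example `get_app(pub).get(sign_uri('/api/roles') + 'x', status=403)` (the appended character alters the trailing signature parameter), would pin the rejection path; whether the timestamp parameter is bounded in time cannot be seen from this page, and a test for a stale timestamp would document it either way. Separately, the request on new line 390 drops the `headers={'Accept': 'application/json'}` that the compatibility request on 395 keeps, so the two requests now rely on different content-negotiation defaults; using the same headers on both keeps the comparison uniform. The enclosing test function starts before this hunk.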
wcs/api.py
177 177

  
178 178
    def roles(self):
179 179
        get_response().set_content_type('application/json')
180
        if not (get_request().user and get_request().user.can_go_in_admin()) and \
181
                not get_user_from_api_query_string():
180
        if not (is_url_signed() or (
181
                get_request().user and get_request().user.can_go_in_admin())):
182 182
            raise AccessForbiddenError()
183 183
        list_roles = []
184 184
        charset = get_publisher().site_charset
185
-