0001-api-require-url-to-be-signed-to-get-roles-but-not-a-.patch
tests/test_api.py | ||
---|---|---|
47 | 47 |
user.store() |
48 | 48 |
return user |
49 | 49 | |
50 |
def sign_uri(uri, user): |
|
50 |
def sign_uri(uri, user=None):
|
|
51 | 51 |
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z' |
52 | 52 |
scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri) |
53 | 53 |
if query: |
54 | 54 |
query += '&' |
55 |
query += 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '×tamp=' + timestamp |
|
55 |
query += 'format=json&orig=coucou&algo=sha256×tamp=' + timestamp |
|
56 |
if user: |
|
57 |
query += '&email=' + urllib.quote(user.email) |
|
56 | 58 |
query += '&signature=%s' % urllib.quote( |
57 | 59 |
base64.b64encode( |
58 | 60 |
hmac.new('1234', |
... | ... | |
383 | 385 |
role = Role(name='Hello World') |
384 | 386 |
role.store() |
385 | 387 | |
386 |
resp = get_app(pub).get(sign_uri('/api/roles', user=local_user), headers={'Accept': 'application/json'}) |
|
388 |
resp = get_app(pub).get('/api/roles', status=403) |
|
389 | ||
390 |
resp = get_app(pub).get(sign_uri('/api/roles')) |
|
387 | 391 |
assert resp.json['data'][0]['text'] == 'Hello World' |
388 | 392 |
assert resp.json['data'][0]['slug'] == 'hello-world' |
389 | 393 | |
390 | 394 |
# also check old endpoint, for compatibility |
391 |
resp = get_app(pub).get(sign_uri('/roles', user=local_user), headers={'Accept': 'application/json'})
|
|
395 |
resp = get_app(pub).get(sign_uri('/roles'), headers={'Accept': 'application/json'}) |
|
392 | 396 |
assert resp.json['data'][0]['text'] == 'Hello World' |
393 | 397 |
assert resp.json['data'][0]['slug'] == 'hello-world' |
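Review bot: The new negative check `get_app(pub).get('/api/roles', status=403)` only pins the unsigned case, yet after this change a bare valid signature (no email) is enough for an anonymous caller, so the test should also pin that a tampered signature is refused, e.g. `get_app(pub).get(sign_uri('/api/roles') + 'x', status=403)`, and, if `sign_uri` grows a timestamp parameter, that a stale timestamp is refused too. The compatibility endpoint `/roles` gets only the positive signed check; adding `get_app(pub).get('/roles', status=403)` next to it would keep both routes on the same boundary (whether `/roles` shares the same handler is not visible here). The `sign_uri` hunk leaves the new `user=None` mode undocumented — a one-line docstring such as `"""Sign uri with the test key; include the email parameter only when user is given."""` would make clear which callers exercise the anonymous path. The `×tamp` fragment on the query lines is presumably the page's rendering of `&timestamp` rather than a change to the test.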
wcs/api.py | ||
---|---|---|
177 | 177 | |
178 | 178 |
def roles(self): |
179 | 179 |
get_response().set_content_type('application/json') |
180 |
if not (get_request().user and get_request().user.can_go_in_admin()) and \
|
|
181 |
not get_user_from_api_query_string():
|
|
180 |
if not (is_url_signed() or (
|
|
181 |
get_request().user and get_request().user.can_go_in_admin())):
|
|
182 | 182 |
raise AccessForbiddenError() |
183 | 183 |
list_roles = [] |
184 | 184 |
charset = get_publisher().site_charset |
185 |
- |