0001-api-return-form-categories-even-if-user-authenticati.patch
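--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -124,6 +124,19 @@
     output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
     assert output.json == {'data': []}
 
+def test_get_user_from_api_query_string_error_invalid_nameid_valid_endpoint():
+    # check it's ok to sign an URL with an invalid NameID if the endpoint
+    # works fine without user.
+    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
+    query = 'format=json&NameID=xxx&orig=coucou&algo=sha1×tamp=' + timestamp
+    signature = urllib.quote(
+        base64.b64encode(
+            hmac.new('1234',
+                query,
+                hashlib.sha1).digest()))
+    output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
+    assert output.json == {'data': []}
+
 def test_get_user_from_api_query_string_error_success_sha1(local_user):
     timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
     query = 'format=json&orig=coucou&algo=sha1&email=' + urllib.quote(local_user.email) + '×tamp=' + timestamp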
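Review bot: The new test pins only the degraded-to-anonymous response of /categories for an unknown NameID; nothing in this hunk checks that the same signed query is still refused on an endpoint that requires a user, so a regression that caught UnknownNameIdAccessForbiddenError too broadly would pass this suite. A companion test reusing `query` and `signature` against a user-only endpoint and asserting a forbidden response would pin that boundary, and asserting here that the plain unsigned request also yields `{'data': []}` would show the fallback really is the anonymous result. The timestamp/signature construction appears copied verbatim from the neighbouring tests; a small `sign_query(query)` helper in the test module would keep the copies from drifting. The `×tamp` in the query on this page is presumably the `&timestamp=` parameter mangled by entity rendering, not something in the patch.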
wcs/api.py | ||
26 | 26 | |
27 | 27 |
from quixote import get_request, get_publisher, get_response |
28 | 28 |
from quixote.directory import Directory |
29 |
from qommon.errors import AccessForbiddenError, QueryError, TraversalError |
|
29 |
from qommon.errors import AccessForbiddenError, QueryError, TraversalError, \ |
|
30 |
UnknownNameIdAccessForbiddenError |
|
30 | 31 | |
31 | 32 |
from wcs.formdef import FormDef |
32 | 33 |
from wcs.roles import Role |
... | ... | |
92 | 93 |
if users: |
93 | 94 |
user = users[0] |
94 | 95 |
else: |
95 |
raise AccessForbiddenError('unknown NameID') |
|
96 |
raise UnknownNameIdAccessForbiddenError('unknown NameID')
|
|
96 | 97 | |
97 | 98 |
return user |
98 | 99 |
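Review bot: The raise of the new subclass carries no comment on the contract it creates, and get_user_from_api_query_string's body starts outside the hunk, so a reader of this function gets no hint that some callers now deliberately catch the error and continue as anonymous. A one-line comment above the raise, `# subclass of AccessForbiddenError: endpoints able to serve anonymous results may catch this and degrade; all other callers keep the forbidden behaviour`, would document that. Keeping the message at 'unknown NameID' without echoing the supplied value is the right choice, since the NameID comes from the query string and the forbidden response should not help distinguish known from unknown identifiers; that is worth preserving if the class later grows a render method like AccessUnauthorizedError has. The backslash-continued import in the first hunk would read better parenthesised, `from qommon.errors import (AccessForbiddenError, QueryError, TraversalError, UnknownNameIdAccessForbiddenError)`, unless the codebase's style keeps backslashes.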
wcs/forms/root.py | ||
1188 | 1188 |
return r.getvalue() |
1189 | 1189 | |
1190 | 1190 |
def json(self): |
1191 |
from wcs.api import is_url_signed, get_user_from_api_query_string |
|
1192 |
user = get_user_from_api_query_string() or get_request().user |
|
1191 |
from wcs.api import is_url_signed, get_user_from_api_query_string, \ |
|
1192 |
UnknownNameIdAccessForbiddenError |
|
1193 |
try: |
|
1194 |
user = get_user_from_api_query_string() or get_request().user |
|
1195 |
except UnknownNameIdAccessForbiddenError: |
|
1196 |
# if authenticating the user via the query string failed, return |
|
1197 |
# results for the anonymous case; user is set to 'False' as a |
|
1198 |
# signed URL with a None user is considered like an appropriate |
|
1199 |
# webservice call. |
|
1200 |
user = False |
|
1193 | 1201 |
list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None) |
1194 | 1202 | |
1195 | 1203 |
list_forms = [] |
... | ... | |
1278 | 1286 |
return r.getvalue() |
1279 | 1287 | |
1280 | 1288 |
def categories_json(self): |
1281 |
from wcs.api import get_user_from_api_query_string |
|
1282 |
user = get_user_from_api_query_string() or get_request().user |
|
1289 |
from wcs.api import get_user_from_api_query_string, UnknownNameIdAccessForbiddenError |
|
1290 |
try: |
|
1291 |
user = get_user_from_api_query_string() or get_request().user |
|
1292 |
except UnknownNameIdAccessForbiddenError: |
|
1293 |
# the name id was unknown, return the categories for anonymous |
|
1294 |
# users. |
|
1295 |
user = None |
|
1283 | 1296 |
list_categories = [] |
1284 | 1297 |
charset = get_publisher().site_charset |
1285 | 1298 |
categories = self.get_categories(user) |
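Review bot: The two fallbacks use different sentinels for the same condition — json() sets `user = False` and explains why (a None user on a signed URL counts as a privileged webservice call in `list_all_forms`), while categories_json() sets `user = None` with no such note; if `self.get_categories(user)` has no equivalent signed-URL/None privilege the choice is harmless, but that should be stated, e.g. `# None is safe here: get_categories has no signed-URL-with-no-user special case`, or both handlers should use the same value. Both handlers also drop `get_request().user` entirely on the exception, because the `or` never runs once get_user_from_api_query_string() raises; if a signed call with an unknown NameID is intended not to fall back to the session user, the comment should say so, and if it is, the fallback in json() must stay non-None, e.g. `user = get_request().user or False`, so an anonymous session cannot turn into the privileged None case. Both json() and categories_json() continue past the hunk.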
wcs/qommon/errors.py | ||
39 | 39 |
location_hint = self.location_hint) |
40 | 40 | |
41 | 41 | |
42 |
class UnknownNameIdAccessForbiddenError(AccessForbiddenError): |
|
43 |
pass |
|
44 | ||
45 | ||
42 | 46 |
class AccessUnauthorizedError(AccessForbiddenError): |
43 | 47 |
def render(self): |
44 | 48 |
session = quixote.get_session() |
45 |
- |