0001-api-return-form-categories-even-if-user-authenticati.patch

Serghei Mihai (congés, retour 15/05), 28 juillet 2015 11:24



Subject: [PATCH] api: return form categories even if user authentication fails
 (#7957)

 tests/test_api.py    | 13 +++++++++++++
 wcs/api.py           |  5 +++--
 wcs/forms/root.py    | 21 +++++++++++++++++----
 wcs/qommon/errors.py |  4 ++++
 4 files changed, 37 insertions(+), 6 deletions(-)
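--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -124,6 +124,19 @@
     output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
     assert output.json == {'data': []}
 
+def test_get_user_from_api_query_string_error_invalid_nameid_valid_endpoint():
+    # check it's ok to sign an URL with an invalid NameID if the endpoint
+    # works fine without user.
+    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
+    query = 'format=json&NameID=xxx&orig=coucou&algo=sha1&timestamp=' + timestamp
+    signature = urllib.quote(
+            base64.b64encode(
+                hmac.new('1234',
+                    query,
+                    hashlib.sha1).digest()))
+    output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
+    assert output.json == {'data': []}
+
 def test_get_user_from_api_query_string_error_success_sha1(local_user):
     timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
     query = 'format=json&orig=coucou&algo=sha1&email=' + urllib.quote(local_user.email) + '&timestamp=' + timestamp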
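Review bot: The new test asserts only `{'data': []}`, which is the same body the anonymous-signature test just above it receives, so it passes whether the unknown NameID was downgraded to anonymous or simply ignored, and it does not cover the other half of the contract, that the same signed query with `NameID=xxx` is still refused where a user is required. A second case sending that query to an endpoint that needs a user, expecting it to be refused rather than answered, would pin that down; the categories case could also be made distinguishable by creating a category visible to `local_user` and checking it is absent from the response for the unknown NameID. Whether the refusal surfaces as an exception from `get_app(pub).get(...)` or needs an explicit `status=` argument depends on the `get_app` fixture, which is outside this hunk.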
wcs/api.py
26 26

  
27 27
from quixote import get_request, get_publisher, get_response
28 28
from quixote.directory import Directory
29
from qommon.errors import AccessForbiddenError, QueryError, TraversalError
29
from qommon.errors import AccessForbiddenError, QueryError, TraversalError, \
30
    UnknownNameIdAccessForbiddenError
30 31

  
31 32
from wcs.formdef import FormDef
32 33
from wcs.roles import Role
......
92 93
        if users:
93 94
            user = users[0]
94 95
        else:
95
            raise AccessForbiddenError('unknown NameID')
96
            raise UnknownNameIdAccessForbiddenError('unknown NameID')
96 97

  
97 98
    return user
98 99
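Review bot: `get_user_from_api_query_string` now raises a distinct subclass for the unknown-NameID case and callers are expected to catch it to fall back to anonymous access, but nothing at the function says so; its header is outside the second hunk. I would add to its docstring a line such as `Raises UnknownNameIdAccessForbiddenError (a subclass of AccessForbiddenError) when the signed query names a NameID that matches no user; endpoints that can serve anonymous visitors may catch it and continue without a user.` Since the new class subclasses `AccessForbiddenError`, existing `except AccessForbiddenError` handlers keep rejecting the request as before, which is presumably why the import in the first hunk only widens the list rather than replacing it.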

  
wcs/forms/root.py
1188 1188
        return r.getvalue()
1189 1189

  
1190 1190
    def json(self):
1191
        from wcs.api import is_url_signed, get_user_from_api_query_string
1192
        user = get_user_from_api_query_string() or get_request().user
1191
        from wcs.api import is_url_signed, get_user_from_api_query_string, \
1192
            UnknownNameIdAccessForbiddenError
1193
        try:
1194
            user = get_user_from_api_query_string() or get_request().user
1195
        except UnknownNameIdAccessForbiddenError:
1196
            # if authenticating the user via the query string failed, return
1197
            # results for the anonymous case; user is set to 'False' as a
1198
            # signed URL with a None user is considered like an appropriate
1199
            # webservice call.
1200
            user = False
1193 1201
        list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
1194 1202

  
1195 1203
        list_forms = []
......
1278 1286
        return r.getvalue()
1279 1287

  
1280 1288
    def categories_json(self):
1281
        from wcs.api import get_user_from_api_query_string
1282
        user = get_user_from_api_query_string() or get_request().user
1289
        from wcs.api import get_user_from_api_query_string, UnknownNameIdAccessForbiddenError
1290
        try:
1291
            user = get_user_from_api_query_string() or get_request().user
1292
        except UnknownNameIdAccessForbiddenError:
1293
            # the name id was unknown, return the categories for anonymous
1294
            # users.
1295
            user = None
1283 1296
        list_categories = []
1284 1297
        charset = get_publisher().site_charset
1285 1298
        categories = self.get_categories(user)
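Review bot: In `json()` (first hunk; the function body continues past the hunk) the unknown-NameID fallback overloads `user` with a third falsy value, `False`, purely to dodge the `is_url_signed() and user is None` branch of `list_all_forms`, and it differs from `categories_json` in the second hunk, which uses `None` for the same situation; any later code in `json()` that tests `user is None` to mean "anonymous" would presumably take the other path for `False`. Recording the condition in its own flag keeps `user` either `None` or a user object and states the reason at the one line that needs it. The narrow `except UnknownNameIdAccessForbiddenError` is right as written: a bad signature still raises the base `AccessForbiddenError` and is not downgraded to anonymous. Both hunks also import the exception from `wcs.api`, which merely re-exports it; importing it from `qommon.errors` as `wcs/api.py` itself does removes that dependency on the re-export.

```python
    def json(self):
        from wcs.api import is_url_signed, get_user_from_api_query_string
        from qommon.errors import UnknownNameIdAccessForbiddenError
        unknown_name_id = False
        try:
            user = get_user_from_api_query_string() or get_request().user
        except UnknownNameIdAccessForbiddenError:
            # the signed query named a NameID that matches no user: answer as
            # for an anonymous visitor, but never as for a signed URL without
            # user, which would set list_all_forms.
            user = None
            unknown_name_id = True
        list_all_forms = (user and user.is_admin) or (
                is_url_signed() and user is None and not unknown_name_id)
        # … unchanged: rest of json() …
```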
wcs/qommon/errors.py
39 39
                    location_hint = self.location_hint)
40 40

  
41 41

  
42
class UnknownNameIdAccessForbiddenError(AccessForbiddenError):
43
    pass
44

  
45

  
42 46
class AccessUnauthorizedError(AccessForbiddenError):
43 47
    def render(self):
44 48
        session = quixote.get_session()
45
-