0001-api-allow-unknown-NameID-on-categories-and-formdefs-.patch

Frédéric Péters, 17 août 2015 10:06

Voir les différences: en ligne côte à côte

Subject: [PATCH] api: allow unknown NameID on categories and formdefs API
 endpoints (#7957)

 tests/test_api.py    | 27 +++++++++++++++++++++++++++
 wcs/api.py           |  5 +++--
 wcs/forms/root.py    | 21 +++++++++++++++++----
 wcs/qommon/errors.py |  4 ++++
 4 files changed, 51 insertions(+), 6 deletions(-)

         output = get_app(pub).get('/user?%s&signature=%s' % (query, signature), status=403)
         assert output.json['err_desc'] == 'no user specified'
     def test_get_user_from_api_query_string_error_unknown_nameid():
         timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
         query = 'format=json&orig=coucou&algo=sha1&NameID=xxx&timestamp=' + timestamp
         signature = urllib.quote(
                 base64.b64encode(
                     hmac.new('1234',
                         query,
                         hashlib.sha1).digest()))
         output = get_app(pub).get('/user?%s&signature=%s' % (query, signature), status=403)
         assert output.json['err_desc'] == 'unknown NameID'
     def test_get_user_from_api_query_string_error_missing_email_valid_endpoint():
         # check it's ok to sign an URL without specifiying an user if the endpoint
         # works fine without user.
-...
                         hashlib.sha1).digest()))
         output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
         assert output.json == {'data': []}
         output = get_app(pub).get('/json?%s&signature=%s' % (query, signature))
         assert output.json == []
     def test_get_user_from_api_query_string_error_unknown_nameid_valid_endpoint():
         # check the categories and forms endpoints accept an unknown NameID
         timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
         query = 'format=json&NameID=xxx&orig=coucou&algo=sha1&timestamp=' + timestamp
         signature = urllib.quote(
                 base64.b64encode(
                     hmac.new('1234',
                         query,
                         hashlib.sha1).digest()))
         output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
         assert output.json == {'data': []}
         output = get_app(pub).get('/json?%s&signature=%s' % (query, signature))
         assert output.json == []
     def test_get_user_from_api_query_string_error_success_sha1(local_user):
         timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'

     from quixote import get_request, get_publisher, get_response
     from quixote.directory import Directory
     from qommon.errors import AccessForbiddenError, QueryError, TraversalError
     from qommon.errors import (AccessForbiddenError, QueryError, TraversalError,
         UnknownNameIdAccessForbiddenError)
     from wcs.formdef import FormDef
     from wcs.roles import Role
-...
             if users:
                 user = users[0]
             else:
                 raise AccessForbiddenError('unknown NameID')
                 raise UnknownNameIdAccessForbiddenError('unknown NameID')
         return user

             return r.getvalue()
         def json(self):
             from wcs.api import is_url_signed, get_user_from_api_query_string
             user = get_user_from_api_query_string() or get_request().user
             from wcs.api import (is_url_signed, get_user_from_api_query_string,
                 UnknownNameIdAccessForbiddenError)
             try:
                 user = get_user_from_api_query_string() or get_request().user
             except UnknownNameIdAccessForbiddenError:
                 # if authenticating the user via the query string failed, return
                 # results for the anonymous case; user is set to 'False' as a
                 # signed URL with a None user is considered like an appropriate
                 # webservice call.
                 user = False
             list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
             list_forms = []
-...
             return r.getvalue()
         def categories_json(self):
             from wcs.api import get_user_from_api_query_string
             user = get_user_from_api_query_string() or get_request().user
             from wcs.api import get_user_from_api_query_string, UnknownNameIdAccessForbiddenError
             try:
                 user = get_user_from_api_query_string() or get_request().user
             except UnknownNameIdAccessForbiddenError:
                 # the name id was unknown, return the categories for anonymous
                 # users.
                 user = None
             list_categories = []
             charset = get_publisher().site_charset
             categories = self.get_categories(user)

                         location_hint = self.location_hint)
     class UnknownNameIdAccessForbiddenError(AccessForbiddenError):
         pass
     class AccessUnauthorizedError(AccessForbiddenError):
         def render(self):
             session = quixote.get_session()
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-api-allow-unknown-NameID-on-categories-and-formdefs-.patch