From 755ca076f080be386fbc2d0cd1843f3348c9bcbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Thu, 11 Jun 2015 14:31:27 +0200
Subject: [PATCH] api: require url to be signed to get roles, but not a valid user (#7535)

---
 tests/test_api.py | 12 ++++++++----
 wcs/api.py | 4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index 960f6bf..151251e 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -47,12 +47,14 @@ def local_user():
     user.store()
     return user
 
-def sign_uri(uri, user):
+def sign_uri(uri, user=None):
     timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
     scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri)
     if query:
         query += '&'
-    query += 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '×tamp=' + timestamp
+    query += 'format=json&orig=coucou&algo=sha256×tamp=' + timestamp
+    if user:
+        query += '&email=' + urllib.quote(user.email)
     query += '&signature=%s' % urllib.quote(
         base64.b64encode(
             hmac.new('1234',
@@ -383,11 +385,13 @@ def test_roles(local_user):
     role = Role(name='Hello World')
     role.store()
 
-    resp = get_app(pub).get(sign_uri('/api/roles', user=local_user), headers={'Accept': 'application/json'})
+    resp = get_app(pub).get('/api/roles', status=403)
+
+    resp = get_app(pub).get(sign_uri('/api/roles'))
     assert resp.json['data'][0]['text'] == 'Hello World'
     assert resp.json['data'][0]['slug'] == 'hello-world'
 
     # also check old endpoint, for compatibility
-    resp = get_app(pub).get(sign_uri('/roles', user=local_user), headers={'Accept': 'application/json'})
+    resp = get_app(pub).get(sign_uri('/roles'), headers={'Accept': 'application/json'})
     assert resp.json['data'][0]['text'] == 'Hello World'
     assert resp.json['data'][0]['slug'] == 'hello-world'
 
diff --git a/wcs/api.py b/wcs/api.py
index 52921f4..a400ae7 100644
--- a/wcs/api.py
+++ b/wcs/api.py
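Review bot: sign_uri now has two distinct modes and no docstring says so; the new `user=None` default silently produces a signature that carries no `email` parameter, which is exactly the "signed but anonymous" case the API change relies on, and a reader of the test module cannot tell that from the signature alone. I would add a docstring along the lines of `"""Append the query string wcs expects for a signed request; with user=None no email is included, so the URL is signed but not tied to any account."""`. The `if user:` guard would also read more precisely as `if user is not None:`, since it is testing presence rather than truthiness of a user object. The body of sign_uri (the HMAC computation) continues past the end of this hunk.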
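Review bot: The 403 check in test_roles binds `resp` and then immediately overwrites it, so the assignment on `resp = get_app(pub).get('/api/roles', status=403)` is dead; `get_app(pub).get('/api/roles', status=403)` alone states the intent. More importantly, since the endpoint now admits any caller whose URL verifies, the test covers only the unsigned and the correctly signed cases; a request signed with a wrong key (or, if is_url_signed enforces one, a stale timestamp) should also be asserted to get 403, otherwise a regression in the signature check would pass this test. The second signed request drops the `headers={'Accept': 'application/json'}` that the legacy `/roles` request keeps; presumably `format=json` makes it unnecessary, but the two calls should be consistent. test_roles may continue past the end of the hunk.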
@@ -177,8 +177,8 @@ class ApiDirectory(Directory):
 
     def roles(self):
         get_response().set_content_type('application/json')
-        if not (get_request().user and get_request().user.can_go_in_admin()) and \
-            not get_user_from_api_query_string():
+        if not (is_url_signed() or (
+            get_request().user and get_request().user.can_go_in_admin())):
             raise AccessForbiddenError()
         list_roles = []
         charset = get_publisher().site_charset
-- 
2.1.4
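Review bot: The new condition in roles() makes `is_url_signed()` the sole gate for non-admin callers, replacing `get_user_from_api_query_string()`, which presumably also resolved the signing email to an account; the hunk does not show what is_url_signed verifies (secret, timestamp window, orig), so whether this widens access to anyone holding the shared signing secret should be confirmed and stated next to the check, e.g. `# Readable by any holder of the API signing secret (signed URL) or by an admin session; no user account is required.` The condition itself is hard to read as written, with the continuation line indented at the same level as the `raise`, and it calls get_request() twice; naming the two legs makes the access rule explicit. roles() continues past the end of the hunk.
```python
    def roles(self):
        get_response().set_content_type('application/json')
        # Readable by any holder of the API signing secret (signed URL)
        # or by an admin session; no user account is required.
        user = get_request().user
        is_admin = bool(user and user.can_go_in_admin())
        if not (is_url_signed() or is_admin):
            raise AccessForbiddenError()
        # … unchanged: role listing …
```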