myspace: check request signature of API requests

Frédéric Péters 2013-04-20 12:21:57 +02:00
parent e9f7e9a3ff
commit 523acb042d
1 changed files with 2 additions and 7 deletions


@ -13,6 +13,7 @@ from qommon import template
from qommon.form import *
from qommon import get_cfg, get_logger
from qommon import errors
from wcs.api import get_user_from_api_query_string
import qommon.ident.password
from qommon.ident.password_accounts import PasswordAccount
@ -365,13 +366,7 @@ class JsonDirectory(Directory):
user = None
def _q_traverse(self, path):
if get_request().form.get('NameID'):
ni = get_request().form.get('NameID')
nis = list(get_publisher().user_class.select(lambda x: ni in x.name_identifiers))
if nis:
self.user = nis[0]
else:
self.user = get_request().user
self.user = get_user_from_api_query_string() or get_request().user
if not self.user:
raise errors.AccessUnauthorizedError()
return Directory._q_traverse(self, path)
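Review bot: In `_q_traverse`, the `or get_request().user` fallback on the new assignment runs whenever `get_user_from_api_query_string()` returns a falsy value, so if that helper returns `None` for a present-but-invalid signature (its body is not shown here), a request with a bad signature and a live session would be served as the session user instead of being rejected. The helper should raise on a failed verification and return `None` only when the query string carries no signature at all; a comment above the assignment would pin that contract, e.g. `# helper raises on a bad signature; None means the request was unsigned, so fall back to the session user`. It is also worth a test that a `NameID` sent without a valid signature no longer selects that user, since that is the behaviour the removed lines allowed. The `JsonDirectory` class starts outside the hunk.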