wcs: always sign api url (#7404)

combo/apps/wcs/models.py

@@ -158,17 +158,18 @@ class WcsBlurpMixin(object):
             }
 
             url += self.api_url + '?format=json'
-            if context.get('user'):
-                url += '&orig=%s' % wcs_site.get('orig')
+            if wcs_site.get('orig') and wcs_site.get('secret'):
+                url += '&orig=%s' % wcs_site['orig']
                 source['auth_mech'] = 'hmac-sha1'
-                source['signature_key'] = str(wcs_site.get('secret', ''))
-                if context.get('request') and hasattr(context['request'], 'session') \
-                   and context['request'].session.get('mellon_session'):
-                    mellon = context['request'].session['mellon_session']
-                    nameid = mellon['name_id_content']
-                    url += '&NameID=' + urllib.quote(nameid)
-                elif hasattr(context['user'], 'email') and context['user'].email:
-                    url += '&email=' + urllib.quote(context['user'].email)
+                source['signature_key'] = str(wcs_site['secret'])
+                if context.get('user'):
+                    if context.get('request') and hasattr(context['request'], 'session') \
+                       and context['request'].session.get('mellon_session'):
+                        mellon = context['request'].session['mellon_session']
+                        nameid = mellon['name_id_content']
+                        url += '&NameID=' + urllib.quote(nameid)
+                    elif hasattr(context['user'], 'email') and context['user'].email:
+                        url += '&email=' + urllib.quote(context['user'].email)
 
             source['url'] = url
             sources.append(source)