api: check request signature in tracking code lookup API (#21858)
parent
77c0778f11
commit
31e374494f
|
@ -1979,21 +1979,24 @@ def test_tracking_code(pub):
|
|||
code.formdata = formdata
|
||||
code.store()
|
||||
|
||||
resp = get_app(pub).get('/api/code/foobar', status=404)
|
||||
# missing signature
|
||||
get_app(pub).get('/api/code/foobar', status=403)
|
||||
|
||||
resp = get_app(pub).get(sign_url('/api/code/foobar?orig=coucou', '1234'), status=404)
|
||||
assert resp.json['err'] == 1
|
||||
|
||||
resp = get_app(pub).get('/api/code/%s' % code.id, status=200)
|
||||
resp = get_app(pub).get(sign_url('/api/code/%s?orig=coucou' % code.id, '1234'), status=200)
|
||||
assert resp.json['err'] == 0
|
||||
assert resp.json['url'] == 'http://example.net/test/%s' % formdata.id
|
||||
|
||||
formdef.enable_tracking_codes = False
|
||||
formdef.store()
|
||||
resp = get_app(pub).get('/api/code/%s' % code.id, status=404)
|
||||
resp = get_app(pub).get(sign_url('/api/code/%s?orig=coucou' % code.id, '1234'), status=404)
|
||||
|
||||
formdef.enable_tracking_codes = True
|
||||
formdef.store()
|
||||
formdata.remove_self()
|
||||
resp = get_app(pub).get('/api/code/%s' % code.id, status=404)
|
||||
resp = get_app(pub).get(sign_url('/api/code/%s?orig=coucou' % code.id, '1234'), status=404)
|
||||
|
||||
def test_validate_expression(pub):
|
||||
resp = get_app(pub).get('/api/validate-expression?expression=hello')
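Review bot: The missing-signature case in `test_tracking_code` is exercised only against the non-existent code `foobar`, so nothing pins that an unsigned request for a real tracking code is refused before the lookup runs. Next to the existing 403 check (after `code.store()`), I would add `get_app(pub).get('/api/code/%s' % code.id, status=403)`. A request signed with the wrong key is also untested; with a constructed key, `get_app(pub).get(sign_url('/api/code/%s?orig=coucou' % code.id, 'not-the-key'), status=403)` would cover it, assuming the signature helper answers a bad signature with 403 (its code is not shown on this page).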
|
||||
|
|
|
@ -645,6 +645,8 @@ class ApiUsersDirectory(Directory):
|
|||
class ApiTrackingCodeDirectory(Directory):
|
||||
def _q_lookup(self, component):
|
||||
get_response().set_content_type('application/json')
|
||||
if not is_url_signed():
|
||||
raise AccessForbiddenError('missing signature')
|
||||
try:
|
||||
tracking_code = get_publisher().tracking_code_class.get(component)
|
||||
except KeyError:
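Review bot: The guard added at the top of `_q_lookup` carries no comment explaining why this lookup must be signed, and as written it admits any validly signed caller rather than a particular one. Since the test shows a code resolving to a form URL, I would add above the check `# tracking codes resolve to form URLs; require a signed API client so codes cannot be probed anonymously`. Whether `is_url_signed()` returns False or raises for a present-but-invalid signature is not visible here; if it returns False, the `'missing signature'` message is misleading for that case and something like `'missing or invalid signature'` would be more accurate. The method body continues past the end of the hunk.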
|
||||
|
|