api: allow signed queries that do not specify email or NameID (#7156)
This commit is contained in:
parent
1e200cd30c
commit
4e78b42ae5
|
@ -65,8 +65,8 @@ def test_user_page_redirect():
|
|||
assert output.headers.get('location') == 'http://example.net/myspace/'
|
||||
|
||||
def test_user_page_error_when_json_and_no_user():
|
||||
output = get_app(pub).get('/user?format=json')
|
||||
assert output.body == '???'
|
||||
output = get_app(pub).get('/user?format=json', status=403)
|
||||
assert output.json['err_desc'] == 'no user specified'
|
||||
|
||||
def test_get_user_from_api_query_string_error_missing_orig():
|
||||
output = get_app(pub).get('/user?format=json&signature=xxx', status=403)
|
||||
|
@ -106,7 +106,20 @@ def test_get_user_from_api_query_string_error_missing_email():
|
|||
query,
|
||||
hashlib.sha1).digest()))
|
||||
output = get_app(pub).get('/user?%s&signature=%s' % (query, signature), status=403)
|
||||
assert output.json['err_desc'] == 'missing email or NameID fields'
|
||||
assert output.json['err_desc'] == 'no user specified'
|
||||
|
||||
def test_get_user_from_api_query_string_error_missing_email_valid_endpoint():
|
||||
# check it's ok to sign an URL without specifiying an user if the endpoint
|
||||
# works fine without user.
|
||||
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
|
||||
query = 'format=json&orig=coucou&algo=sha1×tamp=' + timestamp
|
||||
signature = urllib.quote(
|
||||
base64.b64encode(
|
||||
hmac.new('1234',
|
||||
query,
|
||||
hashlib.sha1).digest()))
|
||||
output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
|
||||
assert output.json == {'data': []}
|
||||
|
||||
def test_get_user_from_api_query_string_error_success_sha1(local_user):
|
||||
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
|
||||
|
|
|
@ -69,9 +69,7 @@ def get_user_from_api_query_string():
|
|||
# Signature is good. Now looking for the user, by email/NameID.
|
||||
# If email or NameID exist but are empty, return None
|
||||
user = None
|
||||
if not ('email' in get_request().form or 'NameID' in get_request().form):
|
||||
raise AccessForbiddenError('missing email or NameID fields')
|
||||
elif get_request().form.get('email'):
|
||||
if get_request().form.get('email'):
|
||||
email = get_request().form.get('email')
|
||||
if not isinstance(email, basestring):
|
||||
raise AccessForbiddenError('multiple email field')
|
||||
|
|
|
@ -292,7 +292,7 @@ class RootDirectory(Directory):
|
|||
get_response().set_content_type('application/json')
|
||||
user = get_user_from_api_query_string() or get_request().user
|
||||
if not user:
|
||||
return errors.AccessForbiddenError()
|
||||
raise errors.AccessForbiddenError('no user specified')
|
||||
user_info = user.get_substitution_variables(prefix='')
|
||||
del user_info['user']
|
||||
user_info['user_roles'] = []
|
||||
|
|
Loading…
Reference in New Issue