diff --git a/wcs/api.py b/wcs/api.py
index 425d8774d..52921f4d1 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -32,13 +32,13 @@ from wcs.formdef import FormDef
 from wcs.roles import Role
-def get_user_from_api_query_string():
+def is_url_signed():
     query_string = get_request().get_query()
     if not query_string:
-        return None
+        return False
     signature = get_request().form.get('signature')
     if not isinstance(signature, basestring):
-        return None
+        return False
     # verify signature
     orig = get_request().form.get('orig')
     if not isinstance(orig, basestring):
@@ -67,7 +67,11 @@ def get_user_from_api_query_string():
     if abs(delta) > datetime.timedelta(seconds=MAX_DELTA):
         raise AccessForbiddenError('timestamp delta is more '
                 'than %s seconds: %s seconds' % (MAX_DELTA, delta))
+    return True
+def get_user_from_api_query_string():
+    if not is_url_signed():
+        return None
     # Signature is good. Now looking for the user, by email/NameID.
     # If email or NameID exist but are empty, return None
     user = None
diff --git a/wcs/forms/root.py b/wcs/forms/root.py
index fa63eea21..aa7634cbb 100644
--- a/wcs/forms/root.py
+++ b/wcs/forms/root.py
@@ -1210,8 +1210,10 @@ class RootDirectory(AccessControlled, Directory):
         return r.getvalue()
     def json(self):
-        from wcs.api import get_user_from_api_query_string
+        from wcs.api import is_url_signed, get_user_from_api_query_string
         user = get_user_from_api_query_string() or get_request().user
+        list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
+
         list_forms = []
         if self.category:
@@ -1227,7 +1229,7 @@ class RootDirectory(AccessControlled, Directory):
         for formdef in formdefs:
             authentication_required = False
-            if formdef.roles and not (user and user.is_admin):
+            if formdef.roles and not list_all_forms:
                 if not user:
                     if not formdef.always_advertise:
                         continue
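Review bot: `is_url_signed()` has no docstring, and its contract is asymmetric: it returns False when the query string or the `signature` parameter is missing, but (as the second hunk shows) raises AccessForbiddenError when the timestamp is outside MAX_DELTA, so a caller that only tests the boolean still has to expect an exception. Suggest `"""Return True when the query string carries a valid signature, False when no signature is present; raises AccessForbiddenError when the signed timestamp is outside MAX_DELTA."""` directly under the new `def`. Whether an invalid signature itself returns False or raises is decided in the part of the body outside this hunk, so the wording should follow that code. The function body continues past the end of the hunk.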
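Review bot: The new `get_user_from_api_query_string()` delegates the signature check to `is_url_signed()`, so any local that the remainder of its body (outside this hunk) still references from the old single function — `query_string`, `signature`, `orig`, `delta` — is now out of scope and would raise NameError at runtime; worth confirming against the full body. The function also keeps no docstring after the split; suggest `"""Return the user designated by a signed query string, or None when the URL is unsigned or names no user."""`, adjusted once the lookup part below the hunk is checked. The body of `get_user_from_api_query_string` continues past the end of the hunk.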
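Review bot: `list_all_forms` grants a request that carries a valid signature but resolves to no user the same listing as an admin (`is_url_signed() and user is None`), which is the security-relevant decision of this change and is not explained at the line; suggest `# a signed API call with no user is trusted like an admin and sees role-restricted forms` above it, since the same flag relaxes the `formdef.roles` check in the next hunk. The second `is_url_signed()` call repeats the signature and timestamp verification already performed inside `get_user_from_api_query_string()` on the previous line; harmless as far as this hunk shows, but worth a short comment or capturing the result once. `user is None` is only true when both the API lookup and `get_request().user` yield None — if the request user can be another falsy value, `not user` would be the intended test; confirm against the request object.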