api: export all formdefs if url is signed without a user (#7410)
This commit is contained in:
parent
fffe1c6c6a
commit
5b88e34063
10
wcs/api.py
10
wcs/api.py
|
@ -32,13 +32,13 @@ from wcs.formdef import FormDef
|
||||||
from wcs.roles import Role
|
from wcs.roles import Role
|
||||||
|
|
||||||
|
|
||||||
def get_user_from_api_query_string():
|
def is_url_signed():
|
||||||
query_string = get_request().get_query()
|
query_string = get_request().get_query()
|
||||||
if not query_string:
|
if not query_string:
|
||||||
return None
|
return False
|
||||||
signature = get_request().form.get('signature')
|
signature = get_request().form.get('signature')
|
||||||
if not isinstance(signature, basestring):
|
if not isinstance(signature, basestring):
|
||||||
return None
|
return False
|
||||||
# verify signature
|
# verify signature
|
||||||
orig = get_request().form.get('orig')
|
orig = get_request().form.get('orig')
|
||||||
if not isinstance(orig, basestring):
|
if not isinstance(orig, basestring):
|
||||||
|
@ -67,7 +67,11 @@ def get_user_from_api_query_string():
|
||||||
if abs(delta) > datetime.timedelta(seconds=MAX_DELTA):
|
if abs(delta) > datetime.timedelta(seconds=MAX_DELTA):
|
||||||
raise AccessForbiddenError('timestamp delta is more '
|
raise AccessForbiddenError('timestamp delta is more '
|
||||||
'than %s seconds: %s seconds' % (MAX_DELTA, delta))
|
'than %s seconds: %s seconds' % (MAX_DELTA, delta))
|
||||||
|
return True
|
||||||
|
|
||||||
|
def get_user_from_api_query_string():
|
||||||
|
if not is_url_signed():
|
||||||
|
return None
|
||||||
# Signature is good. Now looking for the user, by email/NameID.
|
# Signature is good. Now looking for the user, by email/NameID.
|
||||||
# If email or NameID exist but are empty, return None
|
# If email or NameID exist but are empty, return None
|
||||||
user = None
|
user = None
|
||||||
|
|
|
@ -1210,8 +1210,10 @@ class RootDirectory(AccessControlled, Directory):
|
||||||
return r.getvalue()
|
return r.getvalue()
|
||||||
|
|
||||||
def json(self):
|
def json(self):
|
||||||
from wcs.api import get_user_from_api_query_string
|
from wcs.api import is_url_signed, get_user_from_api_query_string
|
||||||
user = get_user_from_api_query_string() or get_request().user
|
user = get_user_from_api_query_string() or get_request().user
|
||||||
|
list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
|
||||||
|
|
||||||
list_forms = []
|
list_forms = []
|
||||||
|
|
||||||
if self.category:
|
if self.category:
|
||||||
|
@ -1227,7 +1229,7 @@ class RootDirectory(AccessControlled, Directory):
|
||||||
|
|
||||||
for formdef in formdefs:
|
for formdef in formdefs:
|
||||||
authentication_required = False
|
authentication_required = False
|
||||||
if formdef.roles and not (user and user.is_admin):
|
if formdef.roles and not list_all_forms:
|
||||||
if not user:
|
if not user:
|
||||||
if not formdef.always_advertise:
|
if not formdef.always_advertise:
|
||||||
continue
|
continue
|
||||||
|
|
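Review bot: The new `list_all_forms` condition in `json()` treats "signed URL and `user is None`" as the anonymous-export case, but `get_user_from_api_query_string()` also returns None when the request names a user that does not resolve (its own comment says "If email or NameID exist but are empty, return None"), so a signed request scoped to an unknown or empty user falls through to `get_request().user`, which may well be None on an API call, and is then granted the full listing that bypasses the `formdef.roles` check. The guard should distinguish "no user parameter was supplied" from "the user lookup failed", e.g. by having the caller check the request for the user-identifying parameters the comment refers to (or by having `get_user_from_api_query_string()` raise on an unresolvable user) rather than testing only the lookup result; `json()` continues past the hunk, so I cannot see whether a later check covers this. Separately, `is_url_signed()` is now evaluated twice per request (once inside `get_user_from_api_query_string()` and once directly); binding it once to a local at the top of `json()` would avoid the duplicate signature and timestamp work. `is_url_signed()` would also benefit from a docstring such as `"""Return True if the query string carries a valid signature, False if none is present; raises AccessForbiddenError when the timestamp is outside MAX_DELTA."""`.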