api: search api keys from dedicated storage objects too (#48751)
parent
119288b7cd
commit
7138d09c3b
|
@ -299,6 +299,32 @@ def test_get_user(pub, local_user):
|
|||
assert [x['slug'] for x in output.json['user_roles']] == ['foo-bar']
|
||||
|
||||
|
||||
def test_api_access_from_xml_storable_object(pub, local_user, admin_user):
|
||||
app = login(get_app(pub))
|
||||
resp = app.get('/backoffice/settings/api-access/new')
|
||||
resp.form['name'] = 'Salut API access key'
|
||||
resp.form['access_identifier'] = 'salut'
|
||||
resp.form['access_key'] = '5678'
|
||||
resp = resp.form.submit('submit')
|
||||
|
||||
Role.wipe()
|
||||
role = Role(name='Foo bar')
|
||||
role.store()
|
||||
local_user.roles = [role.id]
|
||||
local_user.store()
|
||||
signed_url = sign_url('http://example.net/api/user/?format=json&orig=UNKNOWN_ACCESS&email=%s' % (
|
||||
urllib.quote(local_user.email)), '5678')
|
||||
url = signed_url[len('http://example.net'):]
|
||||
output = get_app(pub).get(url, status=403)
|
||||
assert output.json['err_desc'] == 'invalid orig'
|
||||
|
||||
signed_url = sign_url('http://example.net/api/user/?format=json&orig=salut&email=%s' % (
|
||||
urllib.quote(local_user.email)), '5678')
|
||||
url = signed_url[len('http://example.net'):]
|
||||
output = get_app(pub).get(url)
|
||||
assert output.json['user_display_name'] == u'Jean Darmette'
|
||||
|
||||
|
||||
def test_is_url_signed_check_nonce(pub, local_user, freezer):
|
||||
ORIG = 'xxx'
|
||||
KEY = 'xxx'
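Review bot: test_api_access_from_xml_storable_object only covers an unknown `orig` and a correctly signed request, so it never shows that a storage-backed identifier rejects a bad signature. I would add a third request for `orig=salut` signed with a different key, such as `sign_url(..., 'wrong-key')`, and assert that it is refused, presumably with `get_app(pub).get(url, status=403)` as in the unknown-orig case. It would also help to add a case where the same identifier exists both as an ApiAccess object and in the `api-secrets` site options, so that the precedence of the new lookup is pinned by a test.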
|
||||
|
|
|
@ -29,6 +29,7 @@ from django.utils.six.moves.urllib import parse as urllib
|
|||
from django.utils.six.moves.urllib import parse as urlparse
|
||||
|
||||
from quixote import get_request, get_publisher
|
||||
from .api_access import ApiAccess
|
||||
from .qommon.errors import (AccessForbiddenError, HttpResponse401Error, UnknownNameIdAccessForbiddenError)
|
||||
import qommon.misc
|
||||
|
||||
|
@ -49,7 +50,7 @@ def is_url_signed(utcnow=None, duration=DEFAULT_DURATION):
|
|||
orig = get_request().form.get('orig')
|
||||
if not isinstance(orig, six.string_types):
|
||||
raise AccessForbiddenError('missing/multiple orig field')
|
||||
key = get_publisher().get_site_option(orig, 'api-secrets')
|
||||
key = ApiAccess.get_access_key(orig) or get_publisher().get_site_option(orig, 'api-secrets')
|
||||
if not key:
|
||||
raise AccessForbiddenError('invalid orig')
|
||||
algo = get_request().form.get('algo')
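Review bot: On the changed line `key = ApiAccess.get_access_key(orig) or get_publisher().get_site_option(orig, 'api-secrets')`, a key stored through the backoffice silently takes precedence over a deployment-configured `api-secrets` entry for the same `orig`, and nothing here documents or limits that. If identifiers are not checked for collisions when an ApiAccess object is created (not visible in this hunk), anyone allowed to edit API access settings could replace the signing secret of an existing integration. The `or` also means a stored object with an empty key falls through to the site option without any trace. At minimum I would state the intended precedence next to the lookup, e.g. `# ApiAccess objects take precedence over [api-secrets]; an empty stored key falls back to the site option`, and consider rejecting identifiers that already exist in `api-secrets`. The body of is_url_signed continues outside the hunk.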
|
||||
|
|