ident: don't expose register page if it doesn't exist for method (#40935)

2020-03-25 09:01:55 +01:00 · 2020-03-25 09:01:55 +01:00 · a6c5831933
parent 9fb3a20204
commit a6c5831933
2 changed files with 9 additions and 0 deletions
--- a/tests/test_fc_auth.py
+++ b/tests/test_fc_auth.py
@ -350,3 +350,10 @@ def test_fc_logout_error():
    setup_fc_environment(pub)
    app = get_app(pub)
    app.get('/ident/fc/logout', status=400)
+
+
+def test_fc_register_error():
+    setup_user_profile(pub)
+    setup_fc_environment(pub)
+    app = get_app(pub)
+    app.get('/register/fc/', status=404)
--- a/wcs/root.py
+++ b/wcs/root.py
@ -182,6 +182,8 @@ class RegisterDirectory(Directory):
    def _q_lookup(self, component):
        try:
            dir = ident.get_method_directory(component)
+            if 'register' not in dir._q_exports:
+                return errors.TraversalError()
            # set the register page as the index page, so the url can be
            # /register/password/ instead of /register/password/register
            dir._q_exports.append('')