api: require url to be signed to get roles, but not a valid user (#7535)
This commit is contained in:
parent
0504685899
commit
d7aad79da3
|
@ -47,12 +47,14 @@ def local_user():
|
|||
user.store()
|
||||
return user
|
||||
|
||||
def sign_uri(uri, user):
|
||||
def sign_uri(uri, user=None):
|
||||
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
|
||||
scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri)
|
||||
if query:
|
||||
query += '&'
|
||||
query += 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '×tamp=' + timestamp
|
||||
query += 'format=json&orig=coucou&algo=sha256×tamp=' + timestamp
|
||||
if user:
|
||||
query += '&email=' + urllib.quote(user.email)
|
||||
query += '&signature=%s' % urllib.quote(
|
||||
base64.b64encode(
|
||||
hmac.new('1234',
|
||||
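Review bot: `sign_uri` gains a `user=None` default but nothing documents what an unattributed signature means; add a docstring such as `"""Return *uri* with the query string and HMAC signature the API expects; when *user* is given its email is appended so the request is attributed to that user."""`. The `×tamp=` shown on the rendered lines is presumably `&timestamp=` from the source with `&times` turned into an HTML entity by the page, not something to change. The `hmac.new('1234',` call and the rest of the helper continue outside the hunk.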
|
@ -383,11 +385,13 @@ def test_roles(local_user):
|
|||
role = Role(name='Hello World')
|
||||
role.store()
|
||||
|
||||
resp = get_app(pub).get(sign_uri('/api/roles', user=local_user), headers={'Accept': 'application/json'})
|
||||
resp = get_app(pub).get('/api/roles', status=403)
|
||||
|
||||
resp = get_app(pub).get(sign_uri('/api/roles'))
|
||||
assert resp.json['data'][0]['text'] == 'Hello World'
|
||||
assert resp.json['data'][0]['slug'] == 'hello-world'
|
||||
|
||||
# also check old endpoint, for compatibility
|
||||
resp = get_app(pub).get(sign_uri('/roles', user=local_user), headers={'Accept': 'application/json'})
|
||||
resp = get_app(pub).get(sign_uri('/roles'), headers={'Accept': 'application/json'})
|
||||
assert resp.json['data'][0]['text'] == 'Hello World'
|
||||
assert resp.json['data'][0]['slug'] == 'hello-world'
|
||||
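Review bot: The new request at `resp = get_app(pub).get(sign_uri('/api/roles'))` drops the `headers={'Accept': 'application/json'}` that the replaced call had and that the `/roles` compatibility request just below still passes; the `/api/roles` view sets the JSON content type itself, so this likely works, but passing the same headers on both keeps the two checks symmetric. The 403 case only asserts the status code, and a signed URL with a wrong key or stale timestamp is not exercised in this hunk, though it may be covered elsewhere in the file. `test_roles` begins before this hunk.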
|
|
|
@ -177,8 +177,8 @@ class ApiDirectory(Directory):
|
|||
|
||||
def roles(self):
|
||||
get_response().set_content_type('application/json')
|
||||
if not (get_request().user and get_request().user.can_go_in_admin()) and \
|
||||
not get_user_from_api_query_string():
|
||||
if not (is_url_signed() or (
|
||||
get_request().user and get_request().user.can_go_in_admin())):
|
||||
raise AccessForbiddenError()
|
||||
list_roles = []
|
||||
charset = get_publisher().site_charset
|
||||
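Review bot: The rewritten check at `if not (is_url_signed() or (` widens access from a user identified through the signed query string to any request carrying a valid signature, which is the commit's intent but is not stated in the code; a comment such as `# Role listing is open to any request signed with a valid API key, not only to admin users.` would keep a later reader from reverting it. Whether `is_url_signed()` also rejects stale timestamps cannot be seen here and is worth confirming, since the signature is now the sole credential for this listing. The body of `roles()` continues past the hunk.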
|
|