api: require url to be signed to get roles, but not a valid user (#7535)

2015-06-11 14:31:27 +02:00 · 2015-06-11 14:31:27 +02:00 · d7aad79da3
parent 0504685899
commit d7aad79da3
2 changed files with 10 additions and 6 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -47,12 +47,14 @@ def local_user():
    user.store()
    return user

-def sign_uri(uri, user):
+def sign_uri(uri, user=None):
    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
    scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri)
    if query:
        query += '&'
-    query += 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '&timestamp=' + timestamp
+    query += 'format=json&orig=coucou&algo=sha256&timestamp=' + timestamp
+    if user:
+        query += '&email=' + urllib.quote(user.email)
    query += '&signature=%s' % urllib.quote(
            base64.b64encode(
                hmac.new('1234',
@ -383,11 +385,13 @@ def test_roles(local_user):
    role = Role(name='Hello World')
    role.store()

-    resp = get_app(pub).get(sign_uri('/api/roles', user=local_user), headers={'Accept': 'application/json'})
+    resp = get_app(pub).get('/api/roles', status=403)
+
+    resp = get_app(pub).get(sign_uri('/api/roles'))
    assert resp.json['data'][0]['text'] == 'Hello World'
    assert resp.json['data'][0]['slug'] == 'hello-world'

    # also check old endpoint, for compatibility
-    resp = get_app(pub).get(sign_uri('/roles', user=local_user), headers={'Accept': 'application/json'})
+    resp = get_app(pub).get(sign_uri('/roles'), headers={'Accept': 'application/json'})
    assert resp.json['data'][0]['text'] == 'Hello World'
    assert resp.json['data'][0]['slug'] == 'hello-world'
--- a/wcs/api.py
+++ b/wcs/api.py
@ -177,8 +177,8 @@ class ApiDirectory(Directory):

    def roles(self):
        get_response().set_content_type('application/json')
-        if not (get_request().user and get_request().user.can_go_in_admin()) and \
-                not get_user_from_api_query_string():
+        if not (is_url_signed() or (
+                get_request().user and get_request().user.can_go_in_admin())):
            raise AccessForbiddenError()
        list_roles = []
        charset = get_publisher().site_charset