Merge pull request #1058 from framasoft/allow-old-anonymous-edit-url
🐛 — Allow to use SHA1-signed anonymous edit URL
This commit is contained in:
commit
0116696ee6
2 changed files with 30 additions and 11 deletions
|
@ -4,6 +4,7 @@ import pytest
|
||||||
from django.contrib.auth import get_user_model
|
from django.contrib.auth import get_user_model
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
|
|
||||||
|
from django.core.signing import Signer
|
||||||
from umap.models import DataLayer, Map
|
from umap.models import DataLayer, Map
|
||||||
|
|
||||||
from .base import login_required
|
from .base import login_required
|
||||||
|
@ -401,6 +402,20 @@ def test_anonymous_edit_url(cookieclient, anonymap):
|
||||||
assert key in cookieclient.cookies
|
assert key in cookieclient.cookies
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.usefixtures('allow_anonymous')
|
||||||
|
def test_sha1_anonymous_edit_url(cookieclient, anonymap):
|
||||||
|
signer = Signer(algorithm='sha1')
|
||||||
|
signature = signer.sign(anonymap.pk)
|
||||||
|
url = reverse('map_anonymous_edit_url', kwargs={'signature': signature})
|
||||||
|
canonical = reverse('map', kwargs={'pk': anonymap.pk,
|
||||||
|
'slug': anonymap.slug})
|
||||||
|
response = cookieclient.get(url)
|
||||||
|
assert response.status_code == 302
|
||||||
|
assert response['Location'] == canonical
|
||||||
|
key, value = anonymap.signed_cookie_elements
|
||||||
|
assert key in cookieclient.cookies
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.usefixtures('allow_anonymous')
|
@pytest.mark.usefixtures('allow_anonymous')
|
||||||
def test_bad_anonymous_edit_url_should_return_403(cookieclient, anonymap):
|
def test_bad_anonymous_edit_url_should_return_403(cookieclient, anonymap):
|
||||||
url = anonymap.get_anonymous_edit_url()
|
url = anonymap.get_anonymous_edit_url()
|
||||||
|
|
|
@ -654,11 +654,15 @@ class MapAnonymousEditUrl(RedirectView):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
signer = Signer()
|
signer = Signer()
|
||||||
|
try:
|
||||||
|
pk = signer.unsign(self.kwargs["signature"])
|
||||||
|
except BadSignature:
|
||||||
|
signer = Signer(algorithm='sha1')
|
||||||
try:
|
try:
|
||||||
pk = signer.unsign(self.kwargs["signature"])
|
pk = signer.unsign(self.kwargs["signature"])
|
||||||
except BadSignature:
|
except BadSignature:
|
||||||
return HttpResponseForbidden()
|
return HttpResponseForbidden()
|
||||||
else:
|
|
||||||
map_inst = get_object_or_404(Map, pk=pk)
|
map_inst = get_object_or_404(Map, pk=pk)
|
||||||
url = map_inst.get_absolute_url()
|
url = map_inst.get_absolute_url()
|
||||||
response = HttpResponseRedirect(url)
|
response = HttpResponseRedirect(url)
|
||||||
|
|
Loading…
Reference in a new issue