jeff/umap
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #1058 from framasoft/allow-old-anonymous-edit-url

Browse source 
🐛 — Allow to use SHA1-signed anonymous edit URL
This commit is contained in:
Yohan Boniface 2023-03-29 13:09:47 +02:00 committed by GitHub
commit 0116696ee6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
umap/tests/test_map_views.py
View file

@ -4,6 +4,7 @@ import pytest
from django.contrib.auth import get_user_model
from django.urls import reverse
from django.core.signing import Signer
from umap.models import DataLayer, Map
from .base import login_required
@ -401,6 +402,20 @@ def test_anonymous_edit_url(cookieclient, anonymap):
assert key in cookieclient.cookies
@pytest.mark.usefixtures('allow_anonymous')
def test_sha1_anonymous_edit_url(cookieclient, anonymap):
signer = Signer(algorithm='sha1')
signature = signer.sign(anonymap.pk)
url = reverse('map_anonymous_edit_url', kwargs={'signature': signature})
canonical = reverse('map', kwargs={'pk': anonymap.pk,
'slug': anonymap.slug})
response = cookieclient.get(url)
assert response.status_code == 302
assert response['Location'] == canonical
key, value = anonymap.signed_cookie_elements
assert key in cookieclient.cookies
@pytest.mark.usefixtures('allow_anonymous')
def test_bad_anonymous_edit_url_should_return_403(cookieclient, anonymap):
url = anonymap.get_anonymous_edit_url()

26
umap/views.py
View file

@ -657,17 +657,21 @@ class MapAnonymousEditUrl(RedirectView):
try:
pk = signer.unsign(self.kwargs["signature"])
except BadSignature:
return HttpResponseForbidden()
else:
map_inst = get_object_or_404(Map, pk=pk)
url = map_inst.get_absolute_url()
response = HttpResponseRedirect(url)
if not map_inst.owner:
key, value = map_inst.signed_cookie_elements
response.set_signed_cookie(
key=key, value=value, max_age=ANONYMOUS_COOKIE_MAX_AGE
)
return response
signer = Signer(algorithm='sha1')
try:
pk = signer.unsign(self.kwargs["signature"])
except BadSignature:
return HttpResponseForbidden()
map_inst = get_object_or_404(Map, pk=pk)
url = map_inst.get_absolute_url()
response = HttpResponseRedirect(url)
if not map_inst.owner:
key, value = map_inst.signed_cookie_elements
response.set_signed_cookie(
key=key, value=value, max_age=ANONYMOUS_COOKIE_MAX_AGE
)
return response
# ############## #