🐛 — Allow to use SHA1-signed anonymous edit URL
The default django.core.signing Signer uses SHA256 algorithm since Django 3. Umap used Django 2 in the paste, so people had SHA1 signed anonymous edit URLs, which became unusable when umap switch to Django 3. This commit makes them usable again (the new SHA256-signed anonymous edit URLs still works, obviously).
This commit is contained in:
parent
3f155101af
commit
123af0a7c9
2 changed files with 30 additions and 11 deletions
|
@ -4,6 +4,7 @@ import pytest
|
|||
from django.contrib.auth import get_user_model
|
||||
from django.urls import reverse
|
||||
|
||||
from django.core.signing import Signer
|
||||
from umap.models import DataLayer, Map
|
||||
|
||||
from .base import login_required
|
||||
|
@ -401,6 +402,20 @@ def test_anonymous_edit_url(cookieclient, anonymap):
|
|||
assert key in cookieclient.cookies
|
||||
|
||||
|
||||
@pytest.mark.usefixtures('allow_anonymous')
|
||||
def test_sha1_anonymous_edit_url(cookieclient, anonymap):
|
||||
signer = Signer(algorithm='sha1')
|
||||
signature = signer.sign(anonymap.pk)
|
||||
url = reverse('map_anonymous_edit_url', kwargs={'signature': signature})
|
||||
canonical = reverse('map', kwargs={'pk': anonymap.pk,
|
||||
'slug': anonymap.slug})
|
||||
response = cookieclient.get(url)
|
||||
assert response.status_code == 302
|
||||
assert response['Location'] == canonical
|
||||
key, value = anonymap.signed_cookie_elements
|
||||
assert key in cookieclient.cookies
|
||||
|
||||
|
||||
@pytest.mark.usefixtures('allow_anonymous')
|
||||
def test_bad_anonymous_edit_url_should_return_403(cookieclient, anonymap):
|
||||
url = anonymap.get_anonymous_edit_url()
|
||||
|
|
|
@ -657,17 +657,21 @@ class MapAnonymousEditUrl(RedirectView):
|
|||
try:
|
||||
pk = signer.unsign(self.kwargs["signature"])
|
||||
except BadSignature:
|
||||
return HttpResponseForbidden()
|
||||
else:
|
||||
map_inst = get_object_or_404(Map, pk=pk)
|
||||
url = map_inst.get_absolute_url()
|
||||
response = HttpResponseRedirect(url)
|
||||
if not map_inst.owner:
|
||||
key, value = map_inst.signed_cookie_elements
|
||||
response.set_signed_cookie(
|
||||
key=key, value=value, max_age=ANONYMOUS_COOKIE_MAX_AGE
|
||||
)
|
||||
return response
|
||||
signer = Signer(algorithm='sha1')
|
||||
try:
|
||||
pk = signer.unsign(self.kwargs["signature"])
|
||||
except BadSignature:
|
||||
return HttpResponseForbidden()
|
||||
|
||||
map_inst = get_object_or_404(Map, pk=pk)
|
||||
url = map_inst.get_absolute_url()
|
||||
response = HttpResponseRedirect(url)
|
||||
if not map_inst.owner:
|
||||
key, value = map_inst.signed_cookie_elements
|
||||
response.set_signed_cookie(
|
||||
key=key, value=value, max_age=ANONYMOUS_COOKIE_MAX_AGE
|
||||
)
|
||||
return response
|
||||
|
||||
|
||||
# ############## #
|
||||
|
|
Loading…
Reference in a new issue