From: brondsem@apache.org
To: allura-commits@incubator.apache.org
Date: Wed, 18 Dec 2013 15:39:09 -0000
Message-Id: <7b696ce2ada64c19b956ff624b89ec03@git.apache.org>
In-Reply-To: 
References: 
X-Mailer: ASF-Git Admin Mailer
Subject: [2/2] git commit: require POST for oauth app authorization form submit

require POST for oauth app authorization form submit

Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/56590d47
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/56590d47
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/56590d47

Branch: refs/heads/master
Commit: 56590d473094911cb28f9546c9c82a6df372ef17
Parents: bd3bc2e
Author: Dave Brondsema
Authored: Wed Dec 18 15:26:01 2013 +0000
Committer: Dave Brondsema
Committed: Wed Dec 18 15:26:01 2013 +0000

----------------------------------------------------------------------
 Allura/allura/controllers/rest.py | 2 ++
 Allura/allura/tests/functional/test_auth.py | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/56590d47/Allura/allura/controllers/rest.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/rest.py b/Allura/allura/controllers/rest.py
index 3566caa..84301df 100644
--- a/Allura/allura/controllers/rest.py
+++ b/Allura/allura/controllers/rest.py
@@ -34,6 +34,7 @@ from allura.lib import helpers as h
 from allura.lib import security
 from allura.lib import plugin
 from allura.lib.exceptions import Invalid
+from allura.lib.decorators import require_post
 
 log = logging.getLogger(__name__)
 action_logger = h.log_action(log, 'API:')
@@ -191,6 +192,7 @@ class OAuthNegotiator(object):
             consumer=rtok.consumer_token)
 
     @expose('jinja:allura:templates/oauth_authorize_ok.html')
+    @require_post()
     def do_authorize(self, yes=None, no=None, oauth_token=None):
         security.require_authenticated()
         rtok = M.OAuthRequestToken.query.get(api_key=oauth_token)

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/56590d47/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 3159784..5ac17c6 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -953,7 +953,7 @@ class TestOAuth(TestController):
             user_id=user._id,
         )
         ThreadLocalORMSession.flush_all()
-        r = self.app.get('/rest/oauth/do_authorize', params={'no': '1', 'oauth_token': 'api_key'})
+        r = self.app.post('/rest/oauth/do_authorize', params={'no': '1', 'oauth_token': 'api_key'})
         assert_is_none(M.OAuthRequestToken.query.get(api_key='api_key'))
 
     def test_do_authorize_oob(self):
@@ -970,7 +970,7 @@ class TestOAuth(TestController):
             user_id=user._id,
         )
         ThreadLocalORMSession.flush_all()
-        r = self.app.get('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
+        r = self.app.post('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
         assert_is_not_none(r.html.find(text=re.compile('^PIN: ')))
 
     def test_do_authorize_cb(self):
@@ -987,7 +987,7 @@ class TestOAuth(TestController):
             user_id=user._id,
         )
         ThreadLocalORMSession.flush_all()
-        r = self.app.get('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
+        r = self.app.post('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
         assert r.location.startswith('http://my.domain.com/callback?oauth_token=api_key&oauth_verifier=')
 
     def test_do_authorize_cb_params(self):
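Review bot: Requiring POST on `do_authorize` stops the trivial GET-link or `<img>` trigger, but it is not CSRF protection on its own — a cross-site HTML form can still POST `yes=1&oauth_token=...` carrying the victim's session cookie, so approval of a consumer's request token stays forgeable unless a session-bound anti-CSRF token (or a framework-wide check) is validated for this route, and nothing in the hunk shows one. If Allura's CSRF middleware already covers this endpoint, a comment on the decorator saying so would spare the next reader the same question; otherwise the token check belongs in the body. A docstring is also warranted for a method that grants third-party API access, e.g. `"""Record the user's approve/deny decision for the OAuth request token named by oauth_token; POST-only so the decision cannot be triggered by a crafted link."""`. The body of `do_authorize` continues past the end of the hunk.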
@@ -1004,7 +1004,7 @@ class TestOAuth(TestController):
             user_id=user._id,
         )
         ThreadLocalORMSession.flush_all()
-        r = self.app.get('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
+        r = self.app.post('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
         assert r.location.startswith('http://my.domain.com/callback?myparam=foo&oauth_token=api_key&oauth_verifier=')
 
     @mock.patch('allura.controllers.rest.oauth.Request')
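Review bot: The tests were switched from `self.app.get` to `self.app.post`, but nothing pins the new restriction itself — no test asserts that a GET to `/rest/oauth/do_authorize` is rejected, so a later change that drops `@require_post()` would pass this suite unchanged. Add a negative case next to these, e.g. `r = self.app.get('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'}, status=405)` followed by `assert_is_not_none(M.OAuthRequestToken.query.get(api_key='api_key'))` to show the request token was neither approved nor consumed. The exact status code depends on what `require_post` raises, which is not visible here, so confirm it before hard-coding 405. Each of the test methods these hunks touch starts above its hunk boundary.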