Posted to commits@allura.apache.org by br...@apache.org on 2013/12/18 16:39:08 UTC

[1/2] git commit: Use CSRF during tests (fixes oauth tests with _session_id)

Updated Branches:
  refs/heads/master 8df4a71db -> 56590d473


Use CSRF during tests (fixes oauth tests with _session_id)


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/bd3bc2e9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/bd3bc2e9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/bd3bc2e9

Branch: refs/heads/master
Commit: bd3bc2e9d69a89c36919e7057989341614541308
Parents: 8df4a71
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Wed Dec 18 15:25:32 2013 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Dec 18 15:25:32 2013 +0000

----------------------------------------------------------------------
 Allura/test.ini | 2 --
 1 file changed, 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/bd3bc2e9/Allura/test.ini
----------------------------------------------------------------------
diff --git a/Allura/test.ini b/Allura/test.ini
index 99ca324..5df127f 100644
--- a/Allura/test.ini
+++ b/Allura/test.ini
@@ -114,8 +114,6 @@ support_tool_choices = wiki tickets discussion
 
 #stats.sample_rate = 0
 
-disable_csrf_protection=1
-
 short_url.url_pattern = {base_url}/{nbhd}/{project}/{mount_point}/{short_name}
 
 # markdown text longer than max length will not be converted to html


[2/2] git commit: require POST for oauth app authorization form submit

Posted by br...@apache.org.
require POST for oauth app authorization form submit


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/56590d47
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/56590d47
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/56590d47

Branch: refs/heads/master
Commit: 56590d473094911cb28f9546c9c82a6df372ef17
Parents: bd3bc2e
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Wed Dec 18 15:26:01 2013 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Dec 18 15:26:01 2013 +0000

----------------------------------------------------------------------
 Allura/allura/controllers/rest.py           | 2 ++
 Allura/allura/tests/functional/test_auth.py | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/56590d47/Allura/allura/controllers/rest.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/rest.py b/Allura/allura/controllers/rest.py
index 3566caa..84301df 100644
--- a/Allura/allura/controllers/rest.py
+++ b/Allura/allura/controllers/rest.py
@@ -34,6 +34,7 @@ from allura.lib import helpers as h
 from allura.lib import security
 from allura.lib import plugin
 from allura.lib.exceptions import Invalid
+from allura.lib.decorators import require_post
 
 log = logging.getLogger(__name__)
 action_logger = h.log_action(log, 'API:')
@@ -191,6 +192,7 @@ class OAuthNegotiator(object):
             consumer=rtok.consumer_token)
 
     @expose('jinja:allura:templates/oauth_authorize_ok.html')
+    @require_post()
     def do_authorize(self, yes=None, no=None, oauth_token=None):
         security.require_authenticated()
         rtok = M.OAuthRequestToken.query.get(api_key=oauth_token)
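Review bot: The added `@require_post()` restricts only the HTTP verb; it is the CSRF check (which the preceding commit re-enables for tests by dropping `disable_csrf_protection=1` from test.ini) that actually stops a cross-site form submission, and nothing near the decorator records that the two work together. A one-line comment above the new decorator would keep that intent with the code: `# Approving/denying a request token changes state, so the form may only be submitted via POST (and therefore through the CSRF check).`. The body of do_authorize continues outside the hunk, so what the `yes`/`no` branches do to the token is not visible here beyond what the functional tests assert.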

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/56590d47/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 3159784..5ac17c6 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -953,7 +953,7 @@ class TestOAuth(TestController):
                 user_id=user._id,
             )
         ThreadLocalORMSession.flush_all()
-        r = self.app.get('/rest/oauth/do_authorize', params={'no': '1', 'oauth_token': 'api_key'})
+        r = self.app.post('/rest/oauth/do_authorize', params={'no': '1', 'oauth_token': 'api_key'})
         assert_is_none(M.OAuthRequestToken.query.get(api_key='api_key'))
 
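Review bot: The updated tests switch the call to POST (here and in the three hunks that follow) but none asserts that a GET to `/rest/oauth/do_authorize` is now refused, so a later loss of `@require_post()` in rest.py would pass this suite unnoticed. One regression test alongside these would pin the restriction, e.g. `self.app.get('/rest/oauth/do_authorize', params={'no': '1', 'oauth_token': 'api_key'}, status=REJECT_STATUS)` followed by `assert_is_not_none(M.OAuthRequestToken.query.get(api_key='api_key'))`, where REJECT_STATUS is whatever status code `require_post` responds with (not visible in this diff). The test method containing this hunk starts outside the hunk, so its name and the token setup are only partly visible here.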
     def test_do_authorize_oob(self):
@@ -970,7 +970,7 @@ class TestOAuth(TestController):
                 user_id=user._id,
             )
         ThreadLocalORMSession.flush_all()
-        r = self.app.get('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
+        r = self.app.post('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
         assert_is_not_none(r.html.find(text=re.compile('^PIN: ')))
 
     def test_do_authorize_cb(self):
@@ -987,7 +987,7 @@ class TestOAuth(TestController):
                 user_id=user._id,
             )
         ThreadLocalORMSession.flush_all()
-        r = self.app.get('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
+        r = self.app.post('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
         assert r.location.startswith('http://my.domain.com/callback?oauth_token=api_key&oauth_verifier=')
 
     def test_do_authorize_cb_params(self):
@@ -1004,7 +1004,7 @@ class TestOAuth(TestController):
                 user_id=user._id,
             )
         ThreadLocalORMSession.flush_all()
-        r = self.app.get('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
+        r = self.app.post('/rest/oauth/do_authorize', params={'yes': '1', 'oauth_token': 'api_key'})
         assert r.location.startswith('http://my.domain.com/callback?myparam=foo&oauth_token=api_key&oauth_verifier=')
 
     @mock.patch('allura.controllers.rest.oauth.Request')