Posted to commits@allura.apache.org by br...@apache.org on 2023/03/03 22:15:18 UTC
[allura] branch master updated: Allow csp_form_actions environ override; more obvious warning if github oauth .ini settings missing
This is an automated email from the ASF dual-hosted git repository.
brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git
The following commit(s) were added to refs/heads/master by this push:
new 75e6e3c51 Allow csp_form_actions environ override; more obvious warning if github oauth .ini settings missing
75e6e3c51 is described below
commit 75e6e3c51fefc50cf02c55025635484ddf0cb97e
Author: Dave Brondsema <db...@slashdotmedia.com>
AuthorDate: Fri Mar 3 17:15:05 2023 -0500
Allow csp_form_actions environ override; more obvious warning if github oauth .ini settings missing
---
Allura/allura/lib/custom_middleware.py | 7 +++++--
ForgeImporters/forgeimporters/github/__init__.py | 8 ++++++--
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index f06f04d27..72fd7677f 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -491,10 +491,13 @@ class ContentSecurityPolicyMiddleware:
report_rules.add(f"frame-src {self.config['csp.frame_sources']}")
if self.config.get('csp.form_action_urls'):
+ srcs = self.config['csp.form_action_urls']
+ if environ.get('csp_form_actions'):
+ srcs += ' ' + ' '.join(environ['csp_form_actions'])
if asbool(self.config.get('csp.form_actions_enforce', False)):
- rules.add(f"form-action {self.config['csp.form_action_urls']}")
+ rules.add(f"form-action {srcs}")
else:
- report_rules.add(f"form-action {self.config['csp.form_action_urls']}")
+ report_rules.add(f"form-action {srcs}")
if self.config.get('csp.script_src'):
script_srcs = self.config['csp.script_src']
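Review bot: `' '.join(environ['csp_form_actions'])` assumes the environ value is an iterable of source strings; if a caller ever sets a single string, `join` puts a space between every character and the resulting `form-action` directive is garbage. Accepting both shapes is a one-line guard: `extra = environ['csp_form_actions']` then `srcs += ' ' + (extra if isinstance(extra, str) else ' '.join(extra))`. The override is also only consulted inside the `if self.config.get('csp.form_action_urls')` branch, so with no .ini value the environ entries are silently dropped; if that is intended, a comment such as `# environ override extends the .ini list; it never enables form-action on its own` would save the next reader a surprise. The enclosing method begins before and continues after the hunk.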
diff --git a/ForgeImporters/forgeimporters/github/__init__.py b/ForgeImporters/forgeimporters/github/__init__.py
index 2bf1b6173..3b01a6224 100644
--- a/ForgeImporters/forgeimporters/github/__init__.py
+++ b/ForgeImporters/forgeimporters/github/__init__.py
@@ -25,12 +25,13 @@ import six.moves.urllib.request
import six.moves.urllib.error
from datetime import datetime
-from tg import config, session, redirect, request, expose
+from tg import config, session, redirect, request, expose, flash
from tg.decorators import without_trailing_slash
from tg import tmpl_context as c
from requests_oauthlib import OAuth2Session
from formencode import validators as fev
+from allura.lib.security import is_site_admin
from forgeimporters import base
from urllib.parse import urlparse
@@ -232,7 +233,10 @@ class GitHubOAuthMixin:
client_id = config.get('github_importer.client_id')
secret = config.get('github_importer.client_secret')
if not client_id or not secret:
- log.warning('github_importer.* not set up in .ini file; cannot use OAuth for GitHub')
+ msg = 'github_importer.* not set up in .ini file; cannot use OAuth for GitHub'
+ log.warning(msg)
+ if is_site_admin(c.user):
+ flash(msg, 'error')
return # GitHub app is not configured
access_token = c.user.get_tool_data('GitHubProjectImport', 'token')
if access_token and valid_access_token(access_token, scopes_required=scope):
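Review bot: The new `flash(msg, 'error')` only reaches a site admin if whatever runs after the `return` ends in a page render or redirect that displays flash messages; that is not visible from this hunk, so it is worth confirming on the callers. Limiting the message to `is_site_admin(c.user)` keeps configuration details away from ordinary users, which deserves a comment now that the log line and the flash carry the same text: `# surface the misconfiguration to site admins only; other users just see OAuth unavailable`. The enclosing method starts before the hunk and continues after it.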