Posted to commits@allura.apache.org by br...@apache.org on 2023/03/03 22:15:18 UTC

[allura] branch master updated: Allow csp_form_actions environ override; more obvious warning if github oauth .ini settings missing

This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/master by this push:
     new 75e6e3c51 Allow csp_form_actions environ override; more obvious warning if github oauth .ini settings missing
75e6e3c51 is described below

commit 75e6e3c51fefc50cf02c55025635484ddf0cb97e
Author: Dave Brondsema <db...@slashdotmedia.com>
AuthorDate: Fri Mar 3 17:15:05 2023 -0500

    Allow csp_form_actions environ override; more obvious warning if github oauth .ini settings missing
---
 Allura/allura/lib/custom_middleware.py           | 7 +++++--
 ForgeImporters/forgeimporters/github/__init__.py | 8 ++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index f06f04d27..72fd7677f 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -491,10 +491,13 @@ class ContentSecurityPolicyMiddleware:
                 report_rules.add(f"frame-src {self.config['csp.frame_sources']}")
 
         if self.config.get('csp.form_action_urls'):
+            srcs = self.config['csp.form_action_urls']
+            if environ.get('csp_form_actions'):
+                srcs += ' ' + ' '.join(environ['csp_form_actions'])
             if asbool(self.config.get('csp.form_actions_enforce', False)):
-                rules.add(f"form-action {self.config['csp.form_action_urls']}")
+                rules.add(f"form-action {srcs}")
             else:
-                report_rules.add(f"form-action {self.config['csp.form_action_urls']}")
+                report_rules.add(f"form-action {srcs}")
 
         if self.config.get('csp.script_src'):
             script_srcs = self.config['csp.script_src']
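Review bot: The `' '.join(environ['csp_form_actions'])` on the third added line assumes the environ value is a non-string iterable; a caller that stores a plain string would have it split into single characters, silently producing a malformed `form-action` directive, and nothing checks that each element is one CSP source expression (no whitespace or `;`) before it is spliced into the policy string. Who populates `environ['csp_form_actions']` is not visible in this hunk, so if it is only ever set by trusted controller code this is a robustness point rather than an injection one, but the contract deserves a comment next to the join, e.g. `# csp_form_actions must be an iterable of individual CSP source expressions (no ';' or whitespace); it extends, never replaces, the .ini value`. Note also that the override is only honored inside the existing `if self.config.get('csp.form_action_urls'):` guard, so an instance with no .ini value gets no form-action directive at all even when the environ key is set; if an environ-only override is intended the outer condition needs to consider `environ` too. The enclosing method of ContentSecurityPolicyMiddleware starts before and ends after this hunk.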
diff --git a/ForgeImporters/forgeimporters/github/__init__.py b/ForgeImporters/forgeimporters/github/__init__.py
index 2bf1b6173..3b01a6224 100644
--- a/ForgeImporters/forgeimporters/github/__init__.py
+++ b/ForgeImporters/forgeimporters/github/__init__.py
@@ -25,12 +25,13 @@ import six.moves.urllib.request
 import six.moves.urllib.error
 from datetime import datetime
 
-from tg import config, session, redirect, request, expose
+from tg import config, session, redirect, request, expose, flash
 from tg.decorators import without_trailing_slash
 from tg import tmpl_context as c
 from requests_oauthlib import OAuth2Session
 from formencode import validators as fev
 
+from allura.lib.security import is_site_admin
 from forgeimporters import base
 from urllib.parse import urlparse
 
@@ -232,7 +233,10 @@ class GitHubOAuthMixin:
         client_id = config.get('github_importer.client_id')
         secret = config.get('github_importer.client_secret')
         if not client_id or not secret:
-            log.warning('github_importer.* not set up in .ini file; cannot use OAuth for GitHub')
+            msg = 'github_importer.* not set up in .ini file; cannot use OAuth for GitHub'
+            log.warning(msg)
+            if is_site_admin(c.user):
+                flash(msg, 'error')
             return  # GitHub app is not configured
         access_token = c.user.get_tool_data('GitHubProjectImport', 'token')
         if access_token and valid_access_token(access_token, scopes_required=scope):
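Review bot: The reason the new `flash(msg, 'error')` is gated on `is_site_admin(c.user)` is not stated, and a later reader may be tempted to drop the gate to make the message "more obvious"; a why-comment on the added `if` line would pin it down, e.g. `# only site admins get the UI error: the .ini misconfiguration is operator-facing, and ordinary users should not see server configuration details`. The unconditional `log.warning(msg)` is unchanged from before and still fires on every call down this path, which is consistent with the prior behaviour and seems intended. The enclosing method of GitHubOAuthMixin starts before and ends after this hunk.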