Add some tests to verify we're not leaking anything to completely public users (we're not)
This commit is contained in:
parent
7dc4c2b250
commit
db59b5bf9c
6 changed files with 440 additions and 101 deletions
@ -5,7 +5,7 @@ import requests
|
|||
import urlparse
|
||||
import json
|
||||
|
||||
from flask import request, make_response, jsonify, abort, url_for
|
||||
from flask import request, make_response, jsonify, abort
|
||||
from flask.ext.login import login_required, current_user, logout_user
|
||||
from flask.ext.principal import identity_changed, AnonymousIdentity
|
||||
from functools import wraps
|
||||
|
@ -46,6 +46,19 @@ def api_login_required(f):
|
|||
return decorated_view
|
||||
|
||||
|
||||
def required_json_args(*required_args):
|
||||
def wrap(f):
|
||||
@wraps(f)
|
||||
def wrapped(*args, **kwargs):
|
||||
request_data = request.get_json()
|
||||
for arg in required_args:
|
||||
if arg not in request_data:
|
||||
abort(400)
|
||||
return f(*args, **kwargs)
|
||||
return wrapped
|
||||
return wrap
|
||||
|
||||
|
||||
@app.errorhandler(model.DataModelException)
|
||||
def handle_dme(ex):
|
||||
return make_response(ex.message, 400)
|
||||
|
@ -120,8 +133,10 @@ def change_user_details():
|
|||
|
||||
|
||||
@app.route('/api/user/', methods=['POST'])
|
||||
@required_json_args('username', 'password', 'email')
|
||||
def create_user_api():
|
||||
user_data = request.get_json()
|
||||
|
||||
existing_user = model.get_user(user_data['username'])
|
||||
if existing_user:
|
||||
error_resp = jsonify({
|
||||
|
@ -145,6 +160,7 @@ def create_user_api():
|
|||
|
||||
|
||||
@app.route('/api/signin', methods=['POST'])
|
||||
@required_json_args('username', 'password')
|
||||
def signin_api():
|
||||
signin_data = request.get_json()
|
||||
|
||||
|
@ -184,6 +200,7 @@ def logout():
|
|||
|
||||
|
||||
@app.route("/api/recovery", methods=['POST'])
|
||||
@required_json_args('email')
|
||||
def send_recovery():
|
||||
email = request.get_json()['email']
|
||||
code = model.create_reset_password_email_code(email)
|
||||
|
@ -264,6 +281,7 @@ def team_view(orgname, t):
|
|||
|
||||
|
||||
@app.route('/api/organization/<orgname>', methods=['GET'])
|
||||
@api_login_required
|
||||
def get_organization(orgname):
|
||||
user = current_user.db_user()
|
||||
|
||||
|
@ -277,11 +295,9 @@ def get_organization(orgname):
|
|||
'is_admin': is_admin
|
||||
}
|
||||
|
||||
if current_user.is_anonymous():
|
||||
abort(404)
|
||||
|
||||
org = model.get_organization(orgname)
|
||||
if not org:
|
||||
try:
|
||||
org = model.get_organization(orgname)
|
||||
except model.InvalidOrganizationException:
|
||||
abort(404)
|
||||
|
||||
teams = model.get_teams_within_org(org)
|
||||
|
@ -289,6 +305,7 @@ def get_organization(orgname):
|
|||
|
||||
|
||||
@app.route('/api/organization/<orgname>/private', methods=['GET'])
|
||||
@api_login_required
|
||||
def get_organization_private_allowed(orgname):
|
||||
permission = CreateRepositoryPermission(orgname)
|
||||
if permission.can():
|
||||
|
@ -318,6 +335,7 @@ def member_view(m):
|
|||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>',
|
||||
methods=['PUT', 'POST'])
|
||||
@api_login_required
|
||||
def update_organization_team(orgname, teamname):
|
||||
edit_permission = AdministerOrganizationPermission(orgname)
|
||||
if edit_permission.can():
|
||||
|
@ -354,6 +372,7 @@ def update_organization_team(orgname, teamname):
|
|||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>',
|
||||
methods=['DELETE'])
|
||||
@api_login_required
|
||||
def delete_organization_team(orgname, teamname):
|
||||
permission = AdministerOrganizationPermission(orgname)
|
||||
if permission.can():
|
||||
|
@ -365,6 +384,7 @@ def delete_organization_team(orgname, teamname):
|
|||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members',
|
||||
methods=['GET'])
|
||||
@api_login_required
|
||||
def get_organization_team_members(orgname, teamname):
|
||||
view_permission = ViewTeamPermission(orgname, teamname)
|
||||
edit_permission = AdministerOrganizationPermission(orgname)
|
||||
|
@ -389,6 +409,7 @@ def get_organization_team_members(orgname, teamname):
|
|||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>',
|
||||
methods=['PUT', 'POST'])
|
||||
@api_login_required
|
||||
def update_organization_team_member(orgname, teamname, membername):
|
||||
permission = AdministerOrganizationPermission(orgname)
|
||||
if permission.can():
|
||||
|
@ -416,6 +437,7 @@ def update_organization_team_member(orgname, teamname, membername):
|
|||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>',
|
||||
methods=['DELETE'])
|
||||
@api_login_required
|
||||
def delete_organization_team_member(orgname, teamname, membername):
|
||||
permission = AdministerOrganizationPermission(orgname)
|
||||
if permission.can():
|
||||
|
@ -666,6 +688,7 @@ def get_repo_builds(namespace, repository):
|
|||
|
||||
|
||||
@app.route('/api/filedrop/', methods=['POST'])
|
||||
@api_login_required
|
||||
def get_filedrop_url():
|
||||
mime_type = request.get_json()['mimeType']
|
||||
(url, file_id) = user_files.prepare_for_drop(mime_type)
|
||||
|
@ -774,7 +797,11 @@ def get_image_changes(namespace, repository, image_id):
|
|||
def list_tag_images(namespace, repository, tag):
|
||||
permission = ReadRepositoryPermission(namespace, repository)
|
||||
if permission.can() or model.repository_is_public(namespace, repository):
|
||||
tag_image = model.get_tag_image(namespace, repository, tag)
|
||||
try:
|
||||
tag_image = model.get_tag_image(namespace, repository, tag)
|
||||
except model.DataModelException:
|
||||
abort(404)
|
||||
|
||||
parent_images = model.get_parent_images(tag_image)
|
||||
|
||||
parents = list(parent_images)
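Review bot: In the new `required_json_args` decorator (hunk `@ -46,6 +46,19`), `request.get_json()` returns None when the body is not sent as JSON, and a JSON array or string is accepted as well, so `arg not in request_data` raises TypeError (a 500) instead of the intended 400, and a list body that merely contains the string 'username' passes the check and then fails in the view with a subscript error. Checking the body's shape before the membership test keeps the guard complete: `if not isinstance(request_data, dict) or arg not in request_data:` followed by the existing `abort(400)`. In the same hunk, `handle_dme` returns `ex.message` through `make_response`, so the body goes out as text/html; if a DataModelException message ever echoes request data (a username, say), a browser could render it as markup, and `return jsonify({'message': ex.message}), 400` — or at least a text/plain content type — avoids that while keeping the 400 status. Where DataModelException messages are built is outside this diff, so whether they can contain user input is an assumption to confirm.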
|
||||
|