def __call__(self):
"""Create a request token and include its key/secret in the response.
If the consumer key is empty or the signature doesn't match, respond
with a 401 status. If the key is not empty but there's no consumer
with it, we register a new consumer.
"""
form = get_oauth_authorization(self.request)
consumer_key = form.get('oauth_consumer_key')
if not consumer_key:
self.request.unauthorized(OAUTH_CHALLENGE)
return u''
consumer_set = getUtility(IOAuthConsumerSet)
consumer = consumer_set.getByKey(consumer_key)
if consumer is None:
consumer = consumer_set.new(key=consumer_key)
if not check_oauth_signature(self.request, consumer, None):
return u''
token = consumer.newRequestToken()
if self.request.headers.get('Accept') == HTTPResource.JSON_TYPE:
# Don't show the client the DESKTOP_INTEGRATION access
# level. If they have a legitimate need to use it, they'll
# already know about it.
permissions = [
permission for permission in OAuthPermission.items
if (permission != OAuthPermission.DESKTOP_INTEGRATION)
]
return self.getJSONRepresentation(
permissions, token, include_secret=True)
return u'oauth_token=%s&oauth_token_secret=%s' % (
token.key, token.secret)
def initialize(self):
self.storeTokenContext()
form = get_oauth_authorization(self.request)
key = form.get('oauth_token')
if key:
self.token = getUtility(IOAuthRequestTokenSet).getByKey(key)
callback = self.request.form.get('oauth_callback')
if (self.token is not None
and self.token.consumer.is_integrated_desktop):
# Nip problems in the bud by appling special rules about
# what desktop integrations are allowed to do.
if callback is not None:
# A desktop integration is not allowed to specify a callback.
raise Unauthorized(
"A desktop integration may not specify an "
"OAuth callback URL.")
# A desktop integration token can only have one of two
# permission levels: "Desktop Integration" and
# "Unauthorized". It shouldn't even be able to ask for any
# other level.
for action in self.visible_actions:
if action.permission not in (
OAuthPermission.DESKTOP_INTEGRATION,
OAuthPermission.UNAUTHORIZED):
raise Unauthorized(
("Desktop integration token requested a permission "
'("%s") not supported for desktop-wide use.')
% action.label)
super(OAuthAuthorizeTokenView, self).initialize()
def storeTokenContext(self):
"""Store the context given by the consumer in this view."""
self.token_context = None
# We have no guarantees that lp.context will be together with the
# OAuth parameters, so we need to check in the Authorization header
# and on the request's form if it's not in the former.
oauth_data = get_oauth_authorization(self.request)
context = oauth_data.get('lp.context')
if not context:
context = self.request.form.get('lp.context')
if not context:
return
try:
context = lookup_oauth_context(context)
except ValueError:
raise UnexpectedFormData("Unknown context.")
self.token_context = context
