def test_acc_get_uid_from_request(self): """webapikey - Login user from request using REST key""" path = '/search' params = 'ln=es&sc=1&c=Articles & Preprints&action_search=Buscar&p=ellis' self.assertEqual(0, len(web_api_key.show_web_api_keys(uid=self.id_admin))) web_api_key.create_new_web_api_key(self.id_admin, "Test key I") key_info = run_sql("SELECT id FROM webapikey WHERE id_user=%s", (self.id_admin,)) url = web_api_key.build_web_request(path, params, api_key=key_info[0][0]) url = string.split(url, '?') uid = web_api_key.acc_get_uid_from_request(url[0], url[1]) self.assertEqual(uid, self.id_admin) url = web_api_key.build_web_request(path, params, api_key=key_info[0][0]) url += "123" # corrupt the key url = string.split(url, '?') uid = web_api_key.acc_get_uid_from_request(url[0], url[1]) self.assertEqual(uid, -1) path = '/bad' uid = web_api_key.acc_get_uid_from_request(path, "") self.assertEqual(uid, -1) params = { 'nocache': 'yes', 'limit': 123 } url = web_api_key.build_web_request(path, params, api_key=key_info[0][0]) url = string.split(url, '?') uid = web_api_key.acc_get_uid_from_request(url[0], url[1]) self.assertEqual(uid, -1) run_sql("DELETE FROM webapikey")
def test_acc_get_uid_from_request(self): """webapikey - Login user from request using REST key""" path = '/search' params = 'ln=es&sc=1&c=Articles & Preprints&action_search=Buscar&p=ellis' self.assertEqual(0, len(web_api_key.show_web_api_keys(uid=self.id_admin))) web_api_key.create_new_web_api_key(self.id_admin, "Test key I") key_info = run_sql("SELECT id FROM webapikey WHERE id_user=%s", (self.id_admin, )) url = web_api_key.build_web_request(path, params, api_key=key_info[0][0]) url = string.split(url, '?') uid = web_api_key.acc_get_uid_from_request(url[0], url[1]) self.assertEqual(uid, self.id_admin) url = web_api_key.build_web_request(path, params, api_key=key_info[0][0]) url += "123" # corrupt the key url = string.split(url, '?') uid = web_api_key.acc_get_uid_from_request(url[0], url[1]) self.assertEqual(uid, -1) path = '/bad' uid = web_api_key.acc_get_uid_from_request(path, "") self.assertEqual(uid, -1) params = {'nocache': 'yes', 'limit': 123} url = web_api_key.build_web_request(path, params, api_key=key_info[0][0]) url = string.split(url, '?') uid = web_api_key.acc_get_uid_from_request(url[0], url[1]) self.assertEqual(uid, -1) run_sql("DELETE FROM webapikey")
def _handler(req): """ This handler is invoked by mod_python with the apache request.""" allowed_methods = ("GET", "POST", "HEAD", "OPTIONS", "PUT") #req.allow_methods(allowed_methods, 1) #if req.method not in allowed_methods: # raise apache.SERVER_RETURN, apache.HTTP_METHOD_NOT_ALLOWED if req.method == 'OPTIONS': ## OPTIONS is used to now which method are allowed req.headers_out['Allow'] = ', '.join(allowed_methods) raise apache.SERVER_RETURN, apache.OK # Set user agent for fckeditor.py, which needs it here os.environ["HTTP_USER_AGENT"] = req.headers_in.get('User-Agent', '') # Check if REST authentication can be performed if req.args: args = cgi.parse_qs(req.args) if 'apikey' in args and req.is_https(): uid = web_api_key.acc_get_uid_from_request(req.uri, req.args) if uid < 0: raise apache.SERVER_RETURN, apache.HTTP_UNAUTHORIZED else: setUid(req=req, uid=uid) guest_p = isGuestUser(getUid(req), run_on_slave=False) uri = req.uri if uri == '/': path = [''] else: ## Let's collapse multiple slashes into a single / uri = RE_SLASHES.sub('/', uri) path = uri[1:].split('/') if CFG_ACCESS_CONTROL_LEVEL_SITE > 1: ## If the site is under maintainance mode let's return ## 503 to casual crawler to avoid having the site being ## indexed req.status = 503 g = _RE_BAD_MSIE.search(req.headers_in.get('User-Agent', "MSIE 6.0")) bad_msie = g and float(g.group(1)) < 9.0 if uri.startswith('/yours') or not guest_p: ## Private/personalized request should not be cached if bad_msie and req.is_https(): req.headers_out['Cache-Control'] = 'private, max-age=0, must-revalidate' else: req.headers_out['Cache-Control'] = 'private, no-cache, no-store, max-age=0, must-revalidate' req.headers_out['Pragma'] = 'no-cache' req.headers_out['Vary'] = '*' elif not (bad_msie and req.is_https()): req.headers_out['Cache-Control'] = 'public, max-age=3600' req.headers_out['Vary'] = 'Cookie, ETag, Cache-Control' try: if req.header_only and not RE_SPECIAL_URI.match(req.uri): return root._traverse(req, path, True, guest_p) else: ## bibdocfile have a special treatment for HEAD return root._traverse(req, path, False, guest_p) except TraversalError: raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND except apache.SERVER_RETURN: ## This is one of mod_python way of communicating raise except IOError, exc: if 'Write failed, client closed connection' not in "%s" % exc: ## Workaround for considering as false positive exceptions ## rised by mod_python when the user close the connection ## or in some other rare and not well identified cases. register_exception(req=req, alert_admin=True) raise
def _handler(req): """ This handler is invoked by mod_python with the apache request.""" allowed_methods = ("GET", "POST", "HEAD", "OPTIONS", "PUT") req.allow_methods(allowed_methods, 1) if req.method not in allowed_methods: raise apache.SERVER_RETURN, apache.HTTP_METHOD_NOT_ALLOWED if req.method == 'OPTIONS': ## OPTIONS is used to now which method are allowed req.headers_out['Allow'] = ', '.join(allowed_methods) raise apache.SERVER_RETURN, apache.OK # Set user agent for fckeditor.py, which needs it here os.environ["HTTP_USER_AGENT"] = req.headers_in.get('User-Agent', '') # Check if REST authentication can be performed if req.args: args = cgi.parse_qs(req.args) if 'apikey' in args and req.is_https(): uid = web_api_key.acc_get_uid_from_request(req.uri, req.args) if uid < 0: raise apache.SERVER_RETURN, apache.HTTP_UNAUTHORIZED else: setUid(req=req, uid=uid) guest_p = isGuestUser(getUid(req), run_on_slave=False) uri = req.uri if uri == '/': path = [''] else: ## Let's collapse multiple slashes into a single / uri = RE_SLASHES.sub('/', uri) path = uri[1:].split('/') if CFG_ACCESS_CONTROL_LEVEL_SITE > 1: ## If the site is under maintainance mode let's return ## 503 to casual crawler to avoid having the site being ## indexed req.status = 503 g = _RE_BAD_MSIE.search(req.headers_in.get('User-Agent', "MSIE 6.0")) bad_msie = g and float(g.group(1)) < 9.0 if uri.startswith('/yours') or not guest_p: ## Private/personalized request should not be cached if bad_msie and req.is_https(): req.headers_out['Cache-Control'] = 'private, max-age=0, must-revalidate' else: req.headers_out['Cache-Control'] = 'private, no-cache, no-store, max-age=0, must-revalidate' req.headers_out['Pragma'] = 'no-cache' req.headers_out['Vary'] = '*' elif not (bad_msie and req.is_https()): req.headers_out['Cache-Control'] = 'public, max-age=3600' req.headers_out['Vary'] = 'Cookie, ETag, Cache-Control' try: if req.header_only and not RE_SPECIAL_URI.match(req.uri): return root._traverse(req, path, True, guest_p) else: ## bibdocfile have a special treatment for HEAD return root._traverse(req, path, False, guest_p) except TraversalError: raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND except apache.SERVER_RETURN: ## This is one of mod_python way of communicating raise except IOError, exc: if 'Write failed, client closed connection' not in "%s" % exc: ## Workaround for considering as false positive exceptions ## rised by mod_python when the user close the connection ## or in some other rare and not well identified cases. register_exception(req=req, alert_admin=True) raise