def __call__(self): """Create a request token and include its key/secret in the response. If the consumer key is empty or the signature doesn't match, respond with a 401 status. If the key is not empty but there's no consumer with it, we register a new consumer. """ form = get_oauth_authorization(self.request) consumer_key = form.get('oauth_consumer_key') if not consumer_key: self.request.unauthorized(OAUTH_CHALLENGE) return u'' consumer_set = getUtility(IOAuthConsumerSet) consumer = consumer_set.getByKey(consumer_key) if consumer is None: consumer = consumer_set.new(key=consumer_key) if not check_oauth_signature(self.request, consumer, None): return u'' token = consumer.newRequestToken() if self.request.headers.get('Accept') == HTTPResource.JSON_TYPE: # Don't show the client the DESKTOP_INTEGRATION access # level. If they have a legitimate need to use it, they'll # already know about it. permissions = [ permission for permission in OAuthPermission.items if (permission != OAuthPermission.DESKTOP_INTEGRATION) ] return self.getJSONRepresentation( permissions, token, include_secret=True) return u'oauth_token=%s&oauth_token_secret=%s' % ( token.key, token.secret)
def initialize(self): self.storeTokenContext() form = get_oauth_authorization(self.request) key = form.get('oauth_token') if key: self.token = getUtility(IOAuthRequestTokenSet).getByKey(key) callback = self.request.form.get('oauth_callback') if (self.token is not None and self.token.consumer.is_integrated_desktop): # Nip problems in the bud by appling special rules about # what desktop integrations are allowed to do. if callback is not None: # A desktop integration is not allowed to specify a callback. raise Unauthorized( "A desktop integration may not specify an " "OAuth callback URL.") # A desktop integration token can only have one of two # permission levels: "Desktop Integration" and # "Unauthorized". It shouldn't even be able to ask for any # other level. for action in self.visible_actions: if action.permission not in ( OAuthPermission.DESKTOP_INTEGRATION, OAuthPermission.UNAUTHORIZED): raise Unauthorized( ("Desktop integration token requested a permission " '("%s") not supported for desktop-wide use.') % action.label) super(OAuthAuthorizeTokenView, self).initialize()
def storeTokenContext(self): """Store the context given by the consumer in this view.""" self.token_context = None # We have no guarantees that lp.context will be together with the # OAuth parameters, so we need to check in the Authorization header # and on the request's form if it's not in the former. oauth_data = get_oauth_authorization(self.request) context = oauth_data.get('lp.context') if not context: context = self.request.form.get('lp.context') if not context: return try: context = lookup_oauth_context(context) except ValueError: raise UnexpectedFormData("Unknown context.") self.token_context = context