add token check to raw_open edit view

This commit is contained in:
Aurélien Delobelle 2017-06-22 15:48:45 +02:00
parent 98f5f0c391
commit 19847ac9d8
4 changed files with 16 additions and 3 deletions


@ -24,7 +24,7 @@ except KeyError:
try: try:
from .secret import ( from .secret import (
SECRET_KEY, RECAPTCHA_PUBLIC_KEY, RECAPTCHA_PRIVATE_KEY, ADMINS, SECRET_KEY, RECAPTCHA_PUBLIC_KEY, RECAPTCHA_PRIVATE_KEY, ADMINS,
REDIS_PASSWD, REDIS_DB, REDIS_HOST, REDIS_PORT REDIS_PASSWD, REDIS_DB, REDIS_HOST, REDIS_PORT, KFETOPEN_TOKEN,
) )
except ImportError: except ImportError:
raise RuntimeError("Secrets missing") raise RuntimeError("Secrets missing")


@ -6,3 +6,5 @@ REDIS_PORT = 6379
REDIS_DB = 0 REDIS_DB = 0
REDIS_HOST = "127.0.0.1" REDIS_HOST = "127.0.0.1"
ADMINS = None ADMINS = None
KFETOPEN_TOKEN = "plop"
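Review bot: The example value `"plop"` is the same literal the tests post in the two test hunks, so a deployment that copies this example file unchanged ends up with a shared secret that is published in the repository and accepted by the csrf-exempt `raw_open` endpoint. The new line would benefit from a comment telling the operator it must be replaced, e.g. `# Shared secret required by the raw_open view; set a long random value per deployment.` Having the tests read the value from settings rather than repeating the literal would also let this example value change without breaking the suite.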


@ -136,7 +136,10 @@ class OpenKfetViewsTest(ChannelTestCase):
def test_door(self): def test_door(self):
"""Edit raw_status.""" """Edit raw_status."""
for sent, expected in [(1, True), (0, False)]: for sent, expected in [(1, True), (0, False)]:
resp = Client().post('/k-fet/open/raw_open', {'raw_open': sent}) resp = Client().post('/k-fet/open/raw_open', {
'raw_open': sent,
'token': 'plop',
})
self.assertEqual(200, resp.status_code) self.assertEqual(200, resp.status_code)
self.assertEqual(expected, kfet_open.raw_open) self.assertEqual(expected, kfet_open.raw_open)
@ -254,7 +257,10 @@ class OpenKfetScenarioTest(ChannelTestCase):
self.ws_connect(self.r_c_ws) self.ws_connect(self.r_c_ws)
# door sent "I'm open!" # door sent "I'm open!"
self.c.post('/k-fet/open/raw_open', {'raw_open': True}) self.c.post('/k-fet/open/raw_open', {
'raw_open': True,
'token': 'plop',
})
# anonymous user agree # anonymous user agree
msg = self.c_ws.receive(json=True) msg = self.c_ws.receive(json=True)
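Review bot: Neither hunk exercises the rejection path the commit introduces: both `test_door` and the scenario test only post the correct token, and they hardcode `'plop'` instead of `settings.KFETOPEN_TOKEN`, which couples the suite to the example secrets file. A negative test asserting that a missing or wrong token yields 403 (what `PermissionDenied` maps to) would pin the new behaviour; a sketch for `OpenKfetViewsTest` follows. If `settings` is not already imported in this test module, `from django.conf import settings` would be needed for the positive tests to use it. The second hunk's enclosing test method starts before and ends after the visible lines.
```python
def test_door_bad_token(self):
    """raw_open refuses a missing or wrong token."""
    for data in [{'raw_open': 1}, {'raw_open': 1, 'token': 'not-the-token'}]:
        resp = Client().post('/k-fet/open/raw_open', data)
        self.assertEqual(403, resp.status_code)
```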


@ -1,3 +1,5 @@
from django.conf import settings
from django.core.exceptions import PermissionDenied
from django.contrib.auth.decorators import permission_required from django.contrib.auth.decorators import permission_required
from django.http import HttpResponse from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt from django.views.decorators.csrf import csrf_exempt
@ -12,6 +14,9 @@ TRUE_STR = ['1', 'True', 'true']
@csrf_exempt @csrf_exempt
@require_POST @require_POST
def raw_open(request): def raw_open(request):
token = request.POST.get('token')
if token != settings.KFETOPEN_TOKEN:
raise PermissionDenied
raw_open = request.POST.get('raw_open') in TRUE_STR raw_open = request.POST.get('raw_open') in TRUE_STR
kfet_open.raw_open = raw_open kfet_open.raw_open = raw_open
kfet_open.send_ws() kfet_open.send_ws()
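Review bot: The token check on the `if token != settings.KFETOPEN_TOKEN:` line is a plain string comparison, which short-circuits on the first differing character; for a shared secret accepted by a csrf-exempt, unauthenticated endpoint the usual practice is a constant-time comparison. Django ships one: add `from django.utils.crypto import constant_time_compare` to the import hunk above and change the two lines to `token = request.POST.get('token', '')` and `if not constant_time_compare(token, settings.KFETOPEN_TOKEN):`, keeping `raise PermissionDenied` as is. Defaulting the missing-token case to `''` rather than `None` also keeps the comparison operating on strings only. The `raw_open` body may continue past the last visible line.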