add token check to raw_open edit view

2017-06-22 15:48:45 +02:00 · 2017-06-22 15:48:45 +02:00 · 19847ac9d8
commit 19847ac9d8
parent 98f5f0c391
4 changed files with 16 additions and 3 deletions
--- a/cof/settings/common.py
+++ b/cof/settings/common.py
@ -24,7 +24,7 @@ except KeyError:
 try:
    from .secret import (
        SECRET_KEY, RECAPTCHA_PUBLIC_KEY, RECAPTCHA_PRIVATE_KEY, ADMINS,
-        REDIS_PASSWD, REDIS_DB, REDIS_HOST, REDIS_PORT
+        REDIS_PASSWD, REDIS_DB, REDIS_HOST, REDIS_PORT, KFETOPEN_TOKEN,
    )
 except ImportError:
    raise RuntimeError("Secrets missing")
--- a/cof/settings/secret_example.py
+++ b/cof/settings/secret_example.py
@ -6,3 +6,5 @@ REDIS_PORT = 6379
 REDIS_DB = 0
 REDIS_HOST = "127.0.0.1"
 ADMINS = None
+
+KFETOPEN_TOKEN = "plop"
--- a/kfet/open/tests.py
+++ b/kfet/open/tests.py
@ -136,7 +136,10 @@ class OpenKfetViewsTest(ChannelTestCase):
    def test_door(self):
        """Edit raw_status."""
        for sent, expected in [(1, True), (0, False)]:
-            resp = Client().post('/k-fet/open/raw_open', {'raw_open': sent})
+            resp = Client().post('/k-fet/open/raw_open', {
+                'raw_open': sent,
+                'token': 'plop',
+            })
            self.assertEqual(200, resp.status_code)
            self.assertEqual(expected, kfet_open.raw_open)

@ -254,7 +257,10 @@ class OpenKfetScenarioTest(ChannelTestCase):
        self.ws_connect(self.r_c_ws)

        # door sent "I'm open!"
-        self.c.post('/k-fet/open/raw_open', {'raw_open': True})
+        self.c.post('/k-fet/open/raw_open', {
+            'raw_open': True,
+            'token': 'plop',
+        })

        # anonymous user agree
        msg = self.c_ws.receive(json=True)
--- a/kfet/open/views.py
+++ b/kfet/open/views.py
@ -1,3 +1,5 @@
+from django.conf import settings
+from django.core.exceptions import PermissionDenied
 from django.contrib.auth.decorators import permission_required
 from django.http import HttpResponse
 from django.views.decorators.csrf import csrf_exempt
@ -12,6 +14,9 @@ TRUE_STR = ['1', 'True', 'true']
@csrf_exempt
@require_POST
 def raw_open(request):
+    token = request.POST.get('token')
+    if token != settings.KFETOPEN_TOKEN:
+        raise PermissionDenied
    raw_open = request.POST.get('raw_open') in TRUE_STR
    kfet_open.raw_open = raw_open
    kfet_open.send_ws()