Fix view_in_or_basicauth decorator not working in the context of the REST API #8543
Merge from upstream
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.2 to 1.26.3. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/1.26.3/CHANGES.rst) - [Commits](urllib3/urllib3@1.26.2...1.26.3) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Toni <[email protected]>
…6881) * [Fixes GeoNode#6880] Circle CI upload tests fail irregularly * CircleCI test fix: sometimes expires due to upload timeout in the test environment * - Avoid infinite loop on upload testing * Revert "CircleCI test fix: sometimes expires due to upload timeout in the test environment" This reverts commit 66139fd. Co-authored-by: Alessio Fabiani <[email protected]> Co-authored-by: afabiani <[email protected]>
…de#6911) * get meaningful document filenames on download * - Strip extension from document title before slugifying it (e.g.: image.jpg instead of imagejpg.jpg) Co-authored-by: afabiani <[email protected]> Co-authored-by: Alessio Fabiani <[email protected]>
…loop on "wait_for_progress"
…ng slash at the end of GEOSERVER_LOCATION (GeoNode#6913) * [Fixes GeoNode#6916] gsimporter.api.NotFound caused by missing trailing slash at the end of GEOSERVER_LOCATION * [Fixes GeoNode#6916] unit test for GEOSERVER_LOCATION
Bumps [django-cors-headers](https://github.com/adamchainz/django-cors-headers) from 3.6.0 to 3.7.0. - [Release notes](https://github.com/adamchainz/django-cors-headers/releases) - [Changelog](https://github.com/adamchainz/django-cors-headers/blob/master/HISTORY.rst) - [Commits](adamchainz/django-cors-headers@3.6.0...3.7.0) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [amqp](https://github.com/celery/py-amqp) from 5.0.3 to 5.0.5. - [Release notes](https://github.com/celery/py-amqp/releases) - [Changelog](https://github.com/celery/py-amqp/blob/master/Changelog) - [Commits](celery/py-amqp@v5.0.3...v5.0.5) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pip](https://github.com/pypa/pip) from 21.0 to 21.0.1. - [Release notes](https://github.com/pypa/pip/releases) - [Changelog](https://github.com/pypa/pip/blob/master/NEWS.rst) - [Commits](pypa/pip@21.0...21.0.1) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [coverage](https://github.com/nedbat/coveragepy) from 5.3.1 to 5.4. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](nedbat/coveragepy@coverage-5.3.1...coverage-5.4) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pytest](https://github.com/pytest-dev/pytest) from 6.2.1 to 6.2.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/master/CHANGELOG.rst) - [Commits](pytest-dev/pytest@6.2.1...6.2.2) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [djangorestframework-gis](https://github.com/openwisp/django-rest-framework-gis) from 0.16 to 0.17. - [Release notes](https://github.com/openwisp/django-rest-framework-gis/releases) - [Changelog](https://github.com/openwisp/django-rest-framework-gis/blob/master/CHANGES.rst) - [Commits](openwisp/django-rest-framework-gis@v0.16.0...v0.17.0) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… it has… (GeoNode#6923) * [Fixes GeoNode#6922][REST API v2] Expose the curated thumbnail URL if it has been uploaded * - Add REST APIs test suite to CircleCI
* [Cleanup and Refactor] Remove QGIS server backend dependencies * [Cleanup and Refactor] Remove QGIS server backend dependencies * - Fix LGTM issues
…iddleware Feature#650 basic auth middleware
Upstream master
…olutions_master
This shall allow this to work with either GUI or API interactions. The previous implementation relied on django.contrib.gis.auth.get_user(), which assumes we are working in the context of a django HTTP session - and the REST API does not require sessions.
The `login_required` decorator already checks if there is an authenticated user, so there is no need to perform a similar check inside a view that has that decorator applied.
| Secret | Commit | Filename | Detected At |
|---|---|---|---|
| Django Secret Key | 0b8cbac | .env_dev | 12:32 December 23rd, 2021 |
| Django Secret Key | 0b8cbac | .env_local | 12:32 December 23rd, 2021 |
| Django Secret Key | 9669e80 | .devcontainer/.env | 12:32 December 23rd, 2021 |
| Django Secret Key | 5fa8dac | .devcontainer/.env | 12:32 December 23rd, 2021 |
| Django Secret Key | 5fa8dac | .env_dev | 12:32 December 23rd, 2021 |
| Django Secret Key | 5fa8dac | .env_local | 12:32 December 23rd, 2021 |
| Generic High Entropy Secret | 354764e | .env | 21:32 May 27th, 2021 |
| Django Secret Key | e5cf581 | .env_dev | 14:37 September 29th, 2021 |
| Generic High Entropy Secret | e5cf581 | .env_dev | 14:37 September 29th, 2021 |
| Django Secret Key | e5cf581 | .env_local | 14:37 September 29th, 2021 |
| Django Secret Key | e5cf581 | .env_test | 14:37 September 29th, 2021 |
| Generic High Entropy Secret | e5cf581 | .env_test | 14:37 September 29th, 2021 |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn the best practices here.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
GitGuardian is an automated secrets detection service. We help developers and security teams secure the modern software development process.
Our GitHub checks need improvements? Share your feedback
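The pre-commit secret detection recommended in the guidelines above, as an added example that is neither GitGuardian's code nor part of the GeoNode repository. It applies two rules that mirror the two detector types in the report (a credential-named key with a non-trivial value, and a generic high-entropy value), the thresholds are assumptions, and the staged `.env` contents are constructed with made-up values:

```python
"""Constructed example of a pre-commit style secret check over .env files.

Not GitGuardian's code and not part of GeoNode: the rules, thresholds and the
sample contents below are assumptions made for this demonstration.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Keys whose values are almost always credentials (assumed list of name fragments).
SECRET_KEY_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)


def shannon_entropy(value: str) -> float:
    """Bits per character, estimated from the value's own character frequencies."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_env(text: str) -> List[dict]:
    """Apply the named-secret rule, then the generic high-entropy rule, to KEY=VALUE lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("'\"")
        entropy = shannon_entropy(value)
        if SECRET_KEY_NAME.search(key) and len(value) >= 20 and entropy >= 3.5:
            rule = "named-secret"
        elif len(value) >= 32 and entropy >= 4.0:
            rule = "generic-high-entropy"
        else:
            continue
        findings.append({"line": lineno, "key": key, "rule": rule, "entropy": round(entropy, 2)})
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[dict]]:
    """Scan several staged files; only files with findings appear in the result."""
    return {path: hits for path, hits in ((p, scan_env(t)) for p, t in files.items()) if hits}


def precommit_exit_code(files: Dict[str, str]) -> int:
    """Non-zero blocks the commit, which is what a pre-commit hook relies on."""
    return 1 if scan_files(files) else 0


# Constructed staged contents (made-up values, not the repository's real .env files).
STAGED = {
    ".env_dev": (
        "DEBUG=True\n"
        "ALLOWED_HOSTS=localhost\n"
        "SECRET_KEY=django-insecure-3k$x!9q@z#w2r&7p^v4m*b8n(c1h)d6f_y5t+u0s%e\n"
        "DATABASE_URL=postgres://geonode:geonode@db:5432/geonode\n"
        "OPAQUE_VALUE=aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW+xY/zCdEfGhI\n"
    ),
    # A weak placeholder falls below both thresholds: entropy rules catch leaked
    # random secrets, not known-bad defaults, which need a separate denylist check.
    ".env_test": "SECRET_KEY=changeme\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(STAGED).items():
        for hit in hits:
            print(f"{path}:{hit['line']} {hit['key']} [{hit['rule']}] entropy={hit['entropy']}")
    raise SystemExit(precommit_exit_code(STAGED))
```

Running it as a hook means wiring `scan_files` to the staged file list from `git diff --cached --name-only`; the exit code alone is what stops the commit. Note that the `DATABASE_URL` line is not flagged by either rule even though it embeds a password, which is why a name-based rule for connection strings is a worthwhile third rule in practice.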
This pull request introduces 2 alerts when merging f51ef29 into 28357a5 - view on LGTM.com new alerts:

This pull request introduces 1 alert when merging 06b08ae into 28357a5 - view on LGTM.com new alerts:
Codecov Report

```diff
@@            Coverage Diff             @@
##           master    #8543      +/-   ##
==========================================
+ Coverage   58.48%   58.60%   +0.11%
==========================================
  Files         780      780
  Lines       46483    46480       -3
  Branches     6917     6916       -1
==========================================
+ Hits        27187    27240      +53
+ Misses      17788    17737      -51
+ Partials     1508     1503       -5
```
@ricardogsilva shouldn't we backport this to 3.3.x too?
This PR changes the `geonode.decorators.view_or_basicauth()` function in order to get the current user by looking at the request directly instead of using `django.contrib.auth.get_user()`. This change was done in order to allow dataset uploads via REST API to work.

The REST API's `/api/v2/uploads/upload/` endpoint eventually ends up using `view_or_basicauth` in order to check whether to allow the upload view to get called. When using the REST API via a non-browser client, with OAuth2, there will not be any django session where the user is already stored. This means that `django.contrib.auth.get_user()` will fail, as it relies on sessions.

The proposed implementation simply uses `request.user` in order to get the current user. This ought to work on both occasions, as it relies on the django auth middleware having already performed its duty and enhanced the django `request` object with a user (be it a regular user or an AnonymousUser).

fixes #8541
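The decorator behaviour described in the PR, as an added example that is not GeoNode's or Django's code: the `User`, `AnonymousUser` and `Request` classes, the `USERS` credential store and `upload_view` are constructed stand-ins so the example runs without Django, and `get_user_from_session` models the old session-bound lookup. It shows the three clients the description distinguishes (an OAuth2 client for which the middleware already set `request.user` but no session exists, a Basic-auth client, and an anonymous one) and why reading `request.user` works for all of them:

```python
"""Constructed model of the decorator change discussed in the PR.

Not GeoNode's or Django's code: the classes below are minimal stand-ins
so the example runs without Django.
"""
import base64
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class User:
    username: str
    password: str                 # plaintext only for this demo; real systems store hashes
    is_authenticated: bool = True


@dataclass
class AnonymousUser:
    username: str = ""
    is_authenticated: bool = False


@dataclass
class Request:
    META: dict = field(default_factory=dict)
    user: object = field(default_factory=AnonymousUser)  # populated by the auth middleware
    session: Optional[dict] = None                       # None models a session-less API client


# Constructed credential store (stand-in for Django's authentication backends).
USERS = {"alice": User("alice", "correct horse battery")}


def authenticate(username: str, password: str) -> Optional[User]:
    user = USERS.get(username)
    if user is None:
        return None
    # constant-time comparison so a wrong guess does not leak a matching prefix via timing
    return user if secrets.compare_digest(user.password.encode(), password.encode()) else None


def get_user_from_session(request: Request):
    """Models the old lookup: it needs a session, which OAuth2 API clients never carry."""
    if request.session is None:
        raise AttributeError("request has no session; cannot resolve the user")
    return USERS.get(request.session.get("_auth_user_id"), AnonymousUser())


def _user_from_basic_auth(request: Request) -> Optional[User]:
    """Parse an ``Authorization: Basic`` header and authenticate its credentials."""
    scheme, _, payload = request.META.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # a malformed header is treated as "no credentials", never as an error page
    username, sep, password = decoded.partition(":")
    return authenticate(username, password) if sep else None


def view_or_basicauth(view: Callable, request: Request,
                      test_func: Callable = lambda u: u.is_authenticated):
    """After the change: trust request.user as set by the middleware, session or not."""
    if test_func(request.user):
        return view(request)
    basic_user = _user_from_basic_auth(request)
    if basic_user is not None and test_func(basic_user):
        request.user = basic_user
        return view(request)
    return 401, {"WWW-Authenticate": 'Basic realm="api"'}


def upload_view(request: Request):
    return 200, f"upload accepted for {request.user.username}"


def basic_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def demo() -> dict:
    """OAuth2 client (middleware set request.user, no session), Basic-auth client, anonymous."""
    oauth2 = Request(user=User("alice", "correct horse battery"))
    basic = Request(META={"HTTP_AUTHORIZATION": basic_header("alice", "correct horse battery")})
    anon = Request()
    results = {
        "oauth2_status": view_or_basicauth(upload_view, oauth2)[0],
        "basic_status": view_or_basicauth(upload_view, basic)[0],
        "anonymous_status": view_or_basicauth(upload_view, anon)[0],
    }
    try:
        get_user_from_session(oauth2)  # the old path on the same session-less request
        results["old_lookup_failed"] = False
    except AttributeError:
        results["old_lookup_failed"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point to keep in mind when reviewing this pattern is that `request.user` is only trustworthy because the authentication middleware runs before the view; a view reachable through a URL configuration that bypasses that middleware would see whatever the `Request` was constructed with, so the decorator's correctness depends on middleware ordering, not on the decorator alone.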