[HotFix] Fix BingPreview Issue [OSF-7581] #6938
Conversation
first pass complete
framework/auth/views.py
@@ -50,6 +50,12 @@ def reset_password_get(auth, uid=None, token=None): | |||
:raises: HTTPError(http.BAD_REQUEST) if verification key for the user is invalid, has expired or was used | |||
""" | |||
|
|||
# TODO [CAS-10][OSF-7566]: implement long-term fix for URL preview/prefetch |
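Review bot: the TODO on the added line cites CAS-10 and OSF-7566, while this PR is filed under OSF-7581 (see the Tickets section); either add OSF-7581 to the TODO or state in it that OSF-7566 tracks the long-term fix, so the trail from this hotfix to its follow-up is unambiguous. The hunk header shows the block growing from 6 to 12 lines, but the TODO itself does not say what the short-term workaround beneath it does; a one-line note that the view refuses URL preview/prefetch agents so they cannot consume the one-time verification key would help the next reader.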
Please use a function decorator, see https://github.com/CenterForOpenScience/osf.io/blob/master/framework/auth/decorators.py#L17
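The decorator approach the reviewer asks for, as an added illustration that is not code from the osf.io repository: a hypothetical `block_url_preview` decorator (the real project's decorator name, request object and `HTTPError` class are not reproduced; the `Request`, `HTTPError` and `TokenStore` classes below are constructed stand-ins) applied to a hypothetical token-consuming view. `run_scenario` replays the failure mode the PR fixes: a link previewer fetches the reset/confirm URL before the recipient does, and without the guard it burns the single-use token so the real user gets an error. Matching is case-insensitive here, which is a hardening choice beyond the PR's exact-case check.

```python
import functools

# Constructed stand-ins for the framework pieces the PR touches (assumption:
# the real osf.io views use Flask's `request` and framework.exceptions.HTTPError).
FORBIDDEN = 403
BAD_REQUEST = 400


class HTTPError(Exception):
    """Minimal stand-in for the framework's HTTPError exception."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


class Request:
    """Minimal stand-in for a Flask request: only headers are needed here."""

    def __init__(self, headers=None):
        self.headers = dict(headers or {})


# Substrings identifying link-preview / prefetch agents that fetch a URL
# before (or instead of) the recipient clicking it. The PR only names
# BingPreview; matching is case-insensitive here as a hardening choice.
PREVIEW_AGENT_MARKERS = ('bingpreview',)


def is_preview_agent(user_agent):
    """True if the User-Agent value identifies a known preview/prefetch bot.

    A missing header (None) is treated as a normal client, as in the PR.
    """
    if not user_agent:
        return False
    ua = user_agent.lower()
    return any(marker in ua for marker in PREVIEW_AGENT_MARKERS)


def block_url_preview(view):
    """Decorator: raise 403 for preview bots before the view runs.

    The view never executes for a preview agent, so whatever one-time
    token it would have consumed stays valid for the real user.
    """
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        if is_preview_agent(request.headers.get('User-Agent')):
            raise HTTPError(FORBIDDEN)
        return view(request, *args, **kwargs)
    return wrapped


class TokenStore:
    """Single-use verification keys, as used by reset/confirm links."""

    def __init__(self):
        self._tokens = {}

    def issue(self, uid, token):
        self._tokens[token] = uid

    def consume(self, token):
        uid = self._tokens.pop(token, None)
        if uid is None:
            # invalid, expired or already used
            raise HTTPError(BAD_REQUEST)
        return uid


@block_url_preview
def reset_password_get(request, store, token):
    """Hypothetical token-consuming view (not the osf.io implementation)."""
    uid = store.consume(token)
    return {'status': 200, 'uid': uid}


# Constructed sample User-Agent strings.
BING_PREVIEW_UA = ('Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 '
                   '(KHTML, like Gecko) Chrome/58.0 Safari/537.36 BingPreview/1.0b')
BROWSER_UA = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0'


def run_scenario(guarded):
    """Replay 'previewer hits the link, then the user does' and return the
    outcome of each request: 'ok' or the HTTP error code."""
    store = TokenStore()
    store.issue('user-1', 'tok-abc')
    # functools.wraps exposes the undecorated view as __wrapped__
    view = reset_password_get if guarded else reset_password_get.__wrapped__
    outcomes = []
    for ua in (BING_PREVIEW_UA, BROWSER_UA):
        try:
            view(Request({'User-Agent': ua}), store, 'tok-abc')
            outcomes.append('ok')
        except HTTPError as err:
            outcomes.append(err.code)
    return outcomes


if __name__ == '__main__':
    print('guarded:  ', run_scenario(True))    # [403, 'ok']
    print('unguarded:', run_scenario(False))   # ['ok', 400]
```

The decorator belongs on every GET view that consumes a one-time key (the later comment in this thread lists reset_password_get, confirm_email_get, external_login_confirm_email_get, claim_user_form and claim_user_registered). Note the limit of the technique: a User-Agent check stops a cooperative crawler that identifies itself; it is not an access control, since any client can omit or rewrite the header.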
Force-pushed from e33cb49 to 78c91f3.
Add tests please.
@cslzchen, appears this might be failing due to an earlier issue in master, maybe rebase/merge the latest master? e.g. https://travis-ci.org/CenterForOpenScience/osf.io/jobs/206793730#L5994
Force-pushed from ea3f44e to 9ebba39.
@icereval I do have the latest master for the failed tests. Maybe just a probabilistic failure? I amended the commit to trigger a new run of Travis.
Force-pushed from 9ebba39 to fcc1b13.
- new user
- link/create ORCiD user
- user add email
- user merge account
- reset password
- new user claim contributorship
- existing user claim contributorship
Force-pushed from 46adef6 to bc666ec.
in case the
@@ -4701,5 +4702,193 @@ def test_dashboard_institutions(self): | |||
assert_not_equal(dashboard_institutions[0]['id'], self.inst_four._id) | |||
assert_not_equal(dashboard_institutions[0]['id'], self.inst_five._id) | |||
|
|||
|
|||
class TestConfirmationViewBlockBingPreview(OsfTestCase): |
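Review bot: TestConfirmationViewBlockBingPreview is appended to test_views.py directly after test_dashboard_institutions, an unrelated dashboard test, and carries no docstring; add a class docstring naming the views it covers (the author's later comment lists reset_password_get, confirm_email_get, external_login_confirm_email_get, claim_user_form and claim_user_registered) so the BingPreview coverage is discoverable from the test file itself rather than from this PR thread.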
I decided to put all BingPreview blocking tests together in one class, TestConfirmationViewBlockBingPreview in test/test_views.py, since tests for reset_password_get, confirm_email_get, external_login_confirm_email_get, claim_user_form and claim_user_registered are scattered in different places.
@functools.wraps(func) | ||
def wrapped(*args, **kwargs): | ||
user_agent = request.headers.get('User-Agent') | ||
if user_agent and 'BingPreview' in user_agent: |
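Review bot: `'BingPreview' in user_agent` is a case-sensitive substring match on a client-supplied header, so it only stops the cooperative Bing previewer that identifies itself; any client that omits or rewrites the header passes through, and a missing header is deliberately allowed by the `if user_agent and ...` guard. That is fine for the stated goal (keep the previewer from consuming a one-time link), but a comment on the decorator should say it is not an access control, and `user_agent.lower()` with a lower-case marker would be more robust if the token ever appears in other capitalisations.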
Request may not have the User-Agent header.
def wrapped(*args, **kwargs): | ||
user_agent = request.headers.get('User-Agent') | ||
if user_agent and 'BingPreview' in user_agent: | ||
return HTTPError(httplib.FORBIDDEN) |
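Review bot: `return HTTPError(httplib.FORBIDDEN)` hands the error object back as the view's return value instead of raising it; the views.py hunk's docstring (`:raises: HTTPError(http.BAD_REQUEST) ...`) shows HTTPError is the framework's exception type, so this should be `raise HTTPError(httplib.FORBIDDEN)` for the client to actually receive a 403. Also note `http.BAD_REQUEST` in views.py versus `httplib.FORBIDDEN` here: two import names for the same status-code module; pick one.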
Return HTTP 403.
Note
@icereval FYI @brianjgeiger
Security-related issue. Please refer to the ticket.
Tickets
https://openscience.atlassian.net/browse/OSF-7581