Move token logic to separate RH class

indico · Oct 22, 2019 · 3577565 · 3577565
1 parent e017d4a
commit 3577565
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 11 deletions.
diff --git a/indico/modules/users/controllers.py b/indico/modules/users/controllers.py
@@ -53,8 +53,8 @@
 from indico.web.flask.util import send_file, url_for
 from indico.web.forms.base import FormDefaults
 from indico.web.http_api.metadata import Serializer
-from indico.web.rh import RH, RHProtected
-from indico.web.util import is_signed_url_valid, jsonify_data, jsonify_form, jsonify_template
+from indico.web.rh import RHProtected, RHTokenProtected
+from indico.web.util import jsonify_data, jsonify_form, jsonify_template
 
 
 IDENTITY_ATTRIBUTES = {'first_name', 'last_name', 'email', 'affiliation', 'full_name'}
@@ -139,15 +139,7 @@ def _process(self):
                                                linked_events=linked_events)
 
 
-class RHExportDashboardICS(RH):
-    def _process_args(self):
-        self.user = User.get_one(request.view_args['user_id'])
-
-    def _check_access(self):
-        token = request.args.get('token')
-        if not token or not is_signed_url_valid(self.user, request.full_path):
-            raise Forbidden
-
+class RHExportDashboardICS(RHTokenProtected):
     @use_kwargs({
         'from_': HumanizedDate(data_key='from', missing=lambda: now_utc(False) - relativedelta(weeks=1)),
         'include': fields.List(fields.Str(), missing={'linked', 'categories'}),

diff --git a/indico/web/rh.py b/indico/web/rh.py
@@ -33,6 +33,7 @@
 from indico.util.locators import get_locator
 from indico.util.signals import values_from_signal
 from indico.web.flask.util import url_for
+from indico.web.util import is_signed_url_valid
 
 
 HTTP_VERBS = {'GET', 'PATCH', 'POST', 'PUT', 'DELETE'}
@@ -332,3 +333,15 @@ def _require_user(self):
 
     def _check_access(self):
         self._require_user()
+
+
+class RHTokenProtected(RH):
+    """A request handler which is protected through a signature token parameter."""
+
+    def _process_args(self):
+        self.user = db.m.User.get_one(request.view_args['user_id'])
+
+    def _check_access(self):
+        token = request.args.get('token')
+        if not token or not is_signed_url_valid(self.user, request.full_path):
+            raise Forbidden