[api] fix operation with osc again, send a 401 for modifying operatio…

…ns without given account, not 403
openSUSE · Jan 29, 2014 · 76d4aee · 76d4aee
1 parent b3055ef
commit 76d4aee
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 1 deletion.
diff --git a/src/api/app/controllers/application_controller.rb b/src/api/app/controllers/application_controller.rb
@@ -37,6 +37,7 @@ class AuthenticationRequiredError < APIException
   before_action :setup_backend
   before_action :shutup_rails
   before_action :validate_params
+  before_action :require_login
 
   #contains current authentification method, one of (:proxy, :basic)
   attr_accessor :auth_method
@@ -559,6 +560,12 @@ class AnonymousUser < APIException
    setup 401
   end
 
+  def require_login
+    # we may allow anonymous GET operations (if configured) but we require
+    # a valid account on other opertations
+    be_not_nobody! unless request.get?
+  end
+
   def be_not_nobody!
     if !User.current || User.current.is_nobody?
       raise AnonymousUser.new  "Anonymous user is not allowed here - please login"

diff --git a/src/api/app/controllers/public_controller.rb b/src/api/app/controllers/public_controller.rb
@@ -4,6 +4,7 @@ class PublicController < ApplicationController
   # we need to fall back to _nobody_ (_public_)
   before_action :extract_user_public
   skip_before_action :extract_user
+  skip_before_action :require_login
 
   def extract_user_public
     # to become _public_ special user

diff --git a/src/api/app/controllers/source_controller.rb b/src/api/app/controllers/source_controller.rb
@@ -21,6 +21,7 @@ class IllegalRequest < APIException
   validate_action update_package_meta: { request: :package, response: :status}
 
   skip_before_action :extract_user, only: [:lastevents_public]
+  skip_before_action :require_login, only: [:lastevents_public]
 
   before_action :require_valid_project_name, except: [:index, :lastevents, :lastevents_public, :global_command]
 

diff --git a/src/api/test/functional/source_controller_test.rb b/src/api/test/functional/source_controller_test.rb
@@ -2701,13 +2701,23 @@ def test_delete_and_undelete_permissions
   end
 
   def test_branch_creating_project
+    post '/source/home:Iggy/TestPack'
+    assert_response 401
+    c = Configuration.first
+    c.anonymous = false
+    c.save!
+    # still 401 and not 403 (or it breaks osc login)
+    post '/source/home:Iggy/TestPack'
+    assert_response 401
+
     prepare_request_with_user 'fredlibs', 'geröllheimer'
     # ensure he has no home project
     get '/source/home:fredlibs'
     assert_response 404
 
     # Create public project, but api config is changed to make it closed
     c = Configuration.first
+    c.anonymous = true
     c.allow_user_to_create_home_project = false
     c.save!
     post '/source/home:Iggy/TestPack', :cmd => :branch, :dryrun => '1'

diff --git a/src/api/test/unit/code_quality_test.rb b/src/api/test/unit/code_quality_test.rb
@@ -122,7 +122,7 @@ def setup
       'ProjectStatusCalculator#calc_status' => 74.59,
       'PublicController#binary_packages' => 131.24,
       'Repository#cleanup_before_destroy' => 85.53,
-      'RequestController#check_request_change' => 257.26,
+      'RequestController#check_request_change' => 255.23,
       'RequestController#render_request_collection' => 92.82,
       'RequestController#request_create' => 107.39,
       'SearchController#find_attribute' => 97.33,