
Add validator that checks a secret key or admin cookie.

1 parent 89a59d5 commit 5721e4683fe1d6c0c003db2e3b1f1db32b238a0e @spladug spladug committed Sep 15, 2011
Showing with 9 additions and 0 deletions.
  1. +2 −0 r2/example.ini
  2. +7 −0 r2/r2/controllers/validator/validator.py
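--- a/r2/example.ini
+++ b/r2/example.ini
@@ -38,6 +38,8 @@ SECRET = abcdefghijklmnopqrstuvwxyz0123456789
 MODSECRET = abcdefghijklmnopqrstuvwxyz0123456789
 # secret for /prefs/feeds
 FEEDSECRET = abcdefghijklmnopqrstuvwxyz0123456789
+# used for authenticating admin API calls w/o cookie
+ADMINSECRET = abcdefghijklmnopqrstuvwxyz0123456789
 INDEXTANK_API_URL =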
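Review bot: The new `ADMINSECRET` line ships the same published placeholder string as `MODSECRET` and `FEEDSECRET`, and this value authorizes admin API calls without a cookie, so an install that copies example.ini unchanged would accept a secret anyone can read from the repository. I would ship the key empty, `ADMINSECRET =`, and widen the comment to `# used for authenticating admin API calls w/o cookie; leave empty to disable, otherwise set a long unique random value`. Whether an empty value really disables the secret path depends on how `g.ADMINSECRET` is loaded and on `constant_time_compare`, neither of which is visible on this page, so that should be confirmed.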
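--- a/r2/r2/controllers/validator/validator.py
+++ b/r2/r2/controllers/validator/validator.py
@@ -32,6 +32,7 @@
 from r2.lib.log import log_text
 from r2.models import *
 from r2.lib.authorize import Address, CreditCard
+from r2.lib.utils import constant_time_compare
 from r2.controllers.errors import errors, UserRequiredException
 from r2.controllers.errors import VerifiedUserRequiredException
@@ -581,6 +582,12 @@ def run(self):
 if not c.user_is_admin:
 abort(404, "page not found")
+class VAdminOrAdminSecret(VAdmin):
+ def run(self, secret):
+ if secret and constant_time_compare(secret, g.ADMINSECRET):
+ return
+ super(VAdminOrAdminSecret, self).run()
+
 class VVerifiedUser(VUser):
 def run(self):
 VUser.run(self)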
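Review bot: `VAdminOrAdminSecret.run` returns silently when the secret matches, so a request that skips the admin cookie check leaves no record of which path authorized it. `log_text` is already imported in this file, and a log entry on the secret branch would give operators something to audit if `ADMINSECRET` ever leaks. The class also has no docstring; I would add `"""Pass if secret matches g.ADMINSECRET; otherwise fall back to the admin cookie check."""`, since the fallback (presumably the `abort(404, ...)` in the `run` just above the hunk) is not obvious from the name. The guard rejects an empty supplied `secret` but does not consider an empty or still-default `g.ADMINSECRET`, so a startup or per-call check that refuses the example.ini placeholder would be worth adding. Where `secret` is read from is outside the hunk; if it comes from the query string it will land in access logs, and a header or POST field would be the safer carrier.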
