Commit 74a5fc48 authored by Antoine Lambert's avatar Antoine Lambert

admin/origin_save: Do not modify unauthorized URLs list when rejecting

When rejecting a Save Code Now request, the submitted origin URL was
automatically added to the unauthorized URLs list. But this was
problematic as a valid URL prefix could be added in that list and
thus a valid request whose origin URL has that prefix would be
automatically rejected.

So remove the automatic adding of origin URL in unauthorized list
when rejecting a request.

Also return 404 in the reject endpoint when the request does not
exist.
parent d6605c7a
Tags v0.0.395
......@@ -184,17 +184,17 @@ def _admin_origin_save_request_accept(request, visit_type, origin_url):
@staff_member_required(view_func=None, login_url=settings.LOGIN_URL)
def _admin_origin_save_request_reject(request, visit_type, origin_url):
try:
SaveUnauthorizedOrigin.objects.get(url=origin_url)
sor = SaveOriginRequest.objects.get(
visit_type=visit_type, origin_url=origin_url, status=SAVE_REQUEST_PENDING
)
except ObjectDoesNotExist:
SaveUnauthorizedOrigin.objects.create(url=origin_url)
sor = SaveOriginRequest.objects.get(
visit_type=visit_type, origin_url=origin_url, status=SAVE_REQUEST_PENDING
)
sor.status = SAVE_REQUEST_REJECTED
sor.note = json.loads(request.body).get("note")
sor.save()
return HttpResponse(status=200)
status_code = 404
else:
status_code = 200
sor.status = SAVE_REQUEST_REJECTED
sor.note = json.loads(request.body).get("note")
sor.save()
return HttpResponse(status=status_code)
@admin_route(
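Review bot: `json.loads(request.body).get("note")` in the `else` branch is unguarded, so an empty or malformed body raises `ValueError` and a JSON array or scalar raises `AttributeError`; the view then answers 500 instead of a client error. Parse the body before modifying `sor` and return 400 on failure, e.g. `except (ValueError, AttributeError): return HttpResponse(status=400)`, and if an empty body is meant to mean "no note", handle that case explicitly. The lookup also catches only `ObjectDoesNotExist`; if two pending rows can exist for the same visit type and origin URL, `MultipleObjectsReturned` would escape as well, so it is worth confirming whether the model prevents that. The `@admin_route` decorator for this view sits above the hunk, so whether the route is restricted to POST cannot be checked from here.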
......
......@@ -164,6 +164,20 @@ def test_reject_pending_save_request(client, staff_user, swh_scheduler):
assert response.data[0]["note"] is None
def test_reject_pending_save_request_not_found(client, staff_user, swh_scheduler):
visit_type = "git"
origin_url = "https://example.org"
reject_request_url = reverse(
"admin-origin-save-request-reject",
url_args={"visit_type": visit_type, "origin_url": origin_url},
)
client.force_login(staff_user)
check_http_post_response(client, reject_request_url, status_code=404)
def test_reject_pending_save_request_with_note(client, staff_user, swh_scheduler):
visit_type = "git"
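Review bot: The added test covers only the new 404 path; nothing visible in this hunk asserts the behaviour the commit is about, namely that rejecting a pending request leaves the unauthorized URLs list untouched. Since that list gates which origins are refused automatically, a regression there would silently block valid requests again. Consider adding, after a successful rejection in `test_reject_pending_save_request`, a check such as `assert not SaveUnauthorizedOrigin.objects.filter(url=origin_url).exists()`. That test and `test_reject_pending_save_request_with_note` extend outside the hunk, so such an assertion may already exist there.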
......