Raise 403 forbidden on missing requested signature
Closes #170 Includes testcase
This commit is contained in:
Sandro Santilli
parent
7bc5bab432
commit
40a254922a
2
NEWS.md
2
NEWS.md
@ -4,6 +4,8 @@
|
|||||||
Enhancements:
|
Enhancements:
|
||||||
|
|
||||||
- Set statsd prefix for all endpoints
|
- Set statsd prefix for all endpoints
|
||||||
|
- Raise 403 forbidden on attempt to access map tiles waiving
|
||||||
|
signature of someone who had not left any (#170)
|
||||||
|
|
||||||
1.8.4 -- 2014-03-03
|
1.8.4 -- 2014-03-03
|
||||||
-------------------
|
-------------------
|
||||||
|
|||||||
@ -640,12 +640,25 @@ module.exports = function(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( ! signed_by ) {
|
if ( ! signed_by ) {
|
||||||
// request not authorized by signer,
|
// request not authorized by signer.
|
||||||
// continue to check table privacy,
|
|
||||||
// if table was given
|
// if table was given, continue to check table privacy
|
||||||
if ( req.params.table ) return null;
|
if ( req.params.table ) return null;
|
||||||
// otherwise return no authorization
|
|
||||||
callback(err, null);
|
// if no signer name was given, let dbparams and
|
||||||
|
// PostgreSQL do the rest.
|
||||||
|
//
|
||||||
|
if ( ! req.params.signer ) {
|
||||||
|
callback(null, true); // authorized so far
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// if signer name was given, return no authorization
|
||||||
|
err = new Error("No authorization left by '"
|
||||||
|
+ req.params.signer + "' on map '"
|
||||||
|
+ req.params.token + "'");
|
||||||
|
err.http_status = 403;
|
||||||
|
callback(err);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -667,7 +680,7 @@ module.exports = function(){
|
|||||||
},
|
},
|
||||||
function(err, privacy){
|
function(err, privacy){
|
||||||
if (req.profiler) req.profiler.done('getTablePrivacy');
|
if (req.profiler) req.profiler.done('getTablePrivacy');
|
||||||
callback(err, privacy);
|
callback(err, privacy !== "0");
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
};
|
};
|
||||||
@ -754,13 +767,13 @@ module.exports = function(){
|
|||||||
function getPrivacy(){
|
function getPrivacy(){
|
||||||
me.authorize(req, this);
|
me.authorize(req, this);
|
||||||
},
|
},
|
||||||
function gatekeep(err, data){
|
function gatekeep(err, authorized){
|
||||||
if (req.profiler) req.profiler.done('authorize');
|
if (req.profiler) req.profiler.done('authorize');
|
||||||
if(err) throw err;
|
if(err) throw err;
|
||||||
if(data === "0") throw new Error("Sorry, you are unauthorized (permission denied)");
|
if(!authorized) throw new Error("Sorry, you are unauthorized (permission denied)");
|
||||||
return data;
|
return null;
|
||||||
},
|
},
|
||||||
function getDatabase(err, data){
|
function getDatabase(err){
|
||||||
if(err) throw err;
|
if(err) throw err;
|
||||||
that.setDBConn(user, req.params, this);
|
that.setDBConn(user, req.params, this);
|
||||||
},
|
},
|
||||||
|
|||||||
@ -127,6 +127,24 @@ suite('multilayer', function() {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
|
// See https://github.com/CartoDB/Windshaft-cartodb/issues/170
|
||||||
|
function do_get_tile_nosignature(err)
|
||||||
|
{
|
||||||
|
if ( err ) throw err;
|
||||||
|
var next = this;
|
||||||
|
assert.response(server, {
|
||||||
|
url: '/tiles/layergroup/localhost@' + expected_token + ':cb0/0/0/0.png',
|
||||||
|
method: 'GET',
|
||||||
|
headers: {host: 'localhost' },
|
||||||
|
encoding: 'binary'
|
||||||
|
}, {}, function(res) {
|
||||||
|
assert.equal(res.statusCode, 403, res.statusCode + ':' + res.body);
|
||||||
|
var parsed = JSON.parse(res.body);
|
||||||
|
var msg = parsed.error; // TODO: should it be "errors" ?
|
||||||
|
assert.ok(msg.match(/no authorization left/i), msg);
|
||||||
|
next(err);
|
||||||
|
});
|
||||||
|
},
|
||||||
function do_get_grid_layer0(err)
|
function do_get_grid_layer0(err)
|
||||||
{
|
{
|
||||||
if ( err ) throw err;
|
if ( err ) throw err;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user