Prevent unauthenticated requests from changing map styles
This commit is contained in:
parent
6a92fd3170
commit
282ac94e29
@ -37,8 +37,7 @@ var CartodbWindshaft = function(serverOptions) {
|
|||||||
else that.afterStateChange(req, data, callback);
|
else that.afterStateChange(req, data, callback);
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
console.log("WARNING: map style changed by unauthenticated request!");
|
callback(new Error("map style cannot be changed by unauthenticated request!"));
|
||||||
this.afterStateChange(req, data, callback);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -53,8 +52,7 @@ var CartodbWindshaft = function(serverOptions) {
|
|||||||
else that.afterStateChange(req, data, callback);
|
else that.afterStateChange(req, data, callback);
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
console.log("WARNING: map style deleted by unauthenticated request!");
|
callback(new Error("map style cannot be deleted by unauthenticated request!"));
|
||||||
this.afterStateChange(req, data, callback);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -68,7 +68,7 @@ suite('server', function() {
|
|||||||
|
|
||||||
test("post'ing good style returns 200", function(done){
|
test("post'ing good style returns 200", function(done){
|
||||||
assert.response(server, {
|
assert.response(server, {
|
||||||
url: '/tiles/my_table5/style',
|
url: '/tiles/my_table5/style?map_key=1234',
|
||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {host: 'vizzuality.localhost.lan', 'Content-Type': 'application/x-www-form-urlencoded' },
|
headers: {host: 'vizzuality.localhost.lan', 'Content-Type': 'application/x-www-form-urlencoded' },
|
||||||
data: querystring.stringify({style: 'Map {background-color:#fff;}'})
|
data: querystring.stringify({style: 'Map {background-color:#fff;}'})
|
||||||
@ -79,10 +79,24 @@ suite('server', function() {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
test("post'ing good style with no authentication returns an error", function(done){
|
||||||
|
assert.response(server, {
|
||||||
|
url: '/tiles/my_table5/style',
|
||||||
|
method: 'POST',
|
||||||
|
headers: {host: 'vizzuality.localhost.lan', 'Content-Type': 'application/x-www-form-urlencoded' },
|
||||||
|
data: querystring.stringify({style: 'Map {background-color:#fff;}'})
|
||||||
|
},{}, function(res) {
|
||||||
|
// fixme: we should really return a 403 here
|
||||||
|
assert.equal(res.statusCode, 500, res.body);
|
||||||
|
assert.ok(res.body.indexOf('map style cannot be changed by unauthenticated request') != -1, res.body);
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
test("post'ing good style returns 200 then getting returns original style", function(done){
|
test("post'ing good style returns 200 then getting returns original style", function(done){
|
||||||
var style = 'Map {background-color:#fff;}';
|
var style = 'Map {background-color:#fff;}';
|
||||||
assert.response(server, {
|
assert.response(server, {
|
||||||
url: '/tiles/my_table5/style',
|
url: '/tiles/my_table5/style?map_key=1234',
|
||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {host: 'vizzuality.localhost.lan', 'Content-Type': 'application/x-www-form-urlencoded' },
|
headers: {host: 'vizzuality.localhost.lan', 'Content-Type': 'application/x-www-form-urlencoded' },
|
||||||
data: querystring.stringify({style: style})
|
data: querystring.stringify({style: style})
|
||||||
@ -104,8 +118,20 @@ suite('server', function() {
|
|||||||
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// TODO: test that unauthenticated DELETE should fail
|
// Test that unauthenticated DELETE should fail
|
||||||
// See https://github.com/Vizzuality/cartodb-management/issues/155
|
// See https://github.com/Vizzuality/cartodb-management/issues/155
|
||||||
|
test("delete'ing style with no authentication returns an error", function(done){
|
||||||
|
assert.response(server, {
|
||||||
|
url: '/tiles/my_table5/style',
|
||||||
|
method: 'DELETE',
|
||||||
|
headers: {host: 'vizzuality'},
|
||||||
|
},{}, function(res) {
|
||||||
|
// fixme: we should really return a 403 here
|
||||||
|
assert.equal(res.statusCode, 500, res.body);
|
||||||
|
assert.ok(res.body.indexOf('map style cannot be deleted by unauthenticated request') != -1, res.body);
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
test("delete'ing style returns 200 then getting returns default style", function(done){
|
test("delete'ing style returns 200 then getting returns default style", function(done){
|
||||||
// this is the default style
|
// this is the default style
|
||||||
@ -113,7 +139,7 @@ suite('server', function() {
|
|||||||
assert.response(server, {
|
assert.response(server, {
|
||||||
url: '/tiles/my_table5/style?map_key=1234',
|
url: '/tiles/my_table5/style?map_key=1234',
|
||||||
method: 'DELETE',
|
method: 'DELETE',
|
||||||
headers: {host: 'localhost'},
|
headers: {host: 'vizzuality'},
|
||||||
},{}, function(res) {
|
},{}, function(res) {
|
||||||
assert.equal(res.statusCode, 200, res.body);
|
assert.equal(res.statusCode, 200, res.body);
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user