Commit cdbbb49b authored by Łukasz Nowak's avatar Łukasz Nowak

Rewrite in order to simplify future expansion.

parent 76fa2d35
...@@ -81,12 +81,26 @@ class ERP5BearerExtractionPlugin(BasePlugin): ...@@ -81,12 +81,26 @@ class ERP5BearerExtractionPlugin(BasePlugin):
def extractCredentials(self, request): def extractCredentials(self, request):
""" Extract credentials from the request header. """ """ Extract credentials from the request header. """
creds = {} creds = {}
authorisation = request._auth token = None
if authorisation is not None: if request._auth is not None:
if 'Bearer' in authorisation: # 1st - try to fetch from Authorization header
if 'Bearer' in request._auth:
l = authorisation.split() l = authorisation.split()
if len(l) == 2: if len(l) == 2:
token = l[1] token = l[1]
if token is None:
# 2nd - try to fetch from Form-Encoded Body Parameter
# Not implemented as not required and enforced with high
# security considerations
pass
if token is None:
# 3rd - try to fetch from URI Query Parameter
# Not implemented as considered as unsecure.
pass
if token is not None:
sm = getSecurityManager() sm = getSecurityManager()
if sm.getUser().getId() != SUPER_USER: if sm.getUser().getId() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER)) newSecurityManager(self, self.getUser(SUPER_USER))
...@@ -108,7 +122,6 @@ class ERP5BearerExtractionPlugin(BasePlugin): ...@@ -108,7 +122,6 @@ class ERP5BearerExtractionPlugin(BasePlugin):
finally: finally:
setSecurityManager(sm) setSecurityManager(sm)
if 'external_login' in creds: if 'external_login' in creds:
creds['external_login'] = token
creds['remote_host'] = request.get('REMOTE_HOST', '') creds['remote_host'] = request.get('REMOTE_HOST', '')
try: try:
creds['remote_address'] = request.getClientAddr() creds['remote_address'] = request.getClientAddr()
...@@ -116,7 +129,6 @@ class ERP5BearerExtractionPlugin(BasePlugin): ...@@ -116,7 +129,6 @@ class ERP5BearerExtractionPlugin(BasePlugin):
creds['remote_address'] = request.get('REMOTE_ADDR', '') creds['remote_address'] = request.get('REMOTE_ADDR', '')
return creds return creds
# fallback to default way # fallback to default way
return DumbHTTPExtractor().extractCredentials(request) return DumbHTTPExtractor().extractCredentials(request)
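Review bot: The new side of the first hunk still reads `authorisation` on the context line `l = authorisation.split()`, but that name is no longer bound anywhere — the assignment `authorisation = request._auth` was replaced by `token = None` and both guards now test `request._auth` directly — so any request carrying a Bearer header should raise NameError before a token is ever extracted. The line should become `l = request._auth.split()` (or the old assignment kept next to `token = None`). While touching it, the substring test `'Bearer' in request._auth` matches any header value that merely contains the word, so checking the scheme explicitly, `if len(l) == 2 and l[0] == 'Bearer':`, makes the extractor stricter at no cost. Parts of extractCredentials between the three hunks are not visible here, so whether the later hunks also reference the dropped name cannot be confirmed from this page.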