Commit d5008fbe authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Rafael Monnerat

Rewrite in order to simplify future expansion.

parent 30e131ed
......@@ -81,12 +81,26 @@ class ERP5BearerExtractionPlugin(BasePlugin):
def extractCredentials(self, request):
""" Extract credentials from the request header. """
creds = {}
authorisation = request._auth
if authorisation is not None:
if 'Bearer' in authorisation:
token = None
if request._auth is not None:
# 1st - try to fetch from Authorization header
if 'Bearer' in request._auth:
l = authorisation.split()
if len(l) == 2:
token = l[1]
if token is None:
# 2nd - try to fetch from Form-Encoded Body Parameter
# Not implemented as not required and enforced with high
# security considerations
pass
if token is None:
# 3rd - try to fetch from URI Query Parameter
# Not implemented as considered as unsecure.
pass
if token is not None:
sm = getSecurityManager()
if sm.getUser().getId() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
......@@ -108,7 +122,6 @@ class ERP5BearerExtractionPlugin(BasePlugin):
finally:
setSecurityManager(sm)
if 'external_login' in creds:
creds['external_login'] = token
creds['remote_host'] = request.get('REMOTE_HOST', '')
try:
creds['remote_address'] = request.getClientAddr()
......@@ -116,7 +129,6 @@ class ERP5BearerExtractionPlugin(BasePlugin):
creds['remote_address'] = request.get('REMOTE_ADDR', '')
return creds
# fallback to default way
return DumbHTTPExtractor().extractCredentials(request)
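Review bot: The scheme detection `if 'Bearer' in request._auth:` is a substring test, so any Authorization value containing the letters "Bearer" anywhere (a Basic credential whose base64 payload happens to contain them, or a value like `Foo Bearer`) is split and its second word is looked up as a token; the scheme should be matched as the first word and, per RFC 6750, case-insensitively, e.g. `l = request._auth.split()` / `if len(l) == 2 and l[0].lower() == 'bearer':` / `token = l[1]`. Relatedly, `l = authorisation.split()` still refers to `authorisation`, which the new side no longer assigns now that `authorisation = request._auth` is removed — if that line is unchanged on the new side it raises NameError as soon as a Bearer header arrives, and should read `request._auth.split()`. The comments on the unimplemented 2nd/3rd sources would also read better as `# Not implemented: not required, and body parameters carry extra security considerations` and `# Not implemented: query-parameter tokens leak via logs and referers`, which says why rather than just "considered unsecure".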