author | Joar Wandborg <git@wandborg.com> | 2012-09-19 21:57:59 +0200 |
committer | Joar Wandborg <git@wandborg.com> | 2012-09-19 21:57:59 +0200 |
commit | f26224d43359041f45adb28bdc3a9ac48570a0a3 (patch) | |
tree | 3fe9cd80fcb0961124c6077b9bbe4c4bd74faa4b | |
parent | a7b8c214e929b2d1ea5237e594c7cd88432ad891 (diff) | |
Fixed a horrible security issue in the OAuth plugin.
Also added some real triggering logic to the OAuthAuth Auth object.
-rw-r--r-- | mediagoblin/plugins/oauth/__init__.py | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/mediagoblin/plugins/oauth/__init__.py b/mediagoblin/plugins/oauth/__init__.py
index 95919728..33dcaf16 100644
--- a/mediagoblin/plugins/oauth/__init__.py
+++ b/mediagoblin/plugins/oauth/__init__.py
@@ -48,7 +48,10 @@ def setup_plugin():
 class OAuthAuth(Auth):
 def trigger(self, request):
- return True
+ if 'access_token' in request.GET:
+ return True
+
+ return False
 def __call__(self, request, *args, **kw):
 access_token = request.GET.get('access_token')
@@ -60,9 +63,9 @@ class OAuthAuth(Auth):
 return False
 request.user = token.user
+ return True
- return True
-
+ return False
 hooks = {
 'setup': setup_plugin, |
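Review bot: The new `trigger` body in the first hunk spells a boolean test out as an `if`/`return True`/`return False` ladder; the membership test is already the result, so `return 'access_token' in request.GET` says the same thing in one line. A short docstring stating the contract would also help, e.g. `"""Return True when the request carries an ``access_token`` query parameter, so this Auth object is consulted for it."""`. Note that `trigger` only checks presence, so `?access_token=` with an empty value still selects this authenticator and then relies on `__call__` to reject it.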
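Review bot: In the second hunk `__call__` still takes the token from the query string (`request.GET.get('access_token')`), so a valid token is written into web-server and proxy access logs, browser history and any `Referer` header the page sends; accepting it from the `Authorization` header as the primary form and treating the query form as a fallback would limit that exposure. The token lookup between the two hunks is outside this view, so whether an expired or revoked token is rejected before `request.user = token.user` cannot be confirmed from the page; if the token model carries such state, the check belongs there. The rendered hunk has also lost its indentation, so the page alone does not show that the added final `return False` sits at function level below the `if` block rather than inside it, which is the whole point of the fix. `__call__` has no docstring; one sentence such as `"""Authenticate the request from its ``access_token`` query parameter; set request.user and return True only when the token matches a stored token, otherwise return False."""` would document the intended contract.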