Fixed a horrible security issue in the OAuth plugin.

Also added some real triggering logic to the OAuthAuth Auth object.
author: Joar Wandborg <git@wandborg.com> 2012-09-19 21:57:59 +0200
committer: Joar Wandborg <git@wandborg.com> 2012-09-19 21:57:59 +0200
commit: f26224d43359041f45adb28bdc3a9ac48570a0a3 (patch)
tree: 3fe9cd80fcb0961124c6077b9bbe4c4bd74faa4b
parent: a7b8c214e929b2d1ea5237e594c7cd88432ad891 (diff)
download: mediagoblin-f26224d43359041f45adb28bdc3a9ac48570a0a3.tar.lz
mediagoblin-f26224d43359041f45adb28bdc3a9ac48570a0a3.tar.xz
mediagoblin-f26224d43359041f45adb28bdc3a9ac48570a0a3.zip
1 files changed, 6 insertions, 3 deletions
diff --git a/mediagoblin/plugins/oauth/__init__.py b/mediagoblin/plugins/oauth/__init__.py
index 95919728..33dcaf16 100644
--- a/mediagoblin/plugins/oauth/__init__.py
+++ b/mediagoblin/plugins/oauth/__init__.py
@@ -48,7 +48,10 @@ def setup_plugin():
 
 class OAuthAuth(Auth):
     def trigger(self, request):
-        return True
+        if 'access_token' in request.GET:
+            return True
+
+        return False
 
     def __call__(self, request, *args, **kw):
         access_token = request.GET.get('access_token')
@@ -60,9 +63,9 @@ class OAuthAuth(Auth):
                 return False
 
             request.user = token.user
+            return True
 
-        return True
-
+        return False
 
 hooks = {
     'setup': setup_plugin,
author	Joar Wandborg <git@wandborg.com>	2012-09-19 21:57:59 +0200
committer	Joar Wandborg <git@wandborg.com>	2012-09-19 21:57:59 +0200
commit	f26224d43359041f45adb28bdc3a9ac48570a0a3 (patch)
tree	3fe9cd80fcb0961124c6077b9bbe4c4bd74faa4b
parent	a7b8c214e929b2d1ea5237e594c7cd88432ad891 (diff)
download	mediagoblin-f26224d43359041f45adb28bdc3a9ac48570a0a3.tar.lz mediagoblin-f26224d43359041f45adb28bdc3a9ac48570a0a3.tar.xz mediagoblin-f26224d43359041f45adb28bdc3a9ac48570a0a3.zip