authorJoar Wandborg <git@wandborg.com>2012-09-19 21:57:59 +0200
committerJoar Wandborg <git@wandborg.com>2012-09-19 21:57:59 +0200
commitf26224d43359041f45adb28bdc3a9ac48570a0a3 (patch)
tree3fe9cd80fcb0961124c6077b9bbe4c4bd74faa4b
parenta7b8c214e929b2d1ea5237e594c7cd88432ad891 (diff)
Fixed a horrible security issue in the OAuth plugin.
Also added some real triggering logic to the OAuthAuth Auth object.
-rw-r--r--mediagoblin/plugins/oauth/__init__.py9
1 files changed, 6 insertions, 3 deletions
diff --git a/mediagoblin/plugins/oauth/__init__.py b/mediagoblin/plugins/oauth/__init__.py
index 95919728..33dcaf16 100644
--- a/mediagoblin/plugins/oauth/__init__.py
+++ b/mediagoblin/plugins/oauth/__init__.py
@@ -48,7 +48,10 @@ def setup_plugin():
class OAuthAuth(Auth):
def trigger(self, request):
- return True
+ if 'access_token' in request.GET:
+ return True
+
+ return False
def __call__(self, request, *args, **kw):
access_token = request.GET.get('access_token')
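Review bot: The new `trigger` fires on the mere presence of the `access_token` key, so a request carrying `?access_token=` with an empty value takes the OAuth path even though `__call__` on the next line reads the value with `request.GET.get('access_token')` and will have nothing to look up; the two should agree on what counts as a token. Collapsing the branch to `return bool(request.GET.get('access_token'))` keeps the two methods consistent and also removes the four-line `if`/`return True`/`return False` shape in favour of the boolean expression. A one-line docstring would help here too, e.g. `"""Return True when the request carries an access_token query parameter, i.e. this auth should handle it."""`. Worth recording in that docstring, for whoever extends this later, that the token is only ever read from the query string, where it ends up in access logs and Referer headers; any future Authorization-header support must be added to both `trigger` and `__call__` together. `__call__` continues outside this hunk.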
@@ -60,9 +63,9 @@ class OAuthAuth(Auth):
return False
request.user = token.user
+ return True
- return True
-
+ return False
hooks = {
'setup': setup_plugin,