TempAuth: don't return 401/403 if .r without .rlistings

When checking referer (.r, .rlistings), tempauth return 401/403 if '.r' exists without '.rlistings' or obj. Actually it should skip this kind of authorizing and check the following authorizing. And remove some unnecessary lines Change-Id: Ib60e59b7c80331a699cb5c3496f948cf32135d0b
2013-06-25 16:43:37 +08:00 · 2013-06-25 16:43:37 +08:00 · 8ff374de97
commit 8ff374de97
parent 66a0817e99
2 changed files with 7 additions and 6 deletions
--- a/swift/common/middleware/tempauth.py
+++ b/swift/common/middleware/tempauth.py
@ -286,17 +286,12 @@ class TempAuth(object):
            return None

        referrers, groups = parse_acl(getattr(req, 'acl', None))
+
        if referrer_allowed(req.referer, referrers):
            if obj or '.rlistings' in groups:
                self.logger.debug("Allow authorizing %s via referer ACL."
                                  % req.referer)
                return None
-            self.logger.debug("Disallow authorizing %s via referer ACL."
-                              % req.referer)
-            return self.denied_response(req)
-
-        if not req.remote_user:
-            return self.denied_response(req)

        for user_group in user_groups:
            if user_group in groups:
--- a/test/unit/common/middleware/test_tempauth.py
+++ b/test/unit/common/middleware/test_tempauth.py
@ -285,6 +285,12 @@ class TestAuth(unittest.TestCase):
        resp = self.test_auth.authorize(req)
        self.assertEquals(resp.status_int, 403)

+    def test_authorize_acl_referer_after_user_groups(self):
+        req = self._make_request('/v1/AUTH_cfa/c')
+        req.remote_user = 'act:usr'
+        req.acl = '.r:*,act:usr'
+        self.assertEquals(self.test_auth.authorize(req), None)
+
    def test_authorize_acl_referrer_access(self):
        req = self._make_request('/v1/AUTH_cfa/c')
        req.remote_user = 'act:usr,act'