From 8ff374de97f2c0c70201644e4fad6c4041fd586b Mon Sep 17 00:00:00 2001
From: Kun Huang
Date: Tue, 25 Jun 2013 16:43:37 +0800
Subject: [PATCH] TempAuth: don't return 401/403 if .r without .rlistings

When checking referer (.r, .rlistings), tempauth return 401/403 if '.r' exists without '.rlistings' or obj. Actually it should skip this kind of authorizing and check the following authorizing. And remove some unnecessary lines

Change-Id: Ib60e59b7c80331a699cb5c3496f948cf32135d0b
---
 swift/common/middleware/tempauth.py | 7 +------
 test/unit/common/middleware/test_tempauth.py | 6 ++++++
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/swift/common/middleware/tempauth.py b/swift/common/middleware/tempauth.py
index 4636fc486b..e0baf35026 100644
--- a/swift/common/middleware/tempauth.py
+++ b/swift/common/middleware/tempauth.py
@@ -286,17 +286,12 @@ class TempAuth(object):
 return None
 referrers, groups = parse_acl(getattr(req, 'acl', None))
+
 if referrer_allowed(req.referer, referrers):
 if obj or '.rlistings' in groups:
 self.logger.debug("Allow authorizing %s via referer ACL."
 % req.referer)
 return None
- self.logger.debug("Disallow authorizing %s via referer ACL."
- % req.referer)
- return self.denied_response(req)
-
- if not req.remote_user:
- return self.denied_response(req)
 for user_group in user_groups:
 if user_group in groups:
diff --git a/test/unit/common/middleware/test_tempauth.py b/test/unit/common/middleware/test_tempauth.py
index 39b1012138..312b70c46d 100644
--- a/test/unit/common/middleware/test_tempauth.py
+++ b/test/unit/common/middleware/test_tempauth.py
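Review bot: Removing the `if not req.remote_user: return self.denied_response(req)` guard in the tempauth.py hunk means an unauthenticated request that is not allowed by the referer block now reaches the `for user_group in user_groups:` loop, so its denial depends on that loop never matching. How `user_groups` is built is outside the hunk; if it is derived from an empty `remote_user` it may contain an empty string, and an ACL that parses to an empty group element would then match. I would keep the explicit guard directly before the loop, which still lets an authenticated user listed in the ACL through as the commit intends. `authorize` starts before and continues past this hunk, so the final denial path should be confirmed against the full function.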
@@ -285,6 +285,12 @@ class TestAuth(unittest.TestCase):
 resp = self.test_auth.authorize(req)
 self.assertEquals(resp.status_int, 403)
+ def test_authorize_acl_referer_after_user_groups(self):
+ req = self._make_request('/v1/AUTH_cfa/c')
+ req.remote_user = 'act:usr'
+ req.acl = '.r:*,act:usr'
+ self.assertEquals(self.test_auth.authorize(req), None)
+
 def test_authorize_acl_referrer_access(self):
 req = self._make_request('/v1/AUTH_cfa/c')
 req.remote_user = 'act:usr,act'
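Review bot: The added `test_authorize_acl_referer_after_user_groups` pins only the authenticated path; nothing in this hunk checks that an unauthenticated request is still refused now that the referer branch no longer denies on its own. A companion test with no `remote_user` and `req.acl = '.r:*'` on the same container path, asserting the denied status (presumably 401 for an anonymous request, going by the commit title), would catch a fall-through that grants access; it is unnecessary if a test outside this hunk already covers that case. As a style point, `referer` in the new test name differs from the `referrer` spelling used by the neighbouring `test_authorize_acl_referrer_access`.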