
Commit 650d831

committed
Make the submit tool use the access token framework with a bit of backwards compatibility glue
- Legacy-Id: 6717
1 parent 6174e72 commit 650d831

8 files changed

Lines changed: 44 additions & 33 deletions


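--- a/ietf/submit/admin.py
+++ b/ietf/submit/admin.py
@@ -13,7 +13,7 @@ class SubmissionAdmin(admin.ModelAdmin):
 def status_link(self, instance):
 url = urlreverse('submit_submission_status_by_hash',
 kwargs=dict(submission_id=instance.pk,
-access_key=instance.access_key))
+access_token=instance.access_token()))
 return '<a href="%s">%s</a>' % (url, instance.state)
 status_link.allow_tags = True
 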

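--- a/ietf/submit/mail.py
+++ b/ietf/submit/mail.py
@@ -8,6 +8,7 @@
 from ietf.person.models import Person
 from ietf.group.models import Role
 from ietf.message.models import Message
+from ietf.utils.accesstoken import generate_access_token
 
 def submission_confirmation_email_list(submission):
 try:
@@ -25,8 +26,8 @@ def send_submission_confirmation(request, submission):
 from_email = settings.IDSUBMIT_FROM_EMAIL
 to_email = submission_confirmation_email_list(submission)
 
-confirm_url = settings.IDTRACKER_BASE_URL + urlreverse('submit_confirm_submission', kwargs=dict(submission_id=submission.pk, auth_key=submission.auth_key))
-status_url = settings.IDTRACKER_BASE_URL + urlreverse('submit_submission_status_by_hash', kwargs=dict(submission_id=submission.pk, access_key=submission.access_key))
+confirm_url = settings.IDTRACKER_BASE_URL + urlreverse('submit_confirm_submission', kwargs=dict(submission_id=submission.pk, auth_token=generate_access_token(submission.auth_key)))
+status_url = settings.IDTRACKER_BASE_URL + urlreverse('submit_submission_status_by_hash', kwargs=dict(submission_id=submission.pk, access_token=submission.access_token()))
 
 send_mail(request, to_email, from_email, subject, 'submit/confirm_submission.txt', {
 'submission': submission,
@@ -40,9 +41,8 @@ def send_full_url(request, submission):
 subject = 'Full URL for managing submission of draft %s' % submission.name
 from_email = settings.IDSUBMIT_FROM_EMAIL
 to_email = submission_confirmation_email_list(submission)
-url = settings.IDTRACKER_BASE_URL + urlreverse('submit_submission_status_by_hash',
-kwargs=dict(submission_id=submission.pk,
-access_key=submission.access_key))
+url = settings.IDTRACKER_BASE_URL + urlreverse('submit_submission_status_by_hash', kwargs=dict(submission_id=submission.pk, access_token=submission.access_token()))
+
 send_mail(request, to_email, from_email, subject, 'submit/full_url.txt', {
 'submission': submission,
 'url': url,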

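--- a/ietf/submit/models.py
+++ b/ietf/submit/models.py
@@ -6,7 +6,7 @@
 from ietf.person.models import Person
 from ietf.group.models import Group
 from ietf.name.models import DraftSubmissionStateName
-from ietf.utils.uniquekey import generate_unique_key
+from ietf.utils.accesstoken import generate_random_key, generate_access_token
 
 
 def parse_email_line(line):
@@ -21,7 +21,7 @@ class Submission(models.Model):
 state = models.ForeignKey(DraftSubmissionStateName)
 remote_ip = models.CharField(max_length=100, blank=True)
 
-access_key = models.CharField(max_length=255, default=generate_unique_key)
+access_key = models.CharField(max_length=255, default=generate_random_key)
 auth_key = models.CharField(max_length=255, blank=True)
 
 # draft metadata
@@ -59,6 +59,9 @@ def authors_parsed(self):
 def submitter_parsed(self):
 return parse_email_line(self.submitter)
 
+def access_token(self):
+return generate_access_token(self.access_key)
+
 
 class SubmissionEvent(models.Model):
 submission = models.ForeignKey(Submission)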
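Review bot: `access_token()` has no docstring, and nothing in `Submission` records that `access_key` is the stored secret while the value placed in URLs is derived from it through `generate_access_token`. A one-line docstring such as `"""Return the token derived from access_key for use in URLs; the raw key is not meant to appear in links."""` would state that, assuming this is the intent of the token framework, whose implementation is not shown here. `auth_key` gets no matching method, so mail.py and views.py each call `generate_access_token(submission.auth_key)` themselves; an `auth_token()` method next to this one would keep the derivation in one place. The class body continues outside the hunks.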

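--- a/ietf/submit/urls.py
+++ b/ietf/submit/urls.py
@@ -6,9 +6,9 @@
 url(r'^status/$', 'search_submission', name='submit_search_submission'),
 url(r'^status/(?P<submission_id>\d+)/$', 'submission_status', name='submit_submission_status'),
 url(r'^status/(?P<submission_id>\d+)/edit/$', 'edit_submission', name='submit_edit_submission'),
-url(r'^status/(?P<submission_id>\d+)/confirm/(?P<auth_key>[a-f\d]+)/$', 'confirm_submission', name='submit_confirm_submission'),
-url(r'^status/(?P<submission_id>\d+)/(?P<access_key>[a-f\d]*)/$', 'submission_status', name='submit_submission_status_by_hash'),
-url(r'^status/(?P<submission_id>\d+)/(?P<access_key>[a-f\d]+)/edit/$', 'edit_submission', name='submit_edit_submission_by_hash'),
+url(r'^status/(?P<submission_id>\d+)/confirm/(?P<auth_token>[a-f\d]+)/$', 'confirm_submission', name='submit_confirm_submission'),
+url(r'^status/(?P<submission_id>\d+)/(?P<access_token>[a-f\d]*)/$', 'submission_status', name='submit_submission_status_by_hash'),
+url(r'^status/(?P<submission_id>\d+)/(?P<access_token>[a-f\d]+)/edit/$', 'edit_submission', name='submit_edit_submission_by_hash'),
 url(r'^note-well/$', 'note_well', name='submit_note_well'),
 url(r'^tool-instructions/$', 'tool_instructions', name='submit_tool_instructions'),
 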

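--- a/ietf/submit/views.py
+++ b/ietf/submit/views.py
@@ -21,7 +21,7 @@
 from ietf.submit.utils import check_idnits, found_idnits, validate_submission, create_submission_event
 from ietf.submit.utils import post_submission, cancel_submission, rename_submission_files
 from ietf.submit.mail import send_full_url, send_approval_request_to_group, send_submission_confirmation, submission_confirmation_email_list, send_manual_post_request
-from ietf.utils.uniquekey import generate_unique_key
+from ietf.utils.accesstoken import generate_random_key, generate_access_token
 
 def upload_submission(request):
 if request.method == 'POST':
@@ -89,7 +89,7 @@ def upload_submission(request):
 
 create_submission_event(request, submission, desc="Uploaded submission")
 
-return redirect("submit_submission_status_by_hash", submission_id=submission.pk, access_key=submission.access_key)
+return redirect("submit_submission_status_by_hash", submission_id=submission.pk, access_token=submission.access_token())
 except IOError as e:
 if "read error" in str(e): # The server got an IOError when trying to read POST data
 form = UploadForm(request=request)
@@ -128,23 +128,26 @@ def search_submission(request):
 'name': name},
 context_instance=RequestContext(request))
 
-def can_edit_submission(request, submission, access_key):
-key_matched = access_key and submission.access_key == access_key
+def can_edit_submission(request, submission, access_token):
+key_matched = access_token and submission.access_token() == access_token
+if not key_matched: key_matched = submission.access_key == access_token # backwards-compat
 return key_matched or has_role(request.user, "Secretariat")
 
-def submission_status(request, submission_id, access_key=None, message=None):
+def submission_status(request, submission_id, access_token=None):
 submission = get_object_or_404(Submission, pk=submission_id)
-if access_key and submission.access_key != access_key:
+
+key_matched = access_token and submission.access_token() == access_token
+if not key_matched: key_matched = submission.access_key == access_token # backwards-compat
+if access_token and not key_matched:
 raise Http404
 
 errors = validate_submission(submission)
 passes_idnits = found_idnits(submission.idnits_message)
 
-key_matched = access_key and submission.access_key == access_key
 is_secretariat = has_role(request.user, "Secretariat")
 is_chair = submission.group and submission.group.has_role(request.user, "chair")
 
-can_edit = can_edit_submission(request, submission, access_key) and submission.state_id == "uploaded"
+can_edit = can_edit_submission(request, submission, access_token) and submission.state_id == "uploaded"
 can_cancel = (key_matched or is_secretariat) and submission.state.next_states.filter(slug="cancel")
 can_group_approve = (is_secretariat or is_chair) and submission.state_id == "grp-appr"
 can_force_post = is_secretariat and submission.state.next_states.filter(slug="posted")
@@ -161,8 +164,10 @@ def submission_status(request, submission_id, access_key=None, message=None):
 
 requires_prev_authors_approval = Document.objects.filter(name=submission.name)
 
+message = None
+
 if submission.state_id == "cancel":
-message = ('error', 'This submission has been cancelled, modification is no longer possible.')
+message = ('error', 'This submission has been canceled, modification is no longer possible.')
 elif submission.state_id == "auth":
 message = ('success', u'The submission is pending email authentication. An email has been sent to: %s' % ",".join(confirmation_list))
 elif submission.state_id == "grp-appr":
@@ -192,7 +197,7 @@ def submission_status(request, submission_id, access_key=None, message=None):
 desc = "sent approval email to group chairs: %s" % u", ".join(sent_to)
 
 else:
-submission.auth_key = generate_unique_key()
+submission.auth_key = generate_random_key()
 if requires_prev_authors_approval:
 submission.state = DraftSubmissionStateName.objects.get(slug="aut-appr")
 else:
@@ -208,11 +213,11 @@ def submission_status(request, submission_id, access_key=None, message=None):
 
 create_submission_event(request, submission, u"Set submitter to \"%s\" and %s" % (submission.submitter, desc))
 
-return redirect("submit_submission_status_by_hash", submission_id=submission.pk, access_key=access_key)
+return redirect("submit_submission_status_by_hash", submission_id=submission.pk, access_token=access_token)
 
 elif action == "edit" and submission.state_id == "uploaded":
-if access_key:
-return redirect("submit_edit_submission_by_hash", submission_id=submission.pk, access_key=access_key)
+if access_token:
+return redirect("submit_edit_submission_by_hash", submission_id=submission.pk, access_token=access_token)
 else:
 return redirect("submit_edit_submission", submission_id=submission.pk)
 
@@ -229,7 +234,7 @@ def submission_status(request, submission_id, access_key=None, message=None):
 
 cancel_submission(submission)
 
-create_submission_event(request, submission, "Cancelled submission")
+create_submission_event(request, submission, "Canceled submission")
 
 return redirect("submit_submission_status", submission_id=submission_id)
 
@@ -284,10 +289,10 @@ def submission_status(request, submission_id, access_key=None, message=None):
 context_instance=RequestContext(request))
 
 
-def edit_submission(request, submission_id, access_key=None):
+def edit_submission(request, submission_id, access_token=None):
 submission = get_object_or_404(Submission, pk=submission_id, state="uploaded")
 
-if not can_edit_submission(request.user, submission, access_key):
+if not can_edit_submission(request.user, submission, access_token):
 return HttpResponseForbidden('You do not have permission to access this page')
 
 errors = validate_submission(submission)
@@ -360,10 +365,13 @@ def edit_submission(request, submission_id, access_key=None):
 context_instance=RequestContext(request))
 
 
-def confirm_submission(request, submission_id, auth_key):
+def confirm_submission(request, submission_id, auth_token):
 submission = get_object_or_404(Submission, pk=submission_id)
 
-if request.method == 'POST' and submission.state_id in ("auth", "aut-appr") and auth_key == submission.auth_key:
+key_matched = submission.auth_key and auth_token == generate_access_token(submission.auth_key)
+if not key_matched: key_matched = auth_token == submission.auth_key # backwards-compat
+
+if request.method == 'POST' and submission.state_id in ("auth", "aut-appr") and key_matched:
 post_submission(request, submission)
 
 create_submission_event(request, submission, "Confirmed and posted submission")
@@ -372,7 +380,7 @@ def confirm_submission(request, submission_id, auth_key):
 
 return render_to_response('submit/confirm_submission.html', {
 'submission': submission,
-'auth_key': auth_key,
+'key_matched': key_matched,
 }, context_instance=RequestContext(request))
 
 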
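Review bot: The token checks added to `can_edit_submission`, `submission_status` and `confirm_submission` repeat the same two-step match with `==`, and the backwards-compat branch leaves the raw stored `access_key`/`auth_key` usable as a URL credential with no stated end date. One helper that performs both comparisons with `django.utils.crypto.constant_time_compare` (imported at the top of the file) would remove the duplication and the timing difference, and its comment can say when the legacy branch is to be dropped. Separately, `edit_submission` still calls `can_edit_submission(request.user, submission, access_token)` although the function reads `request.user`, so a request without a matching token looks likely to raise AttributeError instead of returning the 403; passing `request` fixes that. All of these functions continue outside the hunks shown.

```python
def token_matches(stored_key, presented):
    # stored_key: key kept on the Submission; presented: value taken from the URL
    if not stored_key or not presented:
        return False
    if constant_time_compare(generate_access_token(stored_key), presented):
        return True
    # backwards-compat: links issued before the token framework carry the raw key
    return constant_time_compare(stored_key, presented)

def can_edit_submission(request, submission, access_token):
    key_matched = token_matches(submission.access_key, access_token)
    return key_matched or has_role(request.user, "Secretariat")

# … unchanged: submission_status and confirm_submission, each with key_matched = token_matches(...) …
```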

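--- a/ietf/templates/submit/approval_request.txt
+++ b/ietf/templates/submit/approval_request.txt
@@ -4,7 +4,7 @@ Hi,
 Chair approval is needed for posting of {{ submission.name }}-{{ submission.rev }}.
 
 To approve the draft, go to this URL (note: you need to login to be able to approve):
-https://{{ domain }}/submit/status/{{ submission.pk }}/{{ submission.access_key }}/
+https://{{ domain }}{% url submit_submission_status_by_hash submission_id=submission.pk access_token=submission.access_token %}
 
 File name : {{ submission.name }}
 Revision : {{ submission.rev }}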

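--- a/ietf/templates/submit/approvals.html
+++ b/ietf/templates/submit/approvals.html
@@ -28,7 +28,7 @@ <h2 id="approvals">Submissions you can approve</h2>
 </tr>
 {% for s in approvals %}
 <tr>
-<td><a href="{% url submit_submission_status_by_hash submission_id=s.pk access_key=s.access_key %}">{{ s.name }}-{{ s.rev }}</a></td>
+<td><a href="{% url submit_submission_status_by_hash submission_id=s.pk access_token=s.access_token %}">{{ s.name }}-{{ s.rev }}</a></td>
 <td>{{ s.submission_date }}</td>
 </tr>
 {% endfor %}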

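--- a/ietf/templates/submit/confirm_submission.html
+++ b/ietf/templates/submit/confirm_submission.html
@@ -23,7 +23,7 @@ <h2>Confirm submission of {{ submission.name }}</h2>
 {% endif %}
 {% else %}
 
-{% if auth_key != submission.auth_key %}
+{% if not key_matched %}
 <p class="error">Incorrect authorization key.</p>
 
 <p>Double-check the link you followed. If everything fails, you can go to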
