Mercurial > p > roundup > code
annotate roundup/dist/command/install_lib.py @ 7155:89a59e46b3af
improve REST interface security
When using REST, we reflect the client's origin. If the wildcard '*'
is used in allowed_api_origins all origins are allowed. When this is
done, it also added an 'Access-Control-Allow-Credentials: true'
header.
This Credentials header should not be added if the site is matched
only by '*'. This header should be provided only for explicit origins
(e.g. https://example.org) not for the wildcard.
This is now fixed for CORS preflight OPTIONS request as well as normal
GET, PUT, DELETE, POST, PATCH and OPTIONS requests.
A missing Access-Control-Allow-Credentials will prevent the tracker
from being accessed using credentials. This prevents an unauthorized
third party web site from using a user's credentials to access
information in the tracker that is not publicly available.
Added test for this specific case.
In addition, allowed_api_origins can include explicit origins in
addition to '*'. '*' must be first in the list.
Also adapted numerous tests to work with these changes.
Doc updates.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 12:01:33 -0500 |
| parents | 42bf0a707763 |
| children |
| rev | line source |
|---|---|
| 4516 | 1 from roundup.dist.command.build import build_message_files, check_manifest |
|
6647
42bf0a707763
issue2551183 - Replace references to distutils in roundup/dist/command
John Rouillard <rouilj@ieee.org>
parents:
4516
diff
changeset
|
2 from setuptools.command.install_lib import install_lib as base |
| 4516 | 3 |
| 4 class install_lib(base): | |
| 5 | |
| 6 def run(self): | |
| 7 check_manifest() | |
| 8 build_message_files(self) | |
| 9 base.run(self) |