Commit 64b11f4b authored by Vincent Pelletier, committed by Kazuhiko Shiozaki

erp5_oauth2_authorisation/logged_in_once: Tolerate multipart/form-data request encoding

For better compatibility, as not all templates may be reconfigured to post
in application/x-www-form-urlencoded.
Also, tolerate a missing Content-Type request header, treating it as an
unhandled type instead of raising a KeyError exception.
parent a177f200
...@@ -12,7 +12,7 @@ if portal.portal_skins.updateSkinCookie(): ...@@ -12,7 +12,7 @@ if portal.portal_skins.updateSkinCookie():
environ = REQUEST.environ environ = REQUEST.environ
if ( if (
environ['REQUEST_METHOD'] != 'POST' or environ['REQUEST_METHOD'] != 'POST' or
environ['CONTENT_TYPE'] != 'application/x-www-form-urlencoded' or environ.get('CONTENT_TYPE', '').split(';', 1)[0].rstrip() not in ('application/x-www-form-urlencoded', 'multipart/form-data') or
environ['QUERY_STRING'] environ['QUERY_STRING']
): ):
# There may be foul play, so escape to wherever. # There may be foul play, so escape to wherever.
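Review bot: the new CONTENT_TYPE condition compares the media type case-sensitively and, with rstrip(), trims only trailing whitespace, so a header such as "Multipart/Form-Data; boundary=..." or one with leading whitespace lands in the "foul play" branch even though media type names are case-insensitive. That fails closed, so it is a compatibility gap rather than a bypass, but since this change is about tolerance, consider .split(';', 1)[0].strip().lower() before the membership test. The neighbouring environ['QUERY_STRING'] lookup is still a bare subscript; if that key can also be absent in this deployment it would raise the same KeyError this change removes for CONTENT_TYPE, so environ.get('QUERY_STRING') would be consistent.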
...@@ -45,6 +45,10 @@ with substituteRequest( ...@@ -45,6 +45,10 @@ with substituteRequest(
method='POST', method='POST',
form=form, form=form,
) as inner_request: ) as inner_request:
# XXX: Zope request to oauthlib request compatibility layer (see document.erp5.OAuth2AuthorisationServerConnector)
# only supports application/x-www-form-urlencoded, so force this content-type while accepting multipart/form-data input.
# Non-basestring values are ignored, so it will ignore any posted file.
inner_request.environ['CONTENT_TYPE'] = 'application/x-www-form-urlencoded'
return connector_value.authorize( return connector_value.authorize(
REQUEST=inner_request, REQUEST=inner_request,
RESPONSE=inner_request.RESPONSE, RESPONSE=inner_request.RESPONSE,
......