decorator: Explicitly require req_secret in internal_notify_view.

It's hard to come up with a realistic story where this would matter: SHARED_SECRET is generated automatically during server setup at the same time as SECRET_KEY, which is a required setting, but it seems preferable to be explicit that this is a required parameter for the internal_notify authentication model.
2025-10-31 20:13:46 +00:00 · 2022-07-14 15:00:31 -07:00
parent 855e14272a
commit 05b70ba74a
3 changed files with 17 additions and 6 deletions
--- a/zerver/tests/test_event_system.py
+++ b/zerver/tests/test_event_system.py
@@ -15,6 +15,7 @@ from zerver.actions.users import do_change_user_role
 from zerver.lib.event_schema import check_restart_event
 from zerver.lib.events import fetch_initial_state_data
 from zerver.lib.exceptions import AccessDeniedError
+from zerver.lib.request import RequestVariableMissingError
 from zerver.lib.test_classes import ZulipTestCase
 from zerver.lib.test_helpers import (
    HostRequestMock,
@@ -206,6 +207,14 @@ class EventsEndpointTest(ZulipTestCase):
        )
        req = HostRequestMock(post_data)
        req.META["REMOTE_ADDR"] = "127.0.0.1"
+        with self.assertRaises(RequestVariableMissingError) as context:
+            result = self.client_post_request("/notify_tornado", req)
+        self.assertEqual(str(context.exception), "Missing 'secret' argument")
+        self.assertEqual(context.exception.http_status_code, 400)
+
+        post_data["secret"] = "random"
+        req = HostRequestMock(post_data, user_profile=None)
+        req.META["REMOTE_ADDR"] = "127.0.0.1"
        with self.assertRaises(AccessDeniedError) as context:
            result = self.client_post_request("/notify_tornado", req)
        self.assertEqual(str(context.exception), "Access denied")