From 13bd8771f91f3c6f66886dd613c817c87d1ff122 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Wed, 26 Mar 2025 17:31:47 -0700
Subject: [PATCH] corporate: Parse Accept header instead of X-Requested-With.
Signed-off-by: Anders Kaseorg
---
 corporate/lib/decorator.py | 9 +++++++--
 corporate/tests/test_remote_billing.py | 22 ++++++++++++++++++----
 2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/corporate/lib/decorator.py b/corporate/lib/decorator.py
index 459fa0897b..93cacb8398 100644
--- a/corporate/lib/decorator.py
+++ b/corporate/lib/decorator.py
@@ -16,6 +16,7 @@ from corporate.lib.remote_billing_util import (
 get_remote_server_and_user_from_session,
 )
 from zerver.lib.exceptions import RemoteBillingAuthenticationError
+from zerver.lib.request import get_preferred_type
 from zerver.lib.subdomains import get_subdomain
 from zerver.lib.url_encoding import append_url_query_string
 from zilencer.models import RemoteRealm
@@ -123,7 +124,9 @@ def authenticated_remote_realm_management_endpoint(
 url = append_url_query_string(url, query)
 # Return error for AJAX requests with url.
- if request.headers.get("x-requested-with") == "XMLHttpRequest": # nocoverage
+ if (
+ get_preferred_type(request, ["application/json", "text/html"]) != "text/html"
+ ): # nocoverage
 return session_expired_ajax_response(url)
 return HttpResponseRedirect(url)
@@ -207,7 +210,9 @@ def authenticated_remote_server_management_endpoint(
 url = append_url_query_string(url, query)
 # Return error for AJAX requests with url.
- if request.headers.get("x-requested-with") == "XMLHttpRequest": # nocoverage
+ if (
+ get_preferred_type(request, ["application/json", "text/html"]) != "text/html"
+ ): # nocoverage
 return session_expired_ajax_response(url)
 return HttpResponseRedirect(url)
diff --git a/corporate/tests/test_remote_billing.py b/corporate/tests/test_remote_billing.py
index 6194188a7a..85a71f1082 100644
--- a/corporate/tests/test_remote_billing.py
+++ b/corporate/tests/test_remote_billing.py
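Review bot: The comment kept above the new condition in the @@ -123 hunk, `# Return error for AJAX requests with url.`, still describes the X-Requested-With heuristic this hunk removes; the branch is now chosen by Accept negotiation, so it should read `# Clients that negotiate for application/json (fetch/XHR) get a structured session-expired error carrying the login url; browser navigations that prefer text/html get a redirect.` That comment is also the place to state what a request with no Accept header or a bare `*/*` resolves to — presumably get_preferred_type falls back to the first offered type, i.e. JSON, which silently changes what header-less curl-style clients saw under the old check — and to confirm the ordering of `["application/json", "text/html"]` is deliberate, since that list is what decides it. The `# nocoverage` carried over from the removed line means the JSON branch remains untested after the rewrite. The wrapped function this hunk edits begins before the hunk.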
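Review bot: In the @@ -207 hunk the three-line `if (get_preferred_type(request, ["application/json", "text/html"]) != "text/html"):` condition is duplicated byte-for-byte from authenticated_remote_realm_management_endpoint above, each copy carrying its own `# nocoverage`, so the offered-type list and the fallback it implies can drift between the two decorators. A module-private predicate, `def _prefers_json_error(request: HttpRequest) -> bool: return get_preferred_type(request, ["application/json", "text/html"]) != "text/html"`, with a one-line docstring naming the intended outcome for an absent or `*/*` Accept header, would let both decorators read `if _prefers_json_error(request):  # nocoverage`. Whether `HttpRequest` is already imported in this file is not visible from the hunk. The enclosing wrapped function starts outside the hunk.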
@@ -500,7 +500,9 @@ class RemoteBillingAuthenticationTest(RemoteRealmBillingTestCase):
 now + timedelta(seconds=REMOTE_BILLING_SESSION_VALIDITY_SECONDS + 1),
 tick=False,
 ):
- result = self.client_get(final_url, subdomain="selfhosting")
+ result = self.client_get(
+ final_url, subdomain="selfhosting", HTTP_ACCEPT="text/html, */*;q=0.8"
+ )
 self.assertEqual(result.status_code, 302)
 self.assertEqual(
@@ -1510,7 +1512,11 @@ class LegacyServerLoginTest(RemoteServerTestCase):
 hamlet = self.example_user("hamlet")
 now = timezone_now()
 # Try to open a page with no auth at all.
- result = self.client_get(f"/server/{self.uuid}/billing/", subdomain="selfhosting")
+ result = self.client_get(
+ f"/server/{self.uuid}/billing/",
+ subdomain="selfhosting",
+ HTTP_ACCEPT="text/html, */*;q=0.8",
+ )
 self.assertEqual(result.status_code, 302)
 # Redirects to the login form with appropriate next_page value.
 self.assertEqual(result["Location"], "/serverlogin/?next_page=billing")
@@ -1534,7 +1540,11 @@ class LegacyServerLoginTest(RemoteServerTestCase):
 next_page="upgrade",
 return_without_clicking_confirmation_link=True,
 )
- result = self.client_get(f"/server/{self.uuid}/billing/", subdomain="selfhosting")
+ result = self.client_get(
+ f"/server/{self.uuid}/billing/",
+ subdomain="selfhosting",
+ HTTP_ACCEPT="text/html, */*;q=0.8",
+ )
 self.assertEqual(result.status_code, 302)
 # Redirects to the login form with appropriate next_page value.
 self.assertEqual(result["Location"], "/serverlogin/?next_page=billing")
@@ -1561,7 +1571,11 @@ class LegacyServerLoginTest(RemoteServerTestCase):
 now + timedelta(seconds=REMOTE_BILLING_SESSION_VALIDITY_SECONDS + 30),
 tick=False,
 ):
- result = self.client_get(f"/server/{self.uuid}/upgrade/", subdomain="selfhosting")
+ result = self.client_get(
+ f"/server/{self.uuid}/upgrade/",
+ subdomain="selfhosting",
+ HTTP_ACCEPT="text/html, */*;q=0.8",
+ )
 self.assertEqual(result.status_code, 302)
 self.assertEqual(result["Location"], "/serverlogin/?next_page=upgrade")
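Review bot: Every updated call in the @@ -500 hunk (and the three that follow) sends `HTTP_ACCEPT="text/html, */*;q=0.8"` and asserts a 302, so only the redirect side of the decorator change is exercised; the new `!= "text/html"` branch that returns session_expired_ajax_response is left marked `# nocoverage` in decorator.py. A companion request right after the expired-session setup, `result = self.client_get(final_url, subdomain="selfhosting", HTTP_ACCEPT="application/json")` followed by `self.assertNotEqual(result.status_code, 302)` and an assertion that the decoded body carries the login url, would pin the negotiated behavior this commit actually introduces. A third request with no Accept header at all would document which side a header-less client lands on, since that is precisely where behavior differs from the old X-Requested-With check; the JSON response's status code is not visible in this diff, so take it from session_expired_ajax_response rather than guessing. The test class and methods begin outside these hunks.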