From 3c37795675db48bf5d1e53f634b103f30e043d35 Mon Sep 17 00:00:00 2001
From: Tim Abbott
Date: Mon, 14 Aug 2017 15:42:16 -0700
Subject: [PATCH] decorator: Add localhost/Tornado hack to access_user_by_api_key.

This should make it possible to share that code with other code paths.
---
 zerver/decorator.py | 8 ++++++--
 zerver/tests/test_decorators.py | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/zerver/decorator.py b/zerver/decorator.py
index 2fbcb71d38..9c0f58237b 100644
--- a/zerver/decorator.py
+++ b/zerver/decorator.py
@@ -236,8 +236,12 @@ def access_user_by_api_key(request, api_key):
     if user_profile.realm.deactivated:
         raise JsonableError(_("Realm for account has been deactivated"))
 
-    if not check_subdomain(get_subdomain(request), user_profile.realm.subdomain):
-        logging.warning("User %s attempted to access webhook API on wrong subdomain %s" % (
+    if (not check_subdomain(get_subdomain(request), user_profile.realm.subdomain) and
+        # Allow access to localhost for Tornado
+        not (settings.RUNNING_INSIDE_TORNADO and
+             request.META["SERVER_NAME"] == "127.0.0.1" and
+             request.META["REMOTE_ADDR"] == "127.0.0.1")):
+        logging.warning("User %s attempted to access API on wrong subdomain %s" % (
             user_profile.email, get_subdomain(request)))
         raise JsonableError(_("Account is not associated with this subdomain"))
 
diff --git a/zerver/tests/test_decorators.py b/zerver/tests/test_decorators.py
index b1c6419460..478e614d44 100644
--- a/zerver/tests/test_decorators.py
+++ b/zerver/tests/test_decorators.py
@@ -247,7 +247,7 @@ class DecoratorTestCase(TestCase):
             api_result = my_webhook(request)
 
         mock_warning.assert_called_with(
-            "User {} attempted to access webhook API on wrong "
+            "User {} attempted to access API on wrong "
             "subdomain {}".format(webhook_bot_email, ''))
 
         with mock.patch('logging.warning') as mock_warning:
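Review bot: The new localhost exemption in the `if` condition turns the realm/subdomain binding of an API key into a check that depends on `REMOTE_ADDR` and `SERVER_NAME` being trustworthy, and nothing in this hunk establishes that: if Tornado sits behind a local reverse proxy, `REMOTE_ADDR` is 127.0.0.1 for every proxied request unless middleware rewrites it from `X-Forwarded-For`, and if the Tornado-to-Django conversion populates `SERVER_NAME` from the client-controlled Host header, any remote client could satisfy both comparisons and use a key from one realm against another. Worth confirming how those two META keys are populated on the Tornado path before relying on them, and adding a test in test_decorators.py for both the permitted localhost case and a spoofed-Host case, since the exemption also suppresses the warning so a bypass would leave no trace. Minor: `request.META["SERVER_NAME"]` raises KeyError when the key is absent, so `request.META.get("SERVER_NAME") == "127.0.0.1"` and `request.META.get("REMOTE_ADDR") == "127.0.0.1"` keep the failure mode at the existing JsonableError rather than a 500. Style: the `# Allow access to localhost for Tornado` comment sits mid-expression; a short sentence above the `if` explaining why Tornado's internal requests arrive without the realm's subdomain would read better. The enclosing `access_user_by_api_key` starts before this hunk.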
@@ -257,7 +257,7 @@ class DecoratorTestCase(TestCase):
             api_result = my_webhook(request)
 
         mock_warning.assert_called_with(
-            "User {} attempted to access webhook API on wrong "
+            "User {} attempted to access API on wrong "
             "subdomain {}".format(webhook_bot_email, 'acme'))
 
         # Test when content_type is application/json and request.body