decorator: Add localhost/Tornado hack to access_user_by_api_key.

This should make it possible to share that code with other code paths.
Tim Abbott
2017-08-14 15:42:16 -07:00
parent 1144eed48b
commit 3c37795675
2 changed files with 8 additions and 4 deletions


@@ -236,8 +236,12 @@ def access_user_by_api_key(request, api_key):
if user_profile.realm.deactivated:
raise JsonableError(_("Realm for account has been deactivated"))
if not check_subdomain(get_subdomain(request), user_profile.realm.subdomain):
logging.warning("User %s attempted to access webhook API on wrong subdomain %s" % (
if (not check_subdomain(get_subdomain(request), user_profile.realm.subdomain) and
# Allow access to localhost for Tornado
not (settings.RUNNING_INSIDE_TORNADO and
request.META["SERVER_NAME"] == "127.0.0.1" and
request.META["REMOTE_ADDR"] == "127.0.0.1")):
logging.warning("User %s attempted to access API on wrong subdomain %s" % (
user_profile.email, get_subdomain(request)))
raise JsonableError(_("Account is not associated with this subdomain"))
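Review bot: The localhost exemption added to the subdomain check trusts `request.META["SERVER_NAME"]` and `request.META["REMOTE_ADDR"]`, and nothing visible in the hunk establishes that a client cannot influence either value. If the Tornado process sits behind a same-host reverse proxy, REMOTE_ADDR may be 127.0.0.1 for every proxied request unless it is rewritten from a trusted forwarded header. SERVER_NAME may also follow the Host header, depending on how the request object is built, so a request carrying a valid API key could skip the realm-subdomain check. I would spell the assumption out in the comment, e.g. `# Tornado-internal requests only: REMOTE_ADDR must be the real peer address, never a proxy's`, and read both values with `request.META.get(...)` so a missing key fails the exemption instead of raising KeyError. The body of access_user_by_api_key starts and continues outside the hunk, so any normalisation of these values elsewhere is not visible here.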