decorator: Add localhost/Tornado hack to access_user_by_api_key.

This should make it possible to share that code with other code paths.

zerver/decorator.py

@@ -236,8 +236,12 @@ def access_user_by_api_key(request, api_key):
     if user_profile.realm.deactivated:
         raise JsonableError(_("Realm for account has been deactivated"))
 
-    if not check_subdomain(get_subdomain(request), user_profile.realm.subdomain):
+    if (not check_subdomain(get_subdomain(request), user_profile.realm.subdomain) and
-        logging.warning("User %s attempted to access webhook API on wrong subdomain %s" % (
+        # Allow access to localhost for Tornado
+        not (settings.RUNNING_INSIDE_TORNADO and
+             request.META["SERVER_NAME"] == "127.0.0.1" and
+             request.META["REMOTE_ADDR"] == "127.0.0.1")):
+        logging.warning("User %s attempted to access API on wrong subdomain %s" % (
             user_profile.email, get_subdomain(request)))
         raise JsonableError(_("Account is not associated with this subdomain"))
 

zerver/tests/test_decorators.py

@@ -247,7 +247,7 @@ class DecoratorTestCase(TestCase):
                     api_result = my_webhook(request)
 
                 mock_warning.assert_called_with(
-                    "User {} attempted to access webhook API on wrong "
+                    "User {} attempted to access API on wrong "
                     "subdomain {}".format(webhook_bot_email, ''))
 
             with mock.patch('logging.warning') as mock_warning:
@@ -257,7 +257,7 @@ class DecoratorTestCase(TestCase):
                     api_result = my_webhook(request)
 
                 mock_warning.assert_called_with(
-                    "User {} attempted to access webhook API on wrong "
+                    "User {} attempted to access API on wrong "
                     "subdomain {}".format(webhook_bot_email, 'acme'))
 
         # Test when content_type is application/json and request.body