Create and use @internal_notify_view

Resolves #288. (imported from commit 982bf5651a34fa66cd81c882ed0351829eaadf86)
2025-11-11 01:16:19 +00:00 · 2012-11-27 23:37:13 -05:00
parent 1dbd806b6a
commit cb7e726d77
2 changed files with 21 additions and 17 deletions
--- a/zephyr/decorator.py
+++ b/zephyr/decorator.py
@@ -4,6 +4,7 @@ from zephyr.models import UserProfile, UserActivity, get_client
 from zephyr.lib.response import json_success, json_error
 from django.utils.timezone import now
 from django.db import transaction, IntegrityError
+from django.conf import settings

 from functools import wraps

@@ -93,6 +94,23 @@ def authenticated_json_view(view_func):
        return view_func(request, request.user.userprofile, *args, **kwargs)
    return _wrapped_view_func

+# These views are used by the main Django server to notify the Tornado server
+# of events.  We protect them from the outside world by checking a shared
+# secret, and also the originating IP (for now).
+def authenticate_notify(request):
+    return (request.META['REMOTE_ADDR'] in ('127.0.0.1', '::1')
+            and request.POST.get('secret') == settings.SHARED_SECRET)
+
+def internal_notify_view(view_func):
+    @csrf_exempt
+    @require_post
+    @wraps(view_func)
+    def _wrapped_view_func(request, *args, **kwargs):
+        if not authenticate_notify(request):
+            return json_error('Access denied', status=403)
+        return view_func(request, *args, **kwargs)
+    return _wrapped_view_func
+
 # Used in conjunction with @has_request_variables, below
 class POST(object):
    # NotSpecified is a sentinel value for determining whether a