Fixed a horrible security issue in the OAuth plugin.
authorJoar Wandborg <git@wandborg.com>
Wed, 19 Sep 2012 19:57:59 +0000 (21:57 +0200)
committerJoar Wandborg <git@wandborg.com>
Wed, 19 Sep 2012 19:57:59 +0000 (21:57 +0200)
Also added some real triggering logic to the OAuthAuth Auth object.

mediagoblin/plugins/oauth/__init__.py

index 9591972853995727df361231a12dc48897892fa9..33dcaf16d6aa92d505fd59ce35c19859e09d6b78 100644 (file)
@@ -48,7 +48,10 @@ def setup_plugin():
 
 class OAuthAuth(Auth):
     def trigger(self, request):
-        return True
+        if 'access_token' in request.GET:
+            return True
+
+        return False
 
     def __call__(self, request, *args, **kw):
         access_token = request.GET.get('access_token')
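Review bot: `trigger` keys only on an `access_token` query parameter, so the bearer credential always travels in the URL, where it tends to end up in access logs, browser history and Referer headers. Whether the plugin accepts the token in an `Authorization` header elsewhere is not visible on this page; if it does not, that is worth a follow-up. Until then a comment such as `# token is read from the query string only; URLs get logged, so keep token lifetimes short` would make the exposure explicit. As a style point, the new body can be the single line `return 'access_token' in request.GET`.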
@@ -60,9 +63,9 @@ class OAuthAuth(Auth):
                 return False
 
             request.user = token.user
+            return True
 
-        return True
-
+        return False
 
 hooks = {
     'setup': setup_plugin,
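Review bot: Nothing on this page pins the new fail-closed behaviour of `__call__`: the commit appears to touch only the plugin module, so a later edit could reintroduce the fall-through `return True` unnoticed. A regression test should assert that a request with a missing or unknown `access_token` gets `False` back and that `request.user` is left unset. The method would also benefit from a docstring stating the contract, e.g. `"""Return True only after request.user has been set from a valid token; False otherwise."""`. The token lookup between the two hunks is outside the visible lines, so expiry or revocation handling could not be checked here.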