Merge branch 'fix-subscription' into 'master'
Fix subscription

The subscription method contained what could be a security issue: any email sent by the user would be used as a subscription request.

Fix this and add more tests.

See merge request !42
commit 96787b32421afef43078efa1f5f5295dad03f290
2 parents ed1431d + f91919f
@Aurélien Bompard Aurélien Bompard authored on 12 Nov 2015
Showing 10 changed files
0
■■■■■
src/postorius/tests/fixtures/vcr_cassettes/test_list_subscription.yaml
Too large (Show diff)
404
src/postorius/tests/fixtures/vcr_cassettes/test_list_subscription_mod_primary.yaml 0 → 100644
interactions:
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs.example.com
response:
body: {string: !!python/unicode '{"fqdn_listname": "moderate_subs@example.com",
"http_etag": "\"4cf5a031a451ad84a54e4c708cacda8e676e617f\"", "list_name":
"moderate_subs", "volume": 1, "mail_host": "example.com", "member_count":
0, "self_link": "http://localhost:9001/3.0/lists/moderate_subs.example.com",
"display_name": "Moderate_subs", "list_id": "moderate_subs.example.com"}'}
headers:
content-length: ['344']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:22 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/users/test@example.com
response:
body: {string: !!python/unicode '{"user_id": 114244264928177560586593517544856958785,
"password": "$6$rounds=652394$5DreAtMxuCfc0vPW$.AwpgxX.m0wG1a8OAagQNPlwWVfKVPk0zkXKhpQnDz5gCwjFLR1P6RmLnrFUFHEAE8YwyGEVF7UVFwEACK4kB1",
"http_etag": "\"6e1a0cecfb80a877ccf87c1c39ae22e2826c4fe2\"", "created_on":
"2015-11-12T20:10:21.324612", "self_link": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"is_server_owner": false}'}
headers:
content-length: ['407']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:22 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/users/114244264928177560586593517544856958785/addresses
response:
body: {string: !!python/unicode '{"http_etag": "\"ca6e800d65650c5c42905fea4f9554fd78fcb438\"",
"total_size": 2, "start": 0, "entries": [{"original_email": "fritz@example.org",
"registered_on": "2015-11-12T20:10:22.295952", "http_etag": "\"da8c461057ada5cdb401ed2e6e55f0ccb8d6d026\"",
"user": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"self_link": "http://localhost:9001/3.0/addresses/fritz@example.org", "email":
"fritz@example.org", "verified_on": "2015-11-12T20:10:22.394627"}, {"original_email":
"test@example.com", "registered_on": "2015-11-12T20:10:21.324255", "http_etag":
"\"96a4915ee8726cc7a0ee071eb728ce84dca5404d\"", "user": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"self_link": "http://localhost:9001/3.0/addresses/test@example.com", "email":
"test@example.com"}]}'}
headers:
content-length: ['809']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:22 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/addresses/fritz@example.org
response:
body: {string: !!python/unicode '{"original_email": "fritz@example.org", "registered_on":
"2015-11-12T20:10:22.295952", "http_etag": "\"da8c461057ada5cdb401ed2e6e55f0ccb8d6d026\"",
"user": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"self_link": "http://localhost:9001/3.0/addresses/fritz@example.org", "email":
"fritz@example.org", "verified_on": "2015-11-12T20:10:22.394627"}'}
headers:
content-length: ['375']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:22 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/addresses/test@example.com
response:
body: {string: !!python/unicode '{"original_email": "test@example.com", "registered_on":
"2015-11-12T20:10:21.324255", "http_etag": "\"96a4915ee8726cc7a0ee071eb728ce84dca5404d\"",
"user": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"self_link": "http://localhost:9001/3.0/addresses/test@example.com", "email":
"test@example.com"}'}
headers:
content-length: ['327']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:22 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs.example.com/roster/owner
response:
body: {string: !!python/unicode '{"http_etag": "\"32223434a0f3af4cdc4673d1fbc5bac1f6d98fd3\"",
"total_size": 0, "start": 0}'}
headers:
content-length: ['90']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:22 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs.example.com/roster/moderator
response:
body: {string: !!python/unicode '{"http_etag": "\"32223434a0f3af4cdc4673d1fbc5bac1f6d98fd3\"",
"total_size": 0, "start": 0}'}
headers:
content-length: ['90']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:22 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: display_name=None&subscriber=test%40example.com&list_id=moderate_subs.example.com&pre_verified=True&pre_confirmed=True
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'content-type': [!!python/unicode 'application/x-www-form-urlencoded']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'POST'
uri: http://localhost:9001/3.0/members
response:
body: {string: !!python/unicode '{"http_etag": "\"43764d5b3dd3ec545af9728b1b5758e594a07a17\"",
"token_owner": "moderator", "token": "595ef1977cc284df4dbbdfae5a473be5696dee62"}'}
headers:
content-length: ['142']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 202, message: Accepted}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs@example.com/roster/member
response:
body: {string: !!python/unicode '{"http_etag": "\"32223434a0f3af4cdc4673d1fbc5bac1f6d98fd3\"",
"total_size": 0, "start": 0}'}
headers:
content-length: ['90']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs@example.com/requests
response:
body: {string: !!python/unicode '{"http_etag": "\"9f1ff031317a700fad928974406404c329bafe2a\"",
"total_size": 1, "start": 0, "entries": [{"when": "2015-11-12T20:10:23", "display_name":
"", "token_owner": "moderator", "http_etag": "\"ac97afe7a17aeab68db07e6b65cd77af5c813857\"",
"email": "test@example.com", "list_id": "moderate_subs.example.com", "token":
"595ef1977cc284df4dbbdfae5a473be5696dee62"}]}'}
headers:
content-length: ['367']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs.example.com
response:
body: {string: !!python/unicode '{"fqdn_listname": "moderate_subs@example.com",
"http_etag": "\"4cf5a031a451ad84a54e4c708cacda8e676e617f\"", "list_name":
"moderate_subs", "volume": 1, "mail_host": "example.com", "member_count":
0, "self_link": "http://localhost:9001/3.0/lists/moderate_subs.example.com",
"display_name": "Moderate_subs", "list_id": "moderate_subs.example.com"}'}
headers:
content-length: ['344']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/users/test@example.com
response:
body: {string: !!python/unicode '{"user_id": 114244264928177560586593517544856958785,
"password": "$6$rounds=652394$5DreAtMxuCfc0vPW$.AwpgxX.m0wG1a8OAagQNPlwWVfKVPk0zkXKhpQnDz5gCwjFLR1P6RmLnrFUFHEAE8YwyGEVF7UVFwEACK4kB1",
"http_etag": "\"6e1a0cecfb80a877ccf87c1c39ae22e2826c4fe2\"", "created_on":
"2015-11-12T20:10:21.324612", "self_link": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"is_server_owner": false}'}
headers:
content-length: ['407']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/users/114244264928177560586593517544856958785/addresses
response:
body: {string: !!python/unicode '{"http_etag": "\"9856ef089b263dda875af23446f9375cb5c74279\"",
"total_size": 2, "start": 0, "entries": [{"original_email": "fritz@example.org",
"registered_on": "2015-11-12T20:10:22.295952", "http_etag": "\"da8c461057ada5cdb401ed2e6e55f0ccb8d6d026\"",
"user": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"self_link": "http://localhost:9001/3.0/addresses/fritz@example.org", "email":
"fritz@example.org", "verified_on": "2015-11-12T20:10:22.394627"}, {"original_email":
"test@example.com", "registered_on": "2015-11-12T20:10:21.324255", "http_etag":
"\"df25c44e175172e093e3087c9631f3f8ae7472b6\"", "user": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"self_link": "http://localhost:9001/3.0/addresses/test@example.com", "email":
"test@example.com", "verified_on": "2015-11-12T20:10:23.033518"}]}'}
headers:
content-length: ['854']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/addresses/fritz@example.org
response:
body: {string: !!python/unicode '{"original_email": "fritz@example.org", "registered_on":
"2015-11-12T20:10:22.295952", "http_etag": "\"da8c461057ada5cdb401ed2e6e55f0ccb8d6d026\"",
"user": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"self_link": "http://localhost:9001/3.0/addresses/fritz@example.org", "email":
"fritz@example.org", "verified_on": "2015-11-12T20:10:22.394627"}'}
headers:
content-length: ['375']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/addresses/test@example.com
response:
body: {string: !!python/unicode '{"original_email": "test@example.com", "registered_on":
"2015-11-12T20:10:21.324255", "http_etag": "\"df25c44e175172e093e3087c9631f3f8ae7472b6\"",
"user": "http://localhost:9001/3.0/users/114244264928177560586593517544856958785",
"self_link": "http://localhost:9001/3.0/addresses/test@example.com", "email":
"test@example.com", "verified_on": "2015-11-12T20:10:23.033518"}'}
headers:
content-length: ['372']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs.example.com/roster/owner
response:
body: {string: !!python/unicode '{"http_etag": "\"32223434a0f3af4cdc4673d1fbc5bac1f6d98fd3\"",
"total_size": 0, "start": 0}'}
headers:
content-length: ['90']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs.example.com/roster/moderator
response:
body: {string: !!python/unicode '{"http_etag": "\"32223434a0f3af4cdc4673d1fbc5bac1f6d98fd3\"",
"total_size": 0, "start": 0}'}
headers:
content-length: ['90']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs.example.com/member/test@example.com
response:
body: {string: !!python/unicode '{}'}
headers:
content-length: ['2']
content-type: [application/json]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 404, message: Not Found}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs.example.com/member/fritz@example.org
response:
body: {string: !!python/unicode '{}'}
headers:
content-length: ['2']
content-type: [application/json]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 404, message: Not Found}
- request:
body: null
headers:
accept-encoding: ['gzip, deflate']
!!python/unicode 'authorization': [!!python/unicode 'Basic cmVzdGFkbWluOnJlc3RwYXNz']
!!python/unicode 'user-agent': [!!python/unicode 'GNU Mailman REST client v1.0.0']
method: !!python/unicode 'GET'
uri: http://localhost:9001/3.0/lists/moderate_subs@example.com/config
response:
body: {string: !!python/unicode '{"send_welcome_message": true, "http_etag": "\"16e7711bc8144133517e2b24634c538464a4f07f\"",
"digest_size_threshold": 30.0, "bounces_address": "moderate_subs-bounces@example.com",
"subject_prefix": "[Moderate_subs] ", "welcome_message_uri": "mailman:///welcome.txt",
"autorespond_owner": "none", "collapse_alternatives": true, "allow_list_posts":
true, "description": "", "reply_goes_to_list": "no_munging", "no_reply_address":
"noreply@example.com", "advertised": true, "autorespond_requests": "none",
"leave_address": "moderate_subs-leave@example.com", "request_address": "moderate_subs-request@example.com",
"display_name": "Moderate_subs", "filter_content": false, "web_host": "example.com",
"first_strip_reply_to": false, "include_rfc2369_headers": true, "autorespond_postings":
"none", "post_id": 1, "owner_address": "moderate_subs-owner@example.com",
"list_name": "moderate_subs", "scheme": "http", "volume": 1, "default_nonmember_action":
"hold", "admin_immed_notify": true, "posting_pipeline": "default-posting-pipeline",
"digest_last_sent_at": null, "reply_to_address": "", "default_member_action":
"defer", "autoresponse_request_text": "", "administrivia": true, "fqdn_listname":
"moderate_subs@example.com", "subscription_policy": "moderate", "acceptable_aliases":
[], "autoresponse_owner_text": "", "join_address": "moderate_subs-join@example.com",
"convert_html_to_plaintext": false, "created_at": "2015-11-12T20:10:21.036174",
"anonymous_list": false, "admin_notify_mchanges": false, "next_digest_number":
1, "posting_address": "moderate_subs@example.com", "autoresponse_grace_period":
"90d", "archive_policy": "public", "autoresponse_postings_text": "", "last_post_at":
null, "mail_host": "example.com"}'}
headers:
content-length: ['1718']
content-type: [application/json; charset=utf-8]
date: ['Thu, 12 Nov 2015 20:10:23 GMT']
server: [WSGIServer/0.2 CPython/3.4.2]
status: {code: 200, message: OK}
version: 1
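Review bot: Every recorded request in this cassette keeps the `authorization` header (`Basic …`), and the two `/3.0/users/test@example.com` responses carry the user's `password` hash, so both end up committed to the repository. Basic-auth values are only base64-encoded, which means the REST credential is effectively stored in clear text; these look like local test-instance values (all URIs are `localhost:9001`), but that is worth confirming. It would be safer to scrub them at record time, for example with vcrpy's `filter_headers=['authorization']` wherever the VCR instance is configured (not visible on this page), and to replace the `password` field in recorded bodies with a placeholder. The `!!python/unicode` tags also suggest the fixture needs a loader that accepts Python-specific tags rather than a safe loader, so nothing outside the test recorder should parse these files.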
src/postorius/tests/fixtures/vcr_cassettes/test_list_subscription_mod_secondary.yaml 0 → 100644
src/postorius/tests/fixtures/vcr_cassettes/test_list_subscription_moderate.yaml 100644 → 0
src/postorius/tests/fixtures/vcr_cassettes/test_list_subscription_open_primary.yaml 0 → 100644
src/postorius/tests/fixtures/vcr_cassettes/test_list_subscription_open_secondary.yaml 0 → 100644
src/postorius/tests/fixtures/vcr_cassettes/test_list_subscription_unknown.yaml 0 → 100644
src/postorius/tests/mailman_api_tests/test_subscriptions.py
src/postorius/tests/utils.py
src/postorius/views/list.py