Do not allow GET /resource.json

By _default_, Pecan exposes the functionality to try and "use the extension in the URL for guessing the content type to return." I'm not even kidding: http://pecan.readthedocs.org/en/latest/pecan_core.html#pecan.core.Pecan `guess_content_type_from_ext`. So this allowed an API user to GET /v2/zones.json that returned the same thing as /v2/zones. Similarly for /zones/id.json. So this turns that off. Change-Id: I38a2e35f58cf7619bee64247d7ac01a50b0dcc58
2016-03-04 10:03:04 -06:00 · 2016-03-04 10:03:04 -06:00 · 2ce080d36c
commit 2ce080d36c
parent 3e95c7c723
3 changed files with 11 additions and 1 deletions
--- a/designate/api/v2/app.py
+++ b/designate/api/v2/app.py
@ -40,7 +40,8 @@ def setup_app(pecan_config):
        pecan_config.app.root,
        debug=getattr(pecan_config.app, 'debug', False),
        force_canonical=getattr(pecan_config.app, 'force_canonical', True),
-        request_cls=patches.Request
+        request_cls=patches.Request,
+        guess_content_type_from_ext=False
    )

    return app
--- a/functionaltests/api/v2/clients/zone_client.py
+++ b/functionaltests/api/v2/clients/zone_client.py
@ -75,3 +75,8 @@ class ZoneClient(ClientMixin):
        except NotFound:
            return True
        return False
+
+    def zones_dot_json(self, filters=None, **kwargs):
+        uri = self.create_uri("/zones.json", filters=filters)
+        resp, body = self.client.get(uri, **kwargs)
+        return self.deserialize(resp, body, ZoneListModel)
--- a/functionaltests/api/v2/test_zone.py
+++ b/functionaltests/api/v2/test_zone.py
@ -69,6 +69,10 @@ class ZoneTest(DesignateV2Test):
        self.assertEqual(202, resp.status)
        client.wait_for_zone_404(model.id)

+    def test_list_zones_dot_json_fails(self):
+        self.assertRaises(NotFound,
+            lambda: ZoneClient.as_user('default').zones_dot_json())
+

 class ZoneOwnershipTest(DesignateV2Test):