Extra safety on account-level DELETE

I just noticed tonight when adding a bunch of stuff to Swiftly that
the Bulk Delete middleware uses an account-level DELETE request,
albeit with a query parameter of bulk-delete. But, one typo and,
assuming the cluster supports it and you have access, whoops, you
just marked the account for deletion!

I put a bit of extra safety on the account deletion by requiring it
to have an empty query string.

Change-Id: Ib5df11193b04eff69d14185bd9d0607169131e7f
gholt
2013-04-19 09:43:31 +00:00
parent dec517e349
commit f63dc07b9d

@@ -5564,6 +5564,29 @@ class TestAccountController(unittest.TestCase):
test_status_map((201, 500, 500), 503)
test_status_map((204, 500, 404), 503)
def test_DELETE_with_query_string(self):
# Extra safety in case someone typos a query string for an
# account-level DELETE request that was really meant to be caught by
# some middleware.
with save_globals():
controller = proxy_server.AccountController(self.app, 'account')
def test_status_map(statuses, expected, **kwargs):
set_http_connect(*statuses, **kwargs)
self.app.memcache.store = {}
req = Request.blank('/a?whoops', {'REQUEST_METHOD': 'DELETE'})
req.content_length = 0
self.app.update_request(req)
res = controller.DELETE(req)
expected = str(expected)
self.assertEquals(res.status[:len(expected)], expected)
test_status_map((201, 201, 201), 400)
self.app.allow_account_management = True
test_status_map((201, 201, 201), 400)
test_status_map((201, 201, 500), 400)
test_status_map((201, 500, 500), 400)
test_status_map((204, 500, 404), 400)
class FakeObjectController(object):
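Review bot: test_DELETE_with_query_string only sends '/a?whoops', so the near-miss the commit message describes (a mistyped bulk-delete parameter, possibly in key=value form) and the boundary case of a bare '/a?' are not pinned down by any assertion here. Consider looping the inner test_status_map over several query strings, and adding one control request to '/a' with allow_account_management set, so the test also shows that an empty query string is still accepted and the 400 is attributable to the query string alone. The (201, 500, 500) and (204, 500, 404) cases expect 400 where the preceding test expects 503, which implies the request is rejected before the backend responses matter; an explicit assertion that no backend connection was made would state that directly.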
openstack/swift