From f2720ebbc4c860dcb7d5a3e5a1126a14f207b35c Mon Sep 17 00:00:00 2001
From: Felix Hammerl
Date: Mon, 4 Jul 2016 14:43:48 +0200
Subject: Issue #738: Bypass cookie validation for sandbox
---
 service/pixelated/resources/auth.py | 43 ++++++++++++++++++++-----------------
 1 file changed, 23 insertions(+), 20 deletions(-)
(limited to 'service/pixelated/resources/auth.py')
diff --git a/service/pixelated/resources/auth.py b/service/pixelated/resources/auth.py
index 5aedad3a..1e6e293c 100644
--- a/service/pixelated/resources/auth.py
+++ b/service/pixelated/resources/auth.py
@@ -15,6 +15,7 @@
 # along with Pixelated. If not, see .
 import logging
+import re
 from leap.auth import SRPAuth
 from leap.exceptions import SRPAuthenticationError
@@ -123,26 +124,28 @@ class PixelatedAuthSessionWrapper(object):
 def _authorizedResource(self, request):
 creds = SessionCredential(request)
- return util.DeferredResource(self._login(creds))
+ return util.DeferredResource(self._login(creds, request))
+
+ def _login(self, credentials, request):
+ pattern = re.compile("^/sandbox/")
+
+ def loginSucceeded(args):
+ interface, avatar, logout = args
+ if avatar == checkers.ANONYMOUS and not pattern.match(request.path):
+ return self._anonymous_resource
+ else:
+ return self._root_resource
+
+ def loginFailed(result):
+ if result.check(error.Unauthorized, error.LoginFailed):
+ return UnauthorizedResource(self._credentialFactories)
+ else:
+ log.err(
+ result,
+ "HTTPAuthSessionWrapper.getChildWithDefault encountered "
+ "unexpected error")
+ return ErrorPage(500, None, None)
- def _login(self, credentials):
 d = self._portal.login(credentials, None, IResource)
- d.addCallbacks(self._loginSucceeded, self._loginFailed)
+ d.addCallbacks(loginSucceeded, loginFailed)
 return d
-
- def _loginSucceeded(self, args):
- interface, avatar, logout = args
- if avatar == checkers.ANONYMOUS:
- return self._anonymous_resource
- else:
- return self._root_resource
-
- def _loginFailed(self, result):
- if result.check(error.Unauthorized, error.LoginFailed):
- return UnauthorizedResource(self._credentialFactories)
- else:
- log.err(
- result,
- "HTTPAuthSessionWrapper.getChildWithDefault encountered "
- "unexpected error")
- return ErrorPage(500, None, None)
-- cgit v1.2.3
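Review bot: In `loginSucceeded`, an anonymous avatar whose `request.path` matches `^/sandbox/` now receives `self._root_resource`, the same resource an authenticated session gets, so the only thing confining an unauthenticated request to the sandbox is a prefix match on the raw request path. Child lookup below the root works on the path segments rather than on that string, so the bypass is only as tight as the root resource's own routing under that prefix; that routing is not visible in this hunk. It would be safer to return only the sandbox resource for this case rather than the whole root, and to cover it with a test that an anonymous request outside the sandbox still gets `self._anonymous_resource`. At minimum the dependency deserves a comment on the condition, for example `# anonymous + /sandbox/ skips the session check: the root resource must serve nothing but sandbox content under this prefix`. As a smaller point, `pattern` is recompiled on every `_login` call and could be a module-level constant.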