GET method is allowed on verify-email endpoint #370

Open
axnsan12 opened this issue Oct 19, 2017 · 0 comments

Comments

@axnsan12

VerifyEmailView should override http_method_names instead of allowed_methods, in order to restrict the get method of its parent ConfirmationEmailView. As it stands, overriding default_methods has no effect and GET is wrongly allowed, calling ConfirmationEmailView.get() from allauth.

    allowed_methods = ('POST', 'OPTIONS', 'HEAD')

Background:

APIView from rest_framework defines allowed_methods as

    @property
    def allowed_methods(self):
        """
        Wrap Django's private `_allowed_methods` interface in a public property.
        """
        return self._allowed_methods()

which references Django's _allowed_methods():

    def _allowed_methods(self):
        return [m.upper() for m in self.http_method_names if hasattr(self, m)]

However, APIView.dispatch() actually checks http_method_names:

    def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args
        self.kwargs = kwargs
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        self.headers = self.default_response_headers  # deprecate?

        try:
            self.initial(request, *args, **kwargs)

            # Get the appropriate handler method
            if request.method.lower() in self.http_method_names:  # <----------- HERE
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed

            response = handler(request, *args, **kwargs)

        except Exception as exc:
            response = self.handle_exception(exc)

        self.response = self.finalize_response(request, response, *args, **kwargs)
        return self.response

Taken from Django 1.11.6, django-rest-auth 0.9.2, djangorestframework 3.7.0
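The following is an added, stand-alone model of the two code paths quoted above; it is not code from django-rest-auth, allauth, Django or DRF, and it does not import Django. It mirrors only the logic the issue cites: `_allowed_methods()` derives the advertised method list from `http_method_names`, and `dispatch()` gates the handler lookup on `http_method_names` alone. The view classes and the constructed dict request are hypothetical stand-ins; the point is to show that a subclass setting `allowed_methods` changes what is advertised but not what is served, while setting `http_method_names` actually produces a 405 for GET.

```python
"""Model of why overriding `allowed_methods` does not block GET (added example)."""

HTTP_200 = 200
HTTP_405 = 405


class View:
    """Mirror of the parts of Django's generic View that matter here."""

    http_method_names = ['get', 'post', 'put', 'patch', 'delete', 'head', 'options', 'trace']

    def _allowed_methods(self):
        # Advertised methods: entries of http_method_names that have a handler.
        return [m.upper() for m in self.http_method_names if hasattr(self, m)]

    def http_method_not_allowed(self, request):
        return (HTTP_405, 'http_method_not_allowed')

    def options(self, request):
        # Django/DRF answer OPTIONS with the advertised list; not involved in the GET bug.
        return (HTTP_200, 'options')

    def dispatch(self, request):
        # Same gate as APIView.dispatch(): only http_method_names is consulted.
        method = request['method'].lower()
        if method in self.http_method_names:
            handler = getattr(self, method, self.http_method_not_allowed)
        else:
            handler = self.http_method_not_allowed
        return handler(request)


class APIView(View):
    @property
    def allowed_methods(self):
        """Public wrapper around the private _allowed_methods(), as in DRF."""
        return self._allowed_methods()


class ConfirmationEmailView(APIView):
    """Hypothetical stand-in for the parent view: it handles both GET and POST."""

    def get(self, request):
        return (HTTP_200, 'get')

    def post(self, request):
        return (HTTP_200, 'post')


class VerifyEmailViewBuggy(ConfirmationEmailView):
    # What the issue reports: a class attribute that shadows the property
    # but is never read by dispatch(), so the inherited get() still runs.
    allowed_methods = ('POST', 'OPTIONS', 'HEAD')


class VerifyEmailViewFixed(ConfirmationEmailView):
    # Proposed fix: restrict the list that dispatch() actually checks.
    http_method_names = ['post', 'options', 'head']


def send(view_cls, method):
    """Dispatch a constructed request with the given HTTP method; return (status, handler)."""
    request = {'method': method}  # constructed minimal request, not a Django HttpRequest
    return view_cls().dispatch(request)


def advertised(view_cls):
    """What the view would claim in an Allow header or OPTIONS response."""
    return sorted(m.upper() for m in view_cls().allowed_methods)


if __name__ == '__main__':
    print('buggy GET  ->', send(VerifyEmailViewBuggy, 'GET'))
    print('fixed GET  ->', send(VerifyEmailViewFixed, 'GET'))
    print('fixed POST ->', send(VerifyEmailViewFixed, 'POST'))
    print('buggy advertises', advertised(VerifyEmailViewBuggy))
    print('fixed advertises', advertised(VerifyEmailViewFixed))
```

The buggy subclass advertises POST/OPTIONS/HEAD only, yet a GET still reaches the inherited `get()`; the fixed subclass returns 405 for GET. Against a real project the equivalent check is a test-client GET to the verify-email URL asserting a 405 response.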
