Replaced all request.POST with request.form, ...

- Fixed error handling in OAuth plugin
- Changed request.POST file fields to request.files

mediagoblin/plugins/api/views.py

@@ -20,8 +20,8 @@ import uuid
 
 from os.path import splitext
 from webob import exc, Response
-from cgi import FieldStorage
 from werkzeug.utils import secure_filename
+from werkzeug.datastructures import FileStorage
 from celery import registry
 
 from mediagoblin.db.util import ObjectId
@@ -29,13 +29,10 @@ from mediagoblin.decorators import require_active_login
 from mediagoblin.processing import mark_entry_failed
 from mediagoblin.processing.task import ProcessMedia
 from mediagoblin.meddleware.csrf import csrf_exempt
-from mediagoblin.media_types import sniff_media, InvalidFileType, \
-        FileTypeNotSupported
+from mediagoblin.media_types import sniff_media
 from mediagoblin.plugins.api.tools import api_auth, get_entry_serializable, \
         json_response
 
-from mediagoblin.plugins.api import config
-
 _log = logging.getLogger(__name__)
 
 
@@ -52,24 +49,24 @@ def post_entry(request):
         _log.debug('Must POST against post_entry')
         return exc.HTTPBadRequest()
 
-    if not 'file' in request.POST \
-            or not isinstance(request.POST['file'], FieldStorage) \
-            or not request.POST['file'].file:
+    if not 'file' in request.files \
+            or not isinstance(request.files['file'], FileStorage) \
+            or not request.files['file'].stream:
         _log.debug('File field not found')
         return exc.HTTPBadRequest()
 
-    media_file = request.POST['file']
+    media_file = request.files['file']
 
     media_type, media_manager = sniff_media(media_file)
 
     entry = request.db.MediaEntry()
     entry.id = ObjectId()
     entry.media_type = unicode(media_type)
-    entry.title = unicode(request.POST.get('title')
+    entry.title = unicode(request.form.get('title')
             or splitext(media_file.filename)[0])
 
-    entry.description = unicode(request.POST.get('description'))
-    entry.license = unicode(request.POST.get('license', ''))
+    entry.description = unicode(request.form.get('description'))
+    entry.license = unicode(request.form.get('license', ''))
 
     entry.uploader = request.user.id
 
@@ -88,7 +85,7 @@ def post_entry(request):
         queue_filepath, 'wb')
 
     with queue_file:
-        queue_file.write(request.POST['file'].file.read())
+        queue_file.write(request.files['file'].stream.read())
 
     # Add queued filename to the entry
     entry.queued_media_file = queue_filepath
@@ -98,10 +95,10 @@ def post_entry(request):
     # Save now so we have this data before kicking off processing
     entry.save(validate=True)
 
-    if request.POST.get('callback_url'):
+    if request.form.get('callback_url'):
         metadata = request.db.ProcessingMetaData()
         metadata.media_entry = entry
-        metadata.callback_url = unicode(request.POST['callback_url'])
+        metadata.callback_url = unicode(request.form['callback_url'])
         metadata.save()
 
     # Pass off to processing

mediagoblin/plugins/oauth/README.rst

@@ -133,10 +133,12 @@ Incapabilities
 ==============
 
 - Only `bearer tokens`_ are issued.
-- `Access Token Scope`_
 - `Implicit Grant`_
+- `Force TLS for token endpoint`_ - This one is up the the siteadmin
+- Authorization `scope`_ and `state`
 - ...
 
 .. _`bearer tokens`: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08
-.. _`Access Token Scope`: http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-3.3
+.. _`scope`: http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-3.3
 .. _`Implicit Grant`: http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-4.2
+.. _`Force TLS for token endpoint`: http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-3.2

mediagoblin/plugins/oauth/views.py

@@ -41,15 +41,15 @@ def register_client(request):
     '''
     Register an OAuth client
     '''
-    form = ClientRegistrationForm(request.POST)
+    form = ClientRegistrationForm(request.form)
 
     if request.method == 'POST' and form.validate():
         client = OAuthClient()
-        client.name = unicode(request.POST['name'])
-        client.description = unicode(request.POST['description'])
-        client.type = unicode(request.POST['type'])
+        client.name = unicode(request.form['name'])
+        client.description = unicode(request.form['description'])
+        client.type = unicode(request.form['type'])
         client.owner_id = request.user.id
-        client.redirect_uri = unicode(request.POST['redirect_uri'])
+        client.redirect_uri = unicode(request.form['redirect_uri'])
 
         client.generate_identifier()
         client.generate_secret()
@@ -86,7 +86,7 @@ def list_connections(request):
 
 @require_active_login
 def authorize_client(request):
-    form = AuthorizationForm(request.POST)
+    form = AuthorizationForm(request.form)
 
     client = OAuthClient.query.filter(OAuthClient.id ==
         form.client_id.data).first()
@@ -169,7 +169,7 @@ def authorize(request, client):
         # code parameter
         # - on deny: send the user agent back to the redirect uri with error
         # information
-        form = AuthorizationForm(request.POST)
+        form = AuthorizationForm(request.form)
         form.client_id.data = client.id
         form.next.data = request.url
         return render_to_response(
@@ -185,6 +185,31 @@ def access_token(request):
                 request.GET.get('code')).first()
 
         if code:
+            if code.client.type == u'confidential':
+                client_identifier = request.GET.get('client_id')
+
+                if not client_identifier:
+                    return json_response({
+                        'error': 'invalid_request',
+                        'error_description':
+                            'Missing client_id in request'})
+
+                client_secret = request.GET.get('client_secret')
+
+                if not client_secret:
+                    return json_response({
+                        'error': 'invalid_request',
+                        'error_description':
+                            'Missing client_secret in request'})
+
+                if not client_secret == code.client.secret or \
+                        not client_identifier == code.client.identifier:
+                    return json_response({
+                        'error': 'invalid_client',
+                        'error_description':
+                            'The client_id or client_secret does not match the'
+                            ' code'})
+
             token = OAuthToken()
             token.token = unicode(uuid4())
             token.user = code.user
@@ -194,10 +219,17 @@ def access_token(request):
             access_token_data = {
                 'access_token': token.token,
                 'token_type': 'bearer',
-                'expires_in':
-                (token.expires - datetime.now()).total_seconds()}
+                'expires_in': int(
+                    round(
+                        (token.expires - datetime.now()).total_seconds()))}
             return json_response(access_token_data, _disable_cors=True)
-
-    error_data = {
-        'error': 'Incorrect code'}
-    return Response(json.dumps(error_data))
+        else:
+            return json_response({
+                'error': 'invalid_request',
+                'error_description':
+                    'Invalid code'})
+    else:
+        return json_response({
+            'error': 'invalid_request',
+            'error_descriptin':
+                'Missing `code` parameter in request'})