Page MenuHomeSoftware Heritage
Files F7123789

D4612.diff
No OneTemporary
Actions

D4612.diff
View Options

diff --git a/swh/deposit/api/common.py b/swh/deposit/api/common.py
--- a/swh/deposit/api/common.py
+++ b/swh/deposit/api/common.py
@@ -739,6 +739,14 @@
create_origin = metadata.get("swh:deposit", {}).get("swh:create_origin")
if create_origin:
origin_url = create_origin["swh:origin"]["@url"]
+ if origin_url is not None:
+ provider_url = deposit.client.provider_url.rstrip("/") + "/"
+ if not origin_url.startswith(provider_url):
+ raise DepositError(
+ FORBIDDEN,
+ f"Cannot create origin {origin_url}, it must start with "
+ f"{provider_url}",
+ )
deposit.origin_url = origin_url
if "atom:external_identifier" in metadata:
diff --git a/swh/deposit/tests/api/test_collection_post_atom.py b/swh/deposit/tests/api/test_collection_post_atom.py
--- a/swh/deposit/tests/api/test_collection_post_atom.py
+++ b/swh/deposit/tests/api/test_collection_post_atom.py
@@ -96,6 +96,28 @@
assert b"Malformed xml metadata" in response.content
+def test_post_deposit_atom_403_wrong_origin_url_prefix(
+ authenticated_client, deposit_collection, atom_dataset, deposit_user
+):
+ """Creating an origin for a prefix not owned by the client is forbidden
+
+ """
+ origin_url = "http://example.org/foo"
+
+ response = authenticated_client.post(
+ reverse(COL_IRI, args=[deposit_collection.name]),
+ content_type="application/atom+xml;type=entry",
+ data=atom_dataset["entry-data0"] % origin_url,
+ HTTP_IN_PROGRESS="true",
+ )
+ assert response.status_code == status.HTTP_403_FORBIDDEN
+ expected_msg = (
+ f"Cannot create origin {origin_url}, "
+ f"it must start with {deposit_user.provider_url}"
+ )
+ assert expected_msg in response.content.decode()
+
+
def test_post_deposit_atom_use_slug_header(
authenticated_client, deposit_collection, deposit_user, atom_dataset, mocker
):

File Metadata

Mime Type
text/plain
Expires
Dec 20 2024, 2:05 AM (11 w, 3 d ago)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3217107

Event Timeline

About · Developer information · Legal