| -rw-r--r-- | docs/topics/credits.md | 2 | ||||
| -rw-r--r-- | docs/topics/release-notes.md | 1 | ||||
| -rw-r--r-- | rest_framework/authentication.py | 12 |
3 files changed, 10 insertions, 5 deletions
diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index 6edf347e..f6734f24 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -114,6 +114,7 @@ The following people have helped make REST framework great.
 * Dave Kuhn - [kuhnza]
 * Sitong Peng - [stoneg]
 * Victor Shih - [vshih]
+* Atle Frenvik Sveen - [atlefren]
 
 Many thanks to everyone who's contributed to the project.
 
@@ -262,3 +263,4 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
 [kuhnza]: https://github.com/kuhnza
 [stoneg]: https://github.com/stoneg
 [vshih]: https://github.com/vshih
+[atlefren]: https://github.com/atlefren
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 62c31358..eb93bf78 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -45,6 +45,7 @@ You can determine your currently installed version using `pip freeze`:
 * OAuth2 authentication no longer requires unneccessary URL parameters in addition to the token.
 * URL hyperlinking in browseable API now handles more cases correctly.
 * Bugfix: Fix regression with DjangoFilterBackend not worthing correctly with single object views.
+* Bugfix: OAuth should fail hard when invalid token used.
 
 ### 2.2.5
 
diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index 145d4295..1eebb5b9 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -10,7 +10,7 @@ from django.core.exceptions import ImproperlyConfigured
 from rest_framework import exceptions, HTTP_HEADER_ENCODING
 from rest_framework.compat import CsrfViewMiddleware
 from rest_framework.compat import oauth, oauth_provider, oauth_provider_store
-from rest_framework.compat import oauth2_provider, oauth2_provider_forms
+from rest_framework.compat import oauth2_provider
 from rest_framework.authtoken.models import Token
 
 
@@ -230,7 +230,7 @@ class OAuthAuthentication(BaseAuthentication):
         try:
             consumer_key = oauth_request.get_parameter('oauth_consumer_key')
             consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
-        except oauth_provider_store.InvalidConsumerError as err:
+        except oauth_provider.store.InvalidConsumerError as err:
             raise exceptions.AuthenticationFailed(err)
 
         if consumer.status != oauth_provider.consts.ACCEPTED:
@@ -240,7 +240,7 @@ class OAuthAuthentication(BaseAuthentication):
         try:
             token_param = oauth_request.get_parameter('oauth_token')
             token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
-        except oauth_provider_store.InvalidTokenError:
+        except oauth_provider.store.InvalidTokenError:
             msg = 'Invalid access token: %s' % oauth_request.get_parameter('oauth_token')
             raise exceptions.AuthenticationFailed(msg)
 
@@ -325,11 +325,13 @@ class OAuth2Authentication(BaseAuthentication):
         except oauth2_provider.models.AccessToken.DoesNotExist:
             raise exceptions.AuthenticationFailed('Invalid token')
 
-        if not token.user.is_active:
+        user = token.user
+
+        if not user.is_active:
             msg = 'User inactive or deleted: %s' % user.username
             raise exceptions.AuthenticationFailed(msg)
 
-        return (token.user, token)
+        return (user, token)
 
     def authenticate_header(self, request):
         """
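Review bot: The `raise exceptions.AuthenticationFailed(err)` under the new `except oauth_provider.store.InvalidConsumerError as err:` branch hands the provider store's exception object through as the failure detail, so whatever text that third-party exception carries ends up in the authentication error response rather than a message this module controls; the token branch in the next hunk uses a fixed string, and `raise exceptions.AuthenticationFailed('Invalid consumer key')` would keep the two responses consistent and independent of the library's wording. Both this hunk and the one at line 240 now resolve the exception classes through `oauth_provider.store` instead of the store instance, which appears to be the "fail hard on an invalid token" fix from the release note, and the same applies to the `user = token.user` fix at line 325; the diffstat shows no test change, so a regression test that presents an unknown consumer key, an unknown token and a token for an inactive user and asserts an authentication failure rather than a server error would pin all three paths. The enclosing `authenticate` method starts and ends outside the hunk.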
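Review bot: The message built under the new `except oauth_provider.store.InvalidTokenError:` branch re-reads the request with `oauth_request.get_parameter('oauth_token')` although `token_param` two lines above already holds that value, and it reflects the client-supplied credential back into the error response. `msg = 'Invalid access token: %s' % token_param` removes the duplicate lookup; dropping the interpolation altogether, `raise exceptions.AuthenticationFailed('Invalid access token')`, keeps a submitted credential out of response bodies and of whatever proxies or client logs record them, with the value logged server-side if it is needed for diagnosis. The enclosing `authenticate` method starts and ends outside the hunk.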
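Review bot: The new `user = token.user` / `if not user.is_active:` block checks only the account state, and the lookup that produces `token` sits above the hunk, so it cannot be confirmed here that an expired access token is rejected before this point; if that query does not filter on the token's expiry, a token past its lifetime but bound to an active user is accepted, and the expiry test belongs alongside the `DoesNotExist` handling at the top of the hunk. Worth confirming against the lines above the hunk rather than assuming. The enclosing `authenticate` method starts outside the hunk, and `authenticate_header` at its end continues past it.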
