We do some whitelisted domain checks in db.py, which means that we need to give it knowledge of the domain whitelist. These checks are probably better done at the web layer instead, as long as we can factor them out to avoid massive duplication. From Nick's review in bug 1021018: > ::: admin.wsgi > @@ +30,5 @@ > > auslib.log.cef_config = auslib.log.get_cef_config(cfg.getCefLogfile()) > > +dbo.setDb(cfg.getDburi()) > > +dbo.setupChangeMonitors(cfg.getSystemAccounts()) > > +dbo.setDomainWhitelist(cfg.getDomainWhitelist()) > > +application.config['WHITELISTED_DOMAINS'] = cfg.getDomainWhitelist() > > Setting this twice is a little odd. Perhaps we can look at moving > containsForbiddenDomain() into the code that handles API calls. Fodder for a > followup if it's worthwhile.
The blob classes might be the best place, actually, since finding the file urls is blob-specific.
Commit pushed to master at https://github.com/mozilla/balrog https://github.com/mozilla/balrog/commit/53f48d4519df5fc709cbd6b28097af2d57ebef37 Bug 1041584 - move balrog whitelist checks out of AUSDatabase (#121). r=bhearsum
This is in production now. Thanks Varun!