Add HTTP_AUTHORIZATION to values copied to dummy preview requests

CHANGELOG.txt

@@ -12,6 +12,7 @@ Changelog
  * Notification emails now include an "Auto-Submitted: auto-generated" header (Dan Braghis)
  * Image chooser panels now show alt text as title (Samir Shah)
  * Added `download_url` field to images in the API (Michael Harrison)
+ * Dummy requests for preview now preserve the HTTP Authorization header (Ben Dickinson)
  * Fix: Respect next param on login (Loic Teixeira)
  * Fix: InlinePanel now handles relations that specify a related_query_name (Aram Dulyan)
  * Fix: before_delete_page / after_delete_page hooks now run within the same database transaction as the page deletion (Tomasz Knapik)

CONTRIBUTORS.rst

@@ -316,6 +316,7 @@ Contributors
 * Matthew Schinckel
 * Michael Borisov
 * Dan Braghis
+* Ben Dickinson
 
 Translators
 ===========

docs/releases/2.3.rst

@@ -29,6 +29,7 @@ Other features
  * Notification emails now include an "Auto-Submitted: auto-generated" header (Dan Braghis)
  * Image chooser panels now show alt text as title (Samir Shah)
  * Added ``download_url`` field to images in the API (Michael Harrison)
+ * Dummy requests for preview now preserve the HTTP Authorization header (Ben Dickinson)
 
 
 Bug fixes

wagtail/core/models.py

@@ -1242,7 +1242,7 @@ class Page(AbstractPage, index.Indexed, ClusterableModel, metaclass=PageBase):
 
         # Add important values from the original request object, if it was provided.
         HEADERS_FROM_ORIGINAL_REQUEST = [
-            'REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR', 'HTTP_COOKIE', 'HTTP_USER_AGENT',
+            'REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR', 'HTTP_COOKIE', 'HTTP_USER_AGENT', 'HTTP_AUTHORIZATION',
             'wsgi.version', 'wsgi.multithread', 'wsgi.multiprocess', 'wsgi.run_once',
         ]
         if settings.SECURE_PROXY_SSL_HEADER:

wagtail/core/tests/test_page_model.py

@@ -1371,6 +1371,7 @@ class TestDummyRequest(TestCase):
             'HTTP_X_FORWARDED_FOR': '192.168.0.2,192.168.0.3',
             'HTTP_COOKIE': "test=1;blah=2",
             'HTTP_USER_AGENT': "Test Agent",
+            'HTTP_AUTHORIZATION': "Basic V2FndGFpbDpXYWd0YWlsCg==",
         }
         factory = RequestFactory(**original_headers)
         original_request = factory.get('/home/events/')
@@ -1381,6 +1382,7 @@ class TestDummyRequest(TestCase):
         self.assertEqual(request.META['HTTP_X_FORWARDED_FOR'], original_request.META['HTTP_X_FORWARDED_FOR'])
         self.assertEqual(request.META['HTTP_COOKIE'], original_request.META['HTTP_COOKIE'])
         self.assertEqual(request.META['HTTP_USER_AGENT'], original_request.META['HTTP_USER_AGENT'])
+        self.assertEqual(request.META['HTTP_AUTHORIZATION'], original_request.META['HTTP_AUTHORIZATION'])
 
         # check other env vars required by the WSGI spec
         self.assertEqual(request.META['REQUEST_METHOD'], 'GET')