Fix exposed functions

[cascardo/ipsilon.git] / ipsilon / util / page.py
diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py

index 7727dda..1548d47 100755 (executable)
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -17,7 +17,9 @@
  # You should have received a copy of the GNU General Public License
  # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  
+from ipsilon.util.log import Log
  from ipsilon.util.user import UserSession
+from urllib import unquote
  import cherrypy
  
  
@@ -32,17 +34,31 @@ def admin_protect(fn):
      return check
  
  
-def protect():
-    UserSession().remote_login()
+def auth_protect(fn):
+    def check(self, *args, **kwargs):
+        if UserSession().get_user().is_anonymous:
+            raise cherrypy.HTTPRedirect(self.basepath)
+        else:
+            return fn(self, *args, **kwargs)
+
+    return check
  
  
-class Page(object):
-    def __init__(self, site):
-        if not 'template_env' in site:
+class Page(Log):
+    def __init__(self, site, form=False):
+        if 'template_env' not in site:
              raise ValueError('Missing template environment')
          self._site = site
          self.basepath = cherrypy.config.get('base.mount', "")
          self.user = None
+        self._is_form_page = form
+
+    def _compare_urls(self, url1, url2):
+        u1 = unquote(url1)
+        u2 = unquote(url2)
+        if u1 == u2:
+            return True
+        return False
  
      def __call__(self, *args, **kwargs):
          # pylint: disable=star-args
@@ -50,12 +66,30 @@ class Page(object):
  
          if len(args) > 0:
              op = getattr(self, args[0], None)
-            if callable(op) and getattr(self, args[0]+'.exposed', None):
+            if callable(op) and getattr(op, 'public_function', None):
                  return op(*args[1:], **kwargs)
          else:
-            op = getattr(self, 'root', None)
-            if callable(op):
-                return op(*args, **kwargs)
+            if self._is_form_page:
+                self._debug("method: %s" % cherrypy.request.method)
+                op = getattr(self, cherrypy.request.method, None)
+                if callable(op):
+                    # Basic CSRF protection
+                    if cherrypy.request.method != 'GET':
+                        url = cherrypy.url(relative=False)
+                        if 'referer' not in cherrypy.request.headers:
+                            self._debug("Missing referer in %s request to %s"
+                                        % (cherrypy.request.method, url))
+                            raise cherrypy.HTTPError(403)
+                        referer = cherrypy.request.headers['referer']
+                        if not self._compare_urls(referer, url):
+                            self._debug("Wrong referer %s in request to %s"
+                                        % (referer, url))
+                            raise cherrypy.HTTPError(403)
+                    return op(*args, **kwargs)
+            else:
+                op = getattr(self, 'root', None)
+                if callable(op):
+                    return op(*args, **kwargs)
  
          return self.default(*args, **kwargs)
  
@@ -73,10 +107,6 @@ class Page(object):
          m.update(kwargs)
          return t.render(**m)
  
-    def _debug(self, fact):
-        if cherrypy.config.get('debug', False):
-            cherrypy.log(fact)
-
      def default(self, *args, **kwargs):
          raise cherrypy.HTTPError(404)