import cherrypy
+def admin_protect(fn):
+
+ def check(*args, **kwargs):
+ if UserSession().get_user().is_admin:
+ return fn(*args, **kwargs)
+
+ raise cherrypy.HTTPError(403)
+
+ return check
+
+
def protect():
UserSession().remote_login()
class Page(object):
- def __init__(self, site):
- if not 'template_env' in site:
+ def __init__(self, site, form=False):
+ if 'template_env' not in site:
raise ValueError('Missing template environment')
self._site = site
self.basepath = cherrypy.config.get('base.mount', "")
self.user = None
+ self.form = form
def __call__(self, *args, **kwargs):
# pylint: disable=star-args
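Review bot: The new `admin_protect` decorator at the top of this hunk returns a bare `check` wrapper, so the wrapped handler's name, docstring and any attributes set on it (for example CherryPy's `exposed` flag) are not carried over; adding `@functools.wraps(fn)` above `def check` (with `import functools`) would preserve them. The guard also assumes `UserSession().get_user()` always returns an object with `is_admin`. `UserSession` is not visible here, but if it can return `None` for an unauthenticated session the request fails with an AttributeError and a 500 instead of the intended 403, so `getattr(user, 'is_admin', False)` would fail closed. A one-line docstring such as `"""Reject the call with HTTP 403 unless the session user is an admin."""` would document the contract.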
if callable(op) and getattr(self, args[0]+'.exposed', None):
return op(*args[1:], **kwargs)
else:
- op = getattr(self, 'root', None)
- if callable(op):
- return op(*args, **kwargs)
+ if self.form:
+ self._debug("method: %s" % cherrypy.request.method)
+ op = getattr(self, cherrypy.request.method, None)
+ if callable(op):
+ # Basic CSRF protection
+ if cherrypy.request.method != 'GET':
+ if 'referer' not in cherrypy.request.headers:
+ return cherrypy.HTTPError(403)
+ referer = cherrypy.request.headers['referer']
+ url = cherrypy.url(relative=False)
+ if referer != url:
+ return cherrypy.HTTPError(403)
+ return op(*args, **kwargs)
+ else:
+ op = getattr(self, 'root', None)
+ if callable(op):
+ return op(*args, **kwargs)
return self.default(*args, **kwargs)
+ def _template_model(self):
+ model = dict()
+ model['basepath'] = self.basepath
+ model['title'] = 'IPSILON'
+ model['user'] = self.user
+ return model
+
def _template(self, *args, **kwargs):
+ # pylint: disable=star-args
t = self._site['template_env'].get_template(args[0])
- return t.render(basepath=self.basepath, user=self.user, **kwargs)
+ m = self._template_model()
+ m.update(kwargs)
+ return t.render(**m)
+
+ def _debug(self, fact):
+ if cherrypy.config.get('debug', False):
+ cherrypy.log(fact)
def default(self, *args, **kwargs):
raise cherrypy.HTTPError(404)
+ def add_subtree(self, name, page):
+ self.__dict__[name] = page
+
+ def del_subtree(self, name):
+ del self.__dict__[name]
+
exposed = True
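Review bot: Both CSRF rejections in the new `self.form` branch of `__call__` use `return cherrypy.HTTPError(403)`, which hands the exception object back as the handler result instead of aborting the request; they should read `raise cherrypy.HTTPError(403)`, as `admin_protect` and `default` already do. As written, a non-GET request with a missing or mismatched Referer most likely does not get a 403 status, so the fix deserves a test for both cases. The handler is also looked up with `getattr(self, cherrypy.request.method, None)` using the method string sent by the client; checking it against an explicit set such as `('GET', 'POST')` before the lookup would keep dispatch to the handlers a form page is meant to expose. `__call__` begins above this hunk, so the earlier assignment of `op` is not visible here.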