import cherrypy
+def admin_protect(fn):
+
+ def check(*args, **kwargs):
+ if UserSession().get_user().is_admin:
+ return fn(*args, **kwargs)
+
+ raise cherrypy.HTTPError(403)
+
+ return check
+
+
def protect():
UserSession().remote_login()
class Page(object):
- def __init__(self, site):
+ def __init__(self, site, form=False):
if not 'template_env' in site:
raise ValueError('Missing template environment')
self._site = site
self.basepath = cherrypy.config.get('base.mount', "")
self.user = None
+ self.form = form
def __call__(self, *args, **kwargs):
# pylint: disable=star-args
if callable(op) and getattr(self, args[0]+'.exposed', None):
return op(*args[1:], **kwargs)
else:
- op = getattr(self, 'root', None)
- if callable(op):
- return op(*args, **kwargs)
+ if self.form:
+ self._debug("method: %s" % cherrypy.request.method)
+ op = getattr(self, cherrypy.request.method, None)
+ if callable(op):
+ # Basic CSRF protection
+ if cherrypy.request.method != 'GET':
+ if 'referer' not in cherrypy.request.headers:
+ return cherrypy.HTTPError(403)
+ referer = cherrypy.request.headers['referer']
+ url = cherrypy.url(relative=False)
+ if referer != url:
+ return cherrypy.HTTPError(403)
+ return op(*args, **kwargs)
+ else:
+ op = getattr(self, 'root', None)
+ if callable(op):
+ return op(*args, **kwargs)
return self.default(*args, **kwargs)
m.update(kwargs)
return t.render(**m)
+ def _debug(self, fact):
+ if cherrypy.config.get('debug', False):
+ cherrypy.log(fact)
+
def default(self, *args, **kwargs):
raise cherrypy.HTTPError(404)
+ def add_subtree(self, name, page):
+ self.__dict__[name] = page
+
+ def del_subtree(self, name):
+ del self.__dict__[name]
+
exposed = True