# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipsilon.util.user import UserSession
+from urllib import unquote
import cherrypy
return check
-def protect():
- UserSession().remote_login()
-
-
class Page(object):
def __init__(self, site, form=False):
- if not 'template_env' in site:
+ if 'template_env' not in site:
raise ValueError('Missing template environment')
self._site = site
self.basepath = cherrypy.config.get('base.mount', "")
self.user = None
self.form = form
+ def _compare_urls(self, url1, url2):
+ u1 = unquote(url1)
+ u2 = unquote(url2)
+ if u1 == u2:
+ return True
+ return False
+
def __call__(self, *args, **kwargs):
# pylint: disable=star-args
self.user = UserSession().get_user()
if callable(op):
# Basic CSRF protection
if cherrypy.request.method != 'GET':
+ url = cherrypy.url(relative=False)
if 'referer' not in cherrypy.request.headers:
- return cherrypy.HTTPError(403)
+ self._debug("Missing referer in %s request to %s"
+ % (cherrypy.request.method, url))
+ raise cherrypy.HTTPError(403)
referer = cherrypy.request.headers['referer']
- url = cherrypy.url(relative=False)
- if referer != url:
- return cherrypy.HTTPError(403)
+ if not self._compare_urls(referer, url):
+ self._debug("Wrong referer %s in request to %s"
+ % (referer, url))
+ raise cherrypy.HTTPError(403)
return op(*args, **kwargs)
else:
op = getattr(self, 'root', None)