X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Futil%2Fpage.py;h=094a6a949702c390fe346eda81cd24a417f978d4;hp=3a0181121c9d77cd8e1de9ba5a669fd2080a1a6f;hb=1bcc0d697dd37a9268641f0cbaa7e9e781552233;hpb=37ef4b972ea240f085e7d29923aba70787ac1668 diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py old mode 100755 new mode 100644 index 3a01811..094a6a9 --- a/ipsilon/util/page.py +++ b/ipsilon/util/page.py @@ -1,5 +1,3 @@ -#!/usr/bin/python -# # Copyright (C) 2013 Simo Sorce # # see file 'COPYING' for use and warranty information @@ -17,8 +15,18 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -from ipsilon.util.user import UserSession import cherrypy +from ipsilon.util.endpoint import Endpoint +from ipsilon.util.user import UserSession +from ipsilon.util.trans import Transaction +from urllib import unquote +try: + from urlparse import urlparse + from urlparse import parse_qs +except ImportError: + # pylint: disable=no-name-in-module, import-error + from urllib.parse import urlparse + from urllib.parse import parse_qs def admin_protect(fn): @@ -32,40 +40,65 @@ def admin_protect(fn): return check -def protect(): - UserSession().remote_login() - - -class Page(object): +class Page(Endpoint): def __init__(self, site, form=False): - if not 'template_env' in site: + super(Page, self).__init__(site) + if 'template_env' not in site: raise ValueError('Missing template environment') self._site = site self.basepath = cherrypy.config.get('base.mount', "") self.user = None - self.form = form + self._is_form_page = form + self.auth_protect = False + + def get_url(self): + return cherrypy.url(relative=False) + + def instance_base_url(self): + url = self.get_url() + s = urlparse(unquote(url)) + return '%s://%s%s' % (s.scheme, s.netloc, self.basepath) + + def _check_referer(self, referer, url): + r = urlparse(unquote(referer)) + u = urlparse(unquote(url)) + if r.scheme != u.scheme: + return False + if r.netloc != u.netloc: + return False + if r.path.startswith(self.basepath): + return True + return False def __call__(self, *args, **kwargs): - # pylint: disable=star-args + cherrypy.response.headers.update(self.default_headers) + self.user = UserSession().get_user() + if self.auth_protect and self.user.is_anonymous: + raise cherrypy.HTTPError(401) + if len(args) > 0: op = getattr(self, args[0], None) - if callable(op) and getattr(self, args[0]+'.exposed', None): + if callable(op) and getattr(op, 'public_function', None): return op(*args[1:], **kwargs) else: - if self.form: - self._debug("method: %s" % cherrypy.request.method) + if self._is_form_page: + self.debug("method: %s" % cherrypy.request.method) op = getattr(self, cherrypy.request.method, None) if callable(op): # Basic CSRF protection if cherrypy.request.method != 'GET': + url = self.get_url() if 'referer' not in cherrypy.request.headers: - return cherrypy.HTTPError(403) + self.debug("Missing referer in %s request to %s" + % (cherrypy.request.method, url)) + raise cherrypy.HTTPError(403) referer = cherrypy.request.headers['referer'] - url = cherrypy.url(relative=False) - if referer != url: - return cherrypy.HTTPError(403) + if not self._check_referer(referer, url): + self.debug("Wrong referer %s in request to %s" + % (referer, url)) + raise cherrypy.HTTPError(403) return op(*args, **kwargs) else: op = getattr(self, 'root', None) @@ -82,18 +115,13 @@ class Page(object): return model def _template(self, *args, **kwargs): - # pylint: disable=star-args t = self._site['template_env'].get_template(args[0]) m = self._template_model() m.update(kwargs) return t.render(**m) - def _debug(self, fact): - if cherrypy.config.get('debug', False): - cherrypy.log(fact) - def default(self, *args, **kwargs): - raise cherrypy.HTTPError(404) + raise cherrypy.NotFound() def add_subtree(self, name, page): self.__dict__[name] = page @@ -101,4 +129,30 @@ class Page(object): def del_subtree(self, name): del self.__dict__[name] + def get_valid_transaction(self, provider, **kwargs): + try: + t = Transaction(provider) + # Try with kwargs first + tid = t.find_tid(kwargs) + if not tid: + # If no TID yet See if we have it in a referer or in the + # environment in the REDIRECT_URL + url = None + if 'referer' in cherrypy.request.headers: + url = cherrypy.request.headers['referer'] + r = urlparse(unquote(url)) + if r.query: + tid = t.find_tid(parse_qs(r.query)) + if not tid and 'REQUEST_URI' in cherrypy.request.wsgi_environ: + url = cherrypy.request.wsgi_environ['REQUEST_URI'] + r = urlparse(unquote(url)) + if r.query: + tid = t.find_tid(parse_qs(r.query)) + if not tid: + t.create_tid() + return t + except ValueError: + msg = 'Transaction expired, or cookies not available' + raise cherrypy.HTTPError(401, msg) + exposed = True