X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Futil%2Fpage.py;h=19680098e6aeda03d90bdc7fc5a3a3fa2bafcd71;hp=56a6463c70a167aaace1fbcaa44d2c75e952eefc;hb=f47a95ba1df58ccf9784c47beeaa0702c469b3e1;hpb=0d81fcba2c57e9dfb2d55bbbcc1dfff3aaae25bd
diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
index 56a6463..1968009 100755
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -21,17 +21,29 @@ from ipsilon.util.user import UserSession
 import cherrypy
 
 
+def admin_protect(fn):
+
+    def check(*args, **kwargs):
+        if UserSession().get_user().is_admin:
+            return fn(*args, **kwargs)
+
+        raise cherrypy.HTTPError(403)
+
+    return check
+
+
 def protect():
     UserSession().remote_login()
 
 
 class Page(object):
-    def __init__(self, site):
-        if not 'template_env' in site:
+    def __init__(self, site, form=False):
+        if 'template_env' not in site:
             raise ValueError('Missing template environment')
         self._site = site
         self.basepath = cherrypy.config.get('base.mount', "")
         self.user = None
+        self.form = form
 
     def __call__(self, *args, **kwargs):
         # pylint: disable=star-args
@@ -42,9 +54,23 @@ class Page(object):
             if callable(op) and getattr(self, args[0]+'.exposed', None):
                 return op(*args[1:], **kwargs)
         else:
-            op = getattr(self, 'root', None)
-            if callable(op):
-                return op(*args, **kwargs)
+            if self.form:
+                self._debug("method: %s" % cherrypy.request.method)
+                op = getattr(self, cherrypy.request.method, None)
+                if callable(op):
+                    # Basic CSRF protection
+                    if cherrypy.request.method != 'GET':
+                        if 'referer' not in cherrypy.request.headers:
+                            return cherrypy.HTTPError(403)
+                        referer = cherrypy.request.headers['referer']
+                        url = cherrypy.url(relative=False)
+                        if referer != url:
+                            return cherrypy.HTTPError(403)
+                    return op(*args, **kwargs)
+            else:
+                op = getattr(self, 'root', None)
+                if callable(op):
+                    return op(*args, **kwargs)
 
         return self.default(*args, **kwargs)
 
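Review bot: `check` inside admin_protect replaces the decorated function without `functools.wraps`, so the wrapped handler loses its `__name__`, docstring and any attributes set on it — for a CherryPy handler that includes the `exposed` flag this file relies on (see `exposed = True` and the `'.exposed'` lookup in `__call__`). Decorating the inner function with `@functools.wraps(fn)` (and adding `import functools` next to `import cherrypy` above the hunk) keeps those attributes intact. The decorator also has no docstring; suggest `"""Run the decorated handler only when the session user is an admin; raise HTTP 403 otherwise."""`. Whether `get_user()` can return an object without `is_admin` for an anonymous session is not visible here; if it can, that case should also end in a 403 rather than an AttributeError.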
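Review bot: Both CSRF rejections in the new `if self.form:` branch use `return cherrypy.HTTPError(403)`, which hands the exception object back as the handler's return value instead of raising it, so the request is never actually rejected with a 403 (the rest of this file raises, e.g. `raise cherrypy.HTTPError(404)` in `default`); both lines should read `raise cherrypy.HTTPError(403)`. The check itself requires the Referer to equal the exact request URL, which is brittle (browser privacy settings and proxies routinely suppress Referer, and any scheme, host or port difference in what `cherrypy.url(relative=False)` reconstructs behind a proxy makes legitimate submissions fail) and is only a secondary defence; a per-session token embedded in the form and verified on submission is the usual primary check. Since `cherrypy.request.method` is supplied by the client, the `getattr(self, cherrypy.request.method, None)` dispatch should be restricted to an explicit set of verbs the page supports rather than any attribute whose name happens to match. The enclosing `__call__` starts outside the hunk.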
@@ -69,4 +95,10 @@ class Page(object):
     def default(self, *args, **kwargs):
         raise cherrypy.HTTPError(404)
 
+    def add_subtree(self, name, page):
+        self.__dict__[name] = page
+
+    def del_subtree(self, name):
+        del self.__dict__[name]
+
     exposed = True
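Review bot: `add_subtree` writes straight into `self.__dict__`, so a `name` that collides with an existing attribute or method of the page (`default`, `root`, `form`, or a subtree added earlier) silently replaces it, and `del_subtree` raises a bare `KeyError` for an unknown name. A guard such as `if hasattr(self, name): raise ValueError('subtree %s already exists' % name)` before the assignment, and `self.__dict__.pop(name, None)` (or a deliberate, named error) in `del_subtree`, would make the contract explicit. Both methods lack docstrings; suggest `"""Mount *page* as a child handler reachable as the attribute *name*."""` and `"""Remove the child handler mounted as *name*."""`. Class Page continues outside the hunk.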