X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Futil%2Fpage.py;h=21c9e3e39c89fb6f968565db62e116ba46e88192;hp=7727dda62bc3b4771cf7b0f5df27b48e06572684;hb=83ec7148841303516fe31e76116b70c8a5f73aab;hpb=134914682267592e2b42276255aff24bd2fabe6b

diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
old mode 100755
new mode 100644
index 7727dda..21c9e3e
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -1,5 +1,3 @@
-#!/usr/bin/python
-#
 # Copyright (C) 2013  Simo Sorce <simo@redhat.com>
 #
 # see file 'COPYING' for use and warranty information
@@ -17,8 +15,18 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from ipsilon.util.user import UserSession
 import cherrypy
+from ipsilon.util.endpoint import Endpoint
+from ipsilon.util.user import UserSession
+from ipsilon.util.trans import Transaction
+from urllib import unquote
+try:
+    from urlparse import urlparse
+    from urlparse import parse_qs
+except ImportError:
+    # pylint: disable=no-name-in-module, import-error
+    from urllib.parse import urlparse
+    from urllib.parse import parse_qs
 
 
 def admin_protect(fn):
@@ -32,30 +40,71 @@ def admin_protect(fn):
     return check
 
 
-def protect():
-    UserSession().remote_login()
-
-
-class Page(object):
-    def __init__(self, site):
-        if not 'template_env' in site:
+class Page(Endpoint):
+    def __init__(self, site, form=False):
+        super(Page, self).__init__(site)
+        if 'template_env' not in site:
             raise ValueError('Missing template environment')
         self._site = site
         self.basepath = cherrypy.config.get('base.mount', "")
         self.user = None
+        self._is_form_page = form
+        self.auth_protect = False
+
+    def get_url(self):
+        return cherrypy.url(relative=False)
+
+    def instance_base_url(self):
+        url = self.get_url()
+        s = urlparse(unquote(url))
+        return '%s://%s%s' % (s.scheme, s.netloc, self.basepath)
+
+    def _check_referer(self, referer, url):
+        r = urlparse(unquote(referer))
+        u = urlparse(unquote(url))
+        if r.scheme != u.scheme:
+            return False
+        if r.netloc != u.netloc:
+            return False
+        if r.path.startswith(self.basepath):
+            return True
+        return False
 
     def __call__(self, *args, **kwargs):
         # pylint: disable=star-args
+        cherrypy.response.headers.update(self.default_headers)
+
         self.user = UserSession().get_user()
 
+        if self.auth_protect and self.user.is_anonymous:
+            raise cherrypy.HTTPError(401)
+
         if len(args) > 0:
             op = getattr(self, args[0], None)
-            if callable(op) and getattr(self, args[0]+'.exposed', None):
+            if callable(op) and getattr(op, 'public_function', None):
                 return op(*args[1:], **kwargs)
         else:
-            op = getattr(self, 'root', None)
-            if callable(op):
-                return op(*args, **kwargs)
+            if self._is_form_page:
+                self._debug("method: %s" % cherrypy.request.method)
+                op = getattr(self, cherrypy.request.method, None)
+                if callable(op):
+                    # Basic CSRF protection
+                    if cherrypy.request.method != 'GET':
+                        url = self.get_url()
+                        if 'referer' not in cherrypy.request.headers:
+                            self._debug("Missing referer in %s request to %s"
+                                        % (cherrypy.request.method, url))
+                            raise cherrypy.HTTPError(403)
+                        referer = cherrypy.request.headers['referer']
+                        if not self._check_referer(referer, url):
+                            self._debug("Wrong referer %s in request to %s"
+                                        % (referer, url))
+                            raise cherrypy.HTTPError(403)
+                    return op(*args, **kwargs)
+            else:
+                op = getattr(self, 'root', None)
+                if callable(op):
+                    return op(*args, **kwargs)
 
         return self.default(*args, **kwargs)
 
@@ -73,12 +122,8 @@ class Page(object):
         m.update(kwargs)
         return t.render(**m)
 
-    def _debug(self, fact):
-        if cherrypy.config.get('debug', False):
-            cherrypy.log(fact)
-
     def default(self, *args, **kwargs):
-        raise cherrypy.HTTPError(404)
+        raise cherrypy.NotFound()
 
     def add_subtree(self, name, page):
         self.__dict__[name] = page
@@ -86,4 +131,30 @@ class Page(object):
     def del_subtree(self, name):
         del self.__dict__[name]
 
+    def get_valid_transaction(self, provider, **kwargs):
+        try:
+            t = Transaction(provider)
+            # Try with kwargs first
+            tid = t.find_tid(kwargs)
+            if not tid:
+                # If no TID yet See if we have it in a referer or in the
+                # environment in the REDIRECT_URL
+                url = None
+                if 'referer' in cherrypy.request.headers:
+                    url = cherrypy.request.headers['referer']
+                    r = urlparse(unquote(url))
+                    if r.query:
+                        tid = t.find_tid(parse_qs(r.query))
+                if not tid and 'REQUEST_URI' in cherrypy.request.wsgi_environ:
+                    url = cherrypy.request.wsgi_environ['REQUEST_URI']
+                    r = urlparse(unquote(url))
+                    if r.query:
+                        tid = t.find_tid(parse_qs(r.query))
+                if not tid:
+                    t.create_tid()
+            return t
+        except ValueError:
+            msg = 'Transaction expired, or cookies not available'
+            raise cherrypy.HTTPError(401, msg)
+
     exposed = True