X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Futil%2Fpage.py;h=e1cecb94dcc2847811eefa0db34d8403e8dfe2e6;hp=aa075dec6c1fa9fe77558df8a20747f878a0fefc;hb=cfe24fa3dc15d87f3ace944a2d62a0f4c5ee496c;hpb=73eeae98716c0e25f31cdb2c347c1939525d6ef7
diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
old mode 100755
new mode 100644
index aa075de..e1cecb9
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -1,26 +1,17 @@
-#!/usr/bin/python
-#
-# Copyright (C) 2013 Simo Sorce
-#
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-from ipsilon.util.log import Log
+# Copyright (C) 2013 Ipsilon project Contributors, for license see COPYING
+
+import cherrypy
+from ipsilon.util.endpoint import Endpoint
 from ipsilon.util.user import UserSession
+from ipsilon.util.trans import Transaction
 from urllib import unquote
-import cherrypy
+try:
+ from urlparse import urlparse
+ from urlparse import parse_qs
+except ImportError:
+ # pylint: disable=no-name-in-module, import-error
+ from urllib.parse import urlparse
+ from urllib.parse import parse_qs
 def admin_protect(fn):
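Review bot: The new `try`/`except ImportError` fallback to `urllib.parse` cannot take effect on its own, because the unchanged line `from urllib import unquote` just above it is still a Python 2-only import and fails with ImportError before the fallback is reached on Python 3. Move that import into the same block: `from urllib import unquote` in the `try` branch and `from urllib.parse import unquote` in the `except` branch.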
@@ -34,56 +25,64 @@ def admin_protect(fn):
 return check
-def auth_protect(fn):
- def check(self, *args, **kwargs):
- if UserSession().get_user().is_anonymous:
- raise cherrypy.HTTPRedirect(self.basepath)
- else:
- return fn(self, *args, **kwargs)
-
- return check
-
-
-class Page(Log):
+class Page(Endpoint):
 def __init__(self, site, form=False):
+ super(Page, self).__init__(site)
 if 'template_env' not in site:
 raise ValueError('Missing template environment')
 self._site = site
 self.basepath = cherrypy.config.get('base.mount', "")
 self.user = None
 self._is_form_page = form
-
- def _compare_urls(self, url1, url2):
- u1 = unquote(url1)
- u2 = unquote(url2)
- if u1 == u2:
+ self.auth_protect = False
+
+ def get_url(self):
+ return cherrypy.url(relative=False)
+
+ def instance_base_url(self):
+ url = self.get_url()
+ s = urlparse(unquote(url))
+ return '%s://%s%s' % (s.scheme, s.netloc, self.basepath)
+
+ def _check_referer(self, referer, url):
+ r = urlparse(unquote(referer))
+ u = urlparse(unquote(url))
+ if r.scheme != u.scheme:
+ return False
+ if r.netloc != u.netloc:
+ return False
+ if r.path.startswith(self.basepath):
 return True
 return False
 def __call__(self, *args, **kwargs):
- # pylint: disable=star-args
+ cherrypy.response.headers.update(self.default_headers)
+ self.user = UserSession().get_user()
+ if self.auth_protect and self.user.is_anonymous:
+ raise cherrypy.HTTPError(401)
+
 if len(args) > 0:
 op = getattr(self, args[0], None)
- if callable(op) and getattr(self, args[0]+'.exposed', None):
+ if callable(op) and getattr(op, 'public_function', None):
 return op(*args[1:], **kwargs)
 else:
 if self._is_form_page:
- self._debug("method: %s" % cherrypy.request.method)
+ self.debug("method: %s" % cherrypy.request.method)
 op = getattr(self, cherrypy.request.method, None)
 if callable(op):
 # Basic CSRF protection
 if cherrypy.request.method != 'GET':
- url = cherrypy.url(relative=False)
+ url = self.get_url()
 if 'referer' not in cherrypy.request.headers:
- self._debug("Missing referer in %s request to %s"
- % (cherrypy.request.method, url))
+ self.debug("Missing referer in %s request to %s"
+ % (cherrypy.request.method, url))
 raise cherrypy.HTTPError(403)
 referer = cherrypy.request.headers['referer']
- if not self._compare_urls(referer, url):
- self._debug("Wrong referer %s in request to %s"
- % (referer, url))
+ if not self._check_referer(referer, url):
+ self.debug("Wrong referer %s in request to %s"
+ % (referer, url))
 raise cherrypy.HTTPError(403)
 return op(*args, **kwargs)
 else:
@@ -101,14 +100,13 @@ class Page(Log):
 return model
 def _template(self, *args, **kwargs):
- # pylint: disable=star-args
 t = self._site['template_env'].get_template(args[0])
 m = self._template_model()
 m.update(kwargs)
 return t.render(**m)
 def default(self, *args, **kwargs):
- raise cherrypy.HTTPError(404)
+ raise cherrypy.NotFound()
 def add_subtree(self, name, page):
 self.__dict__[name] = page
@@ -116,4 +114,30 @@ class Page(Log):
 def del_subtree(self, name):
 del self.__dict__[name]
+ def get_valid_transaction(self, provider, **kwargs):
+ try:
+ t = Transaction(provider)
+ # Try with kwargs first
+ tid = t.find_tid(kwargs)
+ if not tid:
+ # If no TID yet See if we have it in a referer or in the
+ # environment in the REDIRECT_URL
+ url = None
+ if 'referer' in cherrypy.request.headers:
+ url = cherrypy.request.headers['referer']
+ r = urlparse(unquote(url))
+ if r.query:
+ tid = t.find_tid(parse_qs(r.query))
+ if not tid and 'REQUEST_URI' in cherrypy.request.wsgi_environ:
+ url = cherrypy.request.wsgi_environ['REQUEST_URI']
+ r = urlparse(unquote(url))
+ if r.query:
+ tid = t.find_tid(parse_qs(r.query))
+ if not tid:
+ t.create_tid()
+ return t
+ except ValueError:
+ msg = 'Transaction expired, or cookies not available'
+ raise cherrypy.HTTPError(401, msg)
+
 exposed = True
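Review bot: `_check_referer` calls `unquote` on the whole URL before `urlparse`, so percent-encoded delimiters in the client-supplied Referer are decoded before scheme, host and path are split; parse first and compare the parsed parts, i.e. `r = urlparse(referer)` and likewise for `url`. The final test `r.path.startswith(self.basepath)` is a bare prefix match, so a mount such as `/idp` (constructed example) also accepts a sibling path like `/idp-other/`; `return r.path == self.basepath or r.path.startswith(self.basepath.rstrip('/') + '/')` keeps the match on a segment boundary. The same unquote-then-parse order appears in `instance_base_url` and in `get_valid_transaction` in the last hunk, where `parse_qs` then decodes the query a second time, so an encoded `&` or `=` inside a value can surface as a separate parameter. The hunk ends inside `__call__`, whose body continues past it.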
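Review bot: The comment inside `get_valid_transaction` names `REDIRECT_URL` as the fallback source, but the code reads `cherrypy.request.wsgi_environ['REQUEST_URI']`; one of the two should be corrected, e.g. `# environment in the REQUEST_URI`. The method also lacks a docstring giving its lookup order (kwargs, then the Referer query, then the request URI, then a fresh transaction), and since the Referer is client-supplied the docstring should say that `Transaction.find_tid`, which is not visible here, is what must reject ids that do not belong to the caller's session. The `try` wraps the whole body, so a ValueError raised while parsing a malformed URL would presumably be reported as 'Transaction expired, or cookies not available' as well; narrowing the `try` to the `Transaction` calls would keep that message accurate.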