X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Futil%2Fpage.py;h=ec3828d90c415c896d447f4797ef063be06153cf;hp=a99d2f496bc3b448111739360eb18e262f585a9b;hb=158c4cdefc0bd5b8dabe38685c1bebccc24d656b;hpb=907d40cac424c9c7bf3a190b445858bc6eab949e

diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
old mode 100755
new mode 100644
index a99d2f4..ec3828d
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -1,5 +1,3 @@
-#!/usr/bin/python
-#
 # Copyright (C) 2013  Simo Sorce <simo@redhat.com>
 #
 # see file 'COPYING' for use and warranty information
@@ -17,10 +15,18 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from ipsilon.util.log import Log
+import cherrypy
+from ipsilon.util.endpoint import Endpoint
 from ipsilon.util.user import UserSession
+from ipsilon.util.trans import Transaction
 from urllib import unquote
-import cherrypy
+try:
+    from urlparse import urlparse
+    from urlparse import parse_qs
+except ImportError:
+    # pylint: disable=no-name-in-module, import-error
+    from urllib.parse import urlparse
+    from urllib.parse import parse_qs
 
 
 def admin_protect(fn):
@@ -34,56 +40,65 @@ def admin_protect(fn):
     return check
 
 
-def auth_protect(fn):
-    def check(self, *args, **kwargs):
-        if UserSession().get_user().is_anonymous:
-            raise cherrypy.HTTPRedirect(self.basepath)
-        else:
-            return fn(self, *args, **kwargs)
-
-    return check
-
-
-class Page(Log):
+class Page(Endpoint):
     def __init__(self, site, form=False):
+        super(Page, self).__init__(site)
         if 'template_env' not in site:
             raise ValueError('Missing template environment')
         self._site = site
         self.basepath = cherrypy.config.get('base.mount', "")
         self.user = None
         self._is_form_page = form
-
-    def _compare_urls(self, url1, url2):
-        u1 = unquote(url1)
-        u2 = unquote(url2)
-        if u1 == u2:
+        self.auth_protect = False
+
+    def get_url(self):
+        return cherrypy.url(relative=False)
+
+    def instance_base_url(self):
+        url = self.get_url()
+        s = urlparse(unquote(url))
+        return '%s://%s%s' % (s.scheme, s.netloc, self.basepath)
+
+    def _check_referer(self, referer, url):
+        r = urlparse(unquote(referer))
+        u = urlparse(unquote(url))
+        if r.scheme != u.scheme:
+            return False
+        if r.netloc != u.netloc:
+            return False
+        if r.path.startswith(self.basepath):
             return True
         return False
 
     def __call__(self, *args, **kwargs):
         # pylint: disable=star-args
+        cherrypy.response.headers.update(self.default_headers)
+
         self.user = UserSession().get_user()
 
+        if self.auth_protect and self.user.is_anonymous:
+            raise cherrypy.HTTPError(401)
+
         if len(args) > 0:
             op = getattr(self, args[0], None)
             if callable(op) and getattr(op, 'public_function', None):
                 return op(*args[1:], **kwargs)
         else:
             if self._is_form_page:
-                self._debug("method: %s" % cherrypy.request.method)
+                self.debug("method: %s" % cherrypy.request.method)
                 op = getattr(self, cherrypy.request.method, None)
                 if callable(op):
                     # Basic CSRF protection
                     if cherrypy.request.method != 'GET':
-                        url = cherrypy.url(relative=False)
+                        url = self.get_url()
                         if 'referer' not in cherrypy.request.headers:
-                            self._debug("Missing referer in %s request to %s"
-                                        % (cherrypy.request.method, url))
+                            self.debug("Missing referer in %s request to %s"
+                                       % (cherrypy.request.method, url))
                             raise cherrypy.HTTPError(403)
                         referer = cherrypy.request.headers['referer']
-                        if not self._compare_urls(referer, url):
-                            self._debug("Wrong referer %s in request to %s"
-                                        % (referer, url))
+                        if not self._check_referer(referer, url):
+                            self.debug("Wrong referer %s in request to %s"
+                                       % (referer, url))
                             raise cherrypy.HTTPError(403)
                     return op(*args, **kwargs)
             else:
@@ -116,4 +131,30 @@ class Page(Log):
     def del_subtree(self, name):
         del self.__dict__[name]
 
+    def get_valid_transaction(self, provider, **kwargs):
+        try:
+            t = Transaction(provider)
+            # Try with kwargs first
+            tid = t.find_tid(kwargs)
+            if not tid:
+                # If no TID yet See if we have it in a referer or in the
+                # environment in the REDIRECT_URL
+                url = None
+                if 'referer' in cherrypy.request.headers:
+                    url = cherrypy.request.headers['referer']
+                    r = urlparse(unquote(url))
+                    if r.query:
+                        tid = t.find_tid(parse_qs(r.query))
+                if not tid and 'REQUEST_URI' in cherrypy.request.wsgi_environ:
+                    url = cherrypy.request.wsgi_environ['REQUEST_URI']
+                    r = urlparse(unquote(url))
+                    if r.query:
+                        tid = t.find_tid(parse_qs(r.query))
+                if not tid:
+                    t.create_tid()
+            return t
+        except ValueError:
+            msg = 'Transaction expired, or cookies not available'
+            raise cherrypy.HTTPError(401, msg)
+
     exposed = True