From: Simo Sorce
Date: Wed, 15 Oct 2014 02:30:32 +0000 (-0400)
Subject: Allow to call forms from any of the admin pages
X-Git-Tag: v0.3.0~39
X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=commitdiff_plain;h=5ebec54b30ae7cfeef98761894732f52b30d2441

Allow to call forms from any of the admin pages

Signed-off-by: Simo Sorce
Reviewed-by: Patrick Uiterwijk
---
diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
index 213f945..eeb9ca3 100755
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -17,11 +17,16 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 
+import cherrypy
 from ipsilon.util.log import Log
 from ipsilon.util.user import UserSession
 from ipsilon.util.trans import Transaction
 from urllib import unquote
-import cherrypy
+try:
+ from urlparse import urlparse
+except ImportError:
+ # pylint: disable=no-name-in-module, import-error
+ from urllib.parse import urlparse
 
 
 def admin_protect(fn):
@@ -46,10 +51,14 @@ class Page(Log):
 self.default_headers = dict()
 self.auth_protect = False
 
- def _compare_urls(self, url1, url2):
- u1 = unquote(url1)
- u2 = unquote(url2)
- if u1 == u2:
+ def _check_referer(self, referer, url):
+ r = urlparse(unquote(referer))
+ u = urlparse(unquote(url))
+ if r.scheme != u.scheme:
+ return False
+ if r.netloc != u.netloc:
+ return False
+ if r.path.startswith(self.basepath):
 return True
 return False
 
@@ -79,7 +88,7 @@ class Page(Log):
 % (cherrypy.request.method, url))
 raise cherrypy.HTTPError(403)
 referer = cherrypy.request.headers['referer']
- if not self._compare_urls(referer, url):
+ if not self._check_referer(referer, url):
 self._debug("Wrong referer %s in request to %s"
 % (referer, url))
 raise cherrypy.HTTPError(403)
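Review bot: The `except ImportError` fallback to `urllib.parse.urlparse` can never take effect, because the unguarded `from urllib import unquote` just above it is a Python 2-only import and raises ImportError first on Python 3. If Python 3 support is the aim, guard both names together: put `from urllib import unquote` inside the `try` next to `from urlparse import urlparse`, and use `from urllib.parse import urlparse, unquote` in the `except` branch. If it is not, a plain `from urlparse import urlparse` without the guard and the pylint suppression is clearer.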
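Review bot: In `_check_referer` the final test `r.path.startswith(self.basepath)` is a raw string prefix match, so the referer check that guards form submissions accepts any same-origin path that merely begins with the same characters, and an empty or `/` base path would accept every page on the host. `self.basepath` is set outside this hunk, so its possible values should be confirmed. Matching on a segment boundary is tighter: `base = self.basepath.rstrip('/')` followed by `if r.path == base or r.path.startswith(base + '/'):`. Separately, `unquote()` runs before `urlparse()`, so percent-encoded delimiters in the header are decoded before the URL is split into scheme, netloc and path; parsing first and unquoting only the path keeps the compared components as the client sent them. A short docstring stating that this is a same-origin, under-base-path referer check (and no longer an exact URL match) would also help the next reader.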