From 37ef4b972ea240f085e7d29923aba70787ac1668 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 20 Apr 2014 21:41:24 -0400
Subject: [PATCH] Add New form helper to Page object

This removes the need to define a root funciton only to redirect to a GET/POST one. Also adds basic CSRF protection if the page is declared a form.

Signed-off-by: Simo Sorce
---
 ipsilon/util/page.py | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
index 7727dda..3a01811 100755
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -37,12 +37,13 @@ def protect():
 
 
 class Page(object):
-    def __init__(self, site):
+    def __init__(self, site, form=False):
         if not 'template_env' in site:
             raise ValueError('Missing template environment')
         self._site = site
         self.basepath = cherrypy.config.get('base.mount', "")
         self.user = None
+        self.form = form
 
     def __call__(self, *args, **kwargs):
         # pylint: disable=star-args
@@ -53,9 +54,23 @@ class Page(object):
         if callable(op) and getattr(self, args[0]+'.exposed', None):
             return op(*args[1:], **kwargs)
         else:
-            op = getattr(self, 'root', None)
-            if callable(op):
-                return op(*args, **kwargs)
+            if self.form:
+                self._debug("method: %s" % cherrypy.request.method)
+                op = getattr(self, cherrypy.request.method, None)
+                if callable(op):
+                    # Basic CSRF protection
+                    if cherrypy.request.method != 'GET':
+                        if 'referer' not in cherrypy.request.headers:
+                            return cherrypy.HTTPError(403)
+                        referer = cherrypy.request.headers['referer']
+                        url = cherrypy.url(relative=False)
+                        if referer != url:
+                            return cherrypy.HTTPError(403)
+                    return op(*args, **kwargs)
+            else:
+                op = getattr(self, 'root', None)
+                if callable(op):
+                    return op(*args, **kwargs)
         return self.default(*args, **kwargs)
-- 
2.20.1
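Review bot: Both `return cherrypy.HTTPError(403)` lines in the new CSRF branch of the second hunk hand the exception object back as the handler's result instead of raising it, so no 403 is actually sent; they should read `raise cherrypy.HTTPError(403)`. The check also demands that the Referer equal `cherrypy.url(relative=False)` exactly, so a form page served from a different path or with a query string, or a client that does not send the header, is rejected outright, and a Referer comparison is at best a weak stand-in for a per-session token — worth stating in the `# Basic CSRF protection` comment so nobody later relies on it as the only defence. Looking up the handler with `getattr(self, cherrypy.request.method, None)` makes every callable attribute of the page reachable by method name, `_debug` included; guarding the lookup with an explicit set such as `if cherrypy.request.method in ('GET', 'POST'):` keeps dispatch to the handlers that are meant to be exposed. The enclosing `__call__` begins outside this hunk, so I cannot see how `args` and `op` are first populated.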