# HG changeset patch # User Goffi # Date 1423514775 -3600 # Node ID 917e271975d9e686348b42a33be22bbc37f4a7a6 # Parent 32dbbc9411231d36c5c8af2d8a2f4d06c0965c5d server + browser side: implementation of new getEntitiesData bridge method + added a security check: only a white list of entities can be gotten diff -r 32dbbc941123 -r 917e271975d9 src/browser/sat_browser/json.py --- a/src/browser/sat_browser/json.py Fri Feb 06 17:53:01 2015 +0100 +++ b/src/browser/sat_browser/json.py Mon Feb 09 21:46:15 2015 +0100 @@ -185,7 +185,7 @@ "getWaitingSub", "subscription", "delContact", "updateContact", "getCard", "getEntityData", "getParamsUI", "asyncGetParamA", "setParam", "launchAction", "disconnect", "chatStateComposing", "getNewAccountDomain", "confirmationAnswer", - "syntaxConvert", "getAccountDialogUI", "getLastResource", "getWaitingConf", + "syntaxConvert", "getAccountDialogUI", "getLastResource", "getWaitingConf", "getEntitiesData", ]) def __call__(self, *args, **kwargs): return LiberviaJsonProxy.__call__(self, *args, **kwargs) diff -r 32dbbc941123 -r 917e271975d9 src/server/constants.py --- a/src/server/constants.py Fri Feb 06 17:53:01 2015 +0100 +++ b/src/server/constants.py Mon Feb 09 21:46:15 2015 +0100 @@ -44,3 +44,6 @@ # Security limit for Libervia server_side SERVER_SECURITY_LIMIT = constants.Const.NO_SECURITY_LIMIT + + # keys for cache values we can get from browser + ALLOWED_ENTITY_DATA = {'avatar', 'nick'} diff -r 32dbbc941123 -r 917e271975d9 src/server/server.py --- a/src/server/server.py Fri Feb 06 17:53:01 2015 +0100 +++ b/src/server/server.py Mon Feb 09 21:46:15 2015 +0100 @@ -34,6 +34,7 @@ log = getLogger(__name__) from sat_frontends.bridge.DBus import DBusBridgeFrontend, BridgeExceptionNoService, const_TIMEOUT as BRIDGE_TIMEOUT from sat.core.i18n import _, D_ +from sat.core import exceptions from sat.tools.xml_tools import paramsXML2XMLUI import re 
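Review bot: In src/server/constants.py the new whitelist `ALLOWED_ENTITY_DATA = {'avatar', 'nick'}` is a mutable set on a shared constants class (the class itself starts outside the hunk), so any code that reaches it can add keys at runtime and widen what the browser may read without touching this file. The server.py hunks of this changeset use it only through `issuperset`, so `ALLOWED_ENTITY_DATA = frozenset(('avatar', 'nick'))` would work unchanged there. The comment could also state the security role, for example `# only these cached entity keys may be requested by the browser (enforced in jsonrpc_getEntityData and jsonrpc_getEntitiesData)`.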
@@ -463,23 +464,40 @@ return self.sat_host.bridge.radiocolLaunch(invited, room_jid, profile) + def jsonrpc_getEntitiesData(self, jids, keys): + """Get cached data for several entities at once + + @param jids: list jids from who we wants data, or empty list for all jids in cache + @param keys: name of data we want (list) + @return: requested data""" + if not C.ALLOWED_ENTITY_DATA.issuperset(keys): + raise exceptions.PermissionError("Trying to access unallowed data (hack attempt ?)") + profile = ISATSession(self.session).profile + try: + return self.sat_host.bridge.getEntitiesData(jids, keys, profile) + except Exception as e: + raise Failure(jsonrpclib.Fault(C.ERRNUM_BRIDGE_ERRBACK, unicode(e))) + def jsonrpc_getEntityData(self, jid, keys): - """Get cached data for an entit + """Get cached data for an entity + @param jid: jid of contact from who we want data @param keys: name of data we want (list) @return: requested data""" + if not C.ALLOWED_ENTITY_DATA.issuperset(keys): + raise exceptions.PermissionError("Trying to access unallowed data (hack attempt ?)") profile = ISATSession(self.session).profile try: return self.sat_host.bridge.getEntityData(jid, keys, profile) except Exception as e: raise Failure(jsonrpclib.Fault(C.ERRNUM_BRIDGE_ERRBACK, unicode(e))) - def jsonrpc_getCard(self, jid): + def jsonrpc_getCard(self, jid_): """Get VCard for entiry - @param jid: jid of contact from who we want data + @param jid_: jid of contact from who we want data @return: id to retrieve the profile""" profile = ISATSession(self.session).profile - return self.sat_host.bridge.getCard(jid, profile) + return self.sat_host.bridge.getCard(jid_, profile) def jsonrpc_getAccountDialogUI(self): """Get the dialog for managing user account
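Review bot: The whitelist test `C.ALLOWED_ENTITY_DATA.issuperset(keys)` in both jsonrpc_getEntitiesData and jsonrpc_getEntityData accepts an empty `keys` list, because every set is a superset of the empty one. How the bridge treats an empty list is not visible in this diff; if it means "everything", as the new docstring says an empty `jids` does, the check restricts nothing, and a non-iterable or unhashable `keys` from the browser raises TypeError rather than the intended PermissionError. The check is also duplicated and the refusal is never logged, so I would move it into one helper on the class (which starts outside this hunk) that rejects empty or malformed `keys`, records the refused value with `log.warning`, then raises. Both methods would then begin with `self._checkEntityDataKeys(keys)`, provided no existing caller relies on sending an empty list.

```python
    def _checkEntityDataKeys(self, keys):
        """Refuse any request for cached data outside C.ALLOWED_ENTITY_DATA

        @param keys: value received from the browser, expected to be a non-empty list of key names
        @raise exceptions.PermissionError: keys is empty, malformed or not whitelisted"""
        try:
            allowed = bool(keys) and isinstance(keys, list) and C.ALLOWED_ENTITY_DATA.issuperset(keys)
        except TypeError:  # unhashable element inside keys
            allowed = False
        if not allowed:
            # %r keeps control characters in the browser-supplied value escaped in the log
            log.warning(u"refused entity data request for keys %r" % (keys,))
            raise exceptions.PermissionError("Trying to access unallowed data (hack attempt ?)")

    def jsonrpc_getEntitiesData(self, jids, keys):
        # … unchanged: docstring …
        self._checkEntityDataKeys(keys)
        # … unchanged: profile lookup and bridge call …
```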