libervia-web: libervia/web/pages/blog/page

annotate libervia/web/pages/blog/page_meta.py @ 1598:86c7a3a625d5

server: always start a new session on connection: The session was kept when a user was connecting from service profile (but not from other profiles), this was leading to session fixation vulnerability (an attacker on the same machine could get service profile session cookie, and use it when a victim would log-in). This patch fixes it by always starting a new session on connection. fix 443

author	Goffi <goffi@goffi.org>
date	Fri, 23 Feb 2024 13:35:24 +0100
parents	eb00d593801d
children

rev	line source
1216 b2d067339de3 python 3 port: Goffi <goffi@goffi.org> parents: 1145 diff changeset	1 #!/usr/bin/env python3
1239 f511f8fbbf8a fixed shebangs Goffi <goffi@goffi.org> parents: 1216 diff changeset	2
1518 eb00d593801d refactoring: rename `libervia` to `libervia.web` + update imports following backend changes Goffi <goffi@goffi.org> parents: 1509 diff changeset	3 from libervia.backend.core.i18n import _
eb00d593801d refactoring: rename `libervia` to `libervia.web` + update imports following backend changes Goffi <goffi@goffi.org> parents: 1509 diff changeset	4 from libervia.web.server.constants import Const as C
1077 880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	5 from twisted.words.protocols.jabber import jid
880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	6 from twisted.internet import defer
1518 eb00d593801d refactoring: rename `libervia` to `libervia.web` + update imports following backend changes Goffi <goffi@goffi.org> parents: 1509 diff changeset	7 from libervia.web.server import session_iface
eb00d593801d refactoring: rename `libervia` to `libervia.web` + update imports following backend changes Goffi <goffi@goffi.org> parents: 1509 diff changeset	8 from libervia.backend.tools.common import data_format
eb00d593801d refactoring: rename `libervia` to `libervia.web` + update imports following backend changes Goffi <goffi@goffi.org> parents: 1509 diff changeset	9 from libervia.backend.core.log import getLogger
1077 880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	10
1145 29eb15062416 pages: set __name__ for imported pages Goffi <goffi@goffi.org> parents: 1139 diff changeset	11 log = getLogger(__name__)
1113 cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	12
1216 b2d067339de3 python 3 port: Goffi <goffi@goffi.org> parents: 1145 diff changeset	13 name = "blog"
1079 3af28f84ce91 pages (blog): blog page is now public (only free jid is available when not connected) Goffi <goffi@goffi.org> parents: 1077 diff changeset	14 access = C.PAGES_ACCESS_PUBLIC
1216 b2d067339de3 python 3 port: Goffi <goffi@goffi.org> parents: 1145 diff changeset	15 template = "blog/discover.html"
1077 880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	16
880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	17
1416 0554103ec700 pages (blog): new `edit` page: Goffi <goffi@goffi.org> parents: 1269 diff changeset	18 async def prepare_render(self, request):
1509 106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	19 profile = self.get_profile(request)
1077 880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	20 template_data = request.template_data
1079 3af28f84ce91 pages (blog): blog page is now public (only free jid is available when not connected) Goffi <goffi@goffi.org> parents: 1077 diff changeset	21 if profile is not None:
1509 106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	22 __, entities_own, entities_roster = await self.host.bridge_call(
106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	23 "disco_find_by_features",
1113 cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	24 [],
1216 b2d067339de3 python 3 port: Goffi <goffi@goffi.org> parents: 1145 diff changeset	25 [("pubsub", "pep")],
1113 cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	26 True,
cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	27 False,
cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	28 True,
cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	29 True,
cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	30 True,
cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	31 profile,
cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	32 )
1216 b2d067339de3 python 3 port: Goffi <goffi@goffi.org> parents: 1145 diff changeset	33 entities = template_data["disco_entities"] = (
b2d067339de3 python 3 port: Goffi <goffi@goffi.org> parents: 1145 diff changeset	34 list(entities_own.keys()) + list(entities_roster.keys())
1113 cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	35 )
1216 b2d067339de3 python 3 port: Goffi <goffi@goffi.org> parents: 1145 diff changeset	36 entities_url = template_data["entities_url"] = {}
1509 106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	37 identities = self.host.get_session_data(
1506 ce879da7fcf7 server: fix `on_signal` callback Goffi <goffi@goffi.org> parents: 1416 diff changeset	38 request, session_iface.IWebSession
1113 cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	39 ).identities
1269 470c6cfdf4ce pages (blog): fixed identities handling Goffi <goffi@goffi.org> parents: 1266 diff changeset	40 d_list = {}
1079 3af28f84ce91 pages (blog): blog page is now public (only free jid is available when not connected) Goffi <goffi@goffi.org> parents: 1077 diff changeset	41 for entity_jid_s in entities:
1509 106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	42 entities_url[entity_jid_s] = self.get_page_by_name("blog_view").get_url(
1113 cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	43 entity_jid_s
cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	44 )
1079 3af28f84ce91 pages (blog): blog page is now public (only free jid is available when not connected) Goffi <goffi@goffi.org> parents: 1077 diff changeset	45 if entity_jid_s not in identities:
1509 106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	46 d_list[entity_jid_s] = self.host.bridge_call(
106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	47 "identity_get",
1269 470c6cfdf4ce pages (blog): fixed identities handling Goffi <goffi@goffi.org> parents: 1266 diff changeset	48 entity_jid_s,
470c6cfdf4ce pages (blog): fixed identities handling Goffi <goffi@goffi.org> parents: 1266 diff changeset	49 [],
470c6cfdf4ce pages (blog): fixed identities handling Goffi <goffi@goffi.org> parents: 1266 diff changeset	50 True,
470c6cfdf4ce pages (blog): fixed identities handling Goffi <goffi@goffi.org> parents: 1266 diff changeset	51 profile)
1416 0554103ec700 pages (blog): new `edit` page: Goffi <goffi@goffi.org> parents: 1269 diff changeset	52 identities_data = await defer.DeferredList(d_list.values())
1269 470c6cfdf4ce pages (blog): fixed identities handling Goffi <goffi@goffi.org> parents: 1266 diff changeset	53 entities_idx = list(d_list.keys())
1243 8aff742d0dd0 pages: updated `identityGet` call, following backend changes Goffi <goffi@goffi.org> parents: 1239 diff changeset	54 for idx, (success, identity_raw) in enumerate(identities_data):
1269 470c6cfdf4ce pages (blog): fixed identities handling Goffi <goffi@goffi.org> parents: 1266 diff changeset	55 entity_jid_s = entities_idx[idx]
1139 e45480b6ba24 pages (blog): use DeferredList while discovering identities instead or waiting for each request individually. Goffi <goffi@goffi.org> parents: 1124 diff changeset	56 if not success:
1216 b2d067339de3 python 3 port: Goffi <goffi@goffi.org> parents: 1145 diff changeset	57 log.warning(_("Can't retrieve identity of {entity}")
1139 e45480b6ba24 pages (blog): use DeferredList while discovering identities instead or waiting for each request individually. Goffi <goffi@goffi.org> parents: 1124 diff changeset	58 .format(entity=entity_jid_s))
e45480b6ba24 pages (blog): use DeferredList while discovering identities instead or waiting for each request individually. Goffi <goffi@goffi.org> parents: 1124 diff changeset	59 else:
1243 8aff742d0dd0 pages: updated `identityGet` call, following backend changes Goffi <goffi@goffi.org> parents: 1239 diff changeset	60 identities[entity_jid_s] = data_format.deserialise(identity_raw)
1113 cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	61
1509 106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	62 template_data["url_blog_edit"] = self.get_sub_page_url(request, "blog_edit")
1416 0554103ec700 pages (blog): new `edit` page: Goffi <goffi@goffi.org> parents: 1269 diff changeset	63
1077 880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	64
880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	65 def on_data_post(self, request):
1509 106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	66 jid_str = self.get_posted_data(request, "jid")
1077 880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	67 try:
1113 cdd389ef97bc server: code style reformatting using black Goffi <goffi@goffi.org> parents: 1087 diff changeset	68 jid_ = jid.JID(jid_str)
1077 880ea673aaff blog: moved blog page from /common to /blog: Goffi <goffi@goffi.org> parents: diff changeset	69 except RuntimeError:
1509 106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	70 self.page_error(request, C.HTTP_BAD_REQUEST)
106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	71 url = self.get_page_by_name("blog_view").get_url(jid_.full())
106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details Goffi <goffi@goffi.org> parents: 1506 diff changeset	72 self.http_redirect(request, url)

Mercurial > libervia-web

annotate libervia/web/pages/blog/page_meta.py @ 1598:86c7a3a625d5