Mercurial > libervia-web
annotate libervia/web/pages/events/_browser/__init__.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | eb00d593801d |
| children |
| rev | line source |
|---|---|
|
1482
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
1 from browser import DOMNode, document, aio |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
2 from javascript import JSON |
|
1510
5ea06e8b06ed
browser: make bridge API closer to the one use with other frontends:
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
3 from bridge import AsyncBridge as Bridge, BridgeException |
|
1482
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
4 import dialog |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
5 |
|
1510
5ea06e8b06ed
browser: make bridge API closer to the one use with other frontends:
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
6 bridge = Bridge() |
|
1482
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
7 |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
8 |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
9 async def on_delete(evt): |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
10 evt.stopPropagation() |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
11 evt.preventDefault() |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
12 target = evt.currentTarget |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
13 item_elt = DOMNode(target.closest('.item')) |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 item_elt.classList.add("selected_for_deletion") |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
15 item = JSON.parse(item_elt.dataset.item) |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 confirmed = await dialog.Confirm( |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
17 f"Event {item['name']!r} will be deleted, are you sure?", |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 ok_label="delete", |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
19 ).ashow() |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
20 |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
21 if not confirmed: |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
22 item_elt.classList.remove("selected_for_deletion") |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
23 return |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
24 |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
25 try: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1482
diff
changeset
|
26 await bridge.interest_retract("", item['interest_id']) |
|
1482
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
27 except BridgeException as e: |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
28 dialog.notification.show( |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
29 f"Can't remove list {item['name']!r} from personal interests: {e}", |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 "error" |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
31 ) |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
32 else: |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
33 print(f"{item['name']!r} removed successfuly from list of interests") |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
34 item_elt.classList.add("state_deleted") |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
35 item_elt.bind("transitionend", lambda evt: item_elt.remove()) |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
36 if item.get("creator", False): |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
37 try: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1482
diff
changeset
|
38 await bridge.ps_node_delete( |
|
1482
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
39 item['service'], |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
40 item['node'], |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
41 ) |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
42 except BridgeException as e: |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
43 dialog.notification.show( |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
44 f"Error while deleting {item['name']!r}: {e}", |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
45 "error" |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
46 ) |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
47 else: |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
48 dialog.notification.show(f"{item['name']!r} has been deleted") |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
49 |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
50 |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
51 for elt in document.select('.action_delete'): |
|
e35151a2cec1
browser (events): delete implementation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
52 elt.bind("click", lambda evt: aio.run(on_delete(evt))) |