annotate libervia/web/pages/events/view/page_meta.py @ 1598:86c7a3a625d5

server: always start a new session on connection: The session was kept when a user was connecting from service profile (but not from other profiles), this was leading to a session fixation vulnerability (an attacker on the same machine could get service profile session cookie, and use it when a victim would log in). This patch fixes it by always starting a new session on connection. fix 443
author Goffi <goffi@goffi.org>
date Fri, 23 Feb 2024 13:35:24 +0100
parents eb00d593801d
children
Changesets contributing lines to this revision (all by Goffi <goffi@goffi.org>):

- 1111:4d1c4bd4931a pages (events): added root, admin, new, rsvp and view pages
- 1113:cdd389ef97bc server: code style reformatting using black (parent: 1111)
- 1145:29eb15062416 pages: set __name__ for imported pages (parent: 1124)
- 1216:b2d067339de3 python 3 port (parent: 1145)
- 1229:acec8e9185db pages: replaced deprecated `cgi.escape` by `html.escape` (parent: 1216)
- 1230:b32b74dfe866 pages (events): added empty string for new "eventInviteeGet" parameter (parent: 1229)
- 1239:f511f8fbbf8a fixed shebangs (parent: 1230)
- 1509:106bae41f5c8 massive refactoring from camelCase -> snake_case. See backend commit log for more details (parent: 1239)
- 1518:eb00d593801d refactoring: rename `libervia` to `libervia.web` + update imports following backend changes (parent: 1509)

File source at this revision:

```python
#!/usr/bin/env python3


from libervia.web.server.constants import Const as C
from libervia.backend.core.i18n import _
from twisted.internet import defer
from twisted.words.protocols.jabber import jid
from libervia.web.server import session_iface
from libervia.backend.tools.common import uri
from libervia.backend.tools.common.template import safe
import time
import html
from libervia.backend.core.log import getLogger

name = "event_view"
access = C.PAGES_ACCESS_PROFILE
template = "event/invitation.html"
log = getLogger(__name__)


@defer.inlineCallbacks
def prepare_render(self, request):
    template_data = request.template_data
    guest_session = self.host.get_session_data(request, session_iface.IWebGuestSession)
    try:
        event_uri = guest_session.data["event_uri"]
    except KeyError:
        log.warning(_("event URI not found, can't render event page"))
        self.page_error(request, C.HTTP_SERVICE_UNAVAILABLE)

    data = self.get_r_data(request)

    ## Event ##

    event_uri_data = uri.parse_xmpp_uri(event_uri)
    if event_uri_data["type"] != "pubsub":
        self.page_error(request, C.HTTP_SERVICE_UNAVAILABLE)

    event_service = template_data["event_service"] = jid.JID(event_uri_data["path"])
    event_node = template_data["event_node"] = event_uri_data["node"]
    event_id = template_data["event_id"] = event_uri_data.get("item", "")
    profile = self.get_profile(request)
    event_timestamp, event_data = yield self.host.bridge_call(
        "eventGet", event_service.userhost(), event_node, event_id, profile
    )
    try:
        background_image = event_data.pop("background-image")
    except KeyError:
        pass
    else:
        template_data["dynamic_style"] = safe(
            """
            html {
                background-image: url("%s");
                background-size: 15em;
            }
            """
            % html.escape(background_image, True)
        )
    template_data["event"] = event_data
    event_invitee_data = yield self.host.bridge_call(
        "event_invitee_get",
        event_data["invitees_service"],
        event_data["invitees_node"],
        '',
        profile,
    )
    template_data["invitee"] = event_invitee_data
    template_data["days_left"] = int((event_timestamp - time.time()) / (60 * 60 * 24))

    ## Blog ##

    data["service"] = jid.JID(event_data["blog_service"])
    data["node"] = event_data["blog_node"]
    data["allow_commenting"] = "simple"

    # we now need blog items, using blog common page
    # this will fill the "items" template data
    blog_page = self.get_page_by_name("blog_view")
    yield blog_page.prepare_render(self, request)


@defer.inlineCallbacks
def on_data_post(self, request):
    type_ = self.get_posted_data(request, "type")
    if type_ == "comment":
        blog_page = self.get_page_by_name("blog_view")
        yield blog_page.on_data_post(self, request)
    elif type_ == "attendance":
        profile = self.get_profile(request)
        service, node, attend, guests = self.get_posted_data(
            request, ("service", "node", "attend", "guests")
        )
        data = {"attend": attend, "guests": guests}
        yield self.host.bridge_call("event_invitee_set", service, node, data, profile)
    else:
        log.warning(_("Unhandled data type: {}").format(type_))
```
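The session fixation named in the commit message above, as an added example that is not Libervia's code: a minimal in-memory session store with the vulnerable "keep the presented session" login beside the fixed "always start a new session" login, and a regression check that a pre-authentication session id must stop working once a profile logs in. `SessionStore`, `login_keep_session`, `login_new_session` and `login_rotates_session` are hypothetical names constructed for this example.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self):
        self.sessions = {}  # session id -> session data

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"profile": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def login_keep_session(store, sid, profile):
    """Vulnerable variant: the session presented before login is reused and
    simply marked as authenticated, so any id known beforehand (the service
    profile cookie in the commit message) becomes a logged-in session."""
    session = store.get(sid)
    if session is None:
        sid = store.new_session()
        session = store.get(sid)
    session["profile"] = profile
    return sid


def login_new_session(store, sid, profile):
    """Fixed variant: discard whatever session was presented and start a new
    one on connection, so the pre-login id never carries an authenticated profile."""
    store.sessions.pop(sid, None)  # invalidate the presented id
    new_sid = store.new_session()
    store.sessions[new_sid]["profile"] = profile
    return new_sid


def login_rotates_session(login):
    """Regression check: True when the id observable before login is no longer
    valid after login and the authenticated session has a different id."""
    store = SessionStore()
    pre_login_sid = store.new_session()  # id that exists before authentication
    post_login_sid = login(store, pre_login_sid, "victim")
    return post_login_sid != pre_login_sid and store.get(pre_login_sid) is None
```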