annotate libervia/web/pages/forums/view/page_meta.py @ 1598:86c7a3a625d5

server: always start a new session on connection: the session was kept when a user connected from the service profile (but not from other profiles), which led to a session fixation vulnerability (an attacker on the same machine could obtain the service profile's session cookie and reuse it once a victim logged in). This patch fixes it by always starting a new session on connection. fix 443
author Goffi <goffi@goffi.org>
date Fri, 23 Feb 2024 13:35:24 +0100
parents eb00d593801d
children
1 #!/usr/bin/env python3
4 from libervia.web.server.constants import Const as C
5 from libervia.backend.core.i18n import _, D_
6 from libervia.backend.core.log import getLogger
7 from libervia.backend.tools.common import data_format
log = getLogger(__name__)

# Module-level page attributes, presumably picked up by the page loader (the
# same set appears in the other page_meta.py files -- verify against the
# loader).  ``access`` marks the page as publicly readable; posting, by
# contrast, is gated on an attached profile in ``on_data_post`` below.
name: str = "forum_view"
label = D_("View")
access = C.PAGES_ACCESS_PUBLIC
template: str = "forum/view.html"
def parse_url(self, request):
    """Pull the forum address out of the URL path.

    Two positional path segments are required, ``service`` (declared with the
    ``jid`` type so ``get_path_args`` can parse/validate it) and ``node``.
    Both are handed to ``get_path_args``, which is expected to validate them
    and attach them to the request.
    """
    expected = ["service", "node"]
    self.get_path_args(request, expected, 2, service="jid")
async def prepare_render(self, request):
    """Render the forum thread by delegating to the ``blog_view`` page.

    Before delegating, the request is adjusted so the blog page renders the
    thread forum-style: per-item comments are switched off, ``before`` is
    cleared and ``reverse`` is set (presumably oldest-first ordering; the
    exact meaning is defined by ``blog_view``).  ``request.args`` keys and
    values are bytes, matching what the blog page reads.  Afterwards a
    ``login_url`` pointing back to this page is added to the template data.

    Args:
        request: the incoming HTTP request; ``args`` and ``template_data``
            are mutated in place.
    """
    # Forum threads never expose per-item comments.
    self.get_r_data(request)["show_comments"] = False

    blog_view = self.get_page_by_name("blog_view")

    # Query parameters consumed by blog_view (bytes keys/values).
    forum_args = {b"before": [b""], b"reverse": [b"1"]}
    request.args.update(forum_args)

    await blog_view.prepare_render(self, request)

    # Presumably consumed by the template's login link so an anonymous
    # reader comes back here after authenticating.
    request.template_data["login_url"] = self.get_page_redirect_url(request)
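async def on_data_post(self, request):
    """Handle a form POST on the forum view page.

    Only ``type == "comment"`` is handled: the posted ``service``/``node``
    (the pubsub target chosen by the client) and ``body`` are forwarded to
    the backend's ``mb_send`` bridge method on behalf of the requesting
    profile.  Any other ``type`` is logged and ignored.

    Security notes:
      * ``body`` is forwarded verbatim as rich content; nothing in this
        handler sanitises it.
      * ``service`` and ``node`` are client-controlled; authorisation for
        posting to that target is not checked here (a backend refusal is what
        the "forbidden" branch below reports).
      * No CSRF/origin check is visible in this handler; presumably the page
        framework performs it before calling ``on_data_post`` -- TODO confirm.

    Args:
        request: the incoming HTTP request.

    Raises:
        Whatever ``self.page_error`` raises (HTTP 403 when no profile is
        attached to the request, HTTP 400 for an empty body, HTTP 401 when
        the backend reports a "forbidden" error), and any other exception
        from ``bridge_call``, re-raised unchanged.
    """
    profile = self.get_profile(request)
    if profile is None:
        # Anonymous requests may not post.  ``page_error`` is expected to
        # abort the request; the explicit ``return`` guarantees we never
        # reach the bridge with ``profile=None`` should it return instead.
        self.page_error(request, C.HTTP_FORBIDDEN)
        return

    type_ = self.get_posted_data(request, "type")
    if type_ != "comment":
        # ``type_`` is client-supplied; it is only logged, never acted on.
        log.warning(_("Unhandled data type: {}").format(type_))
        return

    service, node, body = self.get_posted_data(request, ("service", "node", "body"))
    if not body:
        # Same reasoning as above: do not send an empty post if
        # ``page_error`` happens not to raise.
        self.page_error(request, C.HTTP_BAD_REQUEST)
        return

    mb_data = {"content_rich": body}
    try:
        await self.host.bridge_call(
            "mb_send", service, node, data_format.serialise(mb_data), profile
        )
    except Exception as e:
        # The bridge surfaces backend errors as generic exceptions, so the
        # error kind can only be recognised from the message text.
        if "forbidden" in str(e):
            # NOTE(review): the user *is* authenticated at this point, so
            # 403 (C.HTTP_FORBIDDEN, as used above) would describe a backend
            # refusal better than 401; kept as 401 so clients observe no
            # change.
            self.page_error(request, 401)
            return
        # Bare ``raise`` re-raises with the original traceback intact.
        raise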