annotate libervia/web/pages/merge-requests/edit/page_meta.py @ 1598:86c7a3a625d5

server: always start a new session on connection: the session was kept when a user logged in from the service profile (but not from other profiles), which led to a session fixation vulnerability (an attacker on the same machine could obtain the service profile's session cookie and reuse it once a victim logged in with it). This patch fixes it by always starting a new session on connection. fix 443
author Goffi <goffi@goffi.org>
date Fri, 23 Feb 2024 13:35:24 +0100
parents eb00d593801d
children
1 #!/usr/bin/env python3
from libervia.backend.core.i18n import _
from libervia.backend.core.log import getLogger
from libervia.backend.tools.common import data_format
from libervia.backend.tools.common import template_xmlui
from libervia.web.server.constants import Const as C
10 """merge-requests edition"""
# Page metadata read by the Libervia page loader.
log = getLogger(__name__)

# page identifier, used by get_page_by_name() from other pages
name: str = "merge-requests_edit"
# presumably restricts the page to a logged-in profile (the access level
# semantics live in the server constants) — confirm against the loader
access = C.PAGES_ACCESS_PROFILE
# template rendered with the XMLUI form built in prepare_render()
template: str = "merge-request/edit.html"
def parse_url(self, request):
    """Extract the id of the list item to edit from the URL path.

    The next path segment is stored in the request data as ``list_item_id``,
    where ``prepare_render`` and ``on_data_post`` read it back.

    @param request: current HTTP request
    """
    try:
        list_item_id = self.next_path(request)
    except IndexError:
        # no segment left in the path, the request can't be served.
        # NOTE(review): this relies on page_error() terminating the request
        # (raising); if it returned normally the assignment below would hit an
        # unbound name — confirm against the Page implementation.
        log.warning(_("no list item id specified"))
        self.page_error(request, C.HTTP_BAD_REQUEST)

    request_data = self.get_r_data(request)
    request_data["list_item_id"] = list_item_id
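async def prepare_render(self, request):
    """Load the merge request to edit and build its edit form.

    ``list_item_id`` is set by ``parse_url``; ``service`` and ``node`` are
    presumably put in the request data by the parent merge-requests page
    (both default to "" here). The XMLUI form is stored in
    ``request.template_data["new_list_item_xmlui"]``.

    @param request: current HTTP request
    @raise: the request is terminated with 404 (through ``page_error``) when
        the backend returns no item for ``list_item_id``
    """
    data = self.get_r_data(request)
    template_data = request.template_data
    service = data.get("service", "")
    node = data.get("node", "")
    list_item_id = data["list_item_id"]
    profile = self.get_profile(request)

    # metadata fields which must not appear as editable widgets
    ignore = (
        "publisher",
        "author",
        "author_jid",
        "author_email",
        "created",
        "updated",
        "comments_uri",
        "request_data",
        "type",
    )
    merge_requests = data_format.deserialise(
        await self.host.bridge_call(
            "merge_requests_get",
            service.full() if service else "",
            node,
            C.NO_LIMIT,
            [list_item_id],
            "",
            data_format.serialise({}),
            profile,
        )
    )
    items = merge_requests.get("items") or []
    if not items:
        # unknown (or unreadable) id coming from the URL: answer 404 instead of
        # letting an IndexError surface as a 500
        log.warning(
            _("no merge request found with id {item_id}").format(item_id=list_item_id)
        )
        self.page_error(request, C.HTTP_NOT_FOUND)
    list_item = template_xmlui.create(self.host, items[0], ignore=ignore)

    try:
        labels_wid = list_item.widgets["labels"]
    except KeyError:
        # no labels field on this item, nothing to adapt
        pass
    else:
        # small trick to get a one line text input instead of the big textarea:
        # labels are stored one per line, the form edits a comma-separated list
        labels_wid.type = "string"
        labels_wid.value = labels_wid.value.replace("\n", ", ")

    # same as list_edit: the stored body is XHTML but the form edits markdown
    body_wid = list_item.widgets["body"]
    if body_wid.type == "xhtmlbox":
        body_wid.type = "textbox"
        # NOTE(review): the fifth positional argument is passed as False; if it
        # is the backend's "safe" flag this conversion is unsanitised — confirm
        # against the syntax_convert bridge signature.
        body_wid.value = await self.host.bridge_call(
            "syntax_convert", body_wid.value, C.SYNTAX_XHTML, "markdown",
            False, profile)

    template_data["new_list_item_xmlui"] = list_item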
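async def on_data_post(self, request):
    """Apply the submitted edit form to the merge request.

    ``service`` and ``node`` (presumably set by the parent merge-requests page)
    and ``list_item_id`` (set by ``parse_url``) identify the item; the form
    fields come from the POST body. On success the user is sent to the merge
    requests overview instead of back to this edit page.

    NOTE(review): this hook only validates field presence. CSRF checking and
    the right of ``profile`` to modify this item are assumed to be enforced
    respectively by the Page framework before this hook runs and by the
    pubsub service — confirm both.

    @param request: current HTTP request
    @raise: the request is terminated with 400 (through ``page_error``) when
        ``title`` or ``body`` is missing or blank
    """
    data = self.get_r_data(request)
    service = data["service"]
    node = data["node"]
    list_item_id = data["list_item_id"]
    posted_data = self.get_all_posted_data(request)

    # posted values are lists (one entry per occurrence of the field); a
    # missing or blank required field is a 400, not a KeyError turned into 500
    title_values = posted_data.get("title") or []
    body_values = posted_data.get("body") or []
    if not (
        title_values and title_values[0].strip()
        and body_values and body_values[0].strip()
    ):
        self.page_error(request, C.HTTP_BAD_REQUEST)

    try:
        raw_labels = posted_data["labels"][0]
    except (KeyError, IndexError):
        # no labels field submitted: leave posted_data as is
        pass
    else:
        # prepare_render shows labels as a comma-separated one-line input
        posted_data["labels"] = [label.strip() for label in raw_labels.split(",")]
    profile = self.get_profile(request)

    # the form edits markdown, the stored body is XHTML: convert back.
    # NOTE(review): the fifth positional argument is passed as False; if it is
    # the backend's "safe" flag, raw HTML written in the markdown body reaches
    # the pubsub item unsanitised — confirm that the backend or the rendering
    # templates clean it before it is displayed to other users.
    body = await self.host.bridge_call(
        "syntax_convert", body_values[0], "markdown", C.SYNTAX_XHTML,
        False, profile)
    posted_data["body"] = [f'<div xmlns="{C.NS_XHTML}">{body}</div>']

    # "update" presumably tells the backend to modify the existing item rather
    # than publish a new one — confirm against merge_request_set
    extra = {"update": True}
    # unlike prepare_render, service must be a jid here: the parent page is
    # expected to always provide one
    await self.host.bridge_call(
        "merge_request_set",
        service.full(),
        node,
        "",
        "auto",
        posted_data,
        "",
        list_item_id,
        data_format.serialise(extra),
        profile,
    )
    # we don't want to redirect to edit page on success, but to list overview
    data["post_redirect_page"] = (
        self.get_page_by_name("merge-requests"),
        service.full(),
        node or "@",
    )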