Mercurial > libervia-web
annotate libervia/web/pages/photos/_browser/__init__.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | eb00d593801d |
| children |
| rev | line source |
|---|---|
|
1301
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
1 from browser import window, bind, DOMNode |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
2 from javascript import JSON |
|
1510
5ea06e8b06ed
browser: make bridge API closer to the one use with other frontends:
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
3 from bridge import Bridge |
|
1301
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
4 import dialog |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
5 |
|
1510
5ea06e8b06ed
browser: make bridge API closer to the one use with other frontends:
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
6 bridge = Bridge() |
|
1301
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
7 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
8 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
9 def album_delete_cb(item_elt, item): |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
10 print(f"deleted {item['name']}") |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
11 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
12 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
13 def album_delete_eb(failure, item_elt, item): |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 # TODO: cleaner error notification |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
15 window.alert(f"error while deleting {item['name']}: failure") |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
17 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 def interest_retract_cb(item_elt, item): |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
19 print(f"{item['name']} removed successfuly from list of interests") |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
20 item_elt.classList.add("state_deleted") |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
21 item_elt.bind("transitionend", lambda evt: item_elt.remove()) |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1357
diff
changeset
|
22 bridge.file_sharing_delete( |
|
1301
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
23 item['service'], |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
24 item.get('path', ''), |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
25 item.get('files_namespace', ''), |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
26 callback=lambda __: album_delete_cb(item_elt, item), |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
27 errback=lambda failure: album_delete_eb(failure, item_elt, item), |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
28 ) |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
29 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
31 def interest_retract_eb(failure_, item_elt, item): |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
32 # TODO: cleaner error notification |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
33 window.alert(f"Can't delete album {item['name']}: {failure_['message']}") |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
34 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
35 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
36 def delete_ok(evt, notif_elt, item_elt, item): |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1357
diff
changeset
|
37 bridge.interest_retract( |
|
1301
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
38 "", item['id'], |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
39 callback=lambda: interest_retract_cb(item_elt, item), |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
40 errback=lambda failure:interest_retract_eb(failure, item_elt, item)) |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
41 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
42 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
43 def delete_cancel(evt, notif_elt, item_elt, item): |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
44 notif_elt.remove() |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
45 item_elt.classList.remove("selected_for_deletion") |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
46 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
47 |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
48 @bind(".action_delete", "click") |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
49 def on_delete(evt): |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
50 evt.stopPropagation() |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
51 target = evt.currentTarget |
|
1357
dbd573b0bc9c
browser: updated code to work with new Brython 3.8.10:
Goffi <goffi@goffi.org>
parents:
1301
diff
changeset
|
52 item_elt = DOMNode(target.closest('.item')) |
|
1301
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
53 item_elt.classList.add("selected_for_deletion") |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
54 item = JSON.parse(item_elt.dataset.item) |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
55 dialog.Confirm( |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
56 f"album {item['name']!r} will be deleted (inluding all its photos), " |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
57 f"are you sure?", |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
58 ok_label="delete", |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
59 ).show( |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
60 ok_cb=lambda evt, notif_elt: delete_ok(evt, notif_elt, item_elt, item), |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
61 cancel_cb=lambda evt, notif_elt: delete_cancel(evt, notif_elt, item_elt, item), |
|
ff44f822bfdd
browser (photos): albums can now be deleted:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
62 ) |