Mercurial > libervia-web
annotate libervia/web/pages/photos/new/page_meta.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | eb00d593801d |
| children |
| rev | line source |
|---|---|
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
1 #!/usr/bin/env python3 |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
2 |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
3 from libervia.web.server.constants import Const as C |
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
4 from twisted.internet import defer |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
5 from libervia.backend.core.log import getLogger |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
6 from libervia.backend.core.i18n import D_ |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
7 from libervia.backend.core import exceptions |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
8 from libervia.frontends.bridge.bridge_frontend import BridgeException |
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
9 |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
10 """creation of new events""" |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
11 |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
12 name = "photos_new" |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
13 access = C.PAGES_ACCESS_PROFILE |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 template = "photo/create.html" |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
15 log = getLogger(__name__) |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
17 |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 async def on_data_post(self, request): |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
19 request_data = self.get_r_data(request) |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
20 profile = self.get_profile(request) |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
21 name = self.get_posted_data(request, "name").replace('/', '_') |
|
1356
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
22 albums_path = "/albums" |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
23 album_path = f"{albums_path}/{name}" |
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
24 if profile is None: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
25 self.page_error(request, C.HTTP_BAD_REQUEST) |
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
26 fis_ns = self.host.ns_map["fis"] |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
27 http_upload_ns = self.host.ns_map["http_upload"] |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
28 entities_services, __, __ = await self.host.bridge_call( |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
29 "disco_find_by_features", |
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 [fis_ns, http_upload_ns], |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
31 [], |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
32 False, |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
33 True, |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
34 False, |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
35 False, |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
36 False, |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
37 profile |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
38 ) |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
39 try: |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
40 fis_service = next(iter(entities_services)) |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
41 except StopIteration: |
| 1339 | 42 raise exceptions.DataError(D_( |
| 43 "You server has no service to create a photo album, please ask your server " | |
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
44 "administrator to add one")) |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
45 |
|
1356
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
46 try: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
47 await self.host.bridge_call( |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
48 "fis_create_dir", |
|
1356
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
49 fis_service, |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
50 "", |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
51 albums_path, |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
52 {"access_model": "open"}, |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
53 profile |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
54 ) |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
55 except BridgeException as e: |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
56 if e.condition == 'conflict': |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
57 pass |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
58 else: |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
59 log.error(f"Can't create {albums_path} path: {e}") |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
60 raise e |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
61 |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
62 try: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
63 await self.host.bridge_call( |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
64 "fis_create_dir", |
|
1356
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
65 fis_service, |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
66 "", |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
67 album_path, |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
68 {"access_model": "whitelist"}, |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
69 profile |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
70 ) |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
71 except BridgeException as e: |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
72 if e.condition == 'conflict': |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
73 pass |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
74 else: |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
75 log.error(f"Can't create {album_path} path: {e}") |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
76 raise e |
|
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
77 |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
78 await self.host.bridge_call( |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
79 "interests_file_sharing_register", |
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
80 fis_service, |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
81 "photos", |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
82 "", |
|
1356
39719ff4fcad
pages (photos/new): fix permissions:
Goffi <goffi@goffi.org>
parents:
1339
diff
changeset
|
83 album_path, |
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
84 name, |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
85 "", |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
86 profile |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
87 ) |
|
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
88 log.info(f"album {name} created") |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1356
diff
changeset
|
89 request_data["post_redirect_page"] = self.get_page_by_name("photos") |
|
1278
4385a75e3962
pages (photos/new): photo album creation
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
90 defer.returnValue(C.POST_NO_CONFIRM) |