Mercurial > libervia-web
annotate src/pages/blog_new/page_meta.py @ 956:dabecab10faa
server (pages): impleted CSRF protection:
A basic CSRF protection has been implemented using CSRF token. The token is created on session creation, and checked on data post.
The process should be fully automatic, and a hidden field is added in forms in sat_templates when csrf_token is present in template data (require to import input/form.html with context).
If token is wrong on absent, an unauthorized error page is returned (and client ip is logged).
Also don't use anymore inlineCallbacks in _on_data_post, as StopIteration exception are catched by inlineCallbacks, resulting in bad behaviour. As a further security, getPostedDate raise a KeyError instead of StopIteration is a specific key is looked for and missing.
Added HTTP_SEE_OTHER status code in constants.
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Mon, 10 Jul 2017 19:10:31 +0200 |
| parents | 96a56856d357 |
| children | d042f194624a |
| rev | line source |
|---|---|
|
918
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
1 #!/usr/bin/env python2.7 |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
2 # -*- coding: utf-8 -*- |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
3 |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
4 from libervia.server.constants import Const as C |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
5 from twisted.internet import defer |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
6 from twisted.words.protocols.jabber import jid |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
7 from sat.tools.common import data_objects |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
8 |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
9 access = C.PAGES_ACCESS_PUBLIC # can be a callable |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
10 template = u"blog/articles.html" |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
11 |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
12 @defer.inlineCallbacks |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
13 def parse_url(self, request): |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 try: |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
15 prof_requested = self.nextPath(request) |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 except IndexError: |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
17 self.pageError(request) |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
19 template_data = request.template_data |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
20 |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
21 target_profile = yield self.host.bridge.profileNameGet(prof_requested) |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
22 template_data[u'target_profile'] = target_profile |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
23 target_jid = yield self.host.bridge.asyncGetParamA('JabberID', 'Connection', 'value', profile_key=target_profile) |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
24 target_jid = jid.JID(target_jid).userhost() |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
25 template_data[u'target_jid'] = target_jid |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
26 |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
27 |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
28 @defer.inlineCallbacks |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
29 def prepare_render(self, request): |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 target_jid = request.template_data[u'target_jid'] |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
31 blog_data = yield self.host.bridge.mbGet( |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
32 target_jid, |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
33 "", |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
34 10, |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
35 [], |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
36 {}, |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
37 C.SERVICE_PROFILE) |
|
96a56856d357
pages (blog_new/articles): first concert Libervia page, blog articles:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
38 request.template_data[u'items'] = data_objects.BlogItems(blog_data) |