annotate src/pages/u/page_meta.py @ 956:dabecab10faa
server (pages): implemented CSRF protection:
A basic CSRF protection has been implemented using a CSRF token. The token is created on session creation, and checked on data post.
The process should be fully automatic, and a hidden field is added in forms in sat_templates when csrf_token is present in template data (this requires importing input/form.html with context).
If the token is wrong or absent, an unauthorized error page is returned (and the client IP is logged).
Also, inlineCallbacks is no longer used in _on_data_post, as StopIteration exceptions are caught by inlineCallbacks, resulting in bad behaviour. As a further safeguard, getPostedData raises a KeyError instead of StopIteration if a specific key is looked for and missing.
Added HTTP_SEE_OTHER status code in constants.
author | Goffi <goffi@goffi.org> |
---|---|
date | Mon, 10 Jul 2017 19:10:31 +0200 |
parents | 2345577da5ca |
children | 1c9b6d2c30b5 |
#!/usr/bin/env python2.7
# -*- coding: utf-8 -*-

from libervia.server.constants import Const as C
from twisted.internet import defer
from twisted.words.protocols.jabber import jid

# NOTE(review): placed after the imports, this string is a bare expression
# statement, not the module docstring (``__doc__`` stays None); move it above
# the imports if it is meant to be one.
"""page used to target a user profile, e.g. for public blog"""

# Page attributes; presumably read by the Libervia page loader, which is
# outside this file.
name = u"user"
# PAGES_ACCESS_PUBLIC: presumably no session is required to reach this page,
# so the profile/JID lookups done in parse_url below run for any requester.
access = C.PAGES_ACCESS_PUBLIC # can be a callable
template = u"blog/articles.html"


@defer.inlineCallbacks
def parse_url(self, request):
    """Resolve the next URL path segment of *request* into a profile and its JID.

    The segment returned by ``self.nextPath`` is used as a profile key for
    ``bridge.profileNameGet``; the resolved profile name is stored in
    ``request.template_data[u'target_profile']``, and the profile's JabberID
    parameter, wrapped in ``jid.JID``, is stored under ``u'service'`` in the
    dict returned by ``self.getRData(request)``.

    Because this page is declared public, the path segment is untrusted
    input; nothing in this function validates it beyond what the bridge calls
    themselves do.

    NOTE(review): when no segment is left, ``self.pageError(request)`` is
    called and control falls through. The rest of the body only works if
    ``pageError`` raises (it is defined outside this file — confirm); if it
    returned, ``profile_key`` would be unbound and a NameError would follow.
    """
    try:
        profile_key = self.nextPath(request)
    except IndexError:
        # expected to abort the request with an error page; see docstring
        self.pageError(request)

    page_data = self.getRData(request)

    # resolve the requested key to the canonical profile name
    target_profile = yield self.host.bridge.profileNameGet(profile_key)
    request.template_data[u'target_profile'] = target_profile

    # fetch that profile's JabberID parameter and parse it into a JID
    jid_str = yield self.host.bridge.asyncGetParamA(
        'JabberID', 'Connection', 'value', profile_key=target_profile)
    page_data[u'service'] = jid.JID(jid_str)


@defer.inlineCallbacks
def prepare_render(self, request):
    """Hand *request* over to the ``blog`` page via ``self.pageRedirect``.

    NOTE(review): the body has no ``yield``, so this is a plain function, not
    a generator, while ``defer.inlineCallbacks`` expects the wrapped callable
    to return a generator (Twisted raises TypeError when it does not). The
    decorator therefore only makes sense if ``pageRedirect`` (defined outside
    this file) always raises before returning — confirm, or drop the decorator.
    """
    self.pageRedirect(u'blog', request)