comparison src/server/server.py @ 819:9b9c0fe0a75f
server: fixed bad login check introduced in rev 6a2fd7807770
author | Goffi <goffi@goffi.org> |
---|---|
date | Sun, 03 Jan 2016 16:24:37 +0100 |
parents | f8a7a046ff9c |
children | 027139763511 |
818:f8a7a046ff9c | 819:9b9c0fe0a75f |
---|---|
806 except KeyError: | 806 except KeyError: |
807 request.write(C.BAD_REQUEST) | 807 request.write(C.BAD_REQUEST) |
808 request.finish() | 808 request.finish() |
809 return | 809 return |
810 | 810 |
811 assert login | |
812 | |
811 if login.startswith('@'): # this is checked by javascript but also here for security reason | 813 if login.startswith('@'): # this is checked by javascript but also here for security reason |
814 # FIXME: return an error instead of an Exception? | |
812 raise Exception('No profile_key allowed') | 815 raise Exception('No profile_key allowed') |
813 | 816 |
817 if '@' in login: | |
818 try: | |
819 login_jid = jid.JID(login) | |
820 except (RuntimeError, jid.InvalidFormat, AttributeError): | |
821 request.write(C.PROFILE_AUTH_ERROR) | |
822 request.finish() | |
823 return | |
824 | |
825 if login_jid.host == new_account_domain: | |
826 # redirect "user@libervia.org" to the "user" profile | |
827 login = login_jid.user | |
828 login_jid = None | |
829 else: | |
830 login_jid = None | |
831 | |
814 try: | 832 try: |
815 login_jid = jid.JID(login) | 833 profile = self.sat_host.bridge.getProfileName(login) |
816 except (RuntimeError, jid.InvalidFormat, AttributeError): | |
817 request.write(C.PROFILE_AUTH_ERROR) | |
818 request.finish() | |
819 return | |
820 | |
821 # XXX: if there's no arobase in the JID, its host part is filled and the SàT profile name | |
822 # is there ; we need to look in the JID's user part to know if there's an arobase or not. | |
823 | |
824 if login_jid.user and login_jid.host == new_account_domain: | |
825 # redirect "user@libervia.org" to the "user" profile | |
826 login_jid = jid.JID(login_jid.user) | |
827 | |
828 try: | |
829 profile = self.sat_host.bridge.getProfileName(login_jid.full()) | |
830 except Exception: # XXX: ProfileUnknownError wouldn't work, it's encapsulated | 834 except Exception: # XXX: ProfileUnknownError wouldn't work, it's encapsulated |
831 if login_jid.user: # try to create a new sat profile using the XMPP credentials | 835 if login_jid is not None and login_jid.user: # try to create a new sat profile using the XMPP credentials |
832 profile = login_jid.full() | 836 profile = login # FIXME: what if there is a resource? |
833 connect_method = "asyncConnectWithXMPPCredentials" | 837 connect_method = "asyncConnectWithXMPPCredentials" |
834 register_with_ext_jid = True | 838 register_with_ext_jid = True |
835 else: # non existing username | 839 else: # non existing username |
836 request.write(C.PROFILE_AUTH_ERROR) | 840 request.write(C.PROFILE_AUTH_ERROR) |
837 request.finish() | 841 request.finish() |
838 return | 842 return |
839 else: | 843 else: |
840 if profile != login_jid.full() or (not password and profile not in self.sat_host.options['empty_password_allowed_warning_dangerous_list']): | 844 if profile != login or (not password and profile not in self.sat_host.options['empty_password_allowed_warning_dangerous_list']): |
841 # profiles with empty passwords are restricted to local frontends | 845 # profiles with empty passwords are restricted to local frontends |
842 request.write(C.PROFILE_AUTH_ERROR) | 846 request.write(C.PROFILE_AUTH_ERROR) |
843 request.finish() | 847 request.finish() |
844 return | 848 return |
845 register_with_ext_jid = False | 849 register_with_ext_jid = False |
974 """ | 978 """ |
975 _session = self.request.getSession() | 979 _session = self.request.getSession() |
976 profile = ISATSession(_session).profile | 980 profile = ISATSession(_session).profile |
977 if bool(profile): | 981 if bool(profile): |
978 return (True, None) | 982 return (True, None) |
979 return (False, self.__getSecurityWarning()) | 983 return (False, self._getSecurityWarning()) |
980 | 984 |
981 def jsonrpc_registerParams(self): | 985 def jsonrpc_registerParams(self): |
982 """Register the frontend specific parameters""" | 986 """Register the frontend specific parameters""" |
983 # params = """<params><individual>...</category></individual>""" | 987 # params = """<params><individual>...</category></individual>""" |
984 # self.sat_host.bridge.paramsRegisterApp(params, C.SECURITY_LIMIT, C.APP_NAME) | 988 # self.sat_host.bridge.paramsRegisterApp(params, C.SECURITY_LIMIT, C.APP_NAME) |
986 def jsonrpc_getMenus(self): | 990 def jsonrpc_getMenus(self): |
987 """Return the parameters XML for profile""" | 991 """Return the parameters XML for profile""" |
988 # XXX: we put this method in Register because we get menus before being logged | 992 # XXX: we put this method in Register because we get menus before being logged |
989 return self.sat_host.bridge.getMenus('', C.SECURITY_LIMIT) | 993 return self.sat_host.bridge.getMenus('', C.SECURITY_LIMIT) |
990 | 994 |
991 def __getSecurityWarning(self): | 995 def _getSecurityWarning(self): |
992 """@return: a security warning message, or None if the connection is secure""" | 996 """@return: a security warning message, or None if the connection is secure""" |
993 if self.request.URLPath().scheme == 'https' or not self.sat_host.options['security_warning']: | 997 if self.request.URLPath().scheme == 'https' or not self.sat_host.options['security_warning']: |
994 return None | 998 return None |
995 text = "<p>" + D_("You are about to connect to an unsecure service.") + "</p><p> </p><p>" | 999 text = "<p>" + D_("You are about to connect to an unsecure service.") + "</p><p> </p><p>" |
996 | 1000 |
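Review bot: In the first hunk, the `login_jid is not None and login_jid.user` test at new line 835 can never be true, because within the hunk `login_jid` is only bound inside `if '@' in login:` (new 817) and both branches there end with `login_jid = None` (new 828 and 830), so the `asyncConnectWithXMPPCredentials` / `register_with_ext_jid = True` path at 835–838 looks unreachable; a foreign-domain JID with no existing profile now fails closed with `C.PROFILE_AUTH_ERROR`, which is the safe direction but probably not what a fix for the login check intends. When `login` contains no '@', `login_jid` is not assigned anywhere in this hunk, so the `except Exception:` handler at 834 would raise `UnboundLocalError` for an unknown plain username instead of writing `C.PROFILE_AUTH_ERROR` — unless it is bound earlier in the function, whose start is outside the hunk. A small rearrangement covers both cases: put `login_jid = None` before `if '@' in login:` and drop the `else:` branch with its `login_jid = None` (new 829–830), so only a local-domain JID is reduced to its user part and a foreign JID keeps its parsed value for the registration branch. The `# FIXME: what if there is a resource?` at 836 stays open either way, since `profile = login` would carry any resource part into the profile name used for the later comparison at 844.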