comparison src/server/server.py @ 819:9b9c0fe0a75f

server: fixed bad login check introduced in rev 6a2fd7807770
author Goffi <goffi@goffi.org>
date Sun, 03 Jan 2016 16:24:37 +0100
parents f8a7a046ff9c
children 027139763511
806 except KeyError: 806 except KeyError:
807 request.write(C.BAD_REQUEST) 807 request.write(C.BAD_REQUEST)
808 request.finish() 808 request.finish()
809 return 809 return
810 810
811 assert login
812
811 if login.startswith('@'): # this is checked by javascript but also here for security reason 813 if login.startswith('@'): # this is checked by javascript but also here for security reason
814 # FIXME: return an error instead of an Exception?
812 raise Exception('No profile_key allowed') 815 raise Exception('No profile_key allowed')
813 816
817 if '@' in login:
818 try:
819 login_jid = jid.JID(login)
820 except (RuntimeError, jid.InvalidFormat, AttributeError):
821 request.write(C.PROFILE_AUTH_ERROR)
822 request.finish()
823 return
824
825 if login_jid.host == new_account_domain:
826 # redirect "user@libervia.org" to the "user" profile
827 login = login_jid.user
828 login_jid = None
829 else:
830 login_jid = None
831
814 try: 832 try:
815 login_jid = jid.JID(login) 833 profile = self.sat_host.bridge.getProfileName(login)
816 except (RuntimeError, jid.InvalidFormat, AttributeError):
817 request.write(C.PROFILE_AUTH_ERROR)
818 request.finish()
819 return
820
821 # XXX: if there's no arobase in the JID, its host part is filled and the SàT profile name
822 # is there ; we need to look in the JID's user part to know if there's an arobase or not.
823
824 if login_jid.user and login_jid.host == new_account_domain:
825 # redirect "user@libervia.org" to the "user" profile
826 login_jid = jid.JID(login_jid.user)
827
828 try:
829 profile = self.sat_host.bridge.getProfileName(login_jid.full())
830 except Exception: # XXX: ProfileUnknownError wouldn't work, it's encapsulated 834 except Exception: # XXX: ProfileUnknownError wouldn't work, it's encapsulated
831 if login_jid.user: # try to create a new sat profile using the XMPP credentials 835 if login_jid is not None and login_jid.user: # try to create a new sat profile using the XMPP credentials
832 profile = login_jid.full() 836 profile = login # FIXME: what if there is a resource?
833 connect_method = "asyncConnectWithXMPPCredentials" 837 connect_method = "asyncConnectWithXMPPCredentials"
834 register_with_ext_jid = True 838 register_with_ext_jid = True
835 else: # non existing username 839 else: # non existing username
836 request.write(C.PROFILE_AUTH_ERROR) 840 request.write(C.PROFILE_AUTH_ERROR)
837 request.finish() 841 request.finish()
838 return 842 return
839 else: 843 else:
840 if profile != login_jid.full() or (not password and profile not in self.sat_host.options['empty_password_allowed_warning_dangerous_list']): 844 if profile != login or (not password and profile not in self.sat_host.options['empty_password_allowed_warning_dangerous_list']):
841 # profiles with empty passwords are restricted to local frontends 845 # profiles with empty passwords are restricted to local frontends
842 request.write(C.PROFILE_AUTH_ERROR) 846 request.write(C.PROFILE_AUTH_ERROR)
843 request.finish() 847 request.finish()
844 return 848 return
845 register_with_ext_jid = False 849 register_with_ext_jid = False
974 """ 978 """
975 _session = self.request.getSession() 979 _session = self.request.getSession()
976 profile = ISATSession(_session).profile 980 profile = ISATSession(_session).profile
977 if bool(profile): 981 if bool(profile):
978 return (True, None) 982 return (True, None)
979 return (False, self.__getSecurityWarning()) 983 return (False, self._getSecurityWarning())
980 984
981 def jsonrpc_registerParams(self): 985 def jsonrpc_registerParams(self):
982 """Register the frontend specific parameters""" 986 """Register the frontend specific parameters"""
983 # params = """<params><individual>...</category></individual>""" 987 # params = """<params><individual>...</category></individual>"""
984 # self.sat_host.bridge.paramsRegisterApp(params, C.SECURITY_LIMIT, C.APP_NAME) 988 # self.sat_host.bridge.paramsRegisterApp(params, C.SECURITY_LIMIT, C.APP_NAME)
986 def jsonrpc_getMenus(self): 990 def jsonrpc_getMenus(self):
987 """Return the parameters XML for profile""" 991 """Return the parameters XML for profile"""
988 # XXX: we put this method in Register because we get menus before being logged 992 # XXX: we put this method in Register because we get menus before being logged
989 return self.sat_host.bridge.getMenus('', C.SECURITY_LIMIT) 993 return self.sat_host.bridge.getMenus('', C.SECURITY_LIMIT)
990 994
991 def __getSecurityWarning(self): 995 def _getSecurityWarning(self):
992 """@return: a security warning message, or None if the connection is secure""" 996 """@return: a security warning message, or None if the connection is secure"""
993 if self.request.URLPath().scheme == 'https' or not self.sat_host.options['security_warning']: 997 if self.request.URLPath().scheme == 'https' or not self.sat_host.options['security_warning']:
994 return None 998 return None
995 text = "<p>" + D_("You are about to connect to an unsecure service.") + "</p><p>&nbsp;</p><p>" 999 text = "<p>" + D_("You are about to connect to an unsecure service.") + "</p><p>&nbsp;</p><p>"
996 1000
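Review bot: The new guard `assert login` at new line 811 is not a real input check: `login` comes from the request (the `KeyError` handler just above it shows it is read from the client), and `assert` statements are stripped when the interpreter runs with `-O`, so an empty login would then fall through to `getProfileName('')` with whatever that returns. Mirror the `KeyError` branch instead: `if not login:` followed by `request.write(C.BAD_REQUEST)`, `request.finish()`, `return`, so the rejection is a deliberate response rather than an unhandled `AssertionError`. The same applies to the kept `raise Exception('No profile_key allowed')` at new line 815, where the existing FIXME already asks for an error response rather than an exception escaping the handler. A secondary point: the `except Exception:` at new line 834 still turns any bridge failure, not only an unknown profile, into the external-JID registration path at 835-838; if the encapsulated `ProfileUnknownError` cannot be matched by type, a comment naming which failures are expected there would at least make the fallback explicit. The enclosing handler starts before this hunk, so the origin of `login`, `password` and `new_account_domain` is not visible here.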