comparison src/server/server.py @ 745:ad733b670cc3
server side: fixed params, and removed self.authorized_params as authorisation is handled by the backend
author | Goffi <goffi@goffi.org> |
---|---|
date | Mon, 23 Nov 2015 12:59:28 +0100 |
parents | 03ccd68a6dab |
children | 25984ca4aef2 |
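--- a/src/server/server.py
+++ b/src/server/server.py
@@ -33,22 +33,20 @@
 from sat.core.log import getLogger
 log = getLogger(__name__)
 from sat_frontends.bridge.DBus import DBusBridgeFrontend, BridgeExceptionNoService, const_TIMEOUT as BRIDGE_TIMEOUT
 from sat.core.i18n import _, D_
 from sat.core import exceptions
-from sat.tools.xml_tools import paramsXML2XMLUI
 from sat.tools import utils
 
 import re
 import glob
 import os.path
 import sys
 import tempfile
 import shutil
 import uuid
 from zope.interface import Interface, Attribute, implements
-from xml.dom import minidom
 from httplib import HTTPS_PORT
 import libervia
 
 try:
     import OpenSSL
@@ -177,11 +175,10 @@
 
 class MethodHandler(JSONRPCMethodManager):
 
     def __init__(self, sat_host):
         JSONRPCMethodManager.__init__(self, sat_host)
-        self.authorized_params = None
 
     def render(self, request):
         self.session = request.getSession()
         profile = ISATSession(self.session).profile
         if not profile:
@@ -626,43 +623,21 @@
         return self.sat_host.bridge.getAccountDialogUI(profile)
 
     def jsonrpc_getParamsUI(self):
         """Return the parameters XML for profile"""
         profile = ISATSession(self.session).profile
-        d = self.asyncBridgeCall("getParams", C.SECURITY_LIMIT, C.APP_NAME, profile)
-
-        def setAuthorizedParams(params_xml):
-            if self.authorized_params is None:
-                self.authorized_params = {}
-                for cat in minidom.parseString(params_xml.encode('utf-8')).getElementsByTagName("category"):
-                    params = cat.getElementsByTagName("param")
-                    params_list = [param.getAttribute("name") for param in params]
-                    self.authorized_params[cat.getAttribute("name")] = params_list
-            if self.authorized_params:
-                return params_xml
-            else:
-                return None
-
-        d.addCallback(setAuthorizedParams)
-
-        d.addCallback(lambda params_xml: paramsXML2XMLUI(params_xml) if params_xml else "")
-
-        return d
+        return self.asyncBridgeCall("getParamsUI", C.SECURITY_LIMIT, C.APP_NAME, profile)
 
     def jsonrpc_asyncGetParamA(self, param, category, attribute="value"):
         """Return the parameter value for profile"""
         profile = ISATSession(self.session).profile
         d = self.asyncBridgeCall("asyncGetParamA", param, category, attribute, C.SECURITY_LIMIT, profile_key=profile)
         return d
 
     def jsonrpc_setParam(self, name, value, category):
         profile = ISATSession(self.session).profile
-        if category in self.authorized_params and name in self.authorized_params[category]:
-            return self.sat_host.bridge.setParam(name, value, category, C.SECURITY_LIMIT, profile)
-        else:
-            log.warning(u"Trying to set parameter '%s' in category '%s' without authorization!!!"
-                        % (name, category))
+        return self.sat_host.bridge.setParam(name, value, category, C.SECURITY_LIMIT, profile)
 
     def jsonrpc_launchAction(self, callback_id, data):
         #FIXME: any action can be launched, this can be a huge security issue if callback_id can be guessed
         # a security system with authorised callback_id must be implemented, similar to the one for authorised params
         profile = ISATSession(self.session).profile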
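Review bot: The FIXME kept in jsonrpc_launchAction still says a callback_id authorisation scheme should be built "similar to the one for authorised params", but this very commit deletes that scheme (self.authorized_params in __init__ and the check plus warning in jsonrpc_setParam), so the comment now points at code that no longer exists; reword it to something like `# a security system with authorised callback_id must be implemented; param authorisation is now delegated to the backend via C.SECURITY_LIMIT`. jsonrpc_setParam has become a straight pass-through to bridge.setParam, so its only remaining guard is the C.SECURITY_LIMIT argument, which presumably makes the backend refuse parameters above that limit — that is not visible here and deserves a docstring, e.g. `"""Set a parameter for the session profile; authorisation is enforced by the backend via C.SECURITY_LIMIT."""`, matching the docstrings on the sibling jsonrpc_ methods. With the local check gone, a refused set is no longer logged on this side, so it may be worth confirming the backend reports such refusals in a way that surfaces to the web server's logs. The body of jsonrpc_launchAction continues past the end of this section.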