comparison src/server/server.py @ 745:ad733b670cc3

server side: fixed params, and removed self.authorized_params as authorisation is handled by the backend
author Goffi <goffi@goffi.org>
date Mon, 23 Nov 2015 12:59:28 +0100
parents 03ccd68a6dab
children 25984ca4aef2
33 from sat.core.log import getLogger 33 from sat.core.log import getLogger
34 log = getLogger(__name__) 34 log = getLogger(__name__)
35 from sat_frontends.bridge.DBus import DBusBridgeFrontend, BridgeExceptionNoService, const_TIMEOUT as BRIDGE_TIMEOUT 35 from sat_frontends.bridge.DBus import DBusBridgeFrontend, BridgeExceptionNoService, const_TIMEOUT as BRIDGE_TIMEOUT
36 from sat.core.i18n import _, D_ 36 from sat.core.i18n import _, D_
37 from sat.core import exceptions 37 from sat.core import exceptions
38 from sat.tools.xml_tools import paramsXML2XMLUI
39 from sat.tools import utils 38 from sat.tools import utils
40 39
41 import re 40 import re
42 import glob 41 import glob
43 import os.path 42 import os.path
44 import sys 43 import sys
45 import tempfile 44 import tempfile
46 import shutil 45 import shutil
47 import uuid 46 import uuid
48 from zope.interface import Interface, Attribute, implements 47 from zope.interface import Interface, Attribute, implements
49 from xml.dom import minidom
50 from httplib import HTTPS_PORT 48 from httplib import HTTPS_PORT
51 import libervia 49 import libervia
52 50
53 try: 51 try:
54 import OpenSSL 52 import OpenSSL
177 175
178 class MethodHandler(JSONRPCMethodManager): 176 class MethodHandler(JSONRPCMethodManager):
179 177
180 def __init__(self, sat_host): 178 def __init__(self, sat_host):
181 JSONRPCMethodManager.__init__(self, sat_host) 179 JSONRPCMethodManager.__init__(self, sat_host)
182 self.authorized_params = None
183 180
184 def render(self, request): 181 def render(self, request):
185 self.session = request.getSession() 182 self.session = request.getSession()
186 profile = ISATSession(self.session).profile 183 profile = ISATSession(self.session).profile
187 if not profile: 184 if not profile:
626 return self.sat_host.bridge.getAccountDialogUI(profile) 623 return self.sat_host.bridge.getAccountDialogUI(profile)
627 624
628 def jsonrpc_getParamsUI(self): 625 def jsonrpc_getParamsUI(self):
629 """Return the parameters XML for profile""" 626 """Return the parameters XML for profile"""
630 profile = ISATSession(self.session).profile 627 profile = ISATSession(self.session).profile
631 d = self.asyncBridgeCall("getParams", C.SECURITY_LIMIT, C.APP_NAME, profile) 628 return self.asyncBridgeCall("getParamsUI", C.SECURITY_LIMIT, C.APP_NAME, profile)
632
633 def setAuthorizedParams(params_xml):
634 if self.authorized_params is None:
635 self.authorized_params = {}
636 for cat in minidom.parseString(params_xml.encode('utf-8')).getElementsByTagName("category"):
637 params = cat.getElementsByTagName("param")
638 params_list = [param.getAttribute("name") for param in params]
639 self.authorized_params[cat.getAttribute("name")] = params_list
640 if self.authorized_params:
641 return params_xml
642 else:
643 return None
644
645 d.addCallback(setAuthorizedParams)
646
647 d.addCallback(lambda params_xml: paramsXML2XMLUI(params_xml) if params_xml else "")
648
649 return d
650 629
651 def jsonrpc_asyncGetParamA(self, param, category, attribute="value"): 630 def jsonrpc_asyncGetParamA(self, param, category, attribute="value"):
652 """Return the parameter value for profile""" 631 """Return the parameter value for profile"""
653 profile = ISATSession(self.session).profile 632 profile = ISATSession(self.session).profile
654 d = self.asyncBridgeCall("asyncGetParamA", param, category, attribute, C.SECURITY_LIMIT, profile_key=profile) 633 d = self.asyncBridgeCall("asyncGetParamA", param, category, attribute, C.SECURITY_LIMIT, profile_key=profile)
655 return d 634 return d
656 635
657 def jsonrpc_setParam(self, name, value, category): 636 def jsonrpc_setParam(self, name, value, category):
658 profile = ISATSession(self.session).profile 637 profile = ISATSession(self.session).profile
659 if category in self.authorized_params and name in self.authorized_params[category]: 638 return self.sat_host.bridge.setParam(name, value, category, C.SECURITY_LIMIT, profile)
660 return self.sat_host.bridge.setParam(name, value, category, C.SECURITY_LIMIT, profile)
661 else:
662 log.warning(u"Trying to set parameter '%s' in category '%s' without authorization!!!"
663 % (name, category))
664 639
665 def jsonrpc_launchAction(self, callback_id, data): 640 def jsonrpc_launchAction(self, callback_id, data):
666 #FIXME: any action can be launched, this can be a huge security issue if callback_id can be guessed 641 #FIXME: any action can be launched, this can be a huge security issue if callback_id can be guessed
667 # a security system with authorised callback_id must be implemented, similar to the one for authorised params 642 # a security system with authorised callback_id must be implemented, similar to the one for authorised params
668 profile = ISATSession(self.session).profile 643 profile = ISATSession(self.session).profile
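Review bot: `jsonrpc_setParam` (new line 638) now forwards every request straight to `bridge.setParam` with `C.SECURITY_LIMIT`, so the only thing stopping a client from writing a restricted parameter is the backend honouring that limit, and nothing in this file records that assumption or the fact that the previous warning log for unauthorised attempts is gone. I would add `# authorisation is enforced by the backend via C.SECURITY_LIMIT; no local allow-list here` above the call so a later reader does not reintroduce a client-side check by mistake, and confirm (not visible here) that the backend still logs or raises on a rejected write so the server-side audit trail is not silently lost. The FIXME in `jsonrpc_launchAction` (new lines 641-642) still says "similar to the one for authorised params", which this commit removes; it should now refer to the backend-side limit instead, e.g. `# a security system with authorised callback_id must be implemented (cf. C.SECURITY_LIMIT enforced by the backend)`. `jsonrpc_launchAction`'s body continues outside the hunk.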