comparison libervia.tac @ 215:e830a0c60d32
server side: added the security_limit to setParam
- In addition to the check done by the core, Libervia checks that the param to be modified was really part of the XML returned by getParams with security_limit = 0.
author | souliane <souliane@mailoo.org> |
---|---|
date | Sat, 07 Sep 2013 02:07:07 +0200 |
parents | 7b26be266ab1 |
children | 4e6467efd6bf |
214:7b26be266ab1 | 215:e830a0c60d32 |
---|---|
37 import re, glob | 37 import re, glob |
38 import os.path, sys | 38 import os.path, sys |
39 import tempfile, shutil, uuid | 39 import tempfile, shutil, uuid |
40 from server_side.blog import MicroBlog | 40 from server_side.blog import MicroBlog |
41 from zope.interface import Interface, Attribute, implements | 41 from zope.interface import Interface, Attribute, implements |
42 from xml.dom import minidom | |
43 | |
44 | |
42 #import time | 45 #import time |
43 | 46 |
44 TIMEOUT = 300 #Session's time out, after that the user will be disconnected | 47 TIMEOUT = 300 #Session's time out, after that the user will be disconnected |
45 LIBERVIA_DIR = "output/" | 48 LIBERVIA_DIR = "output/" |
46 MEDIA_DIR = "media/" | 49 MEDIA_DIR = "media/" |
47 AVATARS_DIR = "avatars/" | 50 AVATARS_DIR = "avatars/" |
48 CARDS_DIR = "games/cards/tarot" | 51 CARDS_DIR = "games/cards/tarot" |
52 | |
53 # Security limit for Libervia (get/set params) | |
54 SECURITY_LIMIT = 0 | |
49 | 55 |
50 class ISATSession(Interface): | 56 class ISATSession(Interface): |
51 profile = Attribute("Sat profile") | 57 profile = Attribute("Sat profile") |
52 jid = Attribute("JID associated with the profile") | 58 jid = Attribute("JID associated with the profile") |
53 | 59 |
119 class MethodHandler(jsonrpc.JSONRPC): | 125 class MethodHandler(jsonrpc.JSONRPC): |
120 | 126 |
121 def __init__(self, sat_host): | 127 def __init__(self, sat_host): |
122 jsonrpc.JSONRPC.__init__(self) | 128 jsonrpc.JSONRPC.__init__(self) |
123 self.sat_host=sat_host | 129 self.sat_host=sat_host |
130 self.authorized_params = None | |
124 | 131 |
125 def render(self, request): | 132 def render(self, request): |
126 self.session = request.getSession() | 133 self.session = request.getSession() |
127 profile = ISATSession(self.session).profile | 134 profile = ISATSession(self.session).profile |
128 if not profile: | 135 if not profile: |
351 @return: id to retrieve the profile""" | 358 @return: id to retrieve the profile""" |
352 profile = ISATSession(self.session).profile | 359 profile = ISATSession(self.session).profile |
353 return self.sat_host.bridge.getCard(jid, profile) | 360 return self.sat_host.bridge.getCard(jid, profile) |
354 | 361 |
355 def jsonrpc_getParamsUI(self): | 362 def jsonrpc_getParamsUI(self): |
356 """Return the parameters XMLUI for profile""" | 363 """Return the parameters XML for profile""" |
357 profile = ISATSession(self.session).profile | 364 profile = ISATSession(self.session).profile |
358 d = defer.Deferred() | 365 d = defer.Deferred() |
359 security_limit = 0 | 366 |
360 self.sat_host.bridge.getParamsUI(security_limit, profile, callback=d.callback, errback=d.errback) | 367 def setAuthorizedParams(d): |
368 if self.authorized_params is None: | |
369 self.authorized_params = {} | |
370 for cat in minidom.parseString(d.encode('utf-8')).getElementsByTagName("category"): | |
371 params = cat.getElementsByTagName("param") | |
372 params_list = [param.getAttribute("name") for param in params] | |
373 self.authorized_params[cat.getAttribute("name")] = params_list | |
374 return d | |
375 d.addCallback(setAuthorizedParams) | |
376 | |
377 from sat.tools.xml_tools import paramsXml2xmlUI | |
378 d.addCallback(lambda d: paramsXml2xmlUI(d)) | |
379 | |
380 self.sat_host.bridge.getParams(SECURITY_LIMIT, profile, callback=d.callback, errback=d.errback) | |
361 return d | 381 return d |
362 | 382 |
363 def jsonrpc_setParam(self, name, value, category): | 383 def jsonrpc_setParam(self, name, value, category): |
364 profile = ISATSession(self.session).profile | 384 profile = ISATSession(self.session).profile |
365 return self.sat_host.bridge.setParam(name, value, category, profile) | 385 if category in self.authorized_params and name in self.authorized_params[category]: |
386 return self.sat_host.bridge.setParam(name, value, category, SECURITY_LIMIT, profile) | |
387 else: | |
388 warning("Trying to set parameter '%s' in category '%s' without authorization!!!" | |
389 % (name, category)) | |
366 | 390 |
367 def jsonrpc_launchAction(self, action_type, data): | 391 def jsonrpc_launchAction(self, action_type, data): |
368 profile = ISATSession(self.session).profile | 392 profile = ISATSession(self.session).profile |
369 return self.sat_host.bridge.launchAction(action_type, data, profile) | 393 return self.sat_host.bridge.launchAction(action_type, data, profile) |
370 | 394 |
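Review bot: `jsonrpc_setParam` (new lines 385-389) dereferences `self.authorized_params` before `jsonrpc_getParamsUI` has ever populated it — `__init__` sets it to `None` at new line 130, so a `setParam` call that arrives first raises `TypeError` on `category in self.authorized_params` instead of being refused; guard with `authorized = self.authorized_params or {}` and test `if name not in authorized.get(category, ()):`. The `else` branch only logs and falls through, so the client receives a null result rather than an error; raising after the `warning(...)` call would make the refusal visible to the caller. The allow-list is also built once per `MethodHandler` (`if self.authorized_params is None`, new line 368) from whichever profile first calls `getParamsUI`, so if parameter sets can differ between profiles the first profile's list is applied to every later one — keeping it on the session (next to `profile`/`jid` in `ISATSession`) would scope it per profile, if that is the intent. The `name`/`category` values in the warning come straight from the RPC request and are written to the log unsanitized. Minor: the docstring at new line 363 now says `XML` while the deferred still yields the XMLUI produced by `paramsXml2xmlUI`, so the original wording `XMLUI` was more accurate.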