diff libervia_server/__init__.py @ 336:629c99bbd031
browser + server side: refactored menus:
- getMenus is added to the Register class, so it can be used before being logged in
- dynamic menus are added to main menu bar
- security limit is used
- menus use i18n
author | Goffi <goffi@goffi.org> |
---|---|
date | Tue, 04 Feb 2014 16:49:20 +0100 |
parents | c01397d18026 |
children | 2067d6241927 |
--- a/libervia_server/__init__.py Tue Feb 04 16:49:20 2014 +0100
+++ b/libervia_server/__init__.py Tue Feb 04 16:49:20 2014 +0100
@@ -480,6 +480,8 @@
 % (name, category))
 def jsonrpc_launchAction(self, callback_id, data):
+ #FIXME: any action can be launched, this can be a huge security issue if callback_id can be guessed
+ # a security system with authorised callback_id must be implemented, similar to the one for authorised params
 profile = ISATSession(self.session).profile
 d = self.asyncBridgeCall("launchAction", callback_id, data, profile)
 return d
@@ -540,8 +542,8 @@
 _session = request.getSession()
 parsed = jsonrpclib.loads(request.content.read())
 method = parsed.get("method")
- if method != "isRegistered" and method != "registerParams":
- #if we don't call login or isRegistered, we need to be identified
+ if method not in ['isRegistered', 'registerParams', 'getMenus']:
+ #if we don't call these methods, we need to be identified
 profile = ISATSession(_session).profile
 if not profile:
 #user is not identified, we return a jsonrpc fault
@@ -741,6 +743,11 @@
 self.sat_host.bridge.paramsRegisterApp(params, Const.SECURITY_LIMIT, Const.APP_NAME)
+ def jsonrpc_getMenus(self):
+ """Return the parameters XML for profile"""
+ # XXX: we put this method in Register because we get menus before being logged
+ return self.sat_host.bridge.getMenus('', Const.SECURITY_LIMIT)
+
 class SignalHandler(jsonrpc.JSONRPC):
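Review bot: The FIXME added at the top of `jsonrpc_launchAction` records the missing authorisation but treats it as a problem only "if callback_id can be guessed"; access control should not rest on an identifier being unguessable, and the method still forwards any client-supplied `callback_id` and `data` to the bridge for the session's profile. The check the comment asks for belongs before the `asyncBridgeCall`: keep, per session, the set of callback ids the server has actually sent to this client and answer any other id with a JSON-RPC fault. Until that exists I would reword the comment to state the invariant, e.g. `# FIXME(security): callback_id is client-controlled and not checked against the ids issued to this session`, and track it outside the code as well. Whether the bridge itself validates `callback_id` against `profile` is not visible from this hunk.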
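Review bot: The list of methods exempt from the login check is an inline literal inside `if method not in [...]`, so the server's pre-authentication surface grows by editing a string in the middle of the request handler. I would lift it to a named module-level constant, with a comment saying that every entry is reachable without a profile, e.g. `UNAUTHENTICATED_METHODS = frozenset(('isRegistered', 'registerParams', 'getMenus'))` (name constructed for this note), and test `method not in UNAUTHENTICATED_METHODS`. The exemption is keyed on the method name alone; if this handler is shared by more than one JSON-RPC resource, a `getMenus` on another resource would be exempt too, which is worth confirming. The enclosing function begins and ends outside the hunk.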
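Review bot: The docstring of `jsonrpc_getMenus`, "Return the parameters XML for profile", does not describe the method: it returns whatever `bridge.getMenus('', Const.SECURITY_LIMIT)` yields and takes no profile, since it is meant to be called before login. Suggested: `"""Return the menus allowed at Const.SECURITY_LIMIT; callable without a logged-in profile."""`, plus a comment on what the empty first argument means. Because the result is served to unauthenticated clients, the comment should also state that nothing profile-specific may be returned here. It is worth confirming that the menu entries carry no callback ids accepted by `jsonrpc_launchAction`, whose FIXME in this same commit says those ids are not yet checked. The call goes straight to `bridge.getMenus` whereas `jsonrpc_launchAction` uses `self.asyncBridgeCall`; if the bridge call can block, the asynchronous form would be the consistent choice.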