diff src/server/server.py @ 745:ad733b670cc3
server side: fixed params, and removed self.authorized_params as authorisation is handled by the backend
author | Goffi <goffi@goffi.org> |
---|---|
date | Mon, 23 Nov 2015 12:59:28 +0100 |
parents | 03ccd68a6dab |
children | 25984ca4aef2 |
--- a/src/server/server.py Sun Nov 22 21:28:06 2015 +0100
+++ b/src/server/server.py Mon Nov 23 12:59:28 2015 +0100
@@ -35,7 +35,6 @@
 from sat_frontends.bridge.DBus import DBusBridgeFrontend, BridgeExceptionNoService, const_TIMEOUT as BRIDGE_TIMEOUT
 from sat.core.i18n import _, D_
 from sat.core import exceptions
-from sat.tools.xml_tools import paramsXML2XMLUI
 from sat.tools import utils
 import re
@@ -46,7 +45,6 @@
 import shutil
 import uuid
 from zope.interface import Interface, Attribute, implements
-from xml.dom import minidom
 from httplib import HTTPS_PORT
 import libervia
@@ -179,7 +177,6 @@
 def __init__(self, sat_host):
 JSONRPCMethodManager.__init__(self, sat_host)
- self.authorized_params = None
 def render(self, request):
 self.session = request.getSession()
@@ -628,25 +625,7 @@
 def jsonrpc_getParamsUI(self):
 """Return the parameters XML for profile"""
 profile = ISATSession(self.session).profile
- d = self.asyncBridgeCall("getParams", C.SECURITY_LIMIT, C.APP_NAME, profile)
-
- def setAuthorizedParams(params_xml):
- if self.authorized_params is None:
- self.authorized_params = {}
- for cat in minidom.parseString(params_xml.encode('utf-8')).getElementsByTagName("category"):
- params = cat.getElementsByTagName("param")
- params_list = [param.getAttribute("name") for param in params]
- self.authorized_params[cat.getAttribute("name")] = params_list
- if self.authorized_params:
- return params_xml
- else:
- return None
-
- d.addCallback(setAuthorizedParams)
-
- d.addCallback(lambda params_xml: paramsXML2XMLUI(params_xml) if params_xml else "")
-
- return d
+ return self.asyncBridgeCall("getParamsUI", C.SECURITY_LIMIT, C.APP_NAME, profile)
 def jsonrpc_asyncGetParamA(self, param, category, attribute="value"):
 """Return the parameter value for profile"""
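Review bot: The docstring kept on `jsonrpc_getParamsUI` (hunk at -628) still says it returns the parameters XML, while the new single line returns whatever the bridge's `getParamsUI` call produces, with filtering left to the backend through `C.SECURITY_LIMIT`. I would update it to something like `"""Return the parameters XMLUI for profile, filtered by the backend with C.SECURITY_LIMIT"""`. The removed path returned `""` when no parameter was authorised; whether the backend call yields an equally empty value in that case is not visible in this diff, so the browser-side caller should be checked against it.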
@@ -656,11 +635,7 @@
 def jsonrpc_setParam(self, name, value, category):
 profile = ISATSession(self.session).profile
- if category in self.authorized_params and name in self.authorized_params[category]:
- return self.sat_host.bridge.setParam(name, value, category, C.SECURITY_LIMIT, profile)
- else:
- log.warning(u"Trying to set parameter '%s' in category '%s' without authorization!!!"
- % (name, category))
+ return self.sat_host.bridge.setParam(name, value, category, C.SECURITY_LIMIT, profile)
 def jsonrpc_launchAction(self, callback_id, data):
 #FIXME: any action can be launched, this can be a huge security issue if callback_id can be guessed
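Review bot: `jsonrpc_setParam` now forwards the client-supplied `name`, `value` and `category` straight to `bridge.setParam`, so the backend's handling of `C.SECURITY_LIMIT` is the only control on which parameters a web session may change, and the `log.warning` that recorded refused attempts is gone together with the allow-list. A single enforcement point is a sound design, but the reliance should be written down where the next reader looks, e.g. `# No local allow-list: the backend is expected to refuse params above C.SECURITY_LIMIT` above the return, plus a docstring, which the method lacks. It is also worth confirming that the backend logs a refused `setParam` (not visible in this diff); otherwise the server keeps no trace of such attempts. The method sits fully inside the hunk, while `jsonrpc_launchAction` after it continues beyond it.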