diff libervia.tac @ 215:e830a0c60d32
server side: added the security_limit to setParam
- in addition to the check done by the core, Libervia checks that the parameter to be modified was really part of the XML returned by getParams with security_limit = 0.
author | souliane <souliane@mailoo.org> |
date | Sat, 07 Sep 2013 02:07:07 +0200 |
parents | 7b26be266ab1 |
children | 4e6467efd6bf |
--- a/libervia.tac Fri Sep 06 16:23:30 2013 +0200
+++ b/libervia.tac Sat Sep 07 02:07:07 2013 +0200
@@ -39,6 +39,9 @@
 import tempfile, shutil, uuid
 from server_side.blog import MicroBlog
 from zope.interface import Interface, Attribute, implements
+from xml.dom import minidom
+
+
 #import time
 TIMEOUT = 300 #Session's time out, after that the user will be disconnected
@@ -47,6 +50,9 @@
 AVATARS_DIR = "avatars/"
 CARDS_DIR = "games/cards/tarot"
+# Security limit for Libervia (get/set params)
+SECURITY_LIMIT = 0
+
 class ISATSession(Interface):
     profile = Attribute("Sat profile")
     jid = Attribute("JID associated with the profile")
@@ -121,6 +127,7 @@
     def __init__(self, sat_host):
         jsonrpc.JSONRPC.__init__(self)
         self.sat_host=sat_host
+        self.authorized_params = None
     def render(self, request):
         self.session = request.getSession()
@@ -353,16 +360,33 @@
         return self.sat_host.bridge.getCard(jid, profile)
     def jsonrpc_getParamsUI(self):
-        """Return the parameters XMLUI for profile"""
+        """Return the parameters XML for profile"""
         profile = ISATSession(self.session).profile
         d = defer.Deferred()
-        security_limit = 0
-        self.sat_host.bridge.getParamsUI(security_limit, profile, callback=d.callback, errback=d.errback)
+
+        def setAuthorizedParams(d):
+            if self.authorized_params is None:
+                self.authorized_params = {}
+                for cat in minidom.parseString(d.encode('utf-8')).getElementsByTagName("category"):
+                    params = cat.getElementsByTagName("param")
+                    params_list = [param.getAttribute("name") for param in params]
+                    self.authorized_params[cat.getAttribute("name")] = params_list
+            return d
+        d.addCallback(setAuthorizedParams)
+
+        from sat.tools.xml_tools import paramsXml2xmlUI
+        d.addCallback(lambda d: paramsXml2xmlUI(d))
+
+        self.sat_host.bridge.getParams(SECURITY_LIMIT, profile, callback=d.callback, errback=d.errback)
         return d
     def jsonrpc_setParam(self, name, value, category):
         profile = ISATSession(self.session).profile
-        return self.sat_host.bridge.setParam(name, value, category, profile)
+        if category in self.authorized_params and name in self.authorized_params[category]:
+            return self.sat_host.bridge.setParam(name, value, category, SECURITY_LIMIT, profile)
+        else:
+            warning("Trying to set parameter '%s' in category '%s' without authorization!!!"
+                    % (name, category))
     def jsonrpc_launchAction(self, action_type, data):
         profile = ISATSession(self.session).profile
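Review bot: `jsonrpc_setParam` tests `category in self.authorized_params`, but the `__init__` hunk at -121 initialises `self.authorized_params = None`, so a client that calls setParam before getParamsUI has populated the allowlist gets a `TypeError` from the membership test rather than the intended refusal. Treat an unset allowlist as empty: `authorized = self.authorized_params or {}` followed by `if category in authorized and name in authorized[category]:`. The refusal branch only logs and falls through to an implicit `None`, so the JSON-RPC caller cannot tell a rejected write from a successful one; returning or raising an explicit error would make the refusal visible to the client. `self.authorized_params` lives on the JSONRPC resource that `render` shares across sessions, so it appears to be built once from whichever profile's getParams ran first — worth confirming that the set of allowed parameters does not vary per profile before relying on it as a cross-session allowlist. Naming the callback parameter and the lambda argument `d`, the same as the outer Deferred, reads confusingly; `params_xml` would make the data flow clearer.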