view libervia/server/restricted_bridge.py @ 1479:095e94ca6728

pages: disable CSRF token check when service profile is used: CSRF token check doesn't make sense when no user is logged in, and it causes trouble for caching. fix 400
author Goffi <goffi@goffi.org>
date Fri, 22 Oct 2021 16:04:23 +0200
parents 97b8ce9ce54b
children e739600267cd

#!/usr/bin/env python3

# Libervia: a SàT frontend
# Copyright (C) 2009-2021 Jérôme Poisson (goffi@goffi.org)

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.

# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from libervia.server.constants import Const as C
from sat.tools.common import data_format


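def _keep_thumb_url_only(extra_s):
    """Reduce a serialised ``extra`` mapping to its "thumb_url" entry.

    This is the single allow-list filter shared by the bridge methods that
    accept client-supplied ``extra`` data. It is a module-level function rather
    than a method so that it adds no new name to ``RestrictedBridge``, whose
    methods are the surface meant to be usable from the browser.

    @param extra_s: serialised extra data as received, or a falsy value
    @return: ``extra_s`` unchanged when it is falsy, a serialised mapping
        holding only "thumb_url" when that key is present, else ""
    """
    if not extra_s:
        return extra_s
    # NOTE(review): deserialise() is called on client-supplied text; whatever
    # it raises on malformed input propagates to the caller unchanged.
    extra = data_format.deserialise(extra_s)
    if "thumb_url" in extra:
        # Only the key is allow-listed: the value is forwarded as deserialised,
        # with no type or URL-scheme check here.
        return data_format.serialise({"thumb_url": extra["thumb_url"]})
    return ""


class RestrictedBridge:
    """Bridge with limited access, which can be used from the browser.

    Only a few methods are implemented, and potentially dangerous arguments are
    controlled: ``listSet`` blanks ``schema`` and ``extra``, while
    ``interestsRegisterFileSharing`` and ``FISInvite`` keep only "thumb_url"
    from ``extra_s``. Every other argument is forwarded to
    ``self.host.bridgeCall`` as received.

    NOTE(review): the original docstring states that the security limit is
    used, but no method in this class reads ``self.security_limit`` -- confirm
    where it is enforced.
    NOTE(review): ``profile`` is forwarded as given; presumably the caller
    derives it from the authenticated session rather than from client input --
    verify against the caller.
    """

    def __init__(self, host):
        """Keep a reference to ``host`` and record the configured security limit."""
        self.host = host
        self.security_limit = C.SECURITY_LIMIT

    async def getContacts(self, profile):
        """Forward ``getContacts`` to the backend bridge for ``profile``."""
        return await self.host.bridgeCall("getContacts", profile)

    async def identityGet(self, entity, metadata_filter, use_cache, profile):
        """Forward ``identityGet`` with its arguments unchanged."""
        return await self.host.bridgeCall(
            "identityGet", entity, metadata_filter, use_cache, profile
        )

    async def identitiesGet(self, entities, metadata_filter, profile):
        """Forward ``identitiesGet`` with its arguments unchanged."""
        return await self.host.bridgeCall(
            "identitiesGet", entities, metadata_filter, profile
        )

    async def identitiesBaseGet(self, profile):
        """Forward ``identitiesBaseGet`` for ``profile``."""
        return await self.host.bridgeCall("identitiesBaseGet", profile)

    async def psNodeDelete(self, service_s, node, profile):
        """Forward ``psNodeDelete`` with its arguments unchanged.

        NOTE(review): destructive call with no check in this class; the
        permission decision is presumably made by the backend for ``profile``
        -- confirm.
        """
        return await self.host.bridgeCall("psNodeDelete", service_s, node, profile)

    async def psNodeAffiliationsSet(self, service_s, node, affiliations, profile):
        """Forward ``psNodeAffiliationsSet`` with its arguments unchanged.

        NOTE(review): ``affiliations`` is client-controlled and not inspected
        here; authorisation is presumably left to the backend -- confirm.
        """
        return await self.host.bridgeCall(
            "psNodeAffiliationsSet", service_s, node, affiliations, profile
        )

    async def psItemRetract(self, service_s, node, item_id, notify, profile):
        """Forward ``psItemRetract`` with its arguments unchanged."""
        return await self.host.bridgeCall(
            "psItemRetract", service_s, node, item_id, notify, profile
        )

    async def mbPreview(self, service_s, node, data, profile):
        """Forward ``mbPreview`` with its arguments unchanged."""
        return await self.host.bridgeCall("mbPreview", service_s, node, data, profile)

    async def listSet(self, service_s, node, values, schema, item_id, extra, profile):
        """Forward ``listSet`` while discarding ``schema`` and ``extra``.

        Both parameters are accepted to keep the signature, but an empty string
        is always sent in their place, so a client cannot supply either.
        """
        return await self.host.bridgeCall(
            "listSet", service_s, node, values, "", item_id, "", profile
        )

    async def fileHTTPUploadGetSlot(
        self, filename, size, content_type, upload_jid, profile
    ):
        """Forward ``fileHTTPUploadGetSlot`` with its arguments unchanged."""
        return await self.host.bridgeCall(
            "fileHTTPUploadGetSlot", filename, size, content_type, upload_jid, profile
        )

    async def fileSharingDelete(self, service_jid, path, namespace, profile):
        """Forward ``fileSharingDelete`` with its arguments unchanged.

        NOTE(review): ``path`` is client-controlled and not normalised or
        checked here; presumably the backend restricts it -- confirm.
        """
        return await self.host.bridgeCall(
            "fileSharingDelete", service_jid, path, namespace, profile
        )

    async def interestsRegisterFileSharing(
        self, service, repos_type, namespace, path, name, extra_s, profile
    ):
        """Forward ``interestsRegisterFileSharing`` with ``extra_s`` filtered.

        Only the "thumb_url" entry of ``extra_s`` is kept; any other key sent
        by the client is dropped before the call.
        """
        return await self.host.bridgeCall(
            "interestsRegisterFileSharing", service, repos_type, namespace, path, name,
            _keep_thumb_url_only(extra_s), profile
        )

    async def interestRetract(self, service_jid, item_id, profile):
        """Forward ``interestRetract`` with its arguments unchanged."""
        return await self.host.bridgeCall(
            "interestRetract", service_jid, item_id, profile
        )

    async def psInvite(
        self, invitee_jid_s, service_s, node, item_id, name, extra_s, profile
    ):
        """Forward ``psInvite`` with its arguments unchanged.

        NOTE(review): unlike ``FISInvite``, ``extra_s`` is not reduced to an
        allow-list here -- confirm this is intended.
        """
        return await self.host.bridgeCall(
            "psInvite", invitee_jid_s, service_s, node, item_id, name, extra_s, profile
        )

    async def FISInvite(
        self, invitee_jid_s, service_s, repos_type, namespace, path, name, extra_s,
        profile
    ):
        """Forward ``FISInvite`` with ``extra_s`` filtered.

        Only the "thumb_url" entry of ``extra_s`` is kept; any other key sent
        by the client is dropped before the call.
        """
        return await self.host.bridgeCall(
            "FISInvite", invitee_jid_s, service_s, repos_type, namespace, path, name,
            _keep_thumb_url_only(extra_s), profile
        )

    async def FISAffiliationsSet(
        self, service_s, namespace, path, affiliations, profile
    ):
        """Forward ``FISAffiliationsSet`` with its arguments unchanged.

        NOTE(review): ``affiliations`` and ``path`` are client-controlled and
        not inspected here; authorisation is presumably left to the backend --
        confirm.
        """
        return await self.host.bridgeCall(
            "FISAffiliationsSet", service_s, namespace, path, affiliations, profile
        )

    async def invitationSimpleCreate(
        self, invitee_email, invitee_name, url_template, extra_s, profile
    ):
        """Forward ``invitationSimpleCreate`` with its arguments unchanged.

        NOTE(review): ``url_template`` and ``extra_s`` reach the backend
        unfiltered; confirm that the backend validates them.
        """
        return await self.host.bridgeCall(
            "invitationSimpleCreate", invitee_email, invitee_name, url_template, extra_s,
            profile
        )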