Mercurial > libervia-web

view libervia/web/pages/chat/select/page_meta.py @ 1598:86c7a3a625d5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
server: always start a new session on connection: The session was kept when a user was connecting from service profile (but not from other profiles), this was leading to session fixation vulnerability (an attacker on the same machine could get service profile session cookie, and use it when a victim would log-in). This patch fixes it by always starting a new session on connection. fix 443
author Goffi <goffi@goffi.org>
date Fri, 23 Feb 2024 13:35:24 +0100
parents c6976c5b85a1
children
line wrap: on
line source

#!/usr/bin/env python3


from libervia.backend.core.i18n import _
from libervia.web.server.constants import Const as C
from twisted.internet import defer
from twisted.words.protocols.jabber import jid
from libervia.backend.tools.common import data_objects
from libervia.backend.core.log import getLogger

log = getLogger(__name__)

name = "chat_select"
access = C.PAGES_ACCESS_PROFILE
template = "chat/select.html"


async def prepare_render(self, request):
    profile = self.get_profile(request)
    template_data = request.template_data
    rooms = template_data["rooms"] = []
    bookmarks = await self.host.bridge_call("bookmarks_list", "muc", "all", profile)
    for bm_values in list(bookmarks.values()):
        for room_jid, room_data in bm_values.items():
            url = self.get_page_by_name("chat").get_url(room_jid)
            rooms.append(data_objects.Room(room_jid, name=room_data.get("name"), url=url))
    rooms.sort(key=lambda r: r.name)


async def on_data_post(self, request):
    jid_ = self.get_posted_data(request, "search")
    if "@" not in jid_:
        profile = self.get_profile(request)
        service = await self.host.bridge_call("muc_get_service", "", profile)
        if service:
            muc_jid = jid.JID(service)
            muc_jid.user = jid_
            jid_ = muc_jid.full()
        else:
            log.warning(_("Invalid jid received: {jid}".format(jid=jid_)))
            return C.POST_NO_CONFIRM
    url = self.get_page_by_name("chat").get_url(jid_)
    self.http_redirect(request, url)