view libervia/web/pages/events/new/page_meta.py @ 1598:86c7a3a625d5

server: always start a new session on connection: The session was kept when a user was connecting from service profile (but not from other profiles), this was leading to session fixation vulnerability (an attacker on the same machine could get service profile session cookie, and use it when a victim would log-in). This patch fixes it by always starting a new session on connection. fix 443
author Goffi <goffi@goffi.org>
date Fri, 23 Feb 2024 13:35:24 +0100
parents eb00d593801d
children b695b98851fc
line wrap: on
line source

#!/usr/bin/env python3


from libervia.web.server.constants import Const as C
from twisted.internet import defer
from libervia.backend.core.log import getLogger
from libervia.backend.tools.common import date_utils

"""creation of new events"""

name = "event_new"
access = C.PAGES_ACCESS_PROFILE
template = "event/create.html"
log = getLogger(__name__)


@defer.inlineCallbacks
def on_data_post(self, request):
    request_data = self.get_r_data(request)
    profile = self.get_profile(request)
    title, location, body, date, main_img, bg_img = self.get_posted_data(
        request, ("name", "location", "body", "date", "main_image", "bg_image")
    )
    timestamp = date_utils.date_parse(date)
    data = {"name": title, "description": body, "location": location}

    for value, var in ((main_img, "image"), (bg_img, "background-image")):
        value = value.strip()
        if not value:
            continue
        if not value.startswith("http"):
            self.page_error(request, C.HTTP_BAD_REQUEST)
        data[var] = value
    data["register"] = C.BOOL_TRUE
    node = yield self.host.bridge_call("event_create", timestamp, data, "", "", "", profile)
    log.info("Event node created at {node}".format(node=node))

    request_data["post_redirect_page"] = (self.get_page_by_name("event_admin"), "@", node)
    defer.returnValue(C.POST_NO_CONFIRM)