changeset 605:917e271975d9 frontends_multi_profiles

server + browser side: implementation of new getEntitiesData bridge method + added a security check: only a white list of entities can be retrieved
author Goffi <goffi@goffi.org>
date Mon, 09 Feb 2015 21:46:15 +0100
parents 32dbbc941123
children 7af8f4ab3675
files src/browser/sat_browser/json.py src/server/constants.py src/server/server.py
diffstat 3 files changed, 26 insertions(+), 5 deletions(-) [+]
--- a/src/browser/sat_browser/json.py	Fri Feb 06 17:53:01 2015 +0100
+++ b/src/browser/sat_browser/json.py	Mon Feb 09 21:46:15 2015 +0100
@@ -185,7 +185,7 @@
                          "getWaitingSub", "subscription", "delContact", "updateContact", "getCard",
                          "getEntityData", "getParamsUI", "asyncGetParamA", "setParam", "launchAction",
                          "disconnect", "chatStateComposing", "getNewAccountDomain", "confirmationAnswer",
-                         "syntaxConvert", "getAccountDialogUI", "getLastResource", "getWaitingConf",
+                         "syntaxConvert", "getAccountDialogUI", "getLastResource", "getWaitingConf", "getEntitiesData",
                         ])
     def __call__(self, *args, **kwargs):
         return LiberviaJsonProxy.__call__(self, *args, **kwargs)
--- a/src/server/constants.py	Fri Feb 06 17:53:01 2015 +0100
+++ b/src/server/constants.py	Mon Feb 09 21:46:15 2015 +0100
@@ -44,3 +44,6 @@
 
     # Security limit for Libervia server_side
     SERVER_SECURITY_LIMIT = constants.Const.NO_SECURITY_LIMIT
+
+    # keys for cache values we can get from browser
+    ALLOWED_ENTITY_DATA = {'avatar', 'nick'}
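Review bot: The comment on the new `ALLOWED_ENTITY_DATA` constant says only "keys for cache values we can get from browser", which does not convey that this set is a security boundary: it is the allow-list that `jsonrpc_getEntityData` and `jsonrpc_getEntitiesData` in server.py test with `issuperset(keys)` before calling the bridge, so every key added here becomes readable by any browser session. A maintainer adding a key later should see that consequence at the definition, e.g. `# Entity-data keys a browser session may request via jsonrpc_getEntityData / jsonrpc_getEntitiesData; adding a key here exposes that cached value to every browser session`. The set literal is fine as written for this codebase's Python 2 style.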
--- a/src/server/server.py	Fri Feb 06 17:53:01 2015 +0100
+++ b/src/server/server.py	Mon Feb 09 21:46:15 2015 +0100
@@ -34,6 +34,7 @@
 log = getLogger(__name__)
 from sat_frontends.bridge.DBus import DBusBridgeFrontend, BridgeExceptionNoService, const_TIMEOUT as BRIDGE_TIMEOUT
 from sat.core.i18n import _, D_
+from sat.core import exceptions
 from sat.tools.xml_tools import paramsXML2XMLUI
 
 import re
@@ -463,23 +464,40 @@
             return
         self.sat_host.bridge.radiocolLaunch(invited, room_jid, profile)
 
+    def jsonrpc_getEntitiesData(self, jids, keys):
+        """Get cached data for several entities at once
+
+        @param jids: list jids from who we wants data, or empty list for all jids in cache
+        @param keys: name of data we want (list)
+        @return: requested data"""
+        if not C.ALLOWED_ENTITY_DATA.issuperset(keys):
+            raise exceptions.PermissionError("Trying to access unallowed data (hack attempt ?)")
+        profile = ISATSession(self.session).profile
+        try:
+            return self.sat_host.bridge.getEntitiesData(jids, keys, profile)
+        except Exception as e:
+            raise Failure(jsonrpclib.Fault(C.ERRNUM_BRIDGE_ERRBACK, unicode(e)))
+
     def jsonrpc_getEntityData(self, jid, keys):
-        """Get cached data for an entit
+        """Get cached data for an entity
+
         @param jid: jid of contact from who we want data
         @param keys: name of data we want (list)
         @return: requested data"""
+        if not C.ALLOWED_ENTITY_DATA.issuperset(keys):
+            raise exceptions.PermissionError("Trying to access unallowed data (hack attempt ?)")
         profile = ISATSession(self.session).profile
         try:
             return self.sat_host.bridge.getEntityData(jid, keys, profile)
         except Exception as e:
             raise Failure(jsonrpclib.Fault(C.ERRNUM_BRIDGE_ERRBACK, unicode(e)))
 
-    def jsonrpc_getCard(self, jid):
+    def jsonrpc_getCard(self, jid_):
         """Get VCard for entiry
-        @param jid: jid of contact from who we want data
+        @param jid_: jid of contact from who we want data
         @return: id to retrieve the profile"""
         profile = ISATSession(self.session).profile
-        return self.sat_host.bridge.getCard(jid, profile)
+        return self.sat_host.bridge.getCard(jid_, profile)
 
     def jsonrpc_getAccountDialogUI(self):
         """Get the dialog for managing user account