changeset 819:9b9c0fe0a75f

server: fixed bad login check introduced in rev 6a2fd7807770
author Goffi <goffi@goffi.org>
date Sun, 03 Jan 2016 16:24:37 +0100
parents f8a7a046ff9c
children 4d87bc322a6c
files src/server/server.py
diffstat 1 files changed, 24 insertions(+), 20 deletions(-) [+]
--- a/src/server/server.py	Sun Jan 03 16:24:27 2016 +0100
+++ b/src/server/server.py	Sun Jan 03 16:24:37 2016 +0100
@@ -808,28 +808,32 @@
             request.finish()
             return
 
+        assert login
+
         if login.startswith('@'):  # this is checked by javascript but also here for security reason
+            # FIXME: return an error instead of an Exception?
             raise Exception('No profile_key allowed')
 
+        if '@' in login:
+            try:
+                login_jid = jid.JID(login)
+            except (RuntimeError, jid.InvalidFormat, AttributeError):
+                request.write(C.PROFILE_AUTH_ERROR)
+                request.finish()
+                return
+
+            if login_jid.host == new_account_domain:
+                # redirect "user@libervia.org" to the "user" profile
+                login = login_jid.user
+                login_jid = None
+        else:
+            login_jid = None
+
         try:
-            login_jid = jid.JID(login)
-        except (RuntimeError, jid.InvalidFormat, AttributeError):
-            request.write(C.PROFILE_AUTH_ERROR)
-            request.finish()
-            return
-
-        # XXX: if there's no arobase in the JID, its host part is filled and the SàT profile name
-        # is there ; we need to look in the JID's user part to know if there's an arobase or not.
-
-        if login_jid.user and login_jid.host == new_account_domain:
-            # redirect "user@libervia.org" to the "user" profile
-            login_jid = jid.JID(login_jid.user)
-
-        try:
-            profile = self.sat_host.bridge.getProfileName(login_jid.full())
+            profile = self.sat_host.bridge.getProfileName(login)
         except Exception:  # XXX: ProfileUnknownError wouldn't work, it's encapsulated
-            if login_jid.user:  # try to create a new sat profile using the XMPP credentials
-                profile = login_jid.full()
+            if login_jid is not None and login_jid.user:  # try to create a new sat profile using the XMPP credentials
+                profile = login # FIXME: what if there is a resource?
                 connect_method = "asyncConnectWithXMPPCredentials"
                 register_with_ext_jid = True
             else: # non existing username
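Review bot: The new `assert login` is the only guard between request-supplied input and the rest of the handler, and assertions are stripped when the server runs under `python -O`, so an empty login would then fall through to `'@' in login` and `getProfileName('')` with no rejection. The error paths just below already show the pattern for bad input, so the guard should be an explicit check that writes `C.PROFILE_AUTH_ERROR`, finishes the request and returns, rather than an assertion. Note also that for an `@`-login at a domain other than `new_account_domain` the raw string is passed to the bridge and later compared as `profile != login`, whereas the removed code compared against `login_jid.full()`; if the bridge canonicalises profile names this comparison may now differ — worth confirming. The enclosing method starts before this hunk, so where `login` is read from the request is not visible here.
```python
        # … unchanged: earlier request checks …
        if not login:
            request.write(C.PROFILE_AUTH_ERROR)
            request.finish()
            return

        if login.startswith('@'):  # this is checked by javascript but also here for security reason
```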
@@ -837,7 +841,7 @@
                 request.finish()
                 return
         else:
-            if profile != login_jid.full() or (not password and profile not in self.sat_host.options['empty_password_allowed_warning_dangerous_list']):
+            if profile != login or (not password and profile not in self.sat_host.options['empty_password_allowed_warning_dangerous_list']):
                 # profiles with empty passwords are restricted to local frontends
                 request.write(C.PROFILE_AUTH_ERROR)
                 request.finish()
@@ -976,7 +980,7 @@
         profile = ISATSession(_session).profile
         if bool(profile):
             return (True, None)
-        return (False, self.__getSecurityWarning())
+        return (False, self._getSecurityWarning())
 
     def jsonrpc_registerParams(self):
         """Register the frontend specific parameters"""
@@ -988,7 +992,7 @@
         # XXX: we put this method in Register because we get menus before being logged
         return self.sat_host.bridge.getMenus('', C.SECURITY_LIMIT)
 
-    def __getSecurityWarning(self):
+    def _getSecurityWarning(self):
         """@return: a security warning message, or None if the connection is secure"""
         if self.request.URLPath().scheme == 'https' or not self.sat_host.options['security_warning']:
             return None