changeset 215:e830a0c60d32

server side: added the security_limit to setParam - in addition to the check which is done by the core, libervia checks if the param to be modified was really part of the XML that has been returned by getParams with security_limit = 0.
author souliane <souliane@mailoo.org>
date Sat, 07 Sep 2013 02:07:07 +0200
parents 7b26be266ab1
children 9827cda1a6b0
files browser_side/menu.py libervia.py libervia.tac
diffstat 3 files changed, 38 insertions(+), 10 deletions(-) [+]
--- a/browser_side/menu.py	Fri Sep 06 16:23:30 2013 +0200
+++ b/browser_side/menu.py	Sat Sep 07 02:07:07 2013 +0200
@@ -326,6 +326,7 @@
 
     def onParameters(self):
         def gotParams(xmlui):
+            # TODO: don't display the dialog if xmlui contains no param node
             body = XMLUI(self.host, xmlui)
             _dialog = dialog.GenericDialog("Parameters", body, options=['NO_CLOSE'])
             body.setCloseCb(_dialog.close) 
--- a/libervia.py	Fri Sep 06 16:23:30 2013 +0200
+++ b/libervia.py	Sat Sep 07 02:07:07 2013 +0200
@@ -99,11 +99,14 @@
 class BridgeCall(LiberviaJsonProxy):
     def __init__(self):
         LiberviaJsonProxy.__init__(self, "/json_api",
-                        ["getContacts", "addContact", "sendMessage", "sendMblog", "sendMblogComment", "getLastMblogs", "getMassiveLastMblogs", "getMblogComments", "getProfileJid", "getHistory", "getPresenceStatus",
-                         "joinMUC", "mucLeave", "getRoomsJoined", "launchTarotGame", "getTarotCardsPaths", "tarotGameReady", "tarotGameContratChoosed", "tarotGamePlayCards",
-                         "launchRadioCollective", "getWaitingSub", "subscription", "delContact", "updateContact", "getCard", "getEntityData", "getParamsUI", "chatStateComposing",
-                         #"setParam",
-                         "launchAction", "disconnect",
+                        ["getContacts", "addContact", "sendMessage", "sendMblog", "sendMblogComment",
+                         "getLastMblogs", "getMassiveLastMblogs", "getMblogComments", "getProfileJid",
+                         "getHistory", "getPresenceStatus", "joinMUC", "mucLeave", "getRoomsJoined",
+                         "launchTarotGame", "getTarotCardsPaths", "tarotGameReady",
+                         "tarotGameContratChoosed", "tarotGamePlayCards", "launchRadioCollective",
+                         "getWaitingSub", "subscription", "delContact", "updateContact", "getCard",
+                         "getEntityData", "getParamsUI", "setParam", "launchAction", "disconnect",
+                         "chatStateComposing"
                         ])
 
 class BridgeSignals(LiberviaJsonProxy):
@@ -355,7 +358,7 @@
                     _groups=None
                 mblog_entry = MicroblogItem(mblog)
                 self.mblog_cache.append((_groups, mblog_entry))
-    
+
         if len(self.mblog_cache) > MAX_MBLOG_CACHE:
             del self.mblog_cache[0:len(self.mblog_cache-MAX_MBLOG_CACHE)]
         for lib_wid in self.libervia_widgets:
--- a/libervia.tac	Fri Sep 06 16:23:30 2013 +0200
+++ b/libervia.tac	Sat Sep 07 02:07:07 2013 +0200
@@ -39,6 +39,9 @@
 import tempfile, shutil, uuid
 from server_side.blog import MicroBlog
 from zope.interface import Interface, Attribute, implements
+from xml.dom import minidom
+
+
 #import time
 
 TIMEOUT = 300 #Session's time out, after that the user will be disconnected
@@ -47,6 +50,9 @@
 AVATARS_DIR = "avatars/"
 CARDS_DIR = "games/cards/tarot"
 
+# Security limit for Libervia (get/set params)
+SECURITY_LIMIT = 0
+
 class ISATSession(Interface):
     profile = Attribute("Sat profile")
     jid = Attribute("JID associated with the profile")
@@ -121,6 +127,7 @@
     def __init__(self, sat_host):
         jsonrpc.JSONRPC.__init__(self)
         self.sat_host=sat_host
+        self.authorized_params = None
 
     def render(self, request):
         self.session = request.getSession()
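Review bot: `self.authorized_params` is stored on the JSON-RPC resource object, not on the session, and `render` rebinds `self.session` per request, which suggests a single resource instance serves every connected user; if so, the allowlist built by the first `getParamsUI` call (from whichever profile happens to call it first) is reused for all later profiles and never refreshed for the lifetime of the process. Whether the security_limit-0 parameter set is identical across profiles is not visible here, so this may be acceptable, but the assumption should be stated: `self.authorized_params = None  # (category -> [param names]) allowed at SECURITY_LIMIT; filled lazily by jsonrpc_getParamsUI, shared by all sessions, never invalidated`. If the set can differ per profile, keying the cache by profile (or storing it on the session) would be the safer shape; the same attribute is read in the `jsonrpc_setParam` hunk below.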
@@ -353,16 +360,33 @@
         return self.sat_host.bridge.getCard(jid, profile)
 
     def jsonrpc_getParamsUI(self):
-        """Return the parameters XMLUI for profile"""
+        """Return the parameters XML for profile"""
         profile = ISATSession(self.session).profile
         d = defer.Deferred()
-        security_limit = 0
-        self.sat_host.bridge.getParamsUI(security_limit, profile, callback=d.callback, errback=d.errback)
+
+        def setAuthorizedParams(d):
+            if self.authorized_params is None:
+                self.authorized_params = {}
+                for cat in minidom.parseString(d.encode('utf-8')).getElementsByTagName("category"):
+                    params = cat.getElementsByTagName("param")
+                    params_list = [param.getAttribute("name") for param in params]
+                    self.authorized_params[cat.getAttribute("name")] = params_list
+            return d
+        d.addCallback(setAuthorizedParams)
+
+        from sat.tools.xml_tools import paramsXml2xmlUI
+        d.addCallback(lambda d: paramsXml2xmlUI(d))
+
+        self.sat_host.bridge.getParams(SECURITY_LIMIT, profile, callback=d.callback, errback=d.errback)
         return d
 
     def jsonrpc_setParam(self, name, value, category):
         profile = ISATSession(self.session).profile
-        return self.sat_host.bridge.setParam(name, value, category, profile)
+        if category in self.authorized_params and name in self.authorized_params[category]:
+            return self.sat_host.bridge.setParam(name, value, category, SECURITY_LIMIT, profile)
+        else:
+            warning("Trying to set parameter '%s' in category '%s' without authorization!!!"
+                    % (name, category))
 
     def jsonrpc_launchAction(self, action_type, data):
         profile = ISATSession(self.session).profile