# HG changeset patch
# User souliane
# Date 1378512427 -7200
# Node ID e830a0c60d320f14d174f3fd1c7cd2831c9fdf25
# Parent 7b26be266ab164f9b99bfd3379e3d018b7ec4665
server side: added the security_limit to setParam - in addition to the check which is done by the core, libervia checks if the param to be modified was really part of the XML that has been returned by getParams with security_limit = 0.
diff -r 7b26be266ab1 -r e830a0c60d32 browser_side/menu.py
--- a/browser_side/menu.py Fri Sep 06 16:23:30 2013 +0200
+++ b/browser_side/menu.py Sat Sep 07 02:07:07 2013 +0200
@@ -326,6 +326,7 @@
 def onParameters(self):
 def gotParams(xmlui):
+ # TODO: don't display the dialog if xmlui contains no param node
 body = XMLUI(self.host, xmlui)
 _dialog = dialog.GenericDialog("Parameters", body, options=['NO_CLOSE'])
 body.setCloseCb(_dialog.close)
diff -r 7b26be266ab1 -r e830a0c60d32 libervia.py
--- a/libervia.py Fri Sep 06 16:23:30 2013 +0200
+++ b/libervia.py Sat Sep 07 02:07:07 2013 +0200
@@ -99,11 +99,14 @@
 class BridgeCall(LiberviaJsonProxy):
 def __init__(self):
 LiberviaJsonProxy.__init__(self, "/json_api",
- ["getContacts", "addContact", "sendMessage", "sendMblog", "sendMblogComment", "getLastMblogs", "getMassiveLastMblogs", "getMblogComments", "getProfileJid", "getHistory", "getPresenceStatus",
- "joinMUC", "mucLeave", "getRoomsJoined", "launchTarotGame", "getTarotCardsPaths", "tarotGameReady", "tarotGameContratChoosed", "tarotGamePlayCards",
- "launchRadioCollective", "getWaitingSub", "subscription", "delContact", "updateContact", "getCard", "getEntityData", "getParamsUI", "chatStateComposing",
- #"setParam",
- "launchAction", "disconnect",
+ ["getContacts", "addContact", "sendMessage", "sendMblog", "sendMblogComment",
+ "getLastMblogs", "getMassiveLastMblogs", "getMblogComments", "getProfileJid",
+ "getHistory", "getPresenceStatus", "joinMUC", "mucLeave", "getRoomsJoined",
+ "launchTarotGame", "getTarotCardsPaths", "tarotGameReady",
+ "tarotGameContratChoosed", "tarotGamePlayCards", "launchRadioCollective",
+ "getWaitingSub", "subscription", "delContact", "updateContact", "getCard",
+ "getEntityData", "getParamsUI", "setParam", "launchAction", "disconnect",
+ "chatStateComposing"
 ])
 class BridgeSignals(LiberviaJsonProxy):
@@ -355,7 +358,7 @@
 _groups=None
 mblog_entry = MicroblogItem(mblog)
 self.mblog_cache.append((_groups, mblog_entry))
-
+
 if len(self.mblog_cache) > MAX_MBLOG_CACHE:
 del self.mblog_cache[0:len(self.mblog_cache-MAX_MBLOG_CACHE)]
 for lib_wid in self.libervia_widgets:
diff -r 7b26be266ab1 -r e830a0c60d32 libervia.tac
--- a/libervia.tac Fri Sep 06 16:23:30 2013 +0200
+++ b/libervia.tac Sat Sep 07 02:07:07 2013 +0200
@@ -39,6 +39,9 @@
 import tempfile, shutil, uuid
 from server_side.blog import MicroBlog
 from zope.interface import Interface, Attribute, implements
+from xml.dom import minidom
+
+
 #import time
 TIMEOUT = 300 #Session's time out, after that the user will be disconnected
@@ -47,6 +50,9 @@
 AVATARS_DIR = "avatars/"
 CARDS_DIR = "games/cards/tarot"
+# Security limit for Libervia (get/set params)
+SECURITY_LIMIT = 0
+
 class ISATSession(Interface):
 profile = Attribute("Sat profile")
 jid = Attribute("JID associated with the profile")
@@ -121,6 +127,7 @@
 def __init__(self, sat_host):
 jsonrpc.JSONRPC.__init__(self)
 self.sat_host=sat_host
+ self.authorized_params = None
 def render(self, request):
 self.session = request.getSession()
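Review bot: `self.authorized_params` is stored on the JSON-RPC resource itself rather than on the session, and `render` assigning `self.session = request.getSession()` suggests a single resource instance serves every client, so the allow-list that `jsonrpc_getParamsUI` later fills is shared by all profiles and populated only once, by whichever profile happens to call first. If the `getParams` output differs per profile, the parameter names seen by one profile would authorize `setParam` for another, and the list is never refreshed for the lifetime of the resource. Consider keying it by profile (or keeping it on the session object) and stating the intent next to the attribute, e.g. `# category -> [param names] returned by getParams at SECURITY_LIMIT; gate for jsonrpc_setParam`. `render` continues outside the hunk.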
@@ -353,16 +360,33 @@
 return self.sat_host.bridge.getCard(jid, profile)
 def jsonrpc_getParamsUI(self):
- """Return the parameters XMLUI for profile"""
+ """Return the parameters XML for profile"""
 profile = ISATSession(self.session).profile
 d = defer.Deferred()
- security_limit = 0
- self.sat_host.bridge.getParamsUI(security_limit, profile, callback=d.callback, errback=d.errback)
+
+ def setAuthorizedParams(d):
+ if self.authorized_params is None:
+ self.authorized_params = {}
+ for cat in minidom.parseString(d.encode('utf-8')).getElementsByTagName("category"):
+ params = cat.getElementsByTagName("param")
+ params_list = [param.getAttribute("name") for param in params]
+ self.authorized_params[cat.getAttribute("name")] = params_list
+ return d
+ d.addCallback(setAuthorizedParams)
+
+ from sat.tools.xml_tools import paramsXml2xmlUI
+ d.addCallback(lambda d: paramsXml2xmlUI(d))
+
+ self.sat_host.bridge.getParams(SECURITY_LIMIT, profile, callback=d.callback, errback=d.errback)
 return d
 def jsonrpc_setParam(self, name, value, category):
 profile = ISATSession(self.session).profile
- return self.sat_host.bridge.setParam(name, value, category, profile)
+ if category in self.authorized_params and name in self.authorized_params[category]:
+ return self.sat_host.bridge.setParam(name, value, category, SECURITY_LIMIT, profile)
+ else:
+ warning("Trying to set parameter '%s' in category '%s' without authorization!!!"
+ % (name, category))
 def jsonrpc_launchAction(self, action_type, data):
 profile = ISATSession(self.session).profile
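Review bot: `jsonrpc_setParam` evaluates `category in self.authorized_params` while that attribute starts as `None` and is only populated by the first `jsonrpc_getParamsUI` call, so a `setParam` request that arrives before any `getParamsUI` raises TypeError instead of being refused cleanly; guard it with `if self.authorized_params and name in self.authorized_params.get(category, []):`. The refusal branch only logs a warning and falls through to an implicit `None`, which the JSON-RPC layer will deliver as a successful null result, so the client cannot distinguish a denied write from a completed one — raise or return an explicit error there instead. The callback parameter `d` in `setAuthorizedParams` (and in the `lambda d:` below it) shadows the outer Deferred `d`, which makes the chain hard to follow; rename it to `params_xml`. `jsonrpc_launchAction` continues outside the hunk.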