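def csrf_validation(event):
    """ CSRF token validation Subscriber

        Checks the CSRF token of every POST request (PUT/PATCH/DELETE are
        not covered by this subscriber).  The token is read from the POST
        body first and from the query string as a fallback, then compared
        in constant time against ``request.session.get_csrf_token()``.  A
        missing or mismatched token raises HTTPForbidden unless the matched
        route is exempt.

        Exemptions (only consulted when the token check fails):

        * routes named in the ``apex.no_csrf`` setting, comma separated and
          without surrounding whitespace (the ``routename1:routename2`` form
          shown in older notes is NOT split by this version and therefore
          exempts nothing -- which fails safe);
        * routes whose name starts with ``debugtoolbar.``;
        * requests with no matched route (traversal views) are never
          validated at all.

        History: as of Pyramid 1.2a3, messages passed through HTTPForbidden
        broke and were not exposed to exception handlers, and a subscriber
        cannot see a view decorator such as ``@no_csrf`` because the
        decorator is only read AFTER the event has fired -- hence an ini
        setting instead of a per-view decorator.

        Accepting the token from the query string is kept for
        compatibility; it leaks the token into referrers and access logs,
        so a form field should be preferred.

        :param event: a Pyramid event carrying ``event.request``
        :raises HTTPForbidden: token missing/invalid on a non-exempt route
    """
    import hmac

    request = event.request
    if request.method != 'POST':
        return

    def _tokens_match(received, expected):
        """Constant-time equality; anything that is not text is invalid."""
        if received is None or expected is None:
            return False
        try:
            a = received if isinstance(received, bytes) else received.encode('utf-8')
            b = expected if isinstance(expected, bytes) else expected.encode('utf-8')
        except (AttributeError, UnicodeError):
            # e.g. an uploaded file posted under the token's field name
            return False
        compare = getattr(hmac, 'compare_digest', None)  # Python 2.7.7+/3.3+
        if compare is None:
            return a == b
        return compare(a, b)

    token = request.POST.get('csrf_token') or request.GET.get('csrf_token')
    if _tokens_match(token, request.session.get_csrf_token()):
        return

    route = request.matched_route
    if not route:
        return
    no_csrf = apex_settings('no_csrf', '').split(',')
    if route.name in no_csrf or route.name.startswith('debugtoolbar.'):
        return
    raise HTTPForbidden(_('CSRF token is missing or invalid'))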
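def csrf_validation(event):
    """ CSRF token validation Subscriber

        Checks the CSRF token of every POST request (PUT/PATCH/DELETE are
        not covered by this subscriber).  The token is read from the POST
        body first and from the query string as a fallback, then compared
        in constant time against ``request.session.get_csrf_token()``.  A
        missing or mismatched token raises HTTPForbidden unless the matched
        route is exempt.

        Exemptions (only consulted when the token check fails):

        * routes named in the ``apex.no_csrf`` setting, separated by ``:``
          and without surrounding whitespace::

              apex.no_csrf = routename1:routename2

        * requests with no matched route (traversal views) are never
          validated at all.

        History: as of Pyramid 1.2a3, messages passed through HTTPForbidden
        broke and were not exposed to exception handlers, and a subscriber
        cannot see a view decorator such as ``@no_csrf`` because the
        decorator is only read AFTER the event has fired -- hence an ini
        setting instead of a per-view decorator.

        Accepting the token from the query string is kept for
        compatibility; it leaks the token into referrers and access logs,
        so a form field should be preferred.

        :param event: a Pyramid event carrying ``event.request``
        :raises HTTPForbidden: token missing/invalid on a non-exempt route
    """
    import hmac

    request = event.request
    if request.method != 'POST':
        return

    def _tokens_match(received, expected):
        """Constant-time equality; anything that is not text is invalid."""
        if received is None or expected is None:
            return False
        try:
            a = received if isinstance(received, bytes) else received.encode('utf-8')
            b = expected if isinstance(expected, bytes) else expected.encode('utf-8')
        except (AttributeError, UnicodeError):
            # e.g. an uploaded file posted under the token's field name
            return False
        compare = getattr(hmac, 'compare_digest', None)  # Python 2.7.7+/3.3+
        if compare is None:
            return a == b
        return compare(a, b)

    token = request.POST.get('csrf_token') or request.GET.get('csrf_token')
    if _tokens_match(token, request.session.get_csrf_token()):
        return

    route = request.matched_route
    if not route:
        return
    no_csrf = apex_settings('no_csrf', '').split(':')
    if route.name in no_csrf:
        return
    raise HTTPForbidden(_('CSRF token is missing or invalid'))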
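def csrf_validation(event):
    """ CSRF token validation Subscriber

        Checks the CSRF token of every POST request (PUT/PATCH/DELETE are
        not covered by this subscriber).  The token is looked up, in order,
        in the POST body, the query string and the ``X-CSRF-Token`` header,
        then compared in constant time against
        ``request.session.get_csrf_token()``.  A missing or mismatched token
        raises HTTPForbidden unless the matched route is exempt.

        Exemptions (only consulted when the token check fails):

        * routes named in the ``apex.no_csrf`` setting, comma separated and
          without surrounding whitespace (the ``routename1:routename2`` form
          shown in older notes is NOT split by this version and therefore
          exempts nothing -- which fails safe);
        * routes whose name starts with ``debugtoolbar.``;
        * routes whose name starts with ``apex_`` -- apex CSRF was disabled
          on 20121118 because the token was not being passed through the
          new Velruse, so apex's own forms (login, registration, ...) are
          currently NOT protected by this subscriber;
        * requests with no matched route (traversal views) are never
          validated at all.

        History: as of Pyramid 1.2a3, messages passed through HTTPForbidden
        broke and were not exposed to exception handlers, and a subscriber
        cannot see a view decorator such as ``@no_csrf`` because the
        decorator is only read AFTER the event has fired -- hence an ini
        setting instead of a per-view decorator.

        Accepting the token from the query string is kept for
        compatibility; it leaks the token into referrers and access logs,
        so a form field or the header should be preferred.  Token values
        are deliberately never written to the log.

        :param event: a Pyramid event carrying ``event.request``
        :raises HTTPForbidden: token missing/invalid on a non-exempt route
    """
    import hmac

    request = event.request
    if request.method != 'POST':
        return

    def _tokens_match(received, expected):
        """Constant-time equality; anything that is not text is invalid."""
        if received is None or expected is None:
            return False
        try:
            a = received if isinstance(received, bytes) else received.encode('utf-8')
            b = expected if isinstance(expected, bytes) else expected.encode('utf-8')
        except (AttributeError, UnicodeError):
            # e.g. an uploaded file posted under the token's field name
            return False
        compare = getattr(hmac, 'compare_digest', None)  # Python 2.7.7+/3.3+
        if compare is None:
            return a == b
        return compare(a, b)

    token = (request.POST.get('csrf_token')
             or request.GET.get('csrf_token')
             or request.headers.get('X-CSRF-Token'))
    if _tokens_match(token, request.session.get_csrf_token()):
        return

    route = request.matched_route
    if not route:
        return
    no_csrf = apex_settings('no_csrf', '').split(',')
    if route.name in no_csrf or route.name.startswith(('debugtoolbar.', 'apex_')):
        return
    # Log the route and whether a token arrived, never the secret values.
    log.debug('apex: CSRF token missing or invalid for route %s (token %s)',
              route.name, 'present' if token else 'absent')
    raise HTTPForbidden(_('CSRF token is missing or invalid'))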
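def csrf_validation(event):
    """ CSRF token validation Subscriber

        Checks the CSRF token of every POST request (PUT/PATCH/DELETE are
        not covered by this subscriber).  The token is looked up, in order,
        in the POST body, the query string, a JSON request body and the
        ``X-CSRF-Token`` header, then compared in constant time against
        ``request.session.get_csrf_token()``.  A missing or mismatched token
        raises HTTPForbidden unless the matched route is exempt.

        Exemptions (only consulted when the token check fails):

        * routes named in the ``apex.no_csrf`` setting, comma separated and
          without surrounding whitespace (the ``routename1:routename2`` form
          shown in older notes is NOT split by this version and therefore
          exempts nothing -- which fails safe);
        * routes whose name starts with ``debugtoolbar.``;
        * routes whose name starts with ``apex_`` -- apex CSRF was disabled
          on 20121118 because the token was not being passed through the
          new Velruse, so apex's own forms (login, registration, ...) are
          currently NOT protected by this subscriber;
        * requests with no matched route (traversal views) are never
          validated at all.

        History: as of Pyramid 1.2a3, messages passed through HTTPForbidden
        broke and were not exposed to exception handlers, and a subscriber
        cannot see a view decorator such as ``@no_csrf`` because the
        decorator is only read AFTER the event has fired -- hence an ini
        setting instead of a per-view decorator.

        Accepting the token from the query string is kept for
        compatibility; it leaks the token into referrers and access logs,
        so a form field or the header should be preferred.  Token values
        are deliberately never written to the log.

        :param event: a Pyramid event carrying ``event.request``
        :raises HTTPForbidden: token missing/invalid on a non-exempt route
    """
    import hmac

    request = event.request
    if request.method != 'POST':
        return

    def _tokens_match(received, expected):
        """Constant-time equality; anything that is not text is invalid."""
        if received is None or expected is None:
            return False
        try:
            a = received if isinstance(received, bytes) else received.encode('utf-8')
            b = expected if isinstance(expected, bytes) else expected.encode('utf-8')
        except (AttributeError, UnicodeError):
            # e.g. an uploaded file posted under the token's field name
            return False
        compare = getattr(hmac, 'compare_digest', None)  # Python 2.7.7+/3.3+
        if compare is None:
            return a == b
        return compare(a, b)

    token = request.POST.get('csrf_token') or request.GET.get('csrf_token')
    if not token:
        # request.json_body raises ValueError on a non-JSON body and the
        # decoded document need not be a dict; without this guard a form
        # POST with a missing token produced a 500 instead of a 403.
        try:
            body = request.json_body
        except ValueError:
            body = None
        if isinstance(body, dict):
            token = body.get('csrf_token')
    if not token:
        token = request.headers.get('X-CSRF-Token')

    if _tokens_match(token, request.session.get_csrf_token()):
        return

    route = request.matched_route
    if not route:
        return
    no_csrf = apex_settings('no_csrf', '').split(',')
    if route.name in no_csrf or route.name.startswith(('debugtoolbar.', 'apex_')):
        return
    # Log the route and whether a token arrived, never the secret values.
    log.debug('apex: CSRF token missing or invalid for route %s (token %s)',
              route.name, 'present' if token else 'absent')
    raise HTTPForbidden(_('CSRF token is missing or invalid'))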
def create_user(**kwargs):
    """
::

    from apex.lib.libapex import create_user
    create_user(username='******', password='******', active='Y', group='group')
    Returns: AuthUser object

    Create an AuthUser from keyword arguments and attach it to its groups.

    Keywords consumed before the user object is built:
      registry -- Pyramid registry to use instead of the thread-local one
      group    -- name of one extra AuthGroup to join (ignored if not found)
      groups   -- comma-separated AuthGroup names to join (unknown names
                  are dropped by the IN query)
    Every remaining keyword is assigned to the new AuthUser with setattr,
    so callers must only pass trusted, known attribute names (see below).

    NOTE(review): this listing ends inside the ``try`` block -- the
    ``except``/``finally`` clause and the ``return`` promised above are not
    visible here, so the return value cannot be confirmed from this excerpt.
    """
    # get_current_request() is None outside a request (e.g. a CLI script);
    # a stand-in is only built further down, just before the event notify.
    request = get_current_request()
    registry = get_current_registry()
    if 'registry' in kwargs:
        registry = kwargs['registry']
        del kwargs['registry']
    settings = registry.settings
    # map default groups
    groups = []
    # has_key is Python 2 only (this file also uses `except Exception, e`).
    if settings.has_key('apex.default_user_group'):
        # .one() raises (NoResultFound / MultipleResultsFound) if the
        # configured default group does not exist exactly once; not caught.
        group = DBSession.query(AuthGroup).filter(
            AuthGroup.name==settings['apex.default_user_group']).one()
        if not group in groups:
            groups.append(group)
    # add user to users groups
    qgroup = DBSession.query(AuthGroup).filter(
        AuthGroup.name=='users').first()
    if qgroup:
        if not qgroup in groups:
            groups.append(qgroup)
    # extra kw group
    if 'group' in kwargs:
        try:
            group = DBSession.query(AuthGroup).filter(
                AuthGroup.name==kwargs['group']).one()
            groups.append(group)
        except NoResultFound:
            pass
        del kwargs['group']
    # extra kw groups splitted on ','
    if 'groups' in kwargs:
        try:
            sgroups = kwargs['groups'].split(',')
            qgroups= DBSession.query(AuthGroup).filter(
                AuthGroup.name.in_(sgroups)).all()
            for group in qgroups:
                if not group in groups:
                    groups.append(group)
        # .all() returns a (possibly empty) list and does not raise
        # NoResultFound; this handler is effectively unreachable.
        except NoResultFound:
            pass
        del kwargs['groups']
    # register user
    user = AuthUser()
    # SECURITY: mass assignment -- any leftover keyword becomes an attribute
    # on the user (e.g. `active`, `id`, `groups`) with no allow-list.  Never
    # forward raw request parameters into this function.  Whether `password`
    # is hashed on assignment depends on AuthUser (presumably a property
    # setter) -- confirm before relying on it.
    for key, value in kwargs.items():
        setattr(user, key, value)
    DBSession.add(user)
    try:
        transaction.commit()
        DBSession.add(user)
        # link groups
        for group in groups:
            try:
                user.groups.append(group)
                transaction.commit()
            # Broad catch: the exception text (possibly DB internals) is
            # flashed to the end user's session.  If request is None (see
            # top of function) this branch raises AttributeError on
            # .session, since the fake request is only created below.
            except Exception, e:
                error = _('Cant add user :%s to group: %s (%s)') % (user, group, e)
                logging.getLogger('apex.add_user_to_group').error(error)
                request.session.flash(error, 'error')
        transaction.commit()
        DBSession.add(user)
        # when request is not available fake it a bit
        class obj(object): pass
        class session:
            def flash(self, *args, **kwargs):pass
        obj.registry = registry
        obj.session = session()
        if request is None:
            request = obj()
        # Subscribers receive the real request or the stand-in above.
        registry.notify(UserCreatedEvent(request, user))
        transaction.commit()
        DBSession.add(user)
def create_user(**kwargs):
    """
::

    from apex.lib.libapex import create_user
    create_user(username='******', password='******', active='Y', group='group')
    Returns: AuthUser object

    Create an AuthUser from keyword arguments and attach it to its groups.

    Keywords consumed before the user object is built:
      registry -- Pyramid registry to use instead of the thread-local one
      group    -- name of one extra AuthGroup to join (ignored if not found)
      groups   -- comma-separated AuthGroup names to join (unknown names
                  are dropped by the IN query)
    Every remaining keyword is assigned to the new AuthUser with setattr,
    so callers must only pass trusted, known attribute names (see below).

    NOTE(review): this listing ends inside the ``try`` block -- the
    ``except``/``finally`` clause and the ``return`` promised above are not
    visible here, so the return value cannot be confirmed from this excerpt.
    """
    # get_current_request() is None outside a request (e.g. a CLI script);
    # a stand-in is only built further down, just before the event notify.
    request = get_current_request()
    registry = get_current_registry()
    if 'registry' in kwargs:
        registry = kwargs['registry']
        del kwargs['registry']
    settings = registry.settings
    # map default groups
    groups = []
    # has_key is Python 2 only (this file also uses `except Exception, e`).
    if settings.has_key('apex.default_user_group'):
        # .one() raises (NoResultFound / MultipleResultsFound) if the
        # configured default group does not exist exactly once; not caught.
        group = DBSession.query(AuthGroup).filter(
            AuthGroup.name == settings['apex.default_user_group']).one()
        if not group in groups:
            groups.append(group)
    # add user to users groups
    qgroup = DBSession.query(AuthGroup).filter(
        AuthGroup.name == 'users').first()
    if qgroup:
        if not qgroup in groups:
            groups.append(qgroup)
    # extra kw group
    if 'group' in kwargs:
        try:
            group = DBSession.query(AuthGroup).filter(
                AuthGroup.name == kwargs['group']).one()
            groups.append(group)
        except NoResultFound:
            pass
        del kwargs['group']
    # extra kw groups splitted on ','
    if 'groups' in kwargs:
        try:
            sgroups = kwargs['groups'].split(',')
            qgroups = DBSession.query(AuthGroup).filter(
                AuthGroup.name.in_(sgroups)).all()
            for group in qgroups:
                if not group in groups:
                    groups.append(group)
        # .all() returns a (possibly empty) list and does not raise
        # NoResultFound; this handler is effectively unreachable.
        except NoResultFound:
            pass
        del kwargs['groups']
    # register user
    user = AuthUser()
    # SECURITY: mass assignment -- any leftover keyword becomes an attribute
    # on the user (e.g. `active`, `id`, `groups`) with no allow-list.  Never
    # forward raw request parameters into this function.  Whether `password`
    # is hashed on assignment depends on AuthUser (presumably a property
    # setter) -- confirm before relying on it.
    for key, value in kwargs.items():
        setattr(user, key, value)
    DBSession.add(user)
    try:
        transaction.commit()
        DBSession.add(user)
        # link groups
        for group in groups:
            try:
                user.groups.append(group)
                transaction.commit()
            # Broad catch: the exception text (possibly DB internals) is
            # flashed to the end user's session.  If request is None (see
            # top of function) this branch raises AttributeError on
            # .session, since the fake request is only created below.
            except Exception, e:
                error = _('Cant add user :%s to group: %s (%s)') % (user,
                                                                    group, e)
                logging.getLogger('apex.add_user_to_group').error(error)
                request.session.flash(error, 'error')
        transaction.commit()
        DBSession.add(user)

        # when request is not available fake it a bit
        class obj(object):
            pass

        class session:
            def flash(self, *args, **kwargs):
                pass

        obj.registry = registry
        obj.session = session()
        if request is None:
            request = obj()
        # Subscribers receive the real request or the stand-in above.
        registry.notify(UserCreatedEvent(request, user))
        transaction.commit()
        DBSession.add(user)