def logout_client():
    """
    Client-initiated logout.

    Reads ``client_id`` (and optionally ``next``) from the query string. A
    trusted client is only logged out when both the Referer and the ``next``
    destination share the hostname of the client's registered redirect URI;
    any mismatch is treated as a possible CSRF attempt and the user is sent to
    the index page with an error flash, still logged in. An untrusted client
    is sent back without a logout.

    Note this compares hostnames only (scheme and port are not checked) and
    that a missing Referer is accepted as legitimate.
    """
    def refuse():
        # Shared refusal path: flash the error and bounce to index without logging out
        flash(logout_errormsg, 'error')
        return redirect(url_for('index'))

    client = Client.query.filter_by(key=request.args['client_id']).first()
    if client is None:
        # Unknown client id: possible CSRF, refuse
        return refuse()

    if not client.trusted:
        # We know this client, but it's not trusted. Send back without logout.
        return redirect(get_next_url(external=True))

    # Trusted client: the referring page must be on the client's registered host
    clienthost = urlparse.urlsplit(client.redirect_uri).hostname
    referrer = request.referrer
    if referrer and urlparse.urlsplit(referrer).hostname != clienthost:
        return refuse()
    # A missing Referer (stripped by a browser or proxy, or a direct link) is
    # accepted, since nothing more can be verified here.

    # The 'next' destination, when given, must be on the same host too
    if 'next' in request.args and urlparse.urlsplit(request.args['next']).hostname != clienthost:
        return refuse()

    # All checks passed: log out and send the user back to the client
    logout_internal()
    return redirect(get_next_url(external=True))
        def decorated_function(*args, **kwargs):
            """
            Run the wrapped view, verify that the browser accepts cookies, then
            hand off to ``_login_handler_internal``.

            The wrapped view returns a dict; ``next``, ``scope`` and ``message``
            are read from it (falling back to the request). On the first visit
            with a fresh session a ``cookies`` marker is stored and the browser
            is redirected back to the same URL with ``cookietest=1`` appended;
            if the session is still new on that second visit, cookies are
            disabled and the login is aborted with ``no_cookies``.
            """
            g.login_required = True
            view_data = f(*args, **kwargs)
            metarefresh = getbool(request.args.get('metarefresh'))
            cookietest = 'cookietest' in request.args
            if cookietest:
                next_url = get_next_url()
            else:
                next_url = view_data.get('next') or get_next_url(referrer=True)

            if session.new and not cookietest:
                # Fresh session: store a marker and bounce through the same URL so
                # the next request shows whether the cookie came back
                session['cookies'] = True
                # `next` rides along in the query string so it survives the round trip
                separator = '&' if urlparse.urlsplit(request.url).query else '?'
                return redirect(request.url + separator + 'cookietest=1&next=' + urllib.quote(next_url))
            if session.new:
                # Marker did not come back: cookies are disabled, abort the login
                return self._auth_error_handler('no_cookies',
                    error_description=u"Your browser must accept cookies for you to login.",
                    error_uri="")
            # Round trip succeeded; the marker has served its purpose
            session.pop('cookies', None)

            scope = view_data.get('scope', 'id')
            message = view_data.get('message') or request.args.get('message')
            if isinstance(message, unicode):
                # Downstream expects a byte string
                message = message.encode('utf-8')
            return self._login_handler_internal(scope, next_url, message, metarefresh)
def logout_client():
    """
    Client-initiated logout.

    Reads ``client_id`` (and optionally ``next``) from the query string. A
    trusted client is only logged out when both the Referer and the ``next``
    destination share the hostname of the client's registered redirect URI;
    any mismatch is treated as a possible CSRF attempt and the user is sent to
    the index page with an error flash, still logged in. An untrusted client
    is sent back without a logout.

    Note this compares hostnames only (scheme and port are not checked) and
    that a missing Referer is accepted as legitimate.
    """
    def refuse():
        # Shared refusal path: flash the error and bounce to index without logging out
        flash(logout_errormsg, 'error')
        return redirect(url_for('index'))

    client = Client.query.filter_by(key=request.args['client_id']).first()
    if client is None:
        # Unknown client id: possible CSRF, refuse
        return refuse()

    if not client.trusted:
        # We know this client, but it's not trusted. Send back without logout.
        return redirect(get_next_url(external=True))

    # Trusted client: the referring page must be on the client's registered host
    clienthost = urlparse.urlsplit(client.redirect_uri).hostname
    referrer = request.referrer
    if referrer and urlparse.urlsplit(referrer).hostname != clienthost:
        return refuse()
    # A missing Referer (stripped by a browser or proxy, or a direct link) is
    # accepted, since nothing more can be verified here.

    # The 'next' destination, when given, must be on the same host too
    if 'next' in request.args and urlparse.urlsplit(request.args['next']).hostname != clienthost:
        return refuse()

    # All checks passed: log out and send the user back to the client
    logout_internal()
    return redirect(get_next_url(external=True))
def login():
    """
    Render and process the login page.

    POST forms are told apart by ``form.id``: the password form
    (``passwordlogin``) and any service form registered for the login page;
    any other POST form id is answered with a 500. The last-used login method
    is read from the ``login`` cookie on GET only and written back via
    ``set_loginmethod_cookie`` after a successful login. XHR requests for the
    password form receive just the form fragment.
    """
    # Already authenticated: nothing to do, send the user on
    if g.user:
        return redirect(get_next_url(referrer=True), code=303)

    loginform = LoginForm()
    # Only providers that offer a form on the login page itself
    service_forms = {
        service: provider.get_form()
        for service, provider in login_registry.items()
        if provider.at_login and provider.form is not None
    }

    # Which method the browser last used (GET only, so the cookie cannot
    # influence how a POST is processed)
    loginmethod = request.cookies.get('login') if request.method == 'GET' else None

    formid = request.form.get('form.id')
    if request.method == 'POST':
        if formid == 'passwordlogin':
            if loginform.validate():
                login_internal(loginform.user)
                db.session.commit()
                flash('You are now logged in', category='success')
                response = render_redirect(get_next_url(session=True), code=303)
                return set_loginmethod_cookie(response, 'password')
        elif formid in service_forms:
            form = service_forms[formid]['form']
            if form.validate():
                return set_loginmethod_cookie(login_registry[formid].do(form=form), formid)
        else:
            # POST with an unrecognised form id. NOTE(review): a 400 would
            # describe a malformed client request better than a 500.
            abort(500)

    if request.is_xhr and formid == 'passwordlogin':
        return render_template('forms/loginform.html', loginform=loginform, Markup=Markup)
    return render_template('login.html', loginform=loginform, lastused=loginmethod,
        service_forms=service_forms, Markup=Markup)
def login():
    """
    Render and process the login page with password and OpenID forms.

    ``form.id`` selects which form a POST belongs to: ``openid`` hands off to
    ``oid.try_login``; ``login`` validates the password form, logs the user in
    and redirects (303) to the stored next URL. The ``remember`` checkbox
    decides whether the session is permanent. XHR requests for the password
    form receive just the form fragment.
    """
    if g.user:
        # Already logged in: just send the user on
        return redirect(get_next_url(referrer=True), code=303)

    loginform = LoginForm()
    openidform = OpenIdForm()
    if request.method == 'GET':
        # Pre-fill the OpenID field with a scheme prefix
        openidform.openid.data = 'http://'

    formid = request.form.get('form.id')
    is_post = request.method == 'POST'
    if is_post and formid == 'openid' and openidform.validate():
        return oid.try_login(openidform.openid.data,
            ask_for=['email', 'fullname', 'nickname'])
    if is_post and formid == 'login' and loginform.validate():
        login_internal(loginform.user)
        # Honour the "remember me" choice with an explicit bool either way
        session.permanent = bool(loginform.remember.data)
        db.session.commit()
        flash('You are now logged in', category='success')
        return render_redirect(get_next_url(session=True), code=303)

    if request.is_xhr and formid == 'login':
        return render_template('forms/loginform.html', loginform=loginform, Markup=Markup)
    return render_template('login.html', openidform=openidform, loginform=loginform,
        oiderror=oid.fetch_error(), oidnext=oid.get_next_url(), Markup=Markup)
def account_merge():
    """
    Let the current user merge another account into their own.

    The other account is identified by ``session['merge_buid']``. Without a
    pending merge, or if that user no longer exists, the user is redirected
    away (302). On a validated submit the presence of the ``merge`` field
    decides between performing the merge (logging in as the merged user and
    announcing the change) and cancelling; both clear the session marker and
    redirect with 303.
    """
    if 'merge_buid' not in session:
        # Nothing pending
        return redirect(get_next_url(), code=302)
    other_user = User.get(buid=session['merge_buid'])
    if other_user is None:
        # Stale marker: drop it and move on
        session.pop('merge_buid', None)
        return redirect(get_next_url(), code=302)

    form = ProfileMergeForm()
    if not form.validate_on_submit():
        return render_template(
            'merge.html.jinja2',
            form=form,
            user=current_auth.user,
            other_user=other_user,
            login_registry=login_registry,
        )

    if 'merge' not in request.form:
        # User declined the merge
        session.pop('merge_buid', None)
        return redirect(get_next_url(), code=303)

    new_user = merge_users(current_auth.user, other_user)
    login_internal(new_user)
    flash(_("Your accounts have been merged"), 'success')
    session.pop('merge_buid', None)
    db.session.commit()
    user_data_changed.send(new_user, changes=['merge'])
    return redirect(get_next_url(), code=303)
def login():
    """
    Render and process the login page.

    POST forms are told apart by ``form.id``: the password form
    (``passwordlogin``) and any service form registered for the login page;
    any other POST form id is answered with a 500. The last-used login method
    is read from the ``login`` cookie on GET only and written back via
    ``set_loginmethod_cookie`` after a successful login. XHR requests for the
    password form receive just the form fragment.
    """
    # Already authenticated: nothing to do, send the user on
    if g.user:
        return redirect(get_next_url(referrer=True), code=303)

    loginform = LoginForm()
    # Only providers that offer a form on the login page itself
    service_forms = {
        service: provider.get_form()
        for service, provider in login_registry.items()
        if provider.at_login and provider.form is not None
    }

    # Which method the browser last used (GET only, so the cookie cannot
    # influence how a POST is processed)
    loginmethod = request.cookies.get('login') if request.method == 'GET' else None

    formid = request.form.get('form.id')
    if request.method == 'POST':
        if formid == 'passwordlogin':
            if loginform.validate():
                login_internal(loginform.user)
                db.session.commit()
                flash('You are now logged in', category='success')
                response = render_redirect(get_next_url(session=True), code=303)
                return set_loginmethod_cookie(response, 'password')
        elif formid in service_forms:
            form = service_forms[formid]['form']
            if form.validate():
                return set_loginmethod_cookie(login_registry[formid].do(form=form), formid)
        else:
            # POST with an unrecognised form id. NOTE(review): a 400 would
            # describe a malformed client request better than a 500.
            abort(500)

    if request.is_xhr and formid == 'passwordlogin':
        return render_template('forms/loginform.html', loginform=loginform, Markup=Markup)
    return render_template('login.html', loginform=loginform, lastused=loginmethod,
        service_forms=service_forms, Markup=Markup, login_registry=login_registry)
        def decorated_function(*args, **kwargs):
            """
            Run the wrapped view, verify that the browser accepts cookies, then
            hand off to ``_login_handler_internal``.

            The wrapped view returns a dict from which ``next`` and ``scope``
            are read. On the first visit with a fresh session a ``cookies``
            marker is stored and the browser is redirected to the same URL
            with ``cookietest=1`` appended; if the session is still new on
            that second visit, cookies are disabled and the login is aborted
            with ``no_cookies``.
            """
            view_data = f(*args, **kwargs)
            cookietest = "cookietest" in request.args
            if cookietest:
                next_url = get_next_url()
            else:
                next_url = view_data.get("next") or get_next_url(referrer=True)

            if session.new and not cookietest:
                # Fresh session: store a marker and bounce through the same URL so
                # the next request shows whether the cookie came back
                session["cookies"] = True
                # `next` rides along in the query string so it survives the round trip
                separator = "&" if urlparse.urlsplit(request.url).query else "?"
                return redirect(request.url + separator + "cookietest=1&next=" + urllib.quote(next_url))
            if session.new:
                # Marker did not come back: cookies are disabled, abort the login
                return self._auth_error_handler(
                    "no_cookies",
                    error_description=u"Your browser must accept cookies for you to login.",
                    error_uri="",
                )
            # Round trip succeeded; the marker has served its purpose
            session.pop("cookies", None)

            scope = view_data.get("scope", "id")
            return self._login_handler_internal(scope, next_url)
        def decorated_function(*args, **kwargs):
            """
            Run the wrapped view, verify that the browser accepts cookies, then
            hand off to ``_login_handler_internal``.

            The wrapped view returns a dict from which ``next`` and ``scope``
            are read. On the first visit with a fresh session a ``cookies``
            marker is stored and the browser is redirected to the same URL
            with ``cookietest=1`` appended; if the session is still new on
            that second visit, cookies are disabled and the login is aborted
            with ``no_cookies``.
            """
            view_data = f(*args, **kwargs)
            cookietest = 'cookietest' in request.args
            if cookietest:
                next_url = get_next_url()
            else:
                next_url = view_data.get('next') or get_next_url(referrer=True)

            if session.new and not cookietest:
                # Fresh session: store a marker and bounce through the same URL so
                # the next request shows whether the cookie came back
                session['cookies'] = True
                # `next` rides along in the query string so it survives the round trip
                separator = '&' if urlparse.urlsplit(request.url).query else '?'
                return redirect(request.url + separator + 'cookietest=1&next=' +
                                urllib.quote(next_url))
            if session.new:
                # Marker did not come back: cookies are disabled, abort the login
                return self._auth_error_handler(
                    'no_cookies',
                    error_description=
                    u"Your browser must accept cookies for you to login.",
                    error_uri="")
            # Round trip succeeded; the marker has served its purpose
            session.pop('cookies', None)

            scope = view_data.get('scope', 'id')
            return self._login_handler_internal(scope, next_url)
    def test_get_next_url(self):
        """``get_next_url`` honours ``?next=``, the ``external`` flag, a
        caller-supplied default, and the session fallback."""
        query_ctx = self.app.test_request_context('/?next=http://example.com')
        with query_ctx:
            # An off-site destination is only returned when external=True;
            # otherwise the default '/' (or the caller's default) wins
            self.assertEqual(get_next_url(external=True), 'http://example.com')
            self.assertEqual(get_next_url(), '/')
            self.assertEqual(get_next_url(default=()), ())

        plain_ctx = self.app.test_request_context('/')
        with plain_ctx:
            session['next'] = '/external'
            # With session=True the destination stored in the session is used
            self.assertEqual(get_next_url(session=True), '/external')
    def test_get_next_url(self):
        """``get_next_url`` honours ``?next=``, the ``external`` flag, a
        caller-supplied default, and the session fallback."""
        query_ctx = self.app.test_request_context('/?next=http://example.com')
        with query_ctx:
            # An off-site destination is only returned when external=True;
            # otherwise the default '/' (or the caller's default) wins
            assert get_next_url(external=True) == 'http://example.com'
            assert get_next_url() == '/'
            assert get_next_url(default=()) == ()

        plain_ctx = self.app.test_request_context('/')
        with plain_ctx:
            session['next'] = '/external'
            # With session=True the destination stored in the session is used
            assert get_next_url(session=True) == '/external'
    def test_get_next_url(self):
        """``get_next_url`` honours ``?next=``, the ``external`` flag, a
        caller-supplied default, and the session fallback."""
        query_ctx = self.app.test_request_context('/?next=http://example.com')
        with query_ctx:
            # An off-site destination is only returned when external=True;
            # otherwise the default '/' (or the caller's default) wins
            self.assertEqual(get_next_url(external=True), 'http://example.com')
            self.assertEqual(get_next_url(), '/')
            self.assertEqual(get_next_url(default=()), ())

        plain_ctx = self.app.test_request_context('/')
        with plain_ctx:
            session['next'] = '/external'
            # With session=True the destination stored in the session is used
            self.assertEqual(get_next_url(session=True), '/external')
def login_service(service):
    """
    Handle login with a registered service.

    Looks up ``service`` in ``login_registry`` (404 if unknown), builds an
    absolute callback URL carrying the ``next`` destination, and starts the
    provider flow. If the provider raises ``LoginInitError`` its text is
    flashed and the user is redirected back.
    """
    if service not in login_registry:
        abort(404)
    provider = login_registry[service]
    # Only an explicit ?next= is carried through the provider round trip;
    # the referrer fallback is applied only on failure
    next_url = get_next_url(referrer=False, default=None)
    callback_url = url_for('.login_service_callback', service=service,
                           next=next_url, _external=True)
    try:
        return provider.do(callback_url=callback_url)
    except LoginInitError as e:
        # The provider's error text is shown to the user; escaping is left
        # to the template that renders flashed messages
        flash("%s login failed: %s" % (provider.title, unicode(e)), category='error')
        return redirect(next_url or get_next_url(referrer=True))
def login():
    """
    Render and process the login page.

    POST forms are told apart by ``form.id``: the password form
    (``passwordlogin``), any service form registered for the login page, and
    anything else (500). A ``LoginPasswordResetException`` raised while
    validating the password form sends the user to the reset page with
    ``expired=1``. The last-used method is read from the ``login`` cookie on
    GET only and written back via ``set_loginmethod_cookie`` after a
    successful login. Every rendered response carries
    ``X-Frame-Options: SAMEORIGIN`` so the login form cannot be framed by
    other origins.
    """
    # Already authenticated: nothing to do, send the user on
    if current_auth.is_authenticated:
        return redirect(get_next_url(referrer=True), code=303)

    loginform = LoginForm()
    # Only providers that offer a form on the login page itself
    service_forms = {
        service: provider.get_form()
        for service, provider in login_registry.items()
        if provider.at_login and provider.form is not None
    }

    # Which method the browser last used (GET only, so the cookie cannot
    # influence how a POST is processed)
    loginmethod = request.cookies.get('login') if request.method == 'GET' else None

    formid = request.form.get('form.id')
    if request.method == 'POST':
        if formid == 'passwordlogin':
            try:
                if loginform.validate():
                    login_internal(loginform.user)
                    db.session.commit()
                    flash(_("You are now logged in"), category='success')
                    response = render_redirect(get_next_url(session=True), code=303)
                    return set_loginmethod_cookie(response, 'password')
            except LoginPasswordResetException:
                # Presumably an expired password: send the user to reset it first
                return render_redirect(
                    url_for('.reset', expired=1, username=loginform.username.data))
        elif formid in service_forms:
            form = service_forms[formid]['form']
            if form.validate():
                return set_loginmethod_cookie(login_registry[formid].do(form=form), formid)
        else:
            # POST with an unrecognised form id. NOTE(review): a 400 would
            # describe a malformed client request better than a 500.
            abort(500)

    # Clickjacking guard, applied to both rendered variants
    iframe_block = {'X-Frame-Options': 'SAMEORIGIN'}
    if request.is_xhr and formid == 'passwordlogin':
        fragment = render_template('loginform.html.jinja2',
                                   loginform=loginform,
                                   Markup=Markup)
        return fragment, 200, iframe_block
    page = render_template(
        'login.html.jinja2',
        loginform=loginform,
        lastused=loginmethod,
        service_forms=service_forms,
        Markup=Markup,
        login_registry=login_registry)
    return page, 200, iframe_block
def logout_return():
    """
    Landing point after a logout round trip.

    If a ``code`` query parameter names an existing ``LoginCode``, that row is
    deleted (it appears to be single-use). The user is then redirected to the
    referrer-derived next URL; off-site destinations are refused
    (``external=False``).
    """
    code_value = request.args.get('code')
    if code_value is not None:
        login_code = LoginCode.query.filter_by(code=code_value).first()
        if login_code:
            # Consume the code so it cannot be replayed
            db.session.delete(login_code)
            db.session.commit()
    return redirect(get_next_url(external=False, referrer=True))
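def _sync_profile(userid, name, title, profile_type):
    """
    Ensure a ``Profile`` row exists for ``userid`` with the given name and
    title.

    Creates the row with ``profile_type`` when missing; otherwise updates
    ``name`` and ``title`` in place, touching only columns that differ.
    Does not commit.
    """
    profile = Profile.query.filter_by(userid=userid).first()
    if profile is None:
        db.session.add(Profile(userid=userid, name=name, title=title, type=profile_type))
        return
    # Only assign on change, presumably to avoid needless writes
    if profile.name != name:
        profile.name = name
    if profile.title != title:
        profile.title = title


def lastuserauth():
    """
    Lastuser auth callback: mirror the user and each organization they own
    as ``Profile`` rows (PERSON / ORGANIZATION), commit, and redirect to the
    next URL.

    The user's profile name falls back to the userid when no username is set.
    The two near-identical create-or-update blocks of the original are
    folded into ``_sync_profile``.
    """
    # Make profiles for the user's organizations
    _sync_profile(
        g.user.userid,
        g.user.username or g.user.userid,
        g.user.fullname,
        PROFILE_TYPE.PERSON,
    )
    for org in g.user.organizations_owned():
        _sync_profile(org['userid'], org['name'], org['title'], PROFILE_TYPE.ORGANIZATION)

    db.session.commit()
    return redirect(get_next_url())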
    def new(self):
        """
        Create a new organization owned by the current user.

        Requires a verified email address or phone number on the account;
        otherwise the user is sent back with an error flash (303). On a valid
        submit the organization is created, its profile made public, the
        ``org_data_changed`` signal fired, and the user redirected (303) to
        the profile's edit page.
        """
        if not current_auth.user.has_verified_contact_info:
            flash(
                _("You need to have a verified email address "
                  "or phone number to create an organization"),
                'error',
            )
            return redirect(get_next_url(referrer=True), code=303)

        form = OrganizationForm()
        if not form.validate_on_submit():
            return render_form(
                form=form,
                title=_("Create a new organization"),
                formid='org_new',
                submit=_("Next"),
                ajax=False,
            )

        org = Organization(owner=current_auth.user)
        form.populate_obj(org)
        db.session.add(org)
        org.profile.make_public()
        db.session.commit()
        # Announce only after the commit so listeners see persisted data
        org_data_changed.send(org, changes=['new'], user=current_auth.user)
        return render_redirect(org.profile.url_for('edit'), code=303)
def logout_return():
    """
    Landing point after a logout round trip.

    If a ``code`` query parameter names an existing ``LoginCode``, that row is
    deleted (it appears to be single-use). The user is then redirected to the
    referrer-derived next URL; off-site destinations are refused
    (``external=False``).
    """
    code_value = request.args.get('code')
    if code_value is not None:
        login_code = LoginCode.query.filter_by(code=code_value).first()
        if login_code:
            # Consume the code so it cannot be replayed
            db.session.delete(login_code)
            db.session.commit()
    return redirect(get_next_url(external=False, referrer=True))
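def _sync_channel(userid, name, title, channel_type):
    """
    Ensure a ``Channel`` row exists for ``userid`` with the given name and
    title.

    Creates the row with ``channel_type`` when missing; otherwise updates
    ``name`` and ``title`` in place, touching only columns that differ.
    Does not commit.
    """
    channel = Channel.query.filter_by(userid=userid).first()
    if channel is None:
        db.session.add(Channel(userid=userid, name=name, title=title, type=channel_type))
        return
    # Only assign on change, presumably to avoid needless writes
    if channel.name != name:
        channel.name = name
    if channel.title != title:
        channel.title = title


def lastuserauth():
    """
    Lastuser auth callback: mirror the user and each organization they own
    as ``Channel`` rows (PERSON / ORGANIZATION), commit, and redirect to the
    next URL.

    The user's channel name falls back to the userid when no username is set.
    The two near-identical create-or-update blocks of the original are
    folded into ``_sync_channel``.
    """
    # Make channels for the user's organizations
    _sync_channel(
        g.user.userid,
        g.user.username or g.user.userid,
        g.user.fullname,
        CHANNEL_TYPE.PERSON,
    )
    for org in g.user.organizations_owned():
        _sync_channel(org['userid'], org['name'], org['title'], CHANNEL_TYPE.ORGANIZATION)

    db.session.commit()
    return redirect(get_next_url())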
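def _sync_profile(userid, name, title, profile_type):
    """
    Ensure a ``Profile`` row exists for ``userid`` with the given name and
    title.

    Creates the row with ``profile_type`` when missing; otherwise updates
    ``name`` and ``title`` in place, touching only columns that differ.
    Does not commit.
    """
    profile = Profile.query.filter_by(userid=userid).first()
    if profile is None:
        db.session.add(Profile(userid=userid, name=name, title=title, type=profile_type))
        return
    # Only assign on change, presumably to avoid needless writes
    if profile.name != name:
        profile.name = name
    if profile.title != title:
        profile.title = title


def lastuserauth():
    """
    Lastuser auth callback: mirror the user and each organization they own
    as ``Profile`` rows (PERSON / ORGANIZATION), commit, and redirect to the
    next URL.

    The user's profile name falls back to the userid when no username is set.
    The two near-identical create-or-update blocks of the original are
    folded into ``_sync_profile``.
    """
    # Make profiles for the user's organizations
    _sync_profile(
        g.user.userid,
        g.user.username or g.user.userid,
        g.user.fullname,
        PROFILE_TYPE.PERSON,
    )
    for org in g.user.organizations_owned():
        _sync_profile(org['userid'], org['name'], org['title'], PROFILE_TYPE.ORGANIZATION)

    db.session.commit()
    return redirect(get_next_url())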
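def _sync_channel(userid, name, title, channel_type):
    """
    Ensure a ``Channel`` row exists for ``userid`` with the given name and
    title.

    Creates the row with ``channel_type`` when missing; otherwise updates
    ``name`` and ``title`` in place, touching only columns that differ.
    Does not commit.
    """
    channel = Channel.query.filter_by(userid=userid).first()
    if channel is None:
        db.session.add(Channel(userid=userid, name=name, title=title, type=channel_type))
        return
    # Only assign on change, presumably to avoid needless writes
    if channel.name != name:
        channel.name = name
    if channel.title != title:
        channel.title = title


def lastuserauth():
    """
    Lastuser auth callback: mirror the user and each organization they own
    as ``Channel`` rows (PERSON / ORGANIZATION), commit, and redirect to the
    next URL.

    The user's channel name falls back to the userid when no username is set.
    The two near-identical create-or-update blocks of the original are
    folded into ``_sync_channel``.
    """
    # Make channels for the user's organizations
    _sync_channel(
        g.user.userid,
        g.user.username or g.user.userid,
        g.user.fullname,
        CHANNEL_TYPE.PERSON,
    )
    for org in g.user.organizations_owned():
        _sync_channel(org['userid'], org['name'], org['title'], CHANNEL_TYPE.ORGANIZATION)

    db.session.commit()
    return redirect(get_next_url())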
def profile_new():
    """
    Ask a newly arrived user to complete their profile.

    The form is pre-filled from ``g.user``; field descriptions come from the
    ``*_REASON`` config keys. On a valid submit the full name, username and
    description are written directly (``user.email`` is read-only, so an
    address not already on file becomes a ``UserEmailClaim`` and a
    verification link is sent), then the user is redirected (303) to the next
    URL.
    """
    form = ProfileNewForm(obj=g.user)
    # Site-configurable explanations for why each field is requested
    config = app.config
    form.fullname.description = config.get('FULLNAME_REASON')
    form.email.description = config.get('EMAIL_REASON')
    form.username.description = config.get('USERNAME_REASON')
    form.description.description = config.get('BIO_REASON')

    if not form.validate_on_submit():
        return render_form(form, title="Update profile", formid="profile_new", submit="Continue",
            message=u"Hello, %s. Please spare a minute to fill out your profile." % g.user.fullname,
            ajax=True)

    # Can't auto-populate here because user.email is read-only
    g.user.fullname = form.fullname.data
    g.user.username = form.username.data
    g.user.description = form.description.data

    needs_email_claim = form.existing_email is None
    if needs_email_claim:
        # Address not on file: record it as a claim to be confirmed by email
        useremail = UserEmailClaim(user=g.user, email=form.email.data)
        db.session.add(useremail)
    db.session.commit()
    if needs_email_claim:
        # Only send the link once the claim row is committed
        send_email_verify_link(useremail)
        flash("Your profile was successfully updated. We sent you an email to confirm your address", category='success')
    else:
        flash("Your profile was successfully updated.", category='success')

    return render_redirect(get_next_url(), code=303)
def login_github():
    """
    Start the GitHub OAuth flow.

    Redirects to GitHub's authorization URL, formatted with the app key and a
    quoted absolute callback URL that carries the ``next`` destination. If
    building the redirect raises ``OAuthException`` the error is flashed and
    the user is sent to ``next_url`` instead.
    """
    # Only an explicit ?next= is carried through the OAuth round trip
    next_url = get_next_url(referrer=False)
    try:
        callback = url_for('login_github_authorized', _external=True, next=next_url)
        return redirect(github['auth_url'] % (github['key'], quote(callback)))
    except OAuthException as e:
        flash(u"GitHub login failed: %s" % unicode(e), category="error")
        return redirect(next_url)
def logout_client():
    """
    Client-initiated logout.

    The ``client_id`` query parameter is resolved through ``ClientCredential``.
    The request is honoured only when it carries a Referer that
    ``client.host_matches`` accepts, and when the optional ``next``
    destination passes the same check; anything else is treated as a possible
    CSRF attempt and the user is sent to the index page with an error flash,
    still logged in. On success the user is logged out, the session committed,
    and the user redirected to the (external) next URL.
    """
    def refuse():
        # Shared refusal path: flash the configured message and bounce to index
        message = current_app.config.get('LOGOUT_UNAUTHORIZED_MESSAGE') or logotout_placeholder_never_used if False else (current_app.config.get('LOGOUT_UNAUTHORIZED_MESSAGE') or logout_errormsg)
        flash(message, 'danger')
        return redirect(url_for('index'))

    cred = ClientCredential.get(request.args['client_id'])
    client = cred.client if cred else None

    referrer = request.referrer
    # A missing Referer is *not* given the benefit of the doubt here: the
    # logout must visibly originate from the client's site
    if client is None or not referrer or not client.host_matches(referrer):
        return refuse()

    # If there is a next destination, it must be on the client's host too
    if 'next' in request.args and not client.host_matches(request.args['next']):
        return refuse()

    # All good. Log them out and send them back
    logout_internal()
    db.session.commit()
    return redirect(get_next_url(external=True))
def login_service(service):
    """
    Handle login with a registered service.

    Looks up ``service`` in ``login_registry`` (404 if unknown), builds an
    absolute callback URL carrying the ``next`` destination and starts the
    provider flow. ``LoginInitError`` and ``LoginCallbackError`` are sent to
    the ``exception_catchall`` signal, flashed, and the user is redirected
    back.
    """
    if service not in login_registry:
        abort(404)
    provider = login_registry[service]
    # Only an explicit ?next= is carried through the provider round trip;
    # the referrer fallback is applied only on failure
    next_url = get_next_url(referrer=False, default=None)
    callback_url = url_for('.login_service_callback', service=service,
                           next=next_url, _external=True)
    try:
        return provider.do(callback_url=callback_url)
    except (LoginInitError, LoginCallbackError) as e:
        msg = _(u"{service} login failed: {error}").format(
            service=provider.title, error=unicode(e))
        # Notify signal listeners before telling the user
        exception_catchall.send(e, message=msg)
        flash(msg, category='danger')
        return redirect(next_url or get_next_url(referrer=True))
def lastuser_error(error, error_description=None, error_uri=None):
    """
    Handle an error reported by the Lastuser auth flow.

    ``access_denied`` (the user declined) is flashed and the user redirected
    to the next URL. Any other error is echoed as a plain-text response;
    ``text/plain`` keeps the browser from interpreting the echoed values as
    HTML.
    """
    if error == "access_denied":
        flash("You denied the request to login", category="error")
        return redirect(get_next_url())
    body = u"Error: %s\nDescription: %s\nURI: %s" % (error, error_description, error_uri)
    return Response(body, mimetype="text/plain")
def register():
    """
    Render and process the account registration form.

    Already-authenticated users are sent to the index page. The recaptcha
    field is dropped unless both ``RECAPTCHA_PUBLIC_KEY`` and
    ``RECAPTCHA_PRIVATE_KEY`` are configured. On a valid submit the user is
    created, the email address recorded as a claim with a verification link
    sent, the user logged in and redirected (303) to the next URL.
    """
    if current_auth.is_authenticated:
        return redirect(url_for('index'))

    config = current_app.config
    form = RegisterForm()
    # Make Recaptcha optional: keep the field only when fully configured
    recaptcha_configured = bool(
        config.get('RECAPTCHA_PUBLIC_KEY') and config.get('RECAPTCHA_PRIVATE_KEY'))
    if not recaptcha_configured:
        del form.recaptcha
    # Site-configurable explanations for why each field is requested
    form.fullname.description = config.get('FULLNAME_REASON')
    form.email.description = config.get('EMAIL_REASON')
    form.username.description = config.get('USERNAME_REASON')

    if not form.validate_on_submit():
        return render_form(
            form=form,
            title=_("Create an account"),
            formid='register',
            submit=_("Register"),
            message=config.get('CREATE_ACCOUNT_MESSAGE'))

    user = register_internal(form.username.data, form.fullname.data, form.password.data)
    # The address stays unverified until the emailed link is followed.
    # NOTE(review): the email goes out before the commit below; a failed
    # commit would leave a sent link with no claim row behind it.
    useremail = UserEmailClaim(user=user, email=form.email.data)
    db.session.add(useremail)
    send_email_verify_link(useremail)
    login_internal(user)
    db.session.commit()
    flash(_("You are now one of us. Welcome aboard!"), category='success')
    return redirect(get_next_url(session=True), code=303)
def lastuserauth():
    """
    Lastuser auth callback: let ``Workspace`` update itself from the
    logged-in user (creating neither user nor org profiles), commit, and
    redirect to the next URL.
    """
    Workspace.update_from_user(
        g.user, db.session, make_user_profiles=False, make_org_profiles=False)
    db.session.commit()
    return redirect(get_next_url())
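def login_twitter_authorized(resp):
    """
    OAuth callback for Twitter login.

    ``resp`` is the token response (``None`` when the user declined). The
    user's public profile is looked up on a best-effort basis to fill in the
    display name and avatar, then the external id is recorded via
    ``config_external_id``, which may override the next URL. Redirects with
    303 so that the back button does not replay the token exchange.

    Fix: the profile lookup previously caught only ``URLError``, so a
    non-JSON body or an empty result list aborted the whole login; it now
    falls back to an empty profile for those too, and the response object is
    closed on every path.
    """
    if resp is None:
        flash(u'You denied the request to login via Twitter.', 'error')
        return redirect(url_for('login'))
    next_url = get_next_url(session=True)

    # Try to read more from the user's Twitter profile. This is optional: any
    # failure to fetch or parse the lookup leaves twinfo empty. Note that the
    # lookup goes over plain http.
    lookup_url = 'http://api.twitter.com/1/users/lookup.json?%s' % urlencode(
        {'user_id': resp['user_id']})
    twinfo = {}
    try:
        conn = urlopen(lookup_url)
        try:
            twinfo = json.loads(conn.read())[0]
        finally:
            # Release the socket even when parsing fails
            conn.close()
    except (URLError, ValueError, IndexError):
        # URLError: network/HTTP failure; ValueError: body is not JSON;
        # IndexError: lookup returned an empty list
        twinfo = {}

    screen_name = resp['screen_name']
    return_url = config_external_id(service='twitter',
                                    service_name='Twitter',
                                    user=None,
                                    userid=resp['user_id'],
                                    username=screen_name,
                                    fullname=twinfo.get('name', '@' + screen_name),
                                    avatar=twinfo.get('profile_image_url', '').replace("normal.", "bigger."),
                                    access_token=resp['oauth_token'],
                                    secret=resp['oauth_token_secret'],
                                    token_type=None,
                                    next_url=next_url)
    if return_url is not None:
        next_url = return_url

    # Redirect with 303 because users hitting the back button
    # cause invalid/expired token errors from Twitter
    return redirect(next_url, code=303)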
def lastuserauth():
    """
    Lastuser auth callback: let ``Profile`` update itself from the logged-in
    user, using the PERSON and ORGANIZATION profile types, then commit and
    redirect to the next URL.
    """
    Profile.update_from_user(
        g.user, db.session,
        type_user=PROFILE_TYPE.PERSON, type_org=PROFILE_TYPE.ORGANIZATION)
    db.session.commit()
    return redirect(get_next_url())
def profile_new():
    """
    Ask a newly arrived user to complete their profile.

    The form is pre-filled from ``g.user``; field descriptions come from the
    ``*_REASON`` config keys. On a valid submit the full name, username and
    description are written directly (``user.email`` is read-only, so an
    address not already on file becomes a ``UserEmailClaim`` and a
    verification link is sent), then the user is redirected (303) to the next
    URL.
    """
    form = ProfileNewForm(obj=g.user)
    # Site-configurable explanations for why each field is requested
    config = app.config
    form.fullname.description = config.get('FULLNAME_REASON')
    form.email.description = config.get('EMAIL_REASON')
    form.username.description = config.get('USERNAME_REASON')
    form.description.description = config.get('BIO_REASON')

    if not form.validate_on_submit():
        return render_form(
            form,
            title="Update profile",
            formid="profile_new",
            submit="Continue",
            message=u"Hello, %s. Please spare a minute to fill out your profile." %
            g.user.fullname,
            ajax=True)

    # Can't auto-populate here because user.email is read-only
    g.user.fullname = form.fullname.data
    g.user.username = form.username.data
    g.user.description = form.description.data

    needs_email_claim = form.existing_email is None
    if needs_email_claim:
        # Address not on file: record it as a claim to be confirmed by email
        useremail = UserEmailClaim(user=g.user, email=form.email.data)
        db.session.add(useremail)
    db.session.commit()
    if needs_email_claim:
        # Only send the link once the claim row is committed
        send_email_verify_link(useremail)
        flash(
            "Your profile was successfully updated. We sent you an email to confirm your address",
            category='success')
    else:
        flash("Your profile was successfully updated.", category='success')

    return render_redirect(get_next_url(), code=303)
 def toggle_featured(self):
     """
     Flip the ``featured`` flag on this view's object.

     Site editors only (403 otherwise). The flip happens only on a validated
     submit of an empty form, never on a bare GET; afterwards the user is
     sent back to the referrer (303).
     """
     if not current_auth.user.is_site_editor:
         return abort(403)
     # The empty form exists so that validate_on_submit gates the change on a
     # POST (and, presumably, on a CSRF token — confirm against forms.Form)
     featured_form = forms.Form()
     if featured_form.validate_on_submit():
         obj = self.obj
         obj.featured = not obj.featured
         db.session.commit()
     return redirect(get_next_url(referrer=True), 303)
def lastuserauth():
    """
    Post-login hook: sync ``Board`` records for the signed-in user, emit the
    login signal, commit, and redirect to the next URL.
    """
    user = g.user
    # No profiles are auto-created here, for either the user or their orgs
    Board.update_from_user(user, db.session,
                           make_user_profiles=False, make_org_profiles=False)
    signal_login.send(app, user=user)
    db.session.commit()
    return redirect(get_next_url())
def logout_session(session):
    """
    Revoke one of the current user's login sessions.

    The request is refused (flash + redirect to index) unless a Referer is
    present and on the same netloc as this request, and the session belongs to
    the signed-in user. Otherwise the session is revoked, committed, and the
    caller returns to the referrer with a 303.
    """
    referrer = request.referrer
    same_site = bool(referrer) and (
        urlparse.urlsplit(referrer).netloc == urlparse.urlsplit(request.url).netloc)
    # The Referer check is only a weak cross-site guard (browsers and proxies
    # may strip it); the ownership check is the one that must hold.
    if not same_site or session.user != current_auth.user:
        flash(current_app.config.get('LOGOUT_UNAUTHORIZED_MESSAGE') or logout_errormsg, 'danger')
        return redirect(url_for('index'))

    session.revoke()
    db.session.commit()
    return redirect(get_next_url(referrer=True), code=303)
def lastuser_error(error, error_description=None, error_uri=None):
    """
    Handle an error reported by the Lastuser auth flow.

    ``access_denied`` means the user cancelled, so it is flashed and the user
    is sent back rather than shown an error page. Everything else renders
    ``autherror.html`` with the error details.
    """
    if error != 'access_denied':
        return render_template("autherror.html",
                               error=error,
                               error_description=error_description,
                               error_uri=error_uri)
    flash("You denied the request to login", category='error')
    return redirect(get_next_url())
def login_twitter():
    """
    Start a Twitter OAuth login.

    The destination (``referrer=False``: taken from the request, not the
    Referer) is passed through to the ``login_twitter_authorized`` callback.
    If the authorize step fails the error is flashed and the user is sent to
    the login page.
    """
    destination = get_next_url(referrer=False)
    try:
        callback = url_for('login_twitter_authorized', next=destination)
        return twitter.authorize(callback=callback)
    except (OAuthException, BadStatusLine) as e:
        flash("Twitter login failed: %s" % unicode(e), category="error")
        return redirect(url_for('login'))
def lastuser_error(error, error_description=None, error_uri=None):
    """
    Handle an error from the Lastuser auth flow as plain text.

    ``access_denied`` (the user cancelled) is flashed and redirected; any other
    error is returned verbatim with ``text/plain``, so no HTML escaping is
    needed for the provider-supplied strings.
    """
    if error == 'access_denied':
        flash("You denied the request to login", category='error')
        return redirect(get_next_url())
    body = u"Error: %s\nDescription: %s\nURI: %s" % (error, error_description, error_uri)
    return Response(body, mimetype="text/plain")
def logout_session(session):
    """
    Revoke a login session owned by the current user.

    Refuses (flash + redirect to index) when the Referer is missing or on a
    different netloc than this request, or when the session is not the
    current user's. Otherwise revokes, commits and returns to the referrer.
    """
    def _same_netloc(ref):
        # Referer is a weak cross-site signal only; ownership below is the
        # check that actually protects other users' sessions.
        return urlparse.urlsplit(ref).netloc == urlparse.urlsplit(request.url).netloc

    referrer = request.referrer
    allowed = bool(referrer) and _same_netloc(referrer) and session.user == current_auth.user
    if not allowed:
        flash(current_app.config.get('LOGOUT_UNAUTHORIZED_MESSAGE') or logout_errormsg, 'danger')
        return redirect(url_for('index'))

    session.revoke()
    db.session.commit()
    return redirect(get_next_url(referrer=True), code=303)
def login_service(service):
    """
    Handle login with a registered service.

    Unknown services get a 404. Otherwise an external callback URL carrying the
    request's ``next`` destination is built and the provider takes over. A
    ``LoginInitError`` is flashed and the user is returned to ``next`` or,
    failing that, the referrer.
    """
    if service not in login_registry:
        abort(404)
    provider = login_registry[service]
    # default=None leaves next_url empty when no destination was requested,
    # so the fallback in the except branch can use the referrer instead.
    next_url = get_next_url(referrer=False, default=None)
    callback_url = url_for('.login_service_callback', service=service,
                           next=next_url, _external=True)
    try:
        return provider.do(callback_url=callback_url)
    except LoginInitError as e:
        flash("%s login failed: %s" % (provider.title, unicode(e)),
              category='error')
        return redirect(next_url or get_next_url(referrer=True))
def lastuser_error(error, error_description=None, error_uri=None):
    """
    Handle an error from the Lastuser auth flow with a rendered message page.

    ``access_denied`` (user cancelled) is flashed and redirected. Other errors
    are shown via ``render_message``; the provider-supplied description and
    URI are HTML-escaped before being wrapped in ``Markup``.
    """
    if error == 'access_denied':
        flash(_("You denied the request to login"), category='error')
        return redirect(get_next_url())
    title = _("Error: {error}").format(error=error)
    desc = escape(error_description or '')
    uri = escape(error_uri or _('NA'))
    body = Markup("<p>{desc}</p><p>URI: {uri}</p>".format(desc=desc, uri=uri))
    return render_message(title=title, message=body)
def account_edit(newprofile=False):
    """
    Edit the signed-in user's profile, or complete it for a new account.

    With ``newprofile`` set, the email field is offered only to a user who has
    no address yet; a successful save then records a ``UserEmailClaim``, mails
    a verification link and redirects to the next URL. Without it the email
    field is removed and a successful save returns to the account page. Field
    help text comes from app config and ``user_data_changed`` is sent on every
    save.
    """
    user = current_auth.user
    form = ProfileForm(obj=user)
    form.edit_user = user
    for field, reason_key in ((form.fullname, 'FULLNAME_REASON'),
                              (form.email, 'EMAIL_REASON'),
                              (form.username, 'USERNAME_REASON'),
                              (form.timezone, 'TIMEZONE_REASON')):
        field.description = current_app.config.get(reason_key)
    # Offer the email field only when completing a new profile for a user
    # without an address; otherwise drop it from the form entirely.
    offer_email = newprofile is not False and not user.email
    if not offer_email:
        del form.email

    if form.validate_on_submit():
        # user.email is read-only, so the writable fields are copied by hand
        user.fullname = form.fullname.data
        user.username = form.username.data
        user.timezone = form.timezone.data

        if newprofile and not user.email:
            claim = UserEmailClaim.get(user=user, email=form.email.data)
            if claim is None:
                claim = UserEmailClaim(user=user, email=form.email.data)
                db.session.add(claim)
            send_email_verify_link(claim)
            db.session.commit()
            user_data_changed.send(user, changes=['profile', 'email-claim'])
            flash(_(
                "Your profile has been updated. We sent you an email to confirm your address"
            ),
                  category='success')
        else:
            db.session.commit()
            user_data_changed.send(user, changes=['profile'])
            flash(_("Your profile has been updated"), category='success')

        target = get_next_url() if newprofile else url_for('account')
        return render_redirect(target, code=303)

    if not newprofile:
        return render_form(form,
                           title=_("Edit profile"),
                           formid='account_edit',
                           submit=_("Save changes"),
                           ajax=True)
    # The greeting is HTML, so the user's name is escaped before interpolation
    greeting = Markup(
        _(u"Hello, <strong>{fullname}</strong>. Please spare a minute to fill out your profile"
          ).format(fullname=escape(user.fullname)))
    return render_form(
        form,
        title=_("Update profile"),
        formid='account_new',
        submit=_("Continue"),
        message=greeting,
        ajax=True)
def lastuserauth():
    """
    Post-login hook: mirror each organization's ``name`` and ``title`` onto
    the matching ``Workspace`` (looked up by ``userid``), commit, and redirect
    to the next URL. Organizations without a workspace are skipped.
    """
    for org in g.user.organizations_memberof():
        workspace = Workspace.query.filter_by(userid=org['userid']).first()
        if not workspace:
            continue
        for attr in ('name', 'title'):
            if getattr(workspace, attr) != org[attr]:
                setattr(workspace, attr, org[attr])
    db.session.commit()
    return redirect(get_next_url())
def login():
    """
    Start a login handshake with the admin host.

    A ``LoginCode`` stores where to return to (``next_url``, with
    ``external=False`` and a referrer fallback) and the external
    ``login_return`` endpoint. The browser is then redirected to
    ``/login/event`` on the first configured ``ADMIN_HOSTS`` entry, carrying
    the code. The scheme follows the ``USE_SSL`` setting.
    """
    code = LoginCode(
        next_url=get_next_url(external=False, referrer=True),
        return_url=url_for('login_return', _external=True))
    db.session.add(code)
    db.session.commit()
    scheme = 'https://' if app.config.get('USE_SSL') else 'http://'
    admin_host = app.config['ADMIN_HOSTS'][0]
    return redirect(urljoin(scheme + admin_host, '/login/event?code=' + code.code))
def logout():
    """
    Emit the logout signal and return the URL to continue to.

    When the request carries a ``code`` that matches a ``LoginCode``, the
    follow-on URL is the ``logout_event`` endpoint for that code and nothing is
    flashed; otherwise it is the generic next URL plus a logged-out notice.
    Note this returns a URL string rather than a redirect response — the
    caller is expected to act on it.
    """
    login_code = None
    requested = request.args.get('code')
    if requested is not None:
        login_code = LoginCode.query.filter_by(code=requested).first()
    if login_code:
        destination = url_for('logout_event', code=login_code.code)
    else:
        destination = get_next_url()
        flash(u"You are now logged out", category='success')
    signal_logout.send(app, user=g.user)
    return destination
def profile_merge():
    """
    Confirm and perform a merge of the signed-in user with another account.

    Needs ``merge_userid`` in the session (set earlier in the flow) and that
    it resolves to a user; otherwise the key is cleared and the user is sent
    on. On a valid submit the ``merge`` button merges the accounts and logs in
    as the resulting user; any other submit abandons the merge. Both outcomes
    drop the pending id from the session.
    """
    if "merge_userid" not in session:
        return redirect(get_next_url(), code=302)
    other_user = User.query.filter_by(userid=session["merge_userid"]).first()
    if other_user is None:
        session.pop("merge_userid", None)
        return redirect(get_next_url(), code=302)

    form = ProfileMergeForm()
    if not form.validate_on_submit():
        return render_template("merge.html", form=form, user=g.user, other_user=other_user, login_registry=login_registry)

    if "merge" in request.form:
        merged = merge_users(g.user, other_user)
        login_internal(merged)
        user_data_changed.send(merged, changes=["merge"])
        flash("Your accounts have been merged.", "success")
    # Merge or cancel, the pending merge is over either way
    session.pop("merge_userid", None)
    return redirect(get_next_url(), code=303)
def lastuser_error(error, error_description=None, error_uri=None):
    """
    Handle an error from the Lastuser auth flow with a rendered message page.

    ``access_denied`` (user cancelled) is flashed and redirected. Other errors
    go through ``render_message``; the description and URI supplied by the
    provider are HTML-escaped before being wrapped in ``Markup``.
    """
    if error == 'access_denied':
        flash("You denied the request to login", category='error')
        return redirect(get_next_url())
    title = "Error: {0}".format(error)
    desc = escape(error_description or '')
    uri = escape(error_uri or _('NA'))
    body = Markup("<p>{desc}</p><p>URI: {uri}</p>".format(desc=desc, uri=uri))
    return render_message(title=title, message=body)
def logout():
    """
    Send the logout signal and return the URL to continue to.

    With a ``code`` argument that resolves to a ``LoginCode``, the destination
    is that code's ``logout_event`` endpoint (no flash). Otherwise it is the
    generic next URL and a logged-out notice is flashed. Returns a URL string,
    not a response; the caller is expected to redirect.
    """
    def _lookup_code():
        if 'code' not in request.args:
            return None
        return LoginCode.query.filter_by(code=request.args['code']).first()

    login_code = _lookup_code()
    if not login_code:
        flash(u"You are now logged out", category='success')
        destination = get_next_url()
    else:
        destination = url_for('logout_event', code=login_code.code)
    signal_logout.send(app, user=g.user)
    return destination
def login_service(service):
    """
    Handle login with a registered service.

    Unknown services get a 404. Otherwise an external callback URL carrying the
    request's ``next`` destination is built and the provider takes over. Init
    and callback errors are reported via ``exception_catchall``, flashed, and
    the user is returned to ``next`` or, failing that, the referrer.
    """
    if service not in login_registry:
        abort(404)
    provider = login_registry[service]
    # default=None leaves next_url empty when nothing was requested, so the
    # except branch can fall back to the referrer.
    next_url = get_next_url(referrer=False, default=None)
    callback_url = url_for('.login_service_callback', service=service,
                           next=next_url, _external=True)
    try:
        return provider.do(callback_url=callback_url)
    except (LoginInitError, LoginCallbackError) as e:
        msg = _("{service} login failed: {error}").format(service=provider.title,
                                                          error=str(e))
        # Let the catch-all handler see the failure before the user does
        exception_catchall.send(e, message=msg)
        flash(msg, category='danger')
        return redirect(next_url or get_next_url(referrer=True))
def login():
    """
    Render the login page and process password or service-form logins.

    GET: shows the login form (and the forms of any registry providers that
    participate at login), pre-selecting the method remembered in the
    ``login`` cookie. POST with ``form.id == 'passwordlogin'``: validates the
    password form, logs the user in, commits and redirects (303) to the
    session's next URL, remembering ``'password'`` as the method. POST with a
    service form id: validates and hands off to that provider. Any other POST
    aborts with 500. Responses carry ``X-Frame-Options: SAMEORIGIN``.
    """
    # If user is already logged in, send them back
    if current_auth.is_authenticated:
        return redirect(get_next_url(referrer=True), code=303)

    loginform = LoginForm()
    service_forms = {}
    # Only providers that opt in (at_login) and define a form are shown inline
    for service, provider in login_registry.items():
        if provider.at_login and provider.form is not None:
            service_forms[service] = provider.get_form()

    # Last-used method is only read on GET, to pre-select it in the template
    loginmethod = None
    if request.method == 'GET':
        loginmethod = request.cookies.get('login')

    formid = request.form.get('form.id')
    if request.method == 'POST' and formid == 'passwordlogin':
        try:
            if loginform.validate():
                user = loginform.user
                login_internal(user)
                db.session.commit()
                flash(_("You are now logged in"), category='success')
                # session=True: the next URL is taken from the session here
                return set_loginmethod_cookie(render_redirect(get_next_url(session=True), code=303),
                    'password')
        except LoginPasswordResetException:
            # Account exists but has no password: route to the reset flow
            flash(_(u"Your account does not have a password set. Please enter your username "
                "or email address to request a reset code and set a new password"), category='danger')
            return render_redirect(url_for('.reset', username=loginform.username.data))
    elif request.method == 'POST' and formid in service_forms:
        form = service_forms[formid]['form']
        if form.validate():
            return set_loginmethod_cookie(login_registry[formid].do(form=form), formid)
    elif request.method == 'POST':
        # NOTE(review): an unrecognised form id is a client-side problem;
        # 500 is what the code does today — confirm whether 400 was intended
        abort(500)
    # Refuse to be framed cross-origin so the login form can't be clickjacked
    iframe_block = {'X-Frame-Options': 'SAMEORIGIN'}
    # NOTE(review): request.is_xhr is deprecated in newer Werkzeug releases —
    # confirm the pinned version before upgrading
    if request.is_xhr and formid == 'passwordlogin':
        return render_template('loginform.html.jinja2', loginform=loginform, Markup=Markup), 200, iframe_block
    else:
        return render_template('login.html.jinja2', loginform=loginform, lastused=loginmethod,
            service_forms=service_forms, Markup=Markup, login_registry=login_registry), 200, iframe_block
def logout_user():
    """
    User-initiated logout

    Logs out only when the Referer is present and its hostname matches this
    request's hostname; otherwise flashes the unauthorized message and goes to
    the index. The referrer is a weak cross-site guard (it can be stripped),
    which is why a proper logout form is still a TODO.
    """
    referrer = request.referrer
    own_host = urlparse.urlsplit(request.url).hostname
    # TODO: present a logout form
    if not referrer or urlparse.urlsplit(referrer).hostname != own_host:
        flash(current_app.config.get('LOGOUT_UNAUTHORIZED_MESSAGE') or logout_errormsg, 'danger')
        return redirect(url_for('index'))
    logout_internal()
    flash('You are now logged out', category='info')
    return redirect(get_next_url())
def lastuser_error(error, error_description=None, error_uri=None):
    """
    Handle an error from the Lastuser auth flow with a rendered message page.

    ``access_denied`` (user cancelled) is flashed and redirected. Other errors
    go through ``render_message``; provider-supplied description and URI are
    HTML-escaped before being wrapped in ``Markup``.
    """
    if error == "access_denied":
        flash(_(u"You denied the request to login"), category="error")
        return redirect(get_next_url())
    title = _(u"Error: {error}").format(error=error)
    desc = escape(error_description or u"")
    uri = escape(error_uri or _(u"NA"))
    body = Markup(u"<p>{desc}</p><p>URI: {uri}</p>".format(desc=desc, uri=uri))
    return render_message(title=title, message=body)
def logout_user():
    """
    User-initiated logout

    Proceeds only when a Referer is present and shares this request's
    hostname; otherwise flashes ``logout_errormsg`` and redirects to the
    index. The Referer is a weak cross-site guard (clients may strip it),
    hence the TODO for a real logout form.
    """
    def _same_host(ref):
        return urlparse.urlsplit(ref).hostname == urlparse.urlsplit(request.url).hostname

    referrer = request.referrer
    # TODO: present a logout form
    if referrer and _same_host(referrer):
        logout_internal()
        flash('You are now logged out', category='success')
        return redirect(get_next_url())
    flash(logout_errormsg, 'error')
    return redirect(url_for('index'))
def login(scope='', next=None):
    """
    Start a login handshake with the login host.

    ``next`` defaults to the next URL (``external=False``, referrer fallback).
    A ``LoginCode`` records ``next``, the external ``login_return`` endpoint
    and the requested ``scope``; the browser is then redirected to
    ``/login/event`` on ``LOGIN_HOST`` with the code. The scheme follows
    ``USE_SSL``.
    """
    destination = get_next_url(external=False, referrer=True) if next is None else next
    code = LoginCode(next_url=destination,
                     return_url=url_for('login_return', _external=True),
                     scope=scope)
    db.session.add(code)
    db.session.commit()
    scheme = 'https://' if app.config.get('USE_SSL') else 'http://'
    login_host = app.config['LOGIN_HOST']
    return redirect(urljoin(scheme + login_host, '/login/event?code=' + code.code))
 def transition(self):
     """
     Apply a state transition chosen in the object's transition form.

     On a valid submit the named transition method is invoked on ``self.obj``
     and committed; otherwise an error is flashed. Either way the caller is
     returned to the referrer with a 303.
     """
     form = self.obj.forms.transition(obj=self.obj)
     if not form.validate_on_submit():
         flash(
             _("There was a problem saving your changes. Please try again"),
             'error')
         return redirect(get_next_url(referrer=True), code=303)
     # NOTE(review): the method is looked up by name from form data, so this
     # relies on the form restricting transition choices to the object's
     # declared transitions — confirm in forms.transition
     name = form.transition.data
     apply_transition = getattr(self.obj, name)
     apply_transition()
     db.session.commit()
     flash(_("Your changes have been saved"), 'info')
     return redirect(get_next_url(referrer=True), code=303)
def logout():
    """
    Log out locally and hand off to the login host to finish the logout.

    Records a ``LoginCode`` with the next URL and the external
    ``logout_return`` endpoint, clears ``userid`` from the session, sends the
    logout signal, clears ``g.user`` and redirects to ``/logout`` on
    ``LOGIN_HOST`` with the code. Scheme follows ``USE_SSL``.
    """
    code = LoginCode(
        next_url=get_next_url(external=False, referrer=True),
        return_url=url_for('logout_return', _external=True))
    # Tear down the local session before the remote host is told
    session.pop('userid', None)
    signal_logout.send(eventapp, user=g.user)
    g.user = None
    db.session.add(code)
    db.session.commit()
    scheme = 'https://' if app.config.get('USE_SSL') else 'http://'
    login_host = app.config['LOGIN_HOST']
    return redirect(urljoin(scheme + login_host, '/logout?code=' + code.code))
def account_merge():
    """
    Confirm and perform a merge of the signed-in user with another account.

    Needs ``merge_buid`` in the session (set earlier in the flow) and that it
    resolves to a user; otherwise the key is cleared and the user is sent on.
    On a valid submit the ``merge`` button merges the accounts, logs in as the
    resulting user, commits and signals the change; any other submit abandons
    the merge. Both outcomes drop the pending id from the session.
    """
    if 'merge_buid' not in session:
        return redirect(get_next_url(), code=302)
    other_user = User.get(buid=session['merge_buid'])
    if other_user is None:
        session.pop('merge_buid', None)
        return redirect(get_next_url(), code=302)

    form = ProfileMergeForm()
    if not form.validate_on_submit():
        return render_template('merge.html.jinja2', form=form, user=current_auth.user, other_user=other_user,
            login_registry=login_registry)

    if 'merge' not in request.form:
        # Cancelled: forget the pending merge and move on
        session.pop('merge_buid', None)
        return redirect(get_next_url(), code=303)
    merged = merge_users(current_auth.user, other_user)
    login_internal(merged)
    flash(_("Your accounts have been merged"), 'success')
    session.pop('merge_buid', None)
    db.session.commit()
    user_data_changed.send(merged, changes=['merge'])
    return redirect(get_next_url(), code=303)