def renew(self, clear_session=False): if clear_session: self.clear() request = current.request response = current.response session = response.session masterapp = response.session_masterapp cookies = request.cookies if response.session_storage_type == 'cookie': return # if the session goes in file if response.session_storage_type == 'file': self._close(response) uuid = web2py_uuid() response.session_id = '%s-%s' % (response.session_client, uuid) separate = (lambda s: s[-2:]) if session and response.session_id[2:3]=="/" else None if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % \ (prefix, response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True # else the session goes in db elif response.session_storage_type == 'db': table = response.session_db_table # verify that session_id exists if response.session_file: self._close(response) if response.session_new: return # Get session data out of the database if response.session_id is None: return (record_id, sep, unique_key) = response.session_id.partition(':') if record_id.isdigit() and long(record_id)>1: new_unique_key = web2py_uuid() row = table(record_id) if row and row.unique_key==unique_key: row.update_record(unique_key=new_unique_key) else: row = None else: row = None if row: response.session_id = '%s:%s' % (record_id, unique_key) response.session_db_record_id = record_id response.session_db_unique_key = new_unique_key else: response.session_new = True
def app_create(app, request): """ Create a copy of welcome.w2p (scaffolding) app Parameters ---------- app: application name request: the global request object """ did_mkdir = False try: path = apath(app, request) os.mkdir(path) did_mkdir = True w2p_unpack('welcome.w2p', path) db = os.path.join(path,'models/db.py') if os.path.exists(db): fp = open(db,'r') data = fp.read() fp.close() data = data.replace('<your secret key>','sha512:'+web2py_uuid()) fp = open(db,'w') fp.write(data) fp.close() return True except: if did_mkdir: rmtree(path) return False
def log(self, request): """ logs the exception. """ try: a = request.application d = { 'layer': str(self.layer), 'code': str(self.code), 'output': str(self.output), 'traceback': str(self.traceback), 'snapshot': self.snapshot, } fmt = '%Y-%m-%d.%H-%M-%S' f = '%s.%s.%s' % (request.client.replace(':', '_'), datetime.datetime.now().strftime(fmt), web2py_uuid()) ticket_storage = TicketStorage(db=request.tickets_db) ticket_storage.store(request, f, d) return '%s/%s' % (a, f) except: logging.error(self.traceback) return None
def toolbar(self): from html import DIV, SCRIPT, BEAUTIFY, TAG, URL, A BUTTON = TAG.button admin = URL("admin", "default", "design", args=current.request.application) from gluon.dal import DAL dbstats = [] dbtables = {} infos = DAL.get_instances() for k, v in infos.iteritems(): dbstats.append(TABLE(*[TR(PRE(row[0]), "%.2fms" % (row[1] * 1000)) for row in v["dbstats"]])) dbtables[k] = dict( defined=v["dbtables"]["defined"] or "[no defined tables]", lazy=v["dbtables"]["lazy"] or "[no lazy tables]", ) u = web2py_uuid() backtotop = A("Back to top", _href="#totop-%s" % u) return DIV( BUTTON("design", _onclick="document.location='%s'" % admin), BUTTON("request", _onclick="jQuery('#request-%s').slideToggle()" % u), BUTTON("response", _onclick="jQuery('#response-%s').slideToggle()" % u), BUTTON("session", _onclick="jQuery('#session-%s').slideToggle()" % u), BUTTON("db tables", _onclick="jQuery('#db-tables-%s').slideToggle()" % u), BUTTON("db stats", _onclick="jQuery('#db-stats-%s').slideToggle()" % u), DIV(BEAUTIFY(current.request), backtotop, _class="hidden", _id="request-%s" % u), DIV(BEAUTIFY(current.session), backtotop, _class="hidden", _id="session-%s" % u), DIV(BEAUTIFY(current.response), backtotop, _class="hidden", _id="response-%s" % u), DIV(BEAUTIFY(dbtables), backtotop, _class="hidden", _id="db-tables-%s" % u), DIV(BEAUTIFY(dbstats), backtotop, _class="hidden", _id="db-stats-%s" % u), SCRIPT("jQuery('.hidden').hide()"), _id="totop-%s" % u, )
def run( appname, plain=False, import_models=False, startfile=None, bpython=False, python_code=False ): """ Start interactive shell or run Python script (startfile) in web2py controller environment. appname is formatted like: a web2py application name a/c exec the controller c into the application environment """ (a, c, f) = parse_path_info(appname) errmsg = 'invalid application name: %s' % appname if not a: die(errmsg) adir = os.path.join('applications', a) if not os.path.exists(adir): if raw_input('application %s does not exist, create (y/n)?' % a).lower() in ['y', 'yes']: os.mkdir(adir) w2p_unpack('welcome.w2p', adir) for subfolder in ['models','views','controllers', 'databases', 'modules','cron','errors','sessions', 'languages','static','private','uploads']: subpath = os.path.join(adir,subfolder) if not os.path.exists(subpath): os.mkdir(subpath) db = os.path.join(adir,'models/db.py') if os.path.exists(db): data = fileutils.read_file(db) data = data.replace('<your secret key>','sha512:'+web2py_uuid()) fileutils.write_file(db, data) if c: import_models = True _env = env(a, c=c, import_models=import_models) if c: cfile = os.path.join('applications', a, 'controllers', c + '.py') if not os.path.isfile(cfile): cfile = os.path.join('applications', a, 'compiled', "controllers_%s_%s.pyc" % (c,f)) if not os.path.isfile(cfile): die(errmsg) else: exec read_pyc(cfile) in _env else: execfile(cfile, _env) if f: exec ('print %s()' % f, _env) elif startfile: exec_pythonrc() try: execfile(startfile, _env) except RestrictedError, e: print e.traceback
def toolbar(self): from html import DIV, SCRIPT, BEAUTIFY, TAG, URL BUTTON = TAG.button admin = URL("admin","default","design", args=current.request.application) from gluon.dal import thread if hasattr(thread,'instances'): dbstats = [TABLE(*[TR(PRE(row[0]),'%.2fms' % (row[1]*1000)) \ for row in i.db._timings]) \ for i in thread.instances] else: dbstats = [] # if no db or on GAE u = web2py_uuid() return DIV( BUTTON('design',_onclick="document.location='%s'" % admin), BUTTON('request',_onclick="jQuery('#request-%s').slideToggle()"%u), DIV(BEAUTIFY(current.request),_class="hidden",_id="request-%s"%u), BUTTON('session',_onclick="jQuery('#session-%s').slideToggle()"%u), DIV(BEAUTIFY(current.session),_class="hidden",_id="session-%s"%u), BUTTON('response',_onclick="jQuery('#response-%s').slideToggle()"%u), DIV(BEAUTIFY(current.response),_class="hidden",_id="response-%s"%u), BUTTON('db stats',_onclick="jQuery('#db-stats-%s').slideToggle()"%u), DIV(BEAUTIFY(dbstats),_class="hidden",_id="db-stats-%s"%u), SCRIPT("jQuery('.hidden').hide()") )
def accepts( self, vars, session=None, formname='default', keepvalues=False, onvalidation=None, ): self.errors.clear() self.request_vars = Storage() self.request_vars.update(vars) self.session = session self.formname = formname self.keepvalues = keepvalues # if this tag is a form and we are in accepting mode (status=True) # check formname and formkey status = True if self.session and self.session.get('_formkey[%s]' % self.formname, None) != self.request_vars._formkey: status = False if self.formname != self.request_vars._formname: status = False status = self._traverse(status) if status and onvalidation: onvalidation(self) if self.errors: status = False if session != None: self.formkey = session['_formkey[%s]' % formname] = web2py_uuid() if status and not keepvalues: self._traverse(False) return status
def compute_uuid(self): self.uuid = '%s/%s.%s.%s' % ( self.application, self.client.replace(':', '_'), self.now.strftime('%Y-%m-%d.%H-%M-%S'), web2py_uuid()) return self.uuid
def _try_store_in_db(self, request, response): # don't save if file-based sessions, # no session id, or session being forgotten # or no changes to session if not response.session_db_table or self._forget or self._unchanged(): if (not response.session_db_table and global_settings.db_sessions is not True and response.session_masterapp in global_settings.db_sessions): global_settings.db_sessions.remove(response.session_masterapp) return False table = response.session_db_table record_id = response.session_db_record_id if response.session_new: unique_key = web2py_uuid() else: unique_key = response.session_db_unique_key dd = dict(locked=False, client_ip=response.session_client, modified_datetime=request.now, session_data=cPickle.dumps(dict(self)), unique_key=unique_key) if record_id: table(record_id).update_record(**dd) if not record_id: record_id = table.insert(**dd) response.session_id = '%s:%s' % (record_id, unique_key) response.session_db_unique_key = unique_key response.session_db_record_id = record_id self.save_session_id_cookie() return True
def compute_uuid(self): self.uuid = "%s/%s.%s.%s" % ( self.application, self.client.replace(":", "_"), self.now.strftime("%Y-%m-%d.%H-%M-%S"), web2py_uuid(), ) return self.uuid
def run( appname, plain=False, import_models=False, startfile=None, ): """ Start interactive shell or run Python script (startfile) in web2py controller environment. appname is formatted like: a web2py application name a/c exec the controller c into the application environment """ (a, c, f) = parse_path_info(appname) errmsg = 'invalid application name: %s' % appname if not a: die(errmsg) adir = os.path.join('applications', a) if not os.path.exists(adir): if raw_input('application %s does not exist, create (y/n)?' % a).lower() in ['y', 'yes']: os.mkdir(adir) w2p_unpack('welcome.w2p', adir) db = os.path.join(adir,'models/db.py') if os.path.exists(db): fp = open(db,'r') data = fp.read() fp.close() data = data.replace('<your secret key>','sha512:'+web2py_uuid()) fp = open(db,'w') fp.write(data) fp.close() if c: import_models = True _env = env(a, c=c, import_models=import_models) if c: cfile = os.path.join('applications', a, 'controllers', c + '.py') if not os.path.isfile(cfile): die(errmsg) execfile(cfile, _env) if f: exec ('print %s()' % f, _env) elif startfile: exec_pythonrc() try: execfile(startfile, _env) except RestrictedError, e: print e.traceback
def app_create(app, request, force=False, key=None, info=False): """ Create a copy of welcome.w2p (scaffolding) app Parameters ---------- app: application name request: the global request object """ path = apath(app, request) if not os.path.exists(path): try: os.mkdir(path) except: if info: return False, traceback.format_exc(sys.exc_info) else: return False elif not force: if info: return False, "Application exists" else: return False try: w2p_unpack('welcome.w2p', path) for subfolder in [ 'models', 'views', 'controllers', 'databases', 'modules', 'cron', 'errors', 'sessions', 'cache', 'languages', 'static', 'private', 'uploads']: subpath = os.path.join(path, subfolder) if not os.path.exists(subpath): os.mkdir(subpath) db = os.path.join(path, 'models', 'db.py') if os.path.exists(db): data = read_file(db) data = data.replace('<your secret key>', 'sha512:' + (key or web2py_uuid())) write_file(db, data) if info: return True, None else: return True except: rmtree(path) if info: return False, traceback.format_exc(sys.exc_info) else: return False
def POST(rp_user): doc = POST.func_doc return_dict = dict(doc=doc) user_dict = {} logger.debug("rp_user: "******"mail"] table_user = auth.settings.table_user user = auth.db(table_user.email == user_mail).select().first() if not user: msg = "Cannot reset password. Mail not registered" return_dict["err_found"] = True return_dict["err_msg"] = msg return gluon.contrib.simplejson.dumps(return_dict) elif user.registration_key in ["pending", "disabled"]: msg = "Cannot reset password. User registration pending or disabled" return_dict["err_found"] = True return_dict["err_msg"] = msg return gluon.contrib.simplejson.dumps(return_dict) reset_password_key = str(int(time.time())) + "-" + web2py_uuid() # link = auth.url(auth.settings.function, # args=('reset_password',), # vars={'key': reset_password_key}, # scheme=True) # d = dict(user) # d.update(dict(key=reset_password_key, link=link)) main_url = "http://" + str(request.env.http_host) + "/" + str(request.application) reset_msg = ( "Click on the link " + main_url + "/routes/#/logging/user_resetpasswd?key=" + reset_password_key + " to reset your password" ) if auth.settings.mailer and auth.settings.mailer.send( to=user_mail, subject=auth.messages.reset_password_subject, message=reset_msg ): # message=auth.messages.reset_password % d): user.update_record(reset_password_key=reset_password_key) else: msg = "Cannot complete the password reset request. Cannot send mail" return_dict["err_found"] = True return_dict["err_msg"] = msg return gluon.contrib.simplejson.dumps(return_dict) return gluon.contrib.simplejson.dumps(return_dict)
def toolbar(self): from html import DIV, SCRIPT, BEAUTIFY, TAG, URL, A BUTTON = TAG.button admin = URL("admin", "default", "design", args=current.request.application) from gluon.dal import DAL dbstats = [] dbtables = {} infos = DAL.get_instances() for k,v in infos.iteritems(): dbstats.append(TABLE(*[TR(PRE(row[0]),'%.2fms' % (row[1]*1000)) for row in v['dbstats']])) dbtables[k] = dict(defined=v['dbtables']['defined'] or '[no defined tables]', lazy=v['dbtables']['lazy'] or '[no lazy tables]') u = web2py_uuid() backtotop = A('Back to top', _href="#totop-%s" % u) # Convert lazy request.vars from property to Storage so they # will be displayed in the toolbar. request = copy.copy(current.request) request.update(vars=current.request.vars, get_vars=current.request.get_vars, post_vars=current.request.post_vars) return DIV( BUTTON('design', _onclick="document.location='%s'" % admin), BUTTON('request', _onclick="jQuery('#request-%s').slideToggle()" % u), BUTTON('response', _onclick="jQuery('#response-%s').slideToggle()" % u), BUTTON('session', _onclick="jQuery('#session-%s').slideToggle()" % u), BUTTON('db tables', _onclick="jQuery('#db-tables-%s').slideToggle()" % u), BUTTON('db stats', _onclick="jQuery('#db-stats-%s').slideToggle()" % u), DIV(BEAUTIFY(request), backtotop, _class="hidden", _id="request-%s" % u), DIV(BEAUTIFY(current.session), backtotop, _class="hidden", _id="session-%s" % u), DIV(BEAUTIFY(current.response), backtotop, _class="hidden", _id="response-%s" % u), DIV(BEAUTIFY(dbtables), backtotop, _class="hidden", _id="db-tables-%s" % u), DIV(BEAUTIFY( dbstats), backtotop, _class="hidden", _id="db-stats-%s" % u), SCRIPT("jQuery('.hidden').hide()"), _id="totop-%s" % u )
def toolbar(self): from html import DIV, SCRIPT, BEAUTIFY, TAG, URL, A BUTTON = TAG.button admin = URL("admin", "default", "design", args=current.request.application) from gluon.dal import THREAD_LOCAL if hasattr(THREAD_LOCAL, 'instances'): dbstats = [TABLE(*[TR(PRE(row[0]), '%.2fms' % (row[1] * 1000)) for row in i.db._timings]) for i in THREAD_LOCAL.instances] dbtables = dict([(regex_nopasswd.sub('******', i.uri), {'defined': sorted(list(set(i.db.tables) - set(i.db._LAZY_TABLES.keys()))) or '[no defined tables]', 'lazy': sorted(i.db._LAZY_TABLES.keys()) or '[no lazy tables]'}) for i in THREAD_LOCAL.instances]) else: dbstats = [] # if no db or on GAE dbtables = {} u = web2py_uuid() backtotop = A('Back to top', _href="#totop-%s" % u) return DIV( BUTTON('design', _onclick="document.location='%s'" % admin), BUTTON('request', _onclick="jQuery('#request-%s').slideToggle()" % u), BUTTON('response', _onclick="jQuery('#response-%s').slideToggle()" % u), BUTTON('session', _onclick="jQuery('#session-%s').slideToggle()" % u), BUTTON('db tables', _onclick="jQuery('#db-tables-%s').slideToggle()" % u), BUTTON('db stats', _onclick="jQuery('#db-stats-%s').slideToggle()" % u), DIV(BEAUTIFY(current.request), backtotop, _class="hidden", _id="request-%s" % u), DIV(BEAUTIFY(current.session), backtotop, _class="hidden", _id="session-%s" % u), DIV(BEAUTIFY(current.response), backtotop, _class="hidden", _id="response-%s" % u), DIV(BEAUTIFY(dbtables), backtotop, _class="hidden", _id="db-tables-%s" % u), DIV(BEAUTIFY( dbstats), backtotop, _class="hidden", _id="db-stats-%s" % u), SCRIPT("jQuery('.hidden').hide()"), _id="totop-%s" % u )
def app_with_logging(environ, responder): """ a wsgi app that does logging and profiling and calls wsgibase """ status_headers = [] def responder2(s, h): """ wsgi responder app """ status_headers.append(s) status_headers.append(h) return responder(s, h) time_in = time.time() ret = [0] if not profiler_dir: ret[0] = wsgiapp(environ, responder2) else: import cProfile prof = cProfile.Profile() prof.enable() ret[0] = wsgiapp(environ, responder2) prof.disable() destfile = pjoin(profiler_dir, "req_%s.prof" % web2py_uuid()) prof.dump_stats(destfile) try: line = '%s, %s, %s, %s, %s, %s, %f\n' % ( environ['REMOTE_ADDR'], datetime.datetime.today().strftime('%Y-%m-%d %H:%M:%S'), environ['REQUEST_METHOD'], environ['PATH_INFO'].replace(',', '%2C'), environ['SERVER_PROTOCOL'], (status_headers[0])[:3], time.time() - time_in, ) if not logfilename: sys.stdout.write(line) elif isinstance(logfilename, str): write_file(logfilename, line, 'a') else: logfilename.write(line) except: pass return ret[0]
def app_create(app, request,force=False,key=None): """ Create a copy of welcome.w2p (scaffolding) app Parameters ---------- app: application name request: the global request object """ did_mkdir = False try: path = apath(app, request) os.mkdir(path) except: if not force: return False try: w2p_unpack('welcome.w2p', path) for subfolder in ['models','views','controllers', 'databases', 'modules','cron','errors','sessions', 'languages','static','private','uploads']: subpath = os.path.join(path,subfolder) if not os.path.exists(subpath): os.mkdir(subpath) db = os.path.join(path, 'models', 'db.py') if os.path.exists(db): fp = open(db,'r') data = fp.read() fp.close() data = data.replace('<your secret key>', 'sha512:'+(key or web2py_uuid())) fp = open(db,'w') fp.write(data) fp.close() return True except: rmtree(path) return False
def toolbar(self): from html import DIV, SCRIPT, BEAUTIFY, TAG, URL BUTTON = TAG.button admin = URL("admin", "default", "design", args=current.request.application) from gluon.dal import thread if hasattr(thread, 'instances'): dbstats = [TABLE(*[TR(PRE(row[0]),'%.2fms' % (row[1]*1000)) \ for row in i.db._timings]) \ for i in thread.instances] else: dbstats = [] # if no db or on GAE u = web2py_uuid() return DIV( BUTTON('design', _onclick="document.location='%s'" % admin), BUTTON('request', _onclick="jQuery('#request-%s').slideToggle()" % u), DIV(BEAUTIFY(current.request), _class="hidden", _id="request-%s" % u), BUTTON('session', _onclick="jQuery('#session-%s').slideToggle()" % u), DIV(BEAUTIFY(current.session), _class="hidden", _id="session-%s" % u), BUTTON('response', _onclick="jQuery('#response-%s').slideToggle()" % u), DIV(BEAUTIFY(current.response), _class="hidden", _id="response-%s" % u), BUTTON('db stats', _onclick="jQuery('#db-stats-%s').slideToggle()" % u), DIV(BEAUTIFY(dbstats), _class="hidden", _id="db-stats-%s" % u), SCRIPT("jQuery('.hidden').hide()"))
def renew(self, request=None, response=None, db=None, tablename='web2py_session', masterapp=None, clear_session=False): if request is None: request = current.request if response is None: response = current.response #check if session is separate separate = None if response.session and response.session_id[2:3] == "/": separate = lambda session_name: session_name[-2:] self._unlock(response) if not masterapp: masterapp = request.application # Load session data from cookie cookies = request.cookies # check if there is a session_id in cookies if response.session_id_name in cookies: response.session_id = \ cookies[response.session_id_name].value else: response.session_id = None # if the session goes in file if response.session_storage_type == 'file': if global_settings.db_sessions is True \ or masterapp in global_settings.db_sessions: return client = request.client and request.client.replace(':', '.') uuid = web2py_uuid() response.session_id = '%s-%s' % (client, uuid) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % \ (prefix, response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True # else the session goes in db elif response.session_storage_type == 'db': # verify that session_id exists if not response.session_id: return # verify if tablename was set or used in connect if response.session_table_name and tablename == 'web2py_session': tablename = response.session_table_name if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) if response.session_file: self._close(response) if settings.global_settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db tname = tablename + '_' + masterapp if not db: raise Exception('No database parameter passed: "db=database"') table = db.get(tname, None) if table is None: raise Exception('No session to renew') # Get session data out of the database (record_id, unique_key) = response.session_id.split(':') if record_id == '0': raise Exception('record_id == 0') # Select from database row = db(table.id == record_id).select() row = row and row[0] or None # Make sure the session data exists in the database if not row or row.unique_key != unique_key: raise Exception('No record') unique_key = web2py_uuid() db(table.id == record_id).update(unique_key=unique_key) response.session_id = '%s:%s' % (record_id, unique_key) response.session_db_table = table response.session_db_record_id = record_id response.session_db_unique_key = unique_key rcookies = response.cookies if response.session_id_name: rcookies[response.session_id_name] = response.session_id rcookies[response.session_id_name]['path'] = '/' if clear_session: self.clear()
def connect( self, request, response, db=None, tablename='web2py_session', masterapp=None, migrate=True, separate=None, check_client=False, ): """ separate can be separate=lambda(session_name): session_name[-2:] and it is used to determine a session prefix. separate can be True and it is set to session_name[-2:] """ if separate == True: separate = lambda session_name: session_name[-2:] self._unlock(response) if not masterapp: masterapp = request.application response.session_id_name = 'session_id_%s' % masterapp.lower() if not db: if global_settings.db_sessions is True or masterapp in global_settings.db_sessions: return response.session_new = False client = request.client.replace(':', '.') if response.session_id_name in request.cookies: response.session_id = \ request.cookies[response.session_id_name].value if regex_session_id.match(response.session_id): response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) else: response.session_id = None if response.session_id: try: response.session_file = \ open(response.session_filename, 'rb+') portalocker.lock(response.session_file, portalocker.LOCK_EX) response.session_locked = True self.update(cPickle.load(response.session_file)) response.session_file.seek(0) oc = response.session_filename.split('/')[-1].split('-')[0] if check_client and client != oc: raise Exception, "cookie attack" except: self._close(response) response.session_id = None if not response.session_id: uuid = web2py_uuid() response.session_id = '%s-%s' % (client, uuid) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % (prefix, response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True else: if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) response.session_db = True if response.session_file: self._close(response) if settings.global_settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db if masterapp == request.application: table_migrate = migrate else: table_migrate = False tname = tablename + '_' + masterapp table = db.get(tname, None) if table is None: table = db.define_table( tname, db.Field('locked', 'boolean', default=False), db.Field('client_ip', length=64), db.Field('created_datetime', 'datetime', default=request.now), db.Field('modified_datetime', 'datetime'), db.Field('unique_key', length=64), db.Field('session_data', 'blob'), migrate=table_migrate, ) try: key = request.cookies[response.session_id_name].value (record_id, unique_key) = key.split(':') if record_id == '0': raise Exception, 'record_id == 0' rows = db(table.id == record_id).select() if len(rows) == 0 or rows[0].unique_key != unique_key: raise Exception, 'No record' # rows[0].update_record(locked=True) session_data = cPickle.loads(rows[0].session_data) self.update(session_data) except Exception: record_id = None unique_key = web2py_uuid() session_data = {} response._dbtable_and_field = \ (response.session_id_name, table, record_id, unique_key) response.session_id = '%s:%s' % (record_id, unique_key) response.cookies[response.session_id_name] = response.session_id response.cookies[response.session_id_name]['path'] = '/' self.__hash = hashlib.md5(str(self)).digest() if self.flash: (response.flash, self.flash) = (self.flash, None)
def toolbar(self): from html import DIV, SCRIPT, BEAUTIFY, TAG, URL, A BUTTON = TAG.button admin = URL("admin", "default", "design", args=current.request.application) from gluon.dal import DAL dbstats = [] dbtables = {} infos = DAL.get_instances() for k, v in infos.iteritems(): dbstats.append( TABLE(*[ TR(PRE(row[0]), '%.2fms' % (row[1] * 1000)) for row in v['dbstats'] ])) dbtables[k] = dict(defined=v['dbtables']['defined'] or '[no defined tables]', lazy=v['dbtables']['lazy'] or '[no lazy tables]') u = web2py_uuid() backtotop = A('Back to top', _href="#totop-%s" % u) # Convert lazy request.vars from property to Storage so they # will be displayed in the toolbar. request = copy.copy(current.request) request.update(vars=current.request.vars, get_vars=current.request.get_vars, post_vars=current.request.post_vars) return DIV(BUTTON('design', _onclick="document.location='%s'" % admin), BUTTON('request', _onclick="jQuery('#request-%s').slideToggle()" % u), BUTTON('response', _onclick="jQuery('#response-%s').slideToggle()" % u), BUTTON('session', _onclick="jQuery('#session-%s').slideToggle()" % u), BUTTON('db tables', _onclick="jQuery('#db-tables-%s').slideToggle()" % u), BUTTON('db stats', _onclick="jQuery('#db-stats-%s').slideToggle()" % u), DIV(BEAUTIFY(request), backtotop, _class="hidden", _id="request-%s" % u), DIV(BEAUTIFY(current.session), backtotop, _class="hidden", _id="session-%s" % u), DIV(BEAUTIFY(current.response), backtotop, _class="hidden", _id="response-%s" % u), DIV(BEAUTIFY(dbtables), backtotop, _class="hidden", _id="db-tables-%s" % u), DIV(BEAUTIFY(dbstats), backtotop, _class="hidden", _id="db-stats-%s" % u), SCRIPT("jQuery('.hidden').hide()"), _id="totop-%s" % u)
def POST(reg_user): doc = POST.func_doc return_dict = dict(doc=doc) user_dict = {} table_user = auth.settings.table_user user = auth.db( table_user['username'] == reg_user['username']).select().first() if user: return_dict['err_found'] = True return_dict['err_msg'] = 'Username already registered' return gluon.contrib.simplejson.dumps(return_dict) user = auth.db( table_user['email'] == reg_user['email']).select().first() if user: return_dict['err_found'] = True return_dict['err_msg'] = 'Mail already registered' return gluon.contrib.simplejson.dumps(return_dict) user_dict['username'] = reg_user['username'] user_dict['first_name'] = reg_user['firstname'] user_dict['last_name'] = reg_user['lastname'] user_dict['email'] = reg_user['email'] if not re.match(r"[^@]+@[^@]+\.[^@]+", reg_user['email']): return_dict['err_found'] = True return_dict['err_msg'] = 'Invalid mail' return gluon.contrib.simplejson.dumps(return_dict) passwd = reg_user['passwd'] if len(passwd) < 4: return_dict['err_found'] = True return_dict[ 'err_msg'] = 'Password must have at least four characters' return gluon.contrib.simplejson.dumps(return_dict) passfield = auth.settings.password_field #alg = 'pbkdf2(1000,20,sha512)' #user_dict[passfield] = CRYPT(digest_alg=alg,salt=True)(passwd)[0] user_dict[passfield] = CRYPT(key=auth.settings.hmac_key)(passwd)[0] logger.debug("pass_field: " + str(user_dict) + " with passwd:" + passwd) if auth.settings.registration_requires_verification: table_user.registration_key.default = verify_key = web2py_uuid() main_url = "http://" + str(request.env.http_host) + "/" + str( request.application) verify_msg = "Welcome " + user_dict[ 'username'] + " click on the link " + main_url + "/routes/#/logging/user_verify?key=" + verify_key + " to verify your mail" logger.debug("registration requires mail verification") if not auth.settings.mailer or \ not auth.settings.mailer.send(to=user_dict['email'], subject=auth.messages.verify_email_subject, message=verify_msg): return_dict['err_found'] = True return_dict['err_msg'] = 'Invalid mail' return gluon.contrib.simplejson.dumps(return_dict) return_dict['to_verify'] = True # the next function also creates the user_groups user = auth.get_or_create_user(user_dict, login=False) logger.debug("User registered: " + str(user)) if user_passphrase_active: # improve random string following http://stackoverflow.com/questions/7479442/high-quality-simple-random-password-generator # alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' # os.urandom() # instead of http://stackoverflow.com/questions/2257441/random-string-generation-with-upper-case-letters-and-digits-in-python db.auth_user.passphrase.writable = True import random, string pf = ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(16)) db(db.auth_user.username == user_dict['username']).update( passphrase=pf) db.auth_user.passphrase.writable = False # print "db.auth_user.passphrase.writable :",db.auth_user.passphrase.writable db.commit() user_db = auth.db( table_user['username'] == reg_user['username']).select().first() if not auth.settings.registration_requires_verification and auth.settings.registration_requires_approval: user_db.update_record(registration_key='pending') return_dict['to_approve'] = True # After registration the user is automatically logged in (uncomment the next) # But it has to be modified in case approval and/or verification are active # user = auth.login_bare(user_dict['username'],passwd) return gluon.contrib.simplejson.dumps(return_dict)
def connect( self, request, response, db=None, tablename='web2py_session', masterapp=None, migrate=True, separate = None, check_client=False, ): """ separate can be separate=lambda(session_name): session_name[-2:] and it is used to determine a session prefix. separate can be True and it is set to session_name[-2:] """ if separate == True: separate = lambda session_name: session_name[-2:] self._unlock(response) if not masterapp: masterapp = request.application response.session_id_name = 'session_id_%s' % masterapp.lower() if not db: if global_settings.db_sessions is True or masterapp in global_settings.db_sessions: return response.session_new = False client = request.client and request.client.replace(':', '.') if response.session_id_name in request.cookies: response.session_id = \ request.cookies[response.session_id_name].value if regex_session_id.match(response.session_id): response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) else: response.session_id = None if response.session_id: try: response.session_file = \ open(response.session_filename, 'rb+') try: portalocker.lock(response.session_file,portalocker.LOCK_EX) response.session_locked = True self.update(cPickle.load(response.session_file)) response.session_file.seek(0) oc = response.session_filename.split('/')[-1].split('-')[0] if check_client and client!=oc: raise Exception, "cookie attack" finally: pass #This causes admin login to break. Must find out why. #self._close(response) except: response.session_id = None if not response.session_id: uuid = web2py_uuid() response.session_id = '%s-%s' % (client, uuid) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % (prefix,response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True else: if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) response.session_db = True if response.session_file: self._close(response) if settings.global_settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db if masterapp == request.application: table_migrate = migrate else: table_migrate = False tname = tablename + '_' + masterapp table = db.get(tname, None) if table is None: table = db.define_table( tname, db.Field('locked', 'boolean', default=False), db.Field('client_ip', length=64), db.Field('created_datetime', 'datetime', default=request.now), db.Field('modified_datetime', 'datetime'), db.Field('unique_key', length=64), db.Field('session_data', 'blob'), migrate=table_migrate, ) try: key = request.cookies[response.session_id_name].value (record_id, unique_key) = key.split(':') if record_id == '0': raise Exception, 'record_id == 0' rows = db(table.id == record_id).select() if len(rows) == 0 or rows[0].unique_key != unique_key: raise Exception, 'No record' # rows[0].update_record(locked=True) session_data = cPickle.loads(rows[0].session_data) self.update(session_data) except Exception: record_id = None unique_key = web2py_uuid() session_data = {} response._dbtable_and_field = \ (response.session_id_name, table, record_id, unique_key) response.session_id = '%s:%s' % (record_id, unique_key) response.cookies[response.session_id_name] = response.session_id response.cookies[response.session_id_name]['path'] = '/' self.__hash = hashlib.md5(str(self)).digest() if self.flash: (response.flash, self.flash) = (self.flash, None)
def app_create(app, request, force=False, key=None, info=False): """ Create a copy of welcome.w2p (scaffolding) app Parameters ---------- app: application name request: the global request object """ path = apath(app, request) if not os.path.exists(path): try: os.mkdir(path) except: if info: return False, traceback.format_exc(sys.exc_info) else: return False elif not force: if info: return False, "Application exists" else: return False try: w2p_unpack("welcome.w2p", path) for subfolder in [ "models", "views", "controllers", "databases", "modules", "cron", "errors", "sessions", "cache", "languages", "static", "private", "uploads", ]: subpath = os.path.join(path, subfolder) if not os.path.exists(subpath): os.mkdir(subpath) db = os.path.join(path, "models", "db.py") if os.path.exists(db): data = read_file(db) data = data.replace("<your secret key>", "sha512:" + (key or web2py_uuid())) write_file(db, data) if info: return True, None else: return True except: rmtree(path) if info: return False, traceback.format_exc(sys.exc_info) else: return False
def connect( self, request, response, db=None, tablename="web2py_session", masterapp=None, migrate=True, separate=None, check_client=False, cookie_key=None, ): """ separate can be separate=lambda(session_name): session_name[-2:] and it is used to determine a session prefix. separate can be True and it is set to session_name[-2:] """ if separate == True: separate = lambda session_name: session_name[-2:] self._unlock(response) if not masterapp: masterapp = request.application response.session_id_name = "session_id_%s" % masterapp.lower() # Load session data from cookie if cookie_key: response.session_cookie_key = cookie_key response.session_cookie_key2 = hashlib.md5(cookie_key).digest() cookie_name = request.application.lower() + "_session_data" response.session_cookie_name = cookie_name if cookie_data in request.cookies: cookie_value = request.cookies[cookie_name].value cookie_parts = cookie_value.split(":") enc = cookie_parts[2] cipher = AES.new(cookie_key) decrypted = cipher.decrypt(base64.b64decode(enc)).rstrip("{") check = hmac.new(response.session_cookie_key2, enc).hexdigest() if cookie_parts[0] == check: session_data = cPickle.loads(decrypted) self.update(session_data) else: return if not db: if global_settings.db_sessions is True or masterapp in global_settings.db_sessions: return response.session_new = False client = request.client and request.client.replace(":", ".") if response.session_id_name in request.cookies: response.session_id = request.cookies[response.session_id_name].value if regex_session_id.match(response.session_id): response.session_filename = os.path.join( up(request.folder), masterapp, "sessions", response.session_id ) else: response.session_id = None if response.session_id: try: response.session_file = open(response.session_filename, "rb+") try: portalocker.lock(response.session_file, portalocker.LOCK_EX) response.session_locked = True self.update(cPickle.load(response.session_file)) response.session_file.seek(0) oc = response.session_filename.split("/")[-1].split("-")[0] if check_client and client != oc: raise Exception, "cookie attack" finally: pass # This causes admin login to break. Must find out why. # self._close(response) except: response.session_id = None if not response.session_id: uuid = web2py_uuid() response.session_id = "%s-%s" % (client, uuid) if separate: prefix = separate(response.session_id) response.session_id = "%s/%s" % (prefix, response.session_id) response.session_filename = os.path.join(up(request.folder), masterapp, "sessions", response.session_id) response.session_new = True else: if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) response.session_db = True if response.session_file: self._close(response) if settings.global_settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db if masterapp == request.application: table_migrate = migrate else: table_migrate = False tname = tablename + "_" + masterapp table = db.get(tname, None) if table is None: table = db.define_table( tname, db.Field("locked", "boolean", default=False), db.Field("client_ip", length=64), db.Field("created_datetime", "datetime", default=request.now), db.Field("modified_datetime", "datetime"), db.Field("unique_key", length=64), db.Field("session_data", "blob"), migrate=table_migrate, ) try: # Get session data out of the database # Key comes from the cookie key = request.cookies[response.session_id_name].value (record_id, unique_key) = key.split(":") if record_id == "0": raise Exception, "record_id == 0" # Select from database. rows = db(table.id == record_id).select() # Make sure the session data exists in the database if len(rows) == 0 or rows[0].unique_key != unique_key: raise Exception, "No record" # rows[0].update_record(locked=True) # Unpickle the data session_data = cPickle.loads(rows[0].session_data) self.update(session_data) except Exception: record_id = None unique_key = web2py_uuid() session_data = {} response._dbtable_and_field = (response.session_id_name, table, record_id, unique_key) response.session_id = "%s:%s" % (record_id, unique_key) response.cookies[response.session_id_name] = response.session_id response.cookies[response.session_id_name]["path"] = "/" self.__hash = hashlib.md5(str(self)).digest() if self.flash: (response.flash, self.flash) = (self.flash, None)
def run(appname, plain=False, import_models=False, startfile=None, bpython=False): """ Start interactive shell or run Python script (startfile) in web2py controller environment. appname is formatted like: a web2py application name a/c exec the controller c into the application environment """ (a, c, f) = parse_path_info(appname) errmsg = 'invalid application name: %s' % appname if not a: die(errmsg) adir = os.path.join('applications', a) if not os.path.exists(adir): if raw_input('application %s does not exist, create (y/n)?' % a).lower() in ['y', 'yes']: os.mkdir(adir) w2p_unpack('welcome.w2p', adir) for subfolder in [ 'models', 'views', 'controllers', 'databases', 'modules', 'cron', 'errors', 'sessions', 'languages', 'static', 'private', 'uploads' ]: subpath = os.path.join(adir, subfolder) if not os.path.exists(subpath): os.mkdir(subpath) db = os.path.join(adir, 'models/db.py') if os.path.exists(db): data = fileutils.read_file(db) data = data.replace('<your secret key>', 'sha512:' + web2py_uuid()) fileutils.write_file(db, data) if c: import_models = True _env = env(a, c=c, import_models=import_models) if c: cfile = os.path.join('applications', a, 'controllers', c + '.py') if not os.path.isfile(cfile): cfile = os.path.join('applications', a, 'compiled', "controllers_%s_%s.pyc" % (c, f)) if not os.path.isfile(cfile): die(errmsg) else: exec read_pyc(cfile) in _env else: execfile(cfile, _env) if f: exec('print %s()' % f, _env) elif startfile: exec_pythonrc() try: execfile(startfile, _env) except RestrictedError, e: print e.traceback
def connect( self, request=None, response=None, db=None, tablename='web2py_session', masterapp=None, migrate=True, separate=None, check_client=False, cookie_key=None, cookie_expires=None, compression_level=None ): """ separate can be separate=lambda(session_name): session_name[-2:] and it is used to determine a session prefix. separate can be True and it is set to session_name[-2:] """ if request is None: request = current.request if response is None: response = current.response if separate == True: separate = lambda session_name: session_name[-2:] self._unlock(response) if not masterapp: masterapp = request.application response.session_id_name = 'session_id_%s' % masterapp.lower() response.session_data_name = 'session_data_%s' % masterapp.lower() response.session_cookie_expires = cookie_expires # Load session data from cookie cookies = request.cookies # check if there is a session_id in cookies if response.session_id_name in cookies: response.session_id = \ cookies[response.session_id_name].value else: response.session_id = None # check if there is session data in cookies if response.session_data_name in cookies: session_cookie_data = cookies[response.session_data_name].value else: session_cookie_data = None # if we are supposed to use cookie based session data if cookie_key: response.session_storage_type = 'cookie' response.session_cookie_key = cookie_key response.session_cookie_compression_level = compression_level if session_cookie_data: data = secure_loads(session_cookie_data, cookie_key, compression_level=compression_level) if data: self.update(data) # else if we are supposed to use file based sessions elif not db: response.session_storage_type = 'file' if global_settings.db_sessions is True \ or masterapp in global_settings.db_sessions: return response.session_new = False client = request.client and request.client.replace(':', '.') if response.session_id: if regex_session_id.match(response.session_id): response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) else: response.session_id = None # do not try load the data from file is these was data in cookie if response.session_id and not session_cookie_data: try: response.session_file = \ open(response.session_filename, 'rb+') try: portalocker.lock(response.session_file, portalocker.LOCK_EX) response.session_locked = True self.update(cPickle.load(response.session_file)) response.session_file.seek(0) oc = response.session_filename.split('/')[-1]\ .split('-')[0] if check_client and client != oc: raise Exception("cookie attack") finally: pass #This causes admin login to break. Must find out why. #self._close(response) except: response.session_id = None if not response.session_id: uuid = web2py_uuid() response.session_id = '%s-%s' % (client, uuid) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % \ (prefix, response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True # else the session goes in db else: response.session_storage_type = 'db' if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) if response.session_file: self._close(response) if settings.global_settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db if masterapp == request.application: table_migrate = migrate else: table_migrate = False tname = tablename + '_' + masterapp table = db.get(tname, None) Field = db.Field if table is None: db.define_table( tname, Field('locked', 'boolean', default=False), Field('client_ip', length=64), Field('created_datetime', 'datetime', default=request.now), Field('modified_datetime', 'datetime'), Field('unique_key', length=64), Field('session_data', 'blob'), migrate=table_migrate, ) table = db[tname] # to allow for lazy table try: # Get session data out of the database (record_id, unique_key) = response.session_id.split(':') if record_id == '0': raise Exception('record_id == 0') # Select from database if not session_cookie_data: rows = db(table.id == record_id).select() # Make sure the session data exists in the database if len(rows) == 0 or rows[0].unique_key != unique_key: raise Exception('No record') # rows[0].update_record(locked=True) # Unpickle the data session_data = cPickle.loads(rows[0].session_data) self.update(session_data) except Exception: record_id = None unique_key = web2py_uuid() session_data = {} response.session_id = '%s:%s' % (record_id, unique_key) response.session_db_table = table response.session_db_record_id = record_id response.session_db_unique_key = unique_key rcookies = response.cookies rcookies[response.session_id_name] = response.session_id rcookies[response.session_id_name]['path'] = '/' if cookie_expires: rcookies[response.session_id_name][ 'expires'] = cookie_expires.strftime(FMT) # if not cookie_key, but session_data_name in cookies # expire session_data_name from cookies if session_cookie_data: rcookies[response.session_data_name] = 'expired' rcookies[response.session_data_name]['path'] = '/' rcookies[response.session_data_name]['expires'] = PAST if self.flash: (response.flash, self.flash) = (self.flash, None)
def connect( self, request, response, db=None, tablename='web2py_session', masterapp=None, migrate=True, ): self._unlock(response) if not masterapp: masterapp = request.application response.session_id_name = 'session_id_%s' % masterapp if not db: if response.session_id_name in request.cookies: response.session_id = \ request.cookies[response.session_id_name].value if regex_session_id.match(response.session_id): response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) else: response.session_id = None if response.session_id: try: response.session_file = \ open(response.session_filename, 'rb+') portalocker.lock(response.session_file, portalocker.LOCK_EX) self.update(cPickle.load(response.session_file)) response.session_file.seek(0) except: self._unlock(response) response.session_id = None if not response.session_id: response.session_id = '%s-%s'\ % (request.client.replace(':', '-').replace('.', '-'), web2py_uuid()) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True else: if settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db if masterapp == request.application: table_migrate = migrate else: table_migrate = False tname = tablename + '_' + masterapp table = db.get(tname, None) if table is None: table = db.define_table( tname, db.Field('locked', 'boolean', default=False), db.Field('client_ip', length=64), db.Field('created_datetime', 'datetime', default=request.now), db.Field('modified_datetime', 'datetime'), db.Field('unique_key', length=64), db.Field('session_data', 'blob'), migrate=table_migrate, ) try: key = request.cookies[response.session_id_name].value (record_id, unique_key) = key.split(':') if record_id == '0': raise Exception, 'record_id == 0' rows = db(table.id == record_id).select() if len(rows) == 0 or rows[0].unique_key != unique_key: raise Exception, 'No record' # rows[0].update_record(locked=True) session_data = cPickle.loads(rows[0].session_data) self.update(session_data) except Exception: record_id = None unique_key = web2py_uuid() session_data = {} response._dbtable_and_field = \ (response.session_id_name, table, record_id, unique_key) response.session_id = '%s:%s' % (record_id, unique_key) response.cookies[response.session_id_name] = response.session_id response.cookies[response.session_id_name]['path'] = '/' if self.flash: (response.flash, self.flash) = (self.flash, None)
def connect( self, request, response, db=None, tablename='web2py_session', masterapp=None, migrate=True, ): self._unlock(response) if not masterapp: masterapp = request.application response.session_id_name = 'session_id_%s' % masterapp if not db: if response.session_id_name in request.cookies: response.session_id = \ request.cookies[response.session_id_name].value if regex_session_id.match(response.session_id): response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) else: response.session_id = None if response.session_id: try: response.session_file = \ open(response.session_filename, 'rb+') portalocker.lock(response.session_file, portalocker.LOCK_EX) self.update(cPickle.load(response.session_file)) response.session_file.seek(0) except: self._unlock(response) if response.session_file: # Only if open succeeded and later an exception was raised response.session_file.close() del response.session_file response.session_id = None if not response.session_id: response.session_id = '%s-%s'\ % (request.client.replace(':', '-').replace('.', '-'), web2py_uuid()) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True else: if settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db if masterapp == request.application: table_migrate = migrate else: table_migrate = False tname = tablename + '_' + masterapp table = db.get(tname, None) if table is None: table = db.define_table( tname, db.Field('locked', 'boolean', default=False), db.Field('client_ip', length=64), db.Field('created_datetime', 'datetime', default=request.now), db.Field('modified_datetime', 'datetime'), db.Field('unique_key', length=64), db.Field('session_data', 'blob'), migrate=table_migrate, ) try: key = request.cookies[response.session_id_name].value (record_id, unique_key) = key.split(':') if record_id == '0': raise Exception, 'record_id == 0' rows = db(table.id == record_id).select() if len(rows) == 0 or rows[0].unique_key != unique_key: raise Exception, 'No record' # rows[0].update_record(locked=True) session_data = cPickle.loads(rows[0].session_data) self.update(session_data) except Exception: record_id = None unique_key = web2py_uuid() session_data = {} response._dbtable_and_field = \ (response.session_id_name, table, record_id, unique_key) response.session_id = '%s:%s' % (record_id, unique_key) response.cookies[response.session_id_name] = response.session_id response.cookies[response.session_id_name]['path'] = '/' if self.flash: (response.flash, self.flash) = (self.flash, None)
def renew( self, request=None, response=None, db=None, tablename='web2py_session', masterapp=None, clear_session=False ): if request is None: request = current.request if response is None: response = current.response #check if session is separate separate = None if response.session and response.session_id[2:3] == "/": separate = lambda session_name: session_name[-2:] self._unlock(response) if not masterapp: masterapp = request.application # Load session data from cookie cookies = request.cookies # check if there is a session_id in cookies if response.session_id_name in cookies: response.session_id = \ cookies[response.session_id_name].value else: response.session_id = None # if the session goes in file if response.session_storage_type == 'file': if global_settings.db_sessions is True \ or masterapp in global_settings.db_sessions: return client = request.client and request.client.replace(':', '.') uuid = web2py_uuid() response.session_id = '%s-%s' % (client, uuid) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % \ (prefix, response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True # else the session goes in db elif response.session_storage_type == 'db': # verify that session_id exists if not response.session_id: return # verify if tablename was set or used in connect if response.session_table_name and tablename == 'web2py_session': tablename = response.session_table_name if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) if response.session_file: self._close(response) if settings.global_settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db tname = tablename + '_' + masterapp if not db: raise Exception('No database parameter passed: "db=database"') table = db.get(tname, None) if table is None: raise Exception('No session to renew') # Get session data out of the database (record_id, unique_key) = response.session_id.split(':') if record_id == '0': raise Exception('record_id == 0') # Select from database row = record_id and db(table.id == record_id).select() row = row and row[0] or None # Make sure the session data exists in the database if not row or row.unique_key != unique_key: raise Exception('No record') unique_key = web2py_uuid() db(table.id == record_id).update(unique_key=unique_key) response.session_id = '%s:%s' % (record_id, unique_key) response.session_db_table = table response.session_db_record_id = record_id response.session_db_unique_key = unique_key rcookies = response.cookies if response.session_id_name: rcookies[response.session_id_name] = response.session_id rcookies[response.session_id_name]['path'] = '/' if clear_session: self.clear()
def connect(self, request=None, response=None, db=None, tablename='web2py_session', masterapp=None, migrate=True, separate=None, check_client=False, cookie_key=None, cookie_expires=None, compression_level=None): """ separate can be separate=lambda(session_name): session_name[-2:] and it is used to determine a session prefix. separate can be True and it is set to session_name[-2:] """ if request is None: request = current.request if response is None: response = current.response if separate is True: separate = lambda session_name: session_name[-2:] self._unlock(response) if not masterapp: masterapp = request.application response.session_id_name = 'session_id_%s' % masterapp.lower() response.session_data_name = 'session_data_%s' % masterapp.lower() response.session_cookie_expires = cookie_expires # Load session data from cookie cookies = request.cookies # check if there is a session_id in cookies if response.session_id_name in cookies: response.session_id = \ cookies[response.session_id_name].value else: response.session_id = None # check if there is session data in cookies if response.session_data_name in cookies: session_cookie_data = cookies[response.session_data_name].value else: session_cookie_data = None # if we are supposed to use cookie based session data if cookie_key: response.session_storage_type = 'cookie' response.session_cookie_key = cookie_key response.session_cookie_compression_level = compression_level if session_cookie_data: data = secure_loads(session_cookie_data, cookie_key, compression_level=compression_level) if data: self.update(data) # else if we are supposed to use file based sessions elif not db: response.session_storage_type = 'file' if global_settings.db_sessions is True \ or masterapp in global_settings.db_sessions: return response.session_new = False client = request.client and request.client.replace(':', '.') if response.session_id: if regex_session_id.match(response.session_id): response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) else: response.session_id = None # do not try load the data from file is these was data in cookie if response.session_id and not session_cookie_data: # os.path.exists(response.session_filename): try: response.session_file = \ open(response.session_filename, 'rb+') try: portalocker.lock(response.session_file, portalocker.LOCK_EX) response.session_locked = True self.update(cPickle.load(response.session_file)) response.session_file.seek(0) oc = response.session_filename.split('/')[-1]\ .split('-')[0] if check_client and client != oc: raise Exception("cookie attack") except: response.session_id = None finally: pass #This causes admin login to break. Must find out why. #self._close(response) except: response.session_file = None if not response.session_id: uuid = web2py_uuid() response.session_id = '%s-%s' % (client, uuid) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % \ (prefix, response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True # else the session goes in db else: response.session_storage_type = 'db' if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) if response.session_file: self._close(response) if settings.global_settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db if masterapp == request.application: table_migrate = migrate else: table_migrate = False tname = tablename + '_' + masterapp table = db.get(tname, None) Field = db.Field if table is None: db.define_table( tname, Field('locked', 'boolean', default=False), Field('client_ip', length=64), Field('created_datetime', 'datetime', default=request.now), Field('modified_datetime', 'datetime'), Field('unique_key', length=64), Field('session_data', 'blob'), migrate=table_migrate, ) table = db[tname] # to allow for lazy table try: # Get session data out of the database (record_id, unique_key) = response.session_id.split(':') if record_id == '0': raise Exception('record_id == 0') # Select from database if not session_cookie_data: rows = db(table.id == record_id).select() # Make sure the session data exists in the database if len(rows) == 0 or rows[0].unique_key != unique_key: raise Exception('No record') # rows[0].update_record(locked=True) # Unpickle the data session_data = cPickle.loads(rows[0].session_data) self.update(session_data) except Exception: record_id = None unique_key = web2py_uuid() session_data = {} response.session_id = '%s:%s' % (record_id, unique_key) response.session_db_table = table response.session_db_record_id = record_id response.session_db_unique_key = unique_key # keep tablename parameter for use in session renew response.session_table_name = tablename rcookies = response.cookies rcookies[response.session_id_name] = response.session_id rcookies[response.session_id_name]['path'] = '/' if cookie_expires: rcookies[response. session_id_name]['expires'] = cookie_expires.strftime(FMT) # if not cookie_key, but session_data_name in cookies # expire session_data_name from cookies if session_cookie_data: rcookies[response.session_data_name] = 'expired' rcookies[response.session_data_name]['path'] = '/' rcookies[response.session_data_name]['expires'] = PAST if self.flash: (response.flash, self.flash) = (self.flash, None)
def test_web2py_uuid(self): from uuid import UUID self.assertTrue(UUID(web2py_uuid()))
def run(appname, plain=False, import_models=False, startfile=None, bpython=False, python_code=False): """ Start interactive shell or run Python script (startfile) in web2py controller environment. appname is formatted like: a web2py application name a/c exec the controller c into the application environment """ (a, c, f) = parse_path_info(appname) errmsg = "invalid application name: %s" % appname if not a: die(errmsg) adir = os.path.join("applications", a) if not os.path.exists(adir): if raw_input("application %s does not exist, create (y/n)?" % a).lower() in ["y", "yes"]: os.mkdir(adir) w2p_unpack("welcome.w2p", adir) for subfolder in [ "models", "views", "controllers", "databases", "modules", "cron", "errors", "sessions", "languages", "static", "private", "uploads", ]: subpath = os.path.join(adir, subfolder) if not os.path.exists(subpath): os.mkdir(subpath) db = os.path.join(adir, "models/db.py") if os.path.exists(db): data = fileutils.read_file(db) data = data.replace("<your secret key>", "sha512:" + web2py_uuid()) fileutils.write_file(db, data) if c: import_models = True _env = env(a, c=c, f=f, import_models=import_models) if c: cfile = os.path.join("applications", a, "controllers", c + ".py") if not os.path.isfile(cfile): cfile = os.path.join("applications", a, "compiled", "controllers_%s_%s.pyc" % (c, f)) if not os.path.isfile(cfile): die(errmsg) else: exec read_pyc(cfile) in _env else: execfile(cfile, _env) if f: exec ("print %s()" % f, _env) return # "woodoo magic" workaround: reinitialize main.py g = {} exec "import main" in g del g _env.update(exec_pythonrc()) if startfile: try: execfile(startfile, _env) if import_models: BaseAdapter.close_all_instances("commit") except Exception, e: print traceback.format_exc() if import_models: BaseAdapter.close_all_instances("rollback")
def connect( self, request, response, db=None, tablename='web2py_session', masterapp=None, migrate=True, separate=None, check_client=False, cookie_key=None, ): """ separate can be separate=lambda(session_name): session_name[-2:] and it is used to determine a session prefix. separate can be True and it is set to session_name[-2:] """ if separate == True: separate = lambda session_name: session_name[-2:] self._unlock(response) if not masterapp: masterapp = request.application response.session_id_name = 'session_id_%s' % masterapp.lower() # Load session data from cookie cookies = request.cookies if cookie_key: response.session_cookie_key = cookie_key response.session_cookie_key2 = hashlib.md5(cookie_key).digest() cookie_name = masterapp.lower() + '_session_data' response.session_cookie_name = cookie_name if cookie_name in cookies: cookie_value = cookies[cookie_name].value cookie_parts = cookie_value.split(":") enc = cookie_parts[2] cipher = AES.new(cookie_key) decrypted = cipher.decrypt(base64.b64decode(enc)).rstrip('{') check = hmac.new(response.session_cookie_key2, enc).hexdigest() if cookie_parts[0] == check: session_data = cPickle.loads(decrypted) self.update(session_data) else: return if not db: if global_settings.db_sessions is True \ or masterapp in global_settings.db_sessions: return response.session_new = False client = request.client and request.client.replace(':', '.') if response.session_id_name in cookies: response.session_id = \ cookies[response.session_id_name].value if regex_session_id.match(response.session_id): response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) else: response.session_id = None if response.session_id: try: response.session_file = \ open(response.session_filename, 'rb+') try: portalocker.lock(response.session_file, portalocker.LOCK_EX) response.session_locked = True self.update(cPickle.load(response.session_file)) response.session_file.seek(0) oc = response.session_filename.split('/')[-1]\ .split('-')[0] if check_client and client != oc: raise Exception, "cookie attack" finally: pass #This causes admin login to break. Must find out why. #self._close(response) except: response.session_id = None if not response.session_id: uuid = web2py_uuid() response.session_id = '%s-%s' % (client, uuid) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % \ (prefix,response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True else: if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) response.session_db = True if response.session_file: self._close(response) if settings.global_settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db if masterapp == request.application: table_migrate = migrate else: table_migrate = False tname = tablename + '_' + masterapp table = db.get(tname, None) Field = db.Field if table is None: db.define_table( tname, Field('locked', 'boolean', default=False), Field('client_ip', length=64), Field('created_datetime', 'datetime', default=request.now), Field('modified_datetime', 'datetime'), Field('unique_key', length=64), Field('session_data', 'blob'), migrate=table_migrate, ) table = db[tname] # to allow for lazy table try: # Get session data out of the database # Key comes from the cookie key = cookies[response.session_id_name].value (record_id, unique_key) = key.split(':') if record_id == '0': raise Exception, 'record_id == 0' # Select from database rows = db(table.id == record_id).select() # Make sure the session data exists in the database if len(rows) == 0 or rows[0].unique_key != unique_key: raise Exception, 'No record' # rows[0].update_record(locked=True) # Unpickle the data session_data = cPickle.loads(rows[0].session_data) self.update(session_data) except Exception: record_id = None unique_key = web2py_uuid() session_data = {} response._dbtable_and_field = \ (response.session_id_name, table, record_id, unique_key) response.session_id = '%s:%s' % (record_id, unique_key) rcookies = response.cookies rcookies[response.session_id_name] = response.session_id rcookies[response.session_id_name]['path'] = '/' self.__hash = hashlib.md5(str(self)).digest() if self.flash: (response.flash, self.flash) = (self.flash, None)
def run( appname, plain=False, import_models=False, startfile=None, bpython=False, python_code=False, cronjob=False): """ Start interactive shell or run Python script (startfile) in web2py controller environment. appname is formatted like: a web2py application name a/c exec the controller c into the application environment """ (a, c, f, args, vars) = parse_path_info(appname, av=True) errmsg = 'invalid application name: %s' % appname if not a: die(errmsg) adir = os.path.join('applications', a) if not os.path.exists(adir): if sys.stdin and not sys.stdin.name == '/dev/null': confirm = raw_input( 'application %s does not exist, create (y/n)?' % a) else: logging.warn('application does not exist and will not be created') return if confirm.lower() in ['y', 'yes']: os.mkdir(adir) w2p_unpack('welcome.w2p', adir) for subfolder in ['models', 'views', 'controllers', 'databases', 'modules', 'cron', 'errors', 'sessions', 'languages', 'static', 'private', 'uploads']: subpath = os.path.join(adir, subfolder) if not os.path.exists(subpath): os.mkdir(subpath) db = os.path.join(adir, 'models/db.py') if os.path.exists(db): data = fileutils.read_file(db) data = data.replace( '<your secret key>', 'sha512:' + web2py_uuid()) fileutils.write_file(db, data) if c: import_models = True extra_request = {} if args: extra_request['args'] = args if vars: extra_request['vars'] = vars _env = env(a, c=c, f=f, import_models=import_models, extra_request=extra_request) if c: pyfile = os.path.join('applications', a, 'controllers', c + '.py') pycfile = os.path.join('applications', a, 'compiled', "controllers_%s_%s.pyc" % (c, f)) if ((cronjob and os.path.isfile(pycfile)) or not os.path.isfile(pyfile)): exec read_pyc(pycfile) in _env elif os.path.isfile(pyfile): execfile(pyfile, _env) else: die(errmsg) if f: exec ('print %s()' % f, _env) return _env.update(exec_pythonrc()) if startfile: try: ccode = None if startfile.endswith('.pyc'): ccode = read_pyc(startfile) exec ccode in _env else: execfile(startfile, _env) if import_models: BaseAdapter.close_all_instances('commit') except Exception, e: print traceback.format_exc() if import_models: BaseAdapter.close_all_instances('rollback')
def POST(reg_user): doc = POST.func_doc return_dict = dict(doc=doc) user_dict = {} table_user = auth.settings.table_user user = auth.db(table_user["username"] == reg_user["username"]).select().first() if user: return_dict["err_found"] = True return_dict["err_msg"] = "Username already registered" return gluon.contrib.simplejson.dumps(return_dict) user = auth.db(table_user["email"] == reg_user["email"]).select().first() if user: return_dict["err_found"] = True return_dict["err_msg"] = "Mail already registered" return gluon.contrib.simplejson.dumps(return_dict) user_dict["username"] = reg_user["username"] user_dict["first_name"] = reg_user["firstname"] user_dict["last_name"] = reg_user["lastname"] user_dict["email"] = reg_user["email"] if not re.match(r"[^@]+@[^@]+\.[^@]+", reg_user["email"]): return_dict["err_found"] = True return_dict["err_msg"] = "Invalid mail" return gluon.contrib.simplejson.dumps(return_dict) passwd = reg_user["passwd"] if len(passwd) < 4: return_dict["err_found"] = True return_dict["err_msg"] = "Password must have at least four characters" return gluon.contrib.simplejson.dumps(return_dict) passfield = auth.settings.password_field # alg = 'pbkdf2(1000,20,sha512)' # user_dict[passfield] = CRYPT(digest_alg=alg,salt=True)(passwd)[0] user_dict[passfield] = CRYPT(key=auth.settings.hmac_key)(passwd)[0] logger.debug("pass_field: " + str(user_dict) + " with passwd:" + passwd) if auth.settings.registration_requires_verification: table_user.registration_key.default = verify_key = web2py_uuid() main_url = "http://" + str(request.env.http_host) + "/" + str(request.application) verify_msg = ( "Welcome " + user_dict["username"] + " click on the link " + main_url + "/routes/#/logging/user_verify?key=" + verify_key + " to verify your mail" ) logger.debug("registration requires mail verification") if not auth.settings.mailer or not auth.settings.mailer.send( to=user_dict["email"], subject=auth.messages.verify_email_subject, message=verify_msg ): return_dict["err_found"] = True return_dict["err_msg"] = "Invalid mail" return gluon.contrib.simplejson.dumps(return_dict) return_dict["to_verify"] = True # the next function also creates the user_groups user = auth.get_or_create_user(user_dict, login=False) logger.debug("User registered: " + str(user)) if user_passphrase_active: # improve random string following http://stackoverflow.com/questions/7479442/high-quality-simple-random-password-generator # alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' # os.urandom() # instead of http://stackoverflow.com/questions/2257441/random-string-generation-with-upper-case-letters-and-digits-in-python db.auth_user.passphrase.writable = True import random, string pf = "".join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(16)) db(db.auth_user.username == user_dict["username"]).update(passphrase=pf) db.auth_user.passphrase.writable = False # print "db.auth_user.passphrase.writable :",db.auth_user.passphrase.writable db.commit() user_db = auth.db(table_user["username"] == reg_user["username"]).select().first() if not auth.settings.registration_requires_verification and auth.settings.registration_requires_approval: user_db.update_record(registration_key="pending") return_dict["to_approve"] = True # After registration the user is automatically logged in (uncomment the next) # But it has to be modified in case approval and/or verification are active # user = auth.login_bare(user_dict['username'],passwd) return gluon.contrib.simplejson.dumps(return_dict)
def log(self, request): """ logs the exception. """ try: a = request.application d = { "layer": str(self.layer), "code": str(self.code), "output": str(self.output), "traceback": str(self.traceback), } fmt = "%Y-%m-%d.%H-%M-%S" f = "%s.%s.%s" % (request.client.replace(":", "_"), datetime.datetime.now().strftime(fmt), web2py_uuid()) ticket_storage = TicketStorage(db=request.tickets_db) ticket_storage.store(request, f, d) return "%s/%s" % (a, f) except: logging.error(self.traceback) return None
def connect(self, request=None, response=None, db=None, tablename='web2py_session', masterapp=None, migrate=True, separate=None, check_client=False, cookie_key=None, cookie_expires=None, compression_level=None): """ separate can be separate=lambda(session_name): session_name[-2:] and it is used to determine a session prefix. separate can be True and it is set to session_name[-2:] """ request = request or current.request response = response or current.response masterapp = masterapp or request.application cookies = request.cookies self._unlock(response) response.session_masterapp = masterapp response.session_id_name = 'session_id_%s' % masterapp.lower() response.session_data_name = 'session_data_%s' % masterapp.lower() response.session_cookie_expires = cookie_expires response.session_client = str(request.client).replace(':', '.') response.session_cookie_key = cookie_key response.session_cookie_compression_level = compression_level # check if there is a session_id in cookies try: response.session_id = cookies[response.session_id_name].value except KeyError: response.session_id = None # if we are supposed to use cookie based session data if cookie_key: response.session_storage_type = 'cookie' elif db: response.session_storage_type = 'db' else: response.session_storage_type = 'file' # why do we do this? # because connect may be called twice, by web2py and in models. # the first time there is no db yet so it should do nothing if (global_settings.db_sessions is True or masterapp in global_settings.db_sessions): return if response.session_storage_type == 'cookie': # check if there is session data in cookies if response.session_data_name in cookies: session_cookie_data = cookies[response.session_data_name].value else: session_cookie_data = None if session_cookie_data: data = secure_loads(session_cookie_data, cookie_key, compression_level=compression_level) if data: self.update(data) response.session_id = True # else if we are supposed to use file based sessions elif response.session_storage_type == 'file': response.session_new = False response.session_file = None # check if the session_id points to a valid sesion filename if response.session_id: if not regex_session_id.match(response.session_id): response.session_id = None else: response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) try: response.session_file = \ open(response.session_filename, 'rb+') portalocker.lock(response.session_file, portalocker.LOCK_EX) response.session_locked = True self.update(cPickle.load(response.session_file)) response.session_file.seek(0) oc = response.session_filename.split('/')[-1].split( '-')[0] if check_client and response.session_client != oc: raise Exception("cookie attack") except: response.session_id = None if not response.session_id: uuid = web2py_uuid() response.session_id = '%s-%s' % (response.session_client, uuid) separate = separate and ( lambda session_name: session_name[-2:]) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % (prefix, response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True # else the session goes in db elif response.session_storage_type == 'db': if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) # if had a session on file alreday, close it (yes, can happen) if response.session_file: self._close(response) # if on GAE tickets go also in DB if settings.global_settings.web2py_runtime_gae: request.tickets_db = db table_migrate = (masterapp == request.application) tname = tablename + '_' + masterapp table = db.get(tname, None) Field = db.Field if table is None: db.define_table( tname, Field('locked', 'boolean', default=False), Field('client_ip', length=64), Field('created_datetime', 'datetime', default=request.now), Field('modified_datetime', 'datetime'), Field('unique_key', length=64), Field('session_data', 'blob'), migrate=table_migrate, ) table = db[tname] # to allow for lazy table response.session_db_table = table if response.session_id: # Get session data out of the database try: (record_id, unique_key) = response.session_id.split(':') record_id = long(record_id) except (TypeError, ValueError): record_id = None # Select from database if record_id: row = table(record_id) #,unique_key=unique_key) # Make sure the session data exists in the database if row: # rows[0].update_record(locked=True) # Unpickle the data session_data = cPickle.loads(row.session_data) self.update(session_data) else: record_id = None if record_id: response.session_id = '%s:%s' % (record_id, unique_key) response.session_db_unique_key = unique_key response.session_db_record_id = record_id else: response.session_id = None response.session_new = True if self.flash: (response.flash, self.flash) = (self.flash, None) session_pickled = cPickle.dumps(self) response.session_hash = hashlib.md5(session_pickled).hexdigest()
def paste(): """ Import and parse password pasted to a textbox into t_accounts """ from skaldship.general import check_datadir check_datadir(request.folder) # Service_id is primary, host_id is secondary, if none then list # all the services svc_set = [] url = URL('accounts', 'paste') if request.vars.has_key('service_id'): try: record = db.t_services[request.vars.service_id] svc_set.append((record.id, "%s :: %s/%s" % (host_title_maker(db.t_hosts[record.f_hosts_id]), record.f_proto, record.f_number))) url = URL('accounts', 'paste', vars={'service_id': request.vars.service_id}) except: pass elif request.vars.has_key('host_id'): try: host_record = get_host_record(request.vars.host_id) svc_records = db( db.t_services.f_hosts_id == host_record.id).select( cache=(cache.ram, 30)) url = URL('accounts', 'paste', vars={'host_id': request.vars.host_id}) for record in svc_records: svc_set.append( (record.id, "%s :: %s/%s" % (host_title_maker(db.t_hosts[record.f_hosts_id]), record.f_proto, record.f_number))) except: pass if len(svc_set) == 0: # all services svc_records = db(db.t_services).select(cache=(cache.ram, 30)) svc_set = [] for record in svc_records: svc_set.append((record.id, "%s :: %s/%s" % (host_title_maker(db.t_hosts[record.f_hosts_id]), record.f_proto, record.f_number))) if request.extension == "load": buttons = [] else: buttons = ['submit'] form = SQLFORM.factory( Field('f_service', 'string', label=T('Host / Service'), requires=IS_IN_SET(svc_set), default=svc_set[0][0]), Field('f_pwtext', 'text', label=T('Password text')), Field('f_type', 'string', label=T('File type'), default='PWDUMP', requires=IS_IN_SET(settings.password_file_types)), Field('f_source', 'string', label=T('Source (if necessary)')), Field('f_add_to_evidence', 'boolean', label=T('Add file to Evidence')), buttons=buttons, _action=url, _id='accounts_paste_form' #_action=url, _id='accounts_paste_form', formstyle='bootstrap_modal' ) resp_text = "" accounts_added = [] accounts_updated = [] if form.errors: response.flash = 'Error in form' return TABLE(*[TR(k, v) for k, v in form.errors.items()]) elif form.accepts(request.vars, session): from utils import web2py_uuid host_id = db.t_services[form.vars.f_service].f_hosts_id pwd_file_dir = os.path.join(request.folder, 'data', 'passwords', 'other') if not os.path.exists(pwd_file_dir): from gluon.fileutils import mktree mktree(pwd_file_dir) filename = "%s-pwfile-%s" % (host_id, web2py_uuid()) full_file_path = os.path.join(request.folder, 'data/passwords/other', filename) of = open(full_file_path, "w") of.write(form.vars.f_pwtext) of.close() logger.debug("Processing password file: %s" % (full_file_path)) account_data = process_password_file(pw_file=full_file_path, file_type=request.vars.f_type, source=request.vars.f_source) response.headers[ 'web2py-component-command'] = 'accounttable.fnReloadAjax();' resp_text = insert_or_update_acct(form.vars.f_service, account_data) if form.vars.f_add_to_evidence is True: # add the password file to evidence try: pwdata = open(full_file_path, "r").readlines() except Exception, e: logger.error("Error opening %s: %s" % (full_file_path, e)) resp_text += "Error opening %s: %s\n" % (full_file_path, e) db.t_evidence.insert(f_hosts_id=host_id, f_type='Password File', f_text=form.vars.f_type, f_filename=filename, f_evidence=filename, f_data=pwdata) resp_text += "\n%s added to evidence\n" % (filename) db.commit()
def connect( self, request, response, db=None, tablename='web2py_session', masterapp=None, migrate=True, separate = None, check_client=False, cookie_key=None, ): """ separate can be separate=lambda(session_name): session_name[-2:] and it is used to determine a session prefix. separate can be True and it is set to session_name[-2:] """ if separate == True: separate = lambda session_name: session_name[-2:] self._unlock(response) if not masterapp: masterapp = request.application response.session_id_name = 'session_id_%s' % masterapp.lower() # Load session data from cookie cookies = request.cookies if cookie_key: response.session_cookie_key = cookie_key response.session_cookie_key2 = hashlib.md5(cookie_key).digest() cookie_name = masterapp.lower()+'_session_data' response.session_cookie_name = cookie_name if cookie_name in cookies: cookie_value = cookies[cookie_name].value cookie_parts = cookie_value.split(":") enc = cookie_parts[2] cipher = AES.new(cookie_key) decrypted = cipher.decrypt(base64.b64decode(enc)).rstrip('{') check = hmac.new(response.session_cookie_key2,enc).hexdigest() if cookie_parts[0] == check: session_data = cPickle.loads(decrypted) self.update(session_data) else: return if not db: if global_settings.db_sessions is True \ or masterapp in global_settings.db_sessions: return response.session_new = False client = request.client and request.client.replace(':', '.') if response.session_id_name in cookies: response.session_id = \ cookies[response.session_id_name].value if regex_session_id.match(response.session_id): response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) else: response.session_id = None if response.session_id: try: response.session_file = \ open(response.session_filename, 'rb+') try: portalocker.lock(response.session_file, portalocker.LOCK_EX) response.session_locked = True self.update(cPickle.load(response.session_file)) response.session_file.seek(0) oc = response.session_filename.split('/')[-1]\ .split('-')[0] if check_client and client!=oc: raise Exception, "cookie attack" finally: pass #This causes admin login to break. Must find out why. #self._close(response) except: response.session_id = None if not response.session_id: uuid = web2py_uuid() response.session_id = '%s-%s' % (client, uuid) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % \ (prefix,response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True else: if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) response.session_db = True if response.session_file: self._close(response) if settings.global_settings.web2py_runtime_gae: # in principle this could work without GAE request.tickets_db = db if masterapp == request.application: table_migrate = migrate else: table_migrate = False tname = tablename + '_' + masterapp table = db.get(tname, None) Field = db.Field if table is None: db.define_table( tname, Field('locked', 'boolean', default=False), Field('client_ip', length=64), Field('created_datetime', 'datetime', default=request.now), Field('modified_datetime', 'datetime'), Field('unique_key', length=64), Field('session_data', 'blob'), migrate=table_migrate, ) table = db[tname] # to allow for lazy table try: # Get session data out of the database # Key comes from the cookie key = cookies[response.session_id_name].value (record_id, unique_key) = key.split(':') if record_id == '0': raise Exception, 'record_id == 0' # Select from database rows = db(table.id == record_id).select() # Make sure the session data exists in the database if len(rows) == 0 or rows[0].unique_key != unique_key: raise Exception, 'No record' # rows[0].update_record(locked=True) # Unpickle the data session_data = cPickle.loads(rows[0].session_data) self.update(session_data) except Exception: record_id = None unique_key = web2py_uuid() session_data = {} response._dbtable_and_field = \ (response.session_id_name, table, record_id, unique_key) response.session_id = '%s:%s' % (record_id, unique_key) rcookies = response.cookies rcookies[response.session_id_name] = response.session_id rcookies[response.session_id_name]['path'] = '/' self.__hash = hashlib.md5(str(self)).digest() if self.flash: (response.flash, self.flash) = (self.flash, None)
def connect( self, request=None, response=None, db=None, tablename='web2py_session', masterapp=None, migrate=True, separate=None, check_client=False, cookie_key=None, cookie_expires=None, compression_level=None ): """ separate can be separate=lambda(session_name): session_name[-2:] and it is used to determine a session prefix. separate can be True and it is set to session_name[-2:] """ request = request or current.request response = response or current.response masterapp = masterapp or request.application cookies = request.cookies self._unlock(response) response.session_masterapp = masterapp response.session_id_name = 'session_id_%s' % masterapp.lower() response.session_data_name = 'session_data_%s' % masterapp.lower() response.session_cookie_expires = cookie_expires response.session_client = str(request.client).replace(':', '.') response.session_cookie_key = cookie_key response.session_cookie_compression_level = compression_level # check if there is a session_id in cookies try: response.session_id = cookies[response.session_id_name].value except KeyError: response.session_id = None # if we are supposed to use cookie based session data if cookie_key: response.session_storage_type = 'cookie' elif db: response.session_storage_type = 'db' else: response.session_storage_type = 'file' # why do we do this? # because connect may be called twice, by web2py and in models. # the first time there is no db yet so it should do nothing if (global_settings.db_sessions is True or masterapp in global_settings.db_sessions): return if response.session_storage_type == 'cookie': # check if there is session data in cookies if response.session_data_name in cookies: session_cookie_data = cookies[response.session_data_name].value else: session_cookie_data = None if session_cookie_data: data = secure_loads(session_cookie_data, cookie_key, compression_level=compression_level) if data: self.update(data) response.session_id = True # else if we are supposed to use file based sessions elif response.session_storage_type == 'file': response.session_new = False response.session_file = None # check if the session_id points to a valid sesion filename if response.session_id: if not regex_session_id.match(response.session_id): response.session_id = None else: response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) try: response.session_file = \ open(response.session_filename, 'rb+') portalocker.lock(response.session_file, portalocker.LOCK_EX) response.session_locked = True self.update(cPickle.load(response.session_file)) response.session_file.seek(0) oc = response.session_filename.split('/')[-1].split('-')[0] if check_client and response.session_client != oc: raise Exception("cookie attack") except: response.session_id = None if not response.session_id: uuid = web2py_uuid() response.session_id = '%s-%s' % (response.session_client, uuid) separate = separate and (lambda session_name: session_name[-2:]) if separate: prefix = separate(response.session_id) response.session_id = '%s/%s' % (prefix, response.session_id) response.session_filename = \ os.path.join(up(request.folder), masterapp, 'sessions', response.session_id) response.session_new = True # else the session goes in db elif response.session_storage_type == 'db': if global_settings.db_sessions is not True: global_settings.db_sessions.add(masterapp) # if had a session on file alreday, close it (yes, can happen) if response.session_file: self._close(response) # if on GAE tickets go also in DB if settings.global_settings.web2py_runtime_gae: request.tickets_db = db table_migrate = (masterapp == request.application) tname = tablename + '_' + masterapp table = db.get(tname, None) Field = db.Field if table is None: db.define_table( tname, Field('locked', 'boolean', default=False), Field('client_ip', length=64), Field('created_datetime', 'datetime', default=request.now), Field('modified_datetime', 'datetime'), Field('unique_key', length=64), Field('session_data', 'blob'), migrate=table_migrate, ) table = db[tname] # to allow for lazy table response.session_db_table = table if response.session_id: # Get session data out of the database try: (record_id, unique_key) = response.session_id.split(':') record_id = long(record_id) except (TypeError,ValueError): record_id = None # Select from database if record_id: row = table(record_id) #,unique_key=unique_key) # Make sure the session data exists in the database if row: # rows[0].update_record(locked=True) # Unpickle the data session_data = cPickle.loads(row.session_data) self.update(session_data) else: record_id = None if record_id: response.session_id = '%s:%s' % (record_id, unique_key) response.session_db_unique_key = unique_key response.session_db_record_id = record_id else: response.session_id = None response.session_new = True if self.flash: (response.flash, self.flash) = (self.flash, None)
def run(appname, plain=False, import_models=False, startfile=None, bpython=False, python_code=False): """ Start interactive shell or run Python script (startfile) in web2py controller environment. appname is formatted like: a web2py application name a/c exec the controller c into the application environment """ (a, c, f) = parse_path_info(appname) errmsg = 'invalid application name: %s' % appname if not a: die(errmsg) adir = os.path.join('applications', a) if not os.path.exists(adir): if sys.stdin and not sys.stdin.name == '/dev/null': confirm = raw_input( 'application %s does not exist, create (y/n)?' % a) else: logging.warn('application does not exist and will not be created') return if confirm.lower() in ['y', 'yes']: os.mkdir(adir) w2p_unpack('welcome.w2p', adir) for subfolder in [ 'models', 'views', 'controllers', 'databases', 'modules', 'cron', 'errors', 'sessions', 'languages', 'static', 'private', 'uploads' ]: subpath = os.path.join(adir, subfolder) if not os.path.exists(subpath): os.mkdir(subpath) db = os.path.join(adir, 'models/db.py') if os.path.exists(db): data = fileutils.read_file(db) data = data.replace('<your secret key>', 'sha512:' + web2py_uuid()) fileutils.write_file(db, data) if c: import_models = True _env = env(a, c=c, f=f, import_models=import_models) if c: cfile = os.path.join('applications', a, 'controllers', c + '.py') if not os.path.isfile(cfile): cfile = os.path.join('applications', a, 'compiled', "controllers_%s_%s.pyc" % (c, f)) if not os.path.isfile(cfile): die(errmsg) else: exec read_pyc(cfile) in _env else: execfile(cfile, _env) if f: exec('print %s()' % f, _env) return _env.update(exec_pythonrc()) if startfile: try: execfile(startfile, _env) if import_models: BaseAdapter.close_all_instances('commit') except Exception, e: print traceback.format_exc() if import_models: BaseAdapter.close_all_instances('rollback')
def app_create(db, app, request, force=False, key=None, info=False): """ Create a copy of welcome.w2p (scaffolding) app Parameters ---------- app: application name request: the global request object """ path = apath(app, request) if not os.path.exists(path): try: os.mkdir(path) except: if info: return False, traceback.format_exc(sys.exc_info) else: return False, None elif not force: if info: return False, "Application exists" else: return False, None try: w2p_unpack('welcome.w2p', path) for subfolder in [ 'models', 'views', 'controllers', 'databases', 'modules', 'cron', 'errors', 'sessions', 'cache', 'languages', 'static', 'private', 'uploads']: subpath = os.path.join(path, subfolder) if not os.path.exists(subpath): os.mkdir(subpath) dbt = os.path.join(path, 'models', 'db.py') if os.path.exists(dbt): data = read_file(dbt) data = data.replace('<your secret key>', 'sha512:' + (key or web2py_uuid())) write_file(dbt, data) parms = db(db.parametros.id==1).select()[0] templates = os.path.join('\\\\' , '127.0.0.1' , 'c$' , parms.web2py , 'applications' , parms.soag , 'Template' , 'web2py') for subfolder in ['controllers', 'languages', 'models', 'modules', 'static', 'views']: template = os.path.join(templates, subfolder) subpath = os.path.join(path, subfolder) shutil.rmtree(subpath) shutil.copytree(template, subpath) # shutil.copyfile(os.path.join(templates, 'routes.py'), os.path.join(path, 'routes.py')) if info: return True, None else: return True, None except: shutil.rmtree(path) if info: return False, traceback.format_exc(sys.exc_info) else: return False, None