def renew(self, clear_session=False):
if clear_session:
self.clear()
request = current.request
response = current.response
session = response.session
masterapp = response.session_masterapp
cookies = request.cookies
if response.session_storage_type == 'cookie':
return
# if the session goes in file
if response.session_storage_type == 'file':
self._close(response)
uuid = web2py_uuid()
response.session_id = '%s-%s' % (response.session_client, uuid)
separate = (lambda s: s[-2:]) if session and response.session_id[2:3]=="/" else None
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % \
(prefix, response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
# else the session goes in db
elif response.session_storage_type == 'db':
table = response.session_db_table
# verify that session_id exists
if response.session_file:
self._close(response)
if response.session_new:
return
# Get session data out of the database
if response.session_id is None:
return
(record_id, sep, unique_key) = response.session_id.partition(':')
if record_id.isdigit() and long(record_id)>1:
new_unique_key = web2py_uuid()
row = table(record_id)
if row and row.unique_key==unique_key:
row.update_record(unique_key=new_unique_key)
else:
row = None
else:
row = None
if row:
response.session_id = '%s:%s' % (record_id, unique_key)
response.session_db_record_id = record_id
response.session_db_unique_key = new_unique_key
else:
response.session_new = True
def app_create(app, request):
"""
Create a copy of welcome.w2p (scaffolding) app
Parameters
----------
app:
application name
request:
the global request object
"""
did_mkdir = False
try:
path = apath(app, request)
os.mkdir(path)
did_mkdir = True
w2p_unpack('welcome.w2p', path)
db = os.path.join(path,'models/db.py')
if os.path.exists(db):
fp = open(db,'r')
data = fp.read()
fp.close()
data = data.replace('<your secret key>','sha512:'+web2py_uuid())
fp = open(db,'w')
fp.write(data)
fp.close()
return True
except:
if did_mkdir:
rmtree(path)
return False
def log(self, request):
"""
logs the exception.
"""
try:
a = request.application
d = {
'layer': str(self.layer),
'code': str(self.code),
'output': str(self.output),
'traceback': str(self.traceback),
'snapshot': self.snapshot,
}
fmt = '%Y-%m-%d.%H-%M-%S'
f = '%s.%s.%s' % (request.client.replace(':', '_'),
datetime.datetime.now().strftime(fmt),
web2py_uuid())
ticket_storage = TicketStorage(db=request.tickets_db)
ticket_storage.store(request, f, d)
return '%s/%s' % (a, f)
except:
logging.error(self.traceback)
return None
def toolbar(self):
from html import DIV, SCRIPT, BEAUTIFY, TAG, URL, A
BUTTON = TAG.button
admin = URL("admin", "default", "design", args=current.request.application)
from gluon.dal import DAL
dbstats = []
dbtables = {}
infos = DAL.get_instances()
for k, v in infos.iteritems():
dbstats.append(TABLE(*[TR(PRE(row[0]), "%.2fms" % (row[1] * 1000)) for row in v["dbstats"]]))
dbtables[k] = dict(
defined=v["dbtables"]["defined"] or "[no defined tables]",
lazy=v["dbtables"]["lazy"] or "[no lazy tables]",
)
u = web2py_uuid()
backtotop = A("Back to top", _href="#totop-%s" % u)
return DIV(
BUTTON("design", _onclick="document.location='%s'" % admin),
BUTTON("request", _onclick="jQuery('#request-%s').slideToggle()" % u),
BUTTON("response", _onclick="jQuery('#response-%s').slideToggle()" % u),
BUTTON("session", _onclick="jQuery('#session-%s').slideToggle()" % u),
BUTTON("db tables", _onclick="jQuery('#db-tables-%s').slideToggle()" % u),
BUTTON("db stats", _onclick="jQuery('#db-stats-%s').slideToggle()" % u),
DIV(BEAUTIFY(current.request), backtotop, _class="hidden", _id="request-%s" % u),
DIV(BEAUTIFY(current.session), backtotop, _class="hidden", _id="session-%s" % u),
DIV(BEAUTIFY(current.response), backtotop, _class="hidden", _id="response-%s" % u),
DIV(BEAUTIFY(dbtables), backtotop, _class="hidden", _id="db-tables-%s" % u),
DIV(BEAUTIFY(dbstats), backtotop, _class="hidden", _id="db-stats-%s" % u),
SCRIPT("jQuery('.hidden').hide()"),
_id="totop-%s" % u,
)
def run(
appname,
plain=False,
import_models=False,
startfile=None,
bpython=False,
python_code=False
):
"""
Start interactive shell or run Python script (startfile) in web2py
controller environment. appname is formatted like:
a web2py application name
a/c exec the controller c into the application environment
"""
(a, c, f) = parse_path_info(appname)
errmsg = 'invalid application name: %s' % appname
if not a:
die(errmsg)
adir = os.path.join('applications', a)
if not os.path.exists(adir):
if raw_input('application %s does not exist, create (y/n)?'
% a).lower() in ['y', 'yes']:
os.mkdir(adir)
w2p_unpack('welcome.w2p', adir)
for subfolder in ['models','views','controllers', 'databases',
'modules','cron','errors','sessions',
'languages','static','private','uploads']:
subpath = os.path.join(adir,subfolder)
if not os.path.exists(subpath):
os.mkdir(subpath)
db = os.path.join(adir,'models/db.py')
if os.path.exists(db):
data = fileutils.read_file(db)
data = data.replace('<your secret key>','sha512:'+web2py_uuid())
fileutils.write_file(db, data)
if c:
import_models = True
_env = env(a, c=c, import_models=import_models)
if c:
cfile = os.path.join('applications', a, 'controllers', c + '.py')
if not os.path.isfile(cfile):
cfile = os.path.join('applications', a, 'compiled', "controllers_%s_%s.pyc" % (c,f))
if not os.path.isfile(cfile):
die(errmsg)
else:
exec read_pyc(cfile) in _env
else:
execfile(cfile, _env)
if f:
exec ('print %s()' % f, _env)
elif startfile:
exec_pythonrc()
try:
execfile(startfile, _env)
except RestrictedError, e:
print e.traceback
def toolbar(self):
from html import DIV, SCRIPT, BEAUTIFY, TAG, URL
BUTTON = TAG.button
admin = URL("admin","default","design",
args=current.request.application)
from gluon.dal import thread
if hasattr(thread,'instances'):
dbstats = [TABLE(*[TR(PRE(row[0]),'%.2fms' % (row[1]*1000)) \
for row in i.db._timings]) \
for i in thread.instances]
else:
dbstats = [] # if no db or on GAE
u = web2py_uuid()
return DIV(
BUTTON('design',_onclick="document.location='%s'" % admin),
BUTTON('request',_onclick="jQuery('#request-%s').slideToggle()"%u),
DIV(BEAUTIFY(current.request),_class="hidden",_id="request-%s"%u),
BUTTON('session',_onclick="jQuery('#session-%s').slideToggle()"%u),
DIV(BEAUTIFY(current.session),_class="hidden",_id="session-%s"%u),
BUTTON('response',_onclick="jQuery('#response-%s').slideToggle()"%u),
DIV(BEAUTIFY(current.response),_class="hidden",_id="response-%s"%u),
BUTTON('db stats',_onclick="jQuery('#db-stats-%s').slideToggle()"%u),
DIV(BEAUTIFY(dbstats),_class="hidden",_id="db-stats-%s"%u),
SCRIPT("jQuery('.hidden').hide()")
)
def accepts(
self,
vars,
session=None,
formname='default',
keepvalues=False,
onvalidation=None,
):
self.errors.clear()
self.request_vars = Storage()
self.request_vars.update(vars)
self.session = session
self.formname = formname
self.keepvalues = keepvalues
# if this tag is a form and we are in accepting mode (status=True)
# check formname and formkey
status = True
if self.session and self.session.get('_formkey[%s]'
% self.formname, None) != self.request_vars._formkey:
status = False
if self.formname != self.request_vars._formname:
status = False
status = self._traverse(status)
if status and onvalidation:
onvalidation(self)
if self.errors:
status = False
if session != None:
self.formkey = session['_formkey[%s]' % formname] = web2py_uuid()
if status and not keepvalues:
self._traverse(False)
return status
def compute_uuid(self):
self.uuid = '%s/%s.%s.%s' % (
self.application,
self.client.replace(':', '_'),
self.now.strftime('%Y-%m-%d.%H-%M-%S'),
web2py_uuid())
return self.uuid
def _try_store_in_db(self, request, response):
# don't save if file-based sessions,
# no session id, or session being forgotten
# or no changes to session
if not response.session_db_table or self._forget or self._unchanged():
if (not response.session_db_table and
global_settings.db_sessions is not True and
response.session_masterapp in global_settings.db_sessions):
global_settings.db_sessions.remove(response.session_masterapp)
return False
table = response.session_db_table
record_id = response.session_db_record_id
if response.session_new:
unique_key = web2py_uuid()
else:
unique_key = response.session_db_unique_key
dd = dict(locked=False,
client_ip=response.session_client,
modified_datetime=request.now,
session_data=cPickle.dumps(dict(self)),
unique_key=unique_key)
if record_id:
table(record_id).update_record(**dd)
if not record_id:
record_id = table.insert(**dd)
response.session_id = '%s:%s' % (record_id, unique_key)
response.session_db_unique_key = unique_key
response.session_db_record_id = record_id
self.save_session_id_cookie()
return True
def compute_uuid(self):
self.uuid = "%s/%s.%s.%s" % (
self.application,
self.client.replace(":", "_"),
self.now.strftime("%Y-%m-%d.%H-%M-%S"),
web2py_uuid(),
)
return self.uuid
def run(
appname,
plain=False,
import_models=False,
startfile=None,
):
"""
Start interactive shell or run Python script (startfile) in web2py
controller environment. appname is formatted like:
a web2py application name
a/c exec the controller c into the application environment
"""
(a, c, f) = parse_path_info(appname)
errmsg = 'invalid application name: %s' % appname
if not a:
die(errmsg)
adir = os.path.join('applications', a)
if not os.path.exists(adir):
if raw_input('application %s does not exist, create (y/n)?'
% a).lower() in ['y', 'yes']:
os.mkdir(adir)
w2p_unpack('welcome.w2p', adir)
db = os.path.join(adir,'models/db.py')
if os.path.exists(db):
fp = open(db,'r')
data = fp.read()
fp.close()
data = data.replace('<your secret key>','sha512:'+web2py_uuid())
fp = open(db,'w')
fp.write(data)
fp.close()
if c:
import_models = True
_env = env(a, c=c, import_models=import_models)
if c:
cfile = os.path.join('applications', a, 'controllers', c + '.py')
if not os.path.isfile(cfile):
die(errmsg)
execfile(cfile, _env)
if f:
exec ('print %s()' % f, _env)
elif startfile:
exec_pythonrc()
try:
execfile(startfile, _env)
except RestrictedError, e:
print e.traceback
def app_create(app, request, force=False, key=None, info=False):
"""
Create a copy of welcome.w2p (scaffolding) app
Parameters
----------
app:
application name
request:
the global request object
"""
path = apath(app, request)
if not os.path.exists(path):
try:
os.mkdir(path)
except:
if info:
return False, traceback.format_exc(sys.exc_info)
else:
return False
elif not force:
if info:
return False, "Application exists"
else:
return False
try:
w2p_unpack('welcome.w2p', path)
for subfolder in [
'models', 'views', 'controllers', 'databases',
'modules', 'cron', 'errors', 'sessions', 'cache',
'languages', 'static', 'private', 'uploads']:
subpath = os.path.join(path, subfolder)
if not os.path.exists(subpath):
os.mkdir(subpath)
db = os.path.join(path, 'models', 'db.py')
if os.path.exists(db):
data = read_file(db)
data = data.replace('<your secret key>',
'sha512:' + (key or web2py_uuid()))
write_file(db, data)
if info:
return True, None
else:
return True
except:
rmtree(path)
if info:
return False, traceback.format_exc(sys.exc_info)
else:
return False
def POST(rp_user):
doc = POST.func_doc
return_dict = dict(doc=doc)
user_dict = {}
logger.debug("rp_user: "******"mail"]
table_user = auth.settings.table_user
user = auth.db(table_user.email == user_mail).select().first()
if not user:
msg = "Cannot reset password. Mail not registered"
return_dict["err_found"] = True
return_dict["err_msg"] = msg
return gluon.contrib.simplejson.dumps(return_dict)
elif user.registration_key in ["pending", "disabled"]:
msg = "Cannot reset password. User registration pending or disabled"
return_dict["err_found"] = True
return_dict["err_msg"] = msg
return gluon.contrib.simplejson.dumps(return_dict)
reset_password_key = str(int(time.time())) + "-" + web2py_uuid()
# link = auth.url(auth.settings.function,
# args=('reset_password',),
# vars={'key': reset_password_key},
# scheme=True)
# d = dict(user)
# d.update(dict(key=reset_password_key, link=link))
main_url = "http://" + str(request.env.http_host) + "/" + str(request.application)
reset_msg = (
"Click on the link "
+ main_url
+ "/routes/#/logging/user_resetpasswd?key="
+ reset_password_key
+ " to reset your password"
)
if auth.settings.mailer and auth.settings.mailer.send(
to=user_mail, subject=auth.messages.reset_password_subject, message=reset_msg
):
# message=auth.messages.reset_password % d):
user.update_record(reset_password_key=reset_password_key)
else:
msg = "Cannot complete the password reset request. Cannot send mail"
return_dict["err_found"] = True
return_dict["err_msg"] = msg
return gluon.contrib.simplejson.dumps(return_dict)
return gluon.contrib.simplejson.dumps(return_dict)
def toolbar(self):
from html import DIV, SCRIPT, BEAUTIFY, TAG, URL, A
BUTTON = TAG.button
admin = URL("admin", "default", "design",
args=current.request.application)
from gluon.dal import DAL
dbstats = []
dbtables = {}
infos = DAL.get_instances()
for k,v in infos.iteritems():
dbstats.append(TABLE(*[TR(PRE(row[0]),'%.2fms' %
(row[1]*1000))
for row in v['dbstats']]))
dbtables[k] = dict(defined=v['dbtables']['defined'] or '[no defined tables]',
lazy=v['dbtables']['lazy'] or '[no lazy tables]')
u = web2py_uuid()
backtotop = A('Back to top', _href="#totop-%s" % u)
# Convert lazy request.vars from property to Storage so they
# will be displayed in the toolbar.
request = copy.copy(current.request)
request.update(vars=current.request.vars,
get_vars=current.request.get_vars,
post_vars=current.request.post_vars)
return DIV(
BUTTON('design', _onclick="document.location='%s'" % admin),
BUTTON('request',
_onclick="jQuery('#request-%s').slideToggle()" % u),
BUTTON('response',
_onclick="jQuery('#response-%s').slideToggle()" % u),
BUTTON('session',
_onclick="jQuery('#session-%s').slideToggle()" % u),
BUTTON('db tables',
_onclick="jQuery('#db-tables-%s').slideToggle()" % u),
BUTTON('db stats',
_onclick="jQuery('#db-stats-%s').slideToggle()" % u),
DIV(BEAUTIFY(request), backtotop,
_class="hidden", _id="request-%s" % u),
DIV(BEAUTIFY(current.session), backtotop,
_class="hidden", _id="session-%s" % u),
DIV(BEAUTIFY(current.response), backtotop,
_class="hidden", _id="response-%s" % u),
DIV(BEAUTIFY(dbtables), backtotop, _class="hidden",
_id="db-tables-%s" % u),
DIV(BEAUTIFY(
dbstats), backtotop, _class="hidden", _id="db-stats-%s" % u),
SCRIPT("jQuery('.hidden').hide()"), _id="totop-%s" % u
)
def toolbar(self):
from html import DIV, SCRIPT, BEAUTIFY, TAG, URL, A
BUTTON = TAG.button
admin = URL("admin", "default", "design",
args=current.request.application)
from gluon.dal import THREAD_LOCAL
if hasattr(THREAD_LOCAL, 'instances'):
dbstats = [TABLE(*[TR(PRE(row[0]), '%.2fms' % (row[1] * 1000))
for row in i.db._timings])
for i in THREAD_LOCAL.instances]
dbtables = dict([(regex_nopasswd.sub('******', i.uri),
{'defined':
sorted(list(set(i.db.tables) -
set(i.db._LAZY_TABLES.keys()))) or
'[no defined tables]',
'lazy': sorted(i.db._LAZY_TABLES.keys()) or
'[no lazy tables]'})
for i in THREAD_LOCAL.instances])
else:
dbstats = [] # if no db or on GAE
dbtables = {}
u = web2py_uuid()
backtotop = A('Back to top', _href="#totop-%s" % u)
return DIV(
BUTTON('design', _onclick="document.location='%s'" % admin),
BUTTON('request',
_onclick="jQuery('#request-%s').slideToggle()" % u),
BUTTON('response',
_onclick="jQuery('#response-%s').slideToggle()" % u),
BUTTON('session',
_onclick="jQuery('#session-%s').slideToggle()" % u),
BUTTON('db tables',
_onclick="jQuery('#db-tables-%s').slideToggle()" % u),
BUTTON('db stats',
_onclick="jQuery('#db-stats-%s').slideToggle()" % u),
DIV(BEAUTIFY(current.request), backtotop,
_class="hidden", _id="request-%s" % u),
DIV(BEAUTIFY(current.session), backtotop,
_class="hidden", _id="session-%s" % u),
DIV(BEAUTIFY(current.response), backtotop,
_class="hidden", _id="response-%s" % u),
DIV(BEAUTIFY(dbtables), backtotop, _class="hidden",
_id="db-tables-%s" % u),
DIV(BEAUTIFY(
dbstats), backtotop, _class="hidden", _id="db-stats-%s" % u),
SCRIPT("jQuery('.hidden').hide()"), _id="totop-%s" % u
)
def app_with_logging(environ, responder):
"""
a wsgi app that does logging and profiling and calls wsgibase
"""
status_headers = []
def responder2(s, h):
"""
wsgi responder app
"""
status_headers.append(s)
status_headers.append(h)
return responder(s, h)
time_in = time.time()
ret = [0]
if not profiler_dir:
ret[0] = wsgiapp(environ, responder2)
else:
import cProfile
prof = cProfile.Profile()
prof.enable()
ret[0] = wsgiapp(environ, responder2)
prof.disable()
destfile = pjoin(profiler_dir, "req_%s.prof" % web2py_uuid())
prof.dump_stats(destfile)
try:
line = '%s, %s, %s, %s, %s, %s, %f\n' % (
environ['REMOTE_ADDR'],
datetime.datetime.today().strftime('%Y-%m-%d %H:%M:%S'),
environ['REQUEST_METHOD'],
environ['PATH_INFO'].replace(',', '%2C'),
environ['SERVER_PROTOCOL'],
(status_headers[0])[:3],
time.time() - time_in,
)
if not logfilename:
sys.stdout.write(line)
elif isinstance(logfilename, str):
write_file(logfilename, line, 'a')
else:
logfilename.write(line)
except:
pass
return ret[0]
def app_create(app, request,force=False,key=None):
"""
Create a copy of welcome.w2p (scaffolding) app
Parameters
----------
app:
application name
request:
the global request object
"""
did_mkdir = False
try:
path = apath(app, request)
os.mkdir(path)
except:
if not force:
return False
try:
w2p_unpack('welcome.w2p', path)
for subfolder in ['models','views','controllers', 'databases',
'modules','cron','errors','sessions',
'languages','static','private','uploads']:
subpath = os.path.join(path,subfolder)
if not os.path.exists(subpath):
os.mkdir(subpath)
db = os.path.join(path, 'models', 'db.py')
if os.path.exists(db):
fp = open(db,'r')
data = fp.read()
fp.close()
data = data.replace('<your secret key>',
'sha512:'+(key or web2py_uuid()))
fp = open(db,'w')
fp.write(data)
fp.close()
return True
except:
rmtree(path)
return False
def toolbar(self):
from html import DIV, SCRIPT, BEAUTIFY, TAG, URL
BUTTON = TAG.button
admin = URL("admin",
"default",
"design",
args=current.request.application)
from gluon.dal import thread
if hasattr(thread, 'instances'):
dbstats = [TABLE(*[TR(PRE(row[0]),'%.2fms' % (row[1]*1000)) \
for row in i.db._timings]) \
for i in thread.instances]
else:
dbstats = [] # if no db or on GAE
u = web2py_uuid()
return DIV(
BUTTON('design', _onclick="document.location='%s'" % admin),
BUTTON('request',
_onclick="jQuery('#request-%s').slideToggle()" % u),
DIV(BEAUTIFY(current.request),
_class="hidden",
_id="request-%s" % u),
BUTTON('session',
_onclick="jQuery('#session-%s').slideToggle()" % u),
DIV(BEAUTIFY(current.session),
_class="hidden",
_id="session-%s" % u),
BUTTON('response',
_onclick="jQuery('#response-%s').slideToggle()" % u),
DIV(BEAUTIFY(current.response),
_class="hidden",
_id="response-%s" % u),
BUTTON('db stats',
_onclick="jQuery('#db-stats-%s').slideToggle()" % u),
DIV(BEAUTIFY(dbstats), _class="hidden", _id="db-stats-%s" % u),
SCRIPT("jQuery('.hidden').hide()"))
def renew(self,
request=None,
response=None,
db=None,
tablename='web2py_session',
masterapp=None,
clear_session=False):
if request is None:
request = current.request
if response is None:
response = current.response
#check if session is separate
separate = None
if response.session and response.session_id[2:3] == "/":
separate = lambda session_name: session_name[-2:]
self._unlock(response)
if not masterapp:
masterapp = request.application
# Load session data from cookie
cookies = request.cookies
# check if there is a session_id in cookies
if response.session_id_name in cookies:
response.session_id = \
cookies[response.session_id_name].value
else:
response.session_id = None
# if the session goes in file
if response.session_storage_type == 'file':
if global_settings.db_sessions is True \
or masterapp in global_settings.db_sessions:
return
client = request.client and request.client.replace(':', '.')
uuid = web2py_uuid()
response.session_id = '%s-%s' % (client, uuid)
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % \
(prefix, response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
# else the session goes in db
elif response.session_storage_type == 'db':
# verify that session_id exists
if not response.session_id:
return
# verify if tablename was set or used in connect
if response.session_table_name and tablename == 'web2py_session':
tablename = response.session_table_name
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
if response.session_file:
self._close(response)
if settings.global_settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
tname = tablename + '_' + masterapp
if not db:
raise Exception('No database parameter passed: "db=database"')
table = db.get(tname, None)
if table is None:
raise Exception('No session to renew')
# Get session data out of the database
(record_id, unique_key) = response.session_id.split(':')
if record_id == '0':
raise Exception('record_id == 0')
# Select from database
row = db(table.id == record_id).select()
row = row and row[0] or None
# Make sure the session data exists in the database
if not row or row.unique_key != unique_key:
raise Exception('No record')
unique_key = web2py_uuid()
db(table.id == record_id).update(unique_key=unique_key)
response.session_id = '%s:%s' % (record_id, unique_key)
response.session_db_table = table
response.session_db_record_id = record_id
response.session_db_unique_key = unique_key
rcookies = response.cookies
if response.session_id_name:
rcookies[response.session_id_name] = response.session_id
rcookies[response.session_id_name]['path'] = '/'
if clear_session:
self.clear()
def connect(
self,
request,
response,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
separate=None,
check_client=False,
):
"""
separate can be separate=lambda(session_name): session_name[-2:]
and it is used to determine a session prefix.
separate can be True and it is set to session_name[-2:]
"""
if separate == True:
separate = lambda session_name: session_name[-2:]
self._unlock(response)
if not masterapp:
masterapp = request.application
response.session_id_name = 'session_id_%s' % masterapp.lower()
if not db:
if global_settings.db_sessions is True or masterapp in global_settings.db_sessions:
return
response.session_new = False
client = request.client.replace(':', '.')
if response.session_id_name in request.cookies:
response.session_id = \
request.cookies[response.session_id_name].value
if regex_session_id.match(response.session_id):
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
else:
response.session_id = None
if response.session_id:
try:
response.session_file = \
open(response.session_filename, 'rb+')
portalocker.lock(response.session_file,
portalocker.LOCK_EX)
response.session_locked = True
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
oc = response.session_filename.split('/')[-1].split('-')[0]
if check_client and client != oc:
raise Exception, "cookie attack"
except:
self._close(response)
response.session_id = None
if not response.session_id:
uuid = web2py_uuid()
response.session_id = '%s-%s' % (client, uuid)
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % (prefix,
response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
else:
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
response.session_db = True
if response.session_file:
self._close(response)
if settings.global_settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
if masterapp == request.application:
table_migrate = migrate
else:
table_migrate = False
tname = tablename + '_' + masterapp
table = db.get(tname, None)
if table is None:
table = db.define_table(
tname,
db.Field('locked', 'boolean', default=False),
db.Field('client_ip', length=64),
db.Field('created_datetime',
'datetime',
default=request.now),
db.Field('modified_datetime', 'datetime'),
db.Field('unique_key', length=64),
db.Field('session_data', 'blob'),
migrate=table_migrate,
)
try:
key = request.cookies[response.session_id_name].value
(record_id, unique_key) = key.split(':')
if record_id == '0':
raise Exception, 'record_id == 0'
rows = db(table.id == record_id).select()
if len(rows) == 0 or rows[0].unique_key != unique_key:
raise Exception, 'No record'
# rows[0].update_record(locked=True)
session_data = cPickle.loads(rows[0].session_data)
self.update(session_data)
except Exception:
record_id = None
unique_key = web2py_uuid()
session_data = {}
response._dbtable_and_field = \
(response.session_id_name, table, record_id, unique_key)
response.session_id = '%s:%s' % (record_id, unique_key)
response.cookies[response.session_id_name] = response.session_id
response.cookies[response.session_id_name]['path'] = '/'
self.__hash = hashlib.md5(str(self)).digest()
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def toolbar(self):
from html import DIV, SCRIPT, BEAUTIFY, TAG, URL, A
BUTTON = TAG.button
admin = URL("admin",
"default",
"design",
args=current.request.application)
from gluon.dal import DAL
dbstats = []
dbtables = {}
infos = DAL.get_instances()
for k, v in infos.iteritems():
dbstats.append(
TABLE(*[
TR(PRE(row[0]), '%.2fms' % (row[1] * 1000))
for row in v['dbstats']
]))
dbtables[k] = dict(defined=v['dbtables']['defined']
or '[no defined tables]',
lazy=v['dbtables']['lazy']
or '[no lazy tables]')
u = web2py_uuid()
backtotop = A('Back to top', _href="#totop-%s" % u)
# Convert lazy request.vars from property to Storage so they
# will be displayed in the toolbar.
request = copy.copy(current.request)
request.update(vars=current.request.vars,
get_vars=current.request.get_vars,
post_vars=current.request.post_vars)
return DIV(BUTTON('design', _onclick="document.location='%s'" % admin),
BUTTON('request',
_onclick="jQuery('#request-%s').slideToggle()" % u),
BUTTON('response',
_onclick="jQuery('#response-%s').slideToggle()" % u),
BUTTON('session',
_onclick="jQuery('#session-%s').slideToggle()" % u),
BUTTON('db tables',
_onclick="jQuery('#db-tables-%s').slideToggle()" %
u),
BUTTON('db stats',
_onclick="jQuery('#db-stats-%s').slideToggle()" % u),
DIV(BEAUTIFY(request),
backtotop,
_class="hidden",
_id="request-%s" % u),
DIV(BEAUTIFY(current.session),
backtotop,
_class="hidden",
_id="session-%s" % u),
DIV(BEAUTIFY(current.response),
backtotop,
_class="hidden",
_id="response-%s" % u),
DIV(BEAUTIFY(dbtables),
backtotop,
_class="hidden",
_id="db-tables-%s" % u),
DIV(BEAUTIFY(dbstats),
backtotop,
_class="hidden",
_id="db-stats-%s" % u),
SCRIPT("jQuery('.hidden').hide()"),
_id="totop-%s" % u)
def POST(reg_user):
doc = POST.func_doc
return_dict = dict(doc=doc)
user_dict = {}
table_user = auth.settings.table_user
user = auth.db(
table_user['username'] == reg_user['username']).select().first()
if user:
return_dict['err_found'] = True
return_dict['err_msg'] = 'Username already registered'
return gluon.contrib.simplejson.dumps(return_dict)
user = auth.db(
table_user['email'] == reg_user['email']).select().first()
if user:
return_dict['err_found'] = True
return_dict['err_msg'] = 'Mail already registered'
return gluon.contrib.simplejson.dumps(return_dict)
user_dict['username'] = reg_user['username']
user_dict['first_name'] = reg_user['firstname']
user_dict['last_name'] = reg_user['lastname']
user_dict['email'] = reg_user['email']
if not re.match(r"[^@]+@[^@]+\.[^@]+", reg_user['email']):
return_dict['err_found'] = True
return_dict['err_msg'] = 'Invalid mail'
return gluon.contrib.simplejson.dumps(return_dict)
passwd = reg_user['passwd']
if len(passwd) < 4:
return_dict['err_found'] = True
return_dict[
'err_msg'] = 'Password must have at least four characters'
return gluon.contrib.simplejson.dumps(return_dict)
passfield = auth.settings.password_field
#alg = 'pbkdf2(1000,20,sha512)'
#user_dict[passfield] = CRYPT(digest_alg=alg,salt=True)(passwd)[0]
user_dict[passfield] = CRYPT(key=auth.settings.hmac_key)(passwd)[0]
logger.debug("pass_field: " + str(user_dict) + " with passwd:" +
passwd)
if auth.settings.registration_requires_verification:
table_user.registration_key.default = verify_key = web2py_uuid()
main_url = "http://" + str(request.env.http_host) + "/" + str(
request.application)
verify_msg = "Welcome " + user_dict[
'username'] + " click on the link " + main_url + "/routes/#/logging/user_verify?key=" + verify_key + " to verify your mail"
logger.debug("registration requires mail verification")
if not auth.settings.mailer or \
not auth.settings.mailer.send(to=user_dict['email'],
subject=auth.messages.verify_email_subject,
message=verify_msg):
return_dict['err_found'] = True
return_dict['err_msg'] = 'Invalid mail'
return gluon.contrib.simplejson.dumps(return_dict)
return_dict['to_verify'] = True
# the next function also creates the user_groups
user = auth.get_or_create_user(user_dict, login=False)
logger.debug("User registered: " + str(user))
if user_passphrase_active:
# improve random string following http://stackoverflow.com/questions/7479442/high-quality-simple-random-password-generator
# alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# os.urandom()
# instead of http://stackoverflow.com/questions/2257441/random-string-generation-with-upper-case-letters-and-digits-in-python
db.auth_user.passphrase.writable = True
import random, string
pf = ''.join(random.SystemRandom().choice(string.ascii_lowercase +
string.digits)
for _ in range(16))
db(db.auth_user.username == user_dict['username']).update(
passphrase=pf)
db.auth_user.passphrase.writable = False
# print "db.auth_user.passphrase.writable :",db.auth_user.passphrase.writable
db.commit()
user_db = auth.db(
table_user['username'] == reg_user['username']).select().first()
if not auth.settings.registration_requires_verification and auth.settings.registration_requires_approval:
user_db.update_record(registration_key='pending')
return_dict['to_approve'] = True
# After registration the user is automatically logged in (uncomment the next)
# But it has to be modified in case approval and/or verification are active
# user = auth.login_bare(user_dict['username'],passwd)
return gluon.contrib.simplejson.dumps(return_dict)
def connect(
self,
request,
response,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
separate = None,
check_client=False,
):
"""
separate can be separate=lambda(session_name): session_name[-2:]
and it is used to determine a session prefix.
separate can be True and it is set to session_name[-2:]
"""
if separate == True:
separate = lambda session_name: session_name[-2:]
self._unlock(response)
if not masterapp:
masterapp = request.application
response.session_id_name = 'session_id_%s' % masterapp.lower()
if not db:
if global_settings.db_sessions is True or masterapp in global_settings.db_sessions:
return
response.session_new = False
client = request.client and request.client.replace(':', '.')
if response.session_id_name in request.cookies:
response.session_id = \
request.cookies[response.session_id_name].value
if regex_session_id.match(response.session_id):
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
else:
response.session_id = None
if response.session_id:
try:
response.session_file = \
open(response.session_filename, 'rb+')
try:
portalocker.lock(response.session_file,portalocker.LOCK_EX)
response.session_locked = True
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
oc = response.session_filename.split('/')[-1].split('-')[0]
if check_client and client!=oc:
raise Exception, "cookie attack"
finally:
pass
#This causes admin login to break. Must find out why.
#self._close(response)
except:
response.session_id = None
if not response.session_id:
uuid = web2py_uuid()
response.session_id = '%s-%s' % (client, uuid)
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % (prefix,response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
else:
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
response.session_db = True
if response.session_file:
self._close(response)
if settings.global_settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
if masterapp == request.application:
table_migrate = migrate
else:
table_migrate = False
tname = tablename + '_' + masterapp
table = db.get(tname, None)
if table is None:
table = db.define_table(
tname,
db.Field('locked', 'boolean', default=False),
db.Field('client_ip', length=64),
db.Field('created_datetime', 'datetime',
default=request.now),
db.Field('modified_datetime', 'datetime'),
db.Field('unique_key', length=64),
db.Field('session_data', 'blob'),
migrate=table_migrate,
)
try:
key = request.cookies[response.session_id_name].value
(record_id, unique_key) = key.split(':')
if record_id == '0':
raise Exception, 'record_id == 0'
rows = db(table.id == record_id).select()
if len(rows) == 0 or rows[0].unique_key != unique_key:
raise Exception, 'No record'
# rows[0].update_record(locked=True)
session_data = cPickle.loads(rows[0].session_data)
self.update(session_data)
except Exception:
record_id = None
unique_key = web2py_uuid()
session_data = {}
response._dbtable_and_field = \
(response.session_id_name, table, record_id, unique_key)
response.session_id = '%s:%s' % (record_id, unique_key)
response.cookies[response.session_id_name] = response.session_id
response.cookies[response.session_id_name]['path'] = '/'
self.__hash = hashlib.md5(str(self)).digest()
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def app_create(app, request, force=False, key=None, info=False):
"""
Create a copy of welcome.w2p (scaffolding) app
Parameters
----------
app:
application name
request:
the global request object
"""
path = apath(app, request)
if not os.path.exists(path):
try:
os.mkdir(path)
except:
if info:
return False, traceback.format_exc(sys.exc_info)
else:
return False
elif not force:
if info:
return False, "Application exists"
else:
return False
try:
w2p_unpack("welcome.w2p", path)
for subfolder in [
"models",
"views",
"controllers",
"databases",
"modules",
"cron",
"errors",
"sessions",
"cache",
"languages",
"static",
"private",
"uploads",
]:
subpath = os.path.join(path, subfolder)
if not os.path.exists(subpath):
os.mkdir(subpath)
db = os.path.join(path, "models", "db.py")
if os.path.exists(db):
data = read_file(db)
data = data.replace("<your secret key>", "sha512:" + (key or web2py_uuid()))
write_file(db, data)
if info:
return True, None
else:
return True
except:
rmtree(path)
if info:
return False, traceback.format_exc(sys.exc_info)
else:
return False
def connect(
self,
request,
response,
db=None,
tablename="web2py_session",
masterapp=None,
migrate=True,
separate=None,
check_client=False,
cookie_key=None,
):
"""
separate can be separate=lambda(session_name): session_name[-2:]
and it is used to determine a session prefix.
separate can be True and it is set to session_name[-2:]
"""
if separate == True:
separate = lambda session_name: session_name[-2:]
self._unlock(response)
if not masterapp:
masterapp = request.application
response.session_id_name = "session_id_%s" % masterapp.lower()
# Load session data from cookie
if cookie_key:
response.session_cookie_key = cookie_key
response.session_cookie_key2 = hashlib.md5(cookie_key).digest()
cookie_name = request.application.lower() + "_session_data"
response.session_cookie_name = cookie_name
if cookie_data in request.cookies:
cookie_value = request.cookies[cookie_name].value
cookie_parts = cookie_value.split(":")
enc = cookie_parts[2]
cipher = AES.new(cookie_key)
decrypted = cipher.decrypt(base64.b64decode(enc)).rstrip("{")
check = hmac.new(response.session_cookie_key2, enc).hexdigest()
if cookie_parts[0] == check:
session_data = cPickle.loads(decrypted)
self.update(session_data)
else:
return
if not db:
if global_settings.db_sessions is True or masterapp in global_settings.db_sessions:
return
response.session_new = False
client = request.client and request.client.replace(":", ".")
if response.session_id_name in request.cookies:
response.session_id = request.cookies[response.session_id_name].value
if regex_session_id.match(response.session_id):
response.session_filename = os.path.join(
up(request.folder), masterapp, "sessions", response.session_id
)
else:
response.session_id = None
if response.session_id:
try:
response.session_file = open(response.session_filename, "rb+")
try:
portalocker.lock(response.session_file, portalocker.LOCK_EX)
response.session_locked = True
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
oc = response.session_filename.split("/")[-1].split("-")[0]
if check_client and client != oc:
raise Exception, "cookie attack"
finally:
pass
# This causes admin login to break. Must find out why.
# self._close(response)
except:
response.session_id = None
if not response.session_id:
uuid = web2py_uuid()
response.session_id = "%s-%s" % (client, uuid)
if separate:
prefix = separate(response.session_id)
response.session_id = "%s/%s" % (prefix, response.session_id)
response.session_filename = os.path.join(up(request.folder), masterapp, "sessions", response.session_id)
response.session_new = True
else:
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
response.session_db = True
if response.session_file:
self._close(response)
if settings.global_settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
if masterapp == request.application:
table_migrate = migrate
else:
table_migrate = False
tname = tablename + "_" + masterapp
table = db.get(tname, None)
if table is None:
table = db.define_table(
tname,
db.Field("locked", "boolean", default=False),
db.Field("client_ip", length=64),
db.Field("created_datetime", "datetime", default=request.now),
db.Field("modified_datetime", "datetime"),
db.Field("unique_key", length=64),
db.Field("session_data", "blob"),
migrate=table_migrate,
)
try:
# Get session data out of the database
# Key comes from the cookie
key = request.cookies[response.session_id_name].value
(record_id, unique_key) = key.split(":")
if record_id == "0":
raise Exception, "record_id == 0"
# Select from database.
rows = db(table.id == record_id).select()
# Make sure the session data exists in the database
if len(rows) == 0 or rows[0].unique_key != unique_key:
raise Exception, "No record"
# rows[0].update_record(locked=True)
# Unpickle the data
session_data = cPickle.loads(rows[0].session_data)
self.update(session_data)
except Exception:
record_id = None
unique_key = web2py_uuid()
session_data = {}
response._dbtable_and_field = (response.session_id_name, table, record_id, unique_key)
response.session_id = "%s:%s" % (record_id, unique_key)
response.cookies[response.session_id_name] = response.session_id
response.cookies[response.session_id_name]["path"] = "/"
self.__hash = hashlib.md5(str(self)).digest()
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def run(appname,
plain=False,
import_models=False,
startfile=None,
bpython=False):
"""
Start interactive shell or run Python script (startfile) in web2py
controller environment. appname is formatted like:
a web2py application name
a/c exec the controller c into the application environment
"""
(a, c, f) = parse_path_info(appname)
errmsg = 'invalid application name: %s' % appname
if not a:
die(errmsg)
adir = os.path.join('applications', a)
if not os.path.exists(adir):
if raw_input('application %s does not exist, create (y/n)?' %
a).lower() in ['y', 'yes']:
os.mkdir(adir)
w2p_unpack('welcome.w2p', adir)
for subfolder in [
'models', 'views', 'controllers', 'databases', 'modules',
'cron', 'errors', 'sessions', 'languages', 'static',
'private', 'uploads'
]:
subpath = os.path.join(adir, subfolder)
if not os.path.exists(subpath):
os.mkdir(subpath)
db = os.path.join(adir, 'models/db.py')
if os.path.exists(db):
data = fileutils.read_file(db)
data = data.replace('<your secret key>',
'sha512:' + web2py_uuid())
fileutils.write_file(db, data)
if c:
import_models = True
_env = env(a, c=c, import_models=import_models)
if c:
cfile = os.path.join('applications', a, 'controllers', c + '.py')
if not os.path.isfile(cfile):
cfile = os.path.join('applications', a, 'compiled',
"controllers_%s_%s.pyc" % (c, f))
if not os.path.isfile(cfile):
die(errmsg)
else:
exec read_pyc(cfile) in _env
else:
execfile(cfile, _env)
if f:
exec('print %s()' % f, _env)
elif startfile:
exec_pythonrc()
try:
execfile(startfile, _env)
except RestrictedError, e:
print e.traceback
def connect(
self,
request=None,
response=None,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
separate=None,
check_client=False,
cookie_key=None,
cookie_expires=None,
compression_level=None
):
"""
separate can be separate=lambda(session_name): session_name[-2:]
and it is used to determine a session prefix.
separate can be True and it is set to session_name[-2:]
"""
if request is None:
request = current.request
if response is None:
response = current.response
if separate == True:
separate = lambda session_name: session_name[-2:]
self._unlock(response)
if not masterapp:
masterapp = request.application
response.session_id_name = 'session_id_%s' % masterapp.lower()
response.session_data_name = 'session_data_%s' % masterapp.lower()
response.session_cookie_expires = cookie_expires
# Load session data from cookie
cookies = request.cookies
# check if there is a session_id in cookies
if response.session_id_name in cookies:
response.session_id = \
cookies[response.session_id_name].value
else:
response.session_id = None
# check if there is session data in cookies
if response.session_data_name in cookies:
session_cookie_data = cookies[response.session_data_name].value
else:
session_cookie_data = None
# if we are supposed to use cookie based session data
if cookie_key:
response.session_storage_type = 'cookie'
response.session_cookie_key = cookie_key
response.session_cookie_compression_level = compression_level
if session_cookie_data:
data = secure_loads(session_cookie_data, cookie_key,
compression_level=compression_level)
if data:
self.update(data)
# else if we are supposed to use file based sessions
elif not db:
response.session_storage_type = 'file'
if global_settings.db_sessions is True \
or masterapp in global_settings.db_sessions:
return
response.session_new = False
client = request.client and request.client.replace(':', '.')
if response.session_id:
if regex_session_id.match(response.session_id):
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
else:
response.session_id = None
# do not try load the data from file is these was data in cookie
if response.session_id and not session_cookie_data:
try:
response.session_file = \
open(response.session_filename, 'rb+')
try:
portalocker.lock(response.session_file,
portalocker.LOCK_EX)
response.session_locked = True
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
oc = response.session_filename.split('/')[-1]\
.split('-')[0]
if check_client and client != oc:
raise Exception("cookie attack")
finally:
pass
#This causes admin login to break. Must find out why.
#self._close(response)
except:
response.session_id = None
if not response.session_id:
uuid = web2py_uuid()
response.session_id = '%s-%s' % (client, uuid)
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % \
(prefix, response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
# else the session goes in db
else:
response.session_storage_type = 'db'
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
if response.session_file:
self._close(response)
if settings.global_settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
if masterapp == request.application:
table_migrate = migrate
else:
table_migrate = False
tname = tablename + '_' + masterapp
table = db.get(tname, None)
Field = db.Field
if table is None:
db.define_table(
tname,
Field('locked', 'boolean', default=False),
Field('client_ip', length=64),
Field('created_datetime', 'datetime',
default=request.now),
Field('modified_datetime', 'datetime'),
Field('unique_key', length=64),
Field('session_data', 'blob'),
migrate=table_migrate,
)
table = db[tname] # to allow for lazy table
try:
# Get session data out of the database
(record_id, unique_key) = response.session_id.split(':')
if record_id == '0':
raise Exception('record_id == 0')
# Select from database
if not session_cookie_data:
rows = db(table.id == record_id).select()
# Make sure the session data exists in the database
if len(rows) == 0 or rows[0].unique_key != unique_key:
raise Exception('No record')
# rows[0].update_record(locked=True)
# Unpickle the data
session_data = cPickle.loads(rows[0].session_data)
self.update(session_data)
except Exception:
record_id = None
unique_key = web2py_uuid()
session_data = {}
response.session_id = '%s:%s' % (record_id, unique_key)
response.session_db_table = table
response.session_db_record_id = record_id
response.session_db_unique_key = unique_key
rcookies = response.cookies
rcookies[response.session_id_name] = response.session_id
rcookies[response.session_id_name]['path'] = '/'
if cookie_expires:
rcookies[response.session_id_name][
'expires'] = cookie_expires.strftime(FMT)
# if not cookie_key, but session_data_name in cookies
# expire session_data_name from cookies
if session_cookie_data:
rcookies[response.session_data_name] = 'expired'
rcookies[response.session_data_name]['path'] = '/'
rcookies[response.session_data_name]['expires'] = PAST
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def connect(
self,
request,
response,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
):
self._unlock(response)
if not masterapp:
masterapp = request.application
response.session_id_name = 'session_id_%s' % masterapp
if not db:
if response.session_id_name in request.cookies:
response.session_id = \
request.cookies[response.session_id_name].value
if regex_session_id.match(response.session_id):
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
else:
response.session_id = None
if response.session_id:
try:
response.session_file = \
open(response.session_filename, 'rb+')
portalocker.lock(response.session_file,
portalocker.LOCK_EX)
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
except:
self._unlock(response)
response.session_id = None
if not response.session_id:
response.session_id = '%s-%s'\
% (request.client.replace(':', '-').replace('.',
'-'), web2py_uuid())
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
else:
if settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
if masterapp == request.application:
table_migrate = migrate
else:
table_migrate = False
tname = tablename + '_' + masterapp
table = db.get(tname, None)
if table is None:
table = db.define_table(
tname,
db.Field('locked', 'boolean', default=False),
db.Field('client_ip', length=64),
db.Field('created_datetime', 'datetime',
default=request.now),
db.Field('modified_datetime', 'datetime'),
db.Field('unique_key', length=64),
db.Field('session_data', 'blob'),
migrate=table_migrate,
)
try:
key = request.cookies[response.session_id_name].value
(record_id, unique_key) = key.split(':')
if record_id == '0':
raise Exception, 'record_id == 0'
rows = db(table.id == record_id).select()
if len(rows) == 0 or rows[0].unique_key != unique_key:
raise Exception, 'No record'
# rows[0].update_record(locked=True)
session_data = cPickle.loads(rows[0].session_data)
self.update(session_data)
except Exception:
record_id = None
unique_key = web2py_uuid()
session_data = {}
response._dbtable_and_field = \
(response.session_id_name, table, record_id, unique_key)
response.session_id = '%s:%s' % (record_id, unique_key)
response.cookies[response.session_id_name] = response.session_id
response.cookies[response.session_id_name]['path'] = '/'
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def connect(
self,
request,
response,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
):
self._unlock(response)
if not masterapp:
masterapp = request.application
response.session_id_name = 'session_id_%s' % masterapp
if not db:
if response.session_id_name in request.cookies:
response.session_id = \
request.cookies[response.session_id_name].value
if regex_session_id.match(response.session_id):
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
else:
response.session_id = None
if response.session_id:
try:
response.session_file = \
open(response.session_filename, 'rb+')
portalocker.lock(response.session_file,
portalocker.LOCK_EX)
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
except:
self._unlock(response)
if response.session_file:
# Only if open succeeded and later an exception was raised
response.session_file.close()
del response.session_file
response.session_id = None
if not response.session_id:
response.session_id = '%s-%s'\
% (request.client.replace(':', '-').replace('.',
'-'), web2py_uuid())
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
else:
if settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
if masterapp == request.application:
table_migrate = migrate
else:
table_migrate = False
tname = tablename + '_' + masterapp
table = db.get(tname, None)
if table is None:
table = db.define_table(
tname,
db.Field('locked', 'boolean', default=False),
db.Field('client_ip', length=64),
db.Field('created_datetime',
'datetime',
default=request.now),
db.Field('modified_datetime', 'datetime'),
db.Field('unique_key', length=64),
db.Field('session_data', 'blob'),
migrate=table_migrate,
)
try:
key = request.cookies[response.session_id_name].value
(record_id, unique_key) = key.split(':')
if record_id == '0':
raise Exception, 'record_id == 0'
rows = db(table.id == record_id).select()
if len(rows) == 0 or rows[0].unique_key != unique_key:
raise Exception, 'No record'
# rows[0].update_record(locked=True)
session_data = cPickle.loads(rows[0].session_data)
self.update(session_data)
except Exception:
record_id = None
unique_key = web2py_uuid()
session_data = {}
response._dbtable_and_field = \
(response.session_id_name, table, record_id, unique_key)
response.session_id = '%s:%s' % (record_id, unique_key)
response.cookies[response.session_id_name] = response.session_id
response.cookies[response.session_id_name]['path'] = '/'
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def renew(
self,
request=None,
response=None,
db=None,
tablename='web2py_session',
masterapp=None,
clear_session=False
):
if request is None:
request = current.request
if response is None:
response = current.response
#check if session is separate
separate = None
if response.session and response.session_id[2:3] == "/":
separate = lambda session_name: session_name[-2:]
self._unlock(response)
if not masterapp:
masterapp = request.application
# Load session data from cookie
cookies = request.cookies
# check if there is a session_id in cookies
if response.session_id_name in cookies:
response.session_id = \
cookies[response.session_id_name].value
else:
response.session_id = None
# if the session goes in file
if response.session_storage_type == 'file':
if global_settings.db_sessions is True \
or masterapp in global_settings.db_sessions:
return
client = request.client and request.client.replace(':', '.')
uuid = web2py_uuid()
response.session_id = '%s-%s' % (client, uuid)
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % \
(prefix, response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
# else the session goes in db
elif response.session_storage_type == 'db':
# verify that session_id exists
if not response.session_id:
return
# verify if tablename was set or used in connect
if response.session_table_name and tablename == 'web2py_session':
tablename = response.session_table_name
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
if response.session_file:
self._close(response)
if settings.global_settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
tname = tablename + '_' + masterapp
if not db:
raise Exception('No database parameter passed: "db=database"')
table = db.get(tname, None)
if table is None:
raise Exception('No session to renew')
# Get session data out of the database
(record_id, unique_key) = response.session_id.split(':')
if record_id == '0':
raise Exception('record_id == 0')
# Select from database
row = record_id and db(table.id == record_id).select()
row = row and row[0] or None
# Make sure the session data exists in the database
if not row or row.unique_key != unique_key:
raise Exception('No record')
unique_key = web2py_uuid()
db(table.id == record_id).update(unique_key=unique_key)
response.session_id = '%s:%s' % (record_id, unique_key)
response.session_db_table = table
response.session_db_record_id = record_id
response.session_db_unique_key = unique_key
rcookies = response.cookies
if response.session_id_name:
rcookies[response.session_id_name] = response.session_id
rcookies[response.session_id_name]['path'] = '/'
if clear_session:
self.clear()
def connect(self,
request=None,
response=None,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
separate=None,
check_client=False,
cookie_key=None,
cookie_expires=None,
compression_level=None):
"""
separate can be separate=lambda(session_name): session_name[-2:]
and it is used to determine a session prefix.
separate can be True and it is set to session_name[-2:]
"""
if request is None:
request = current.request
if response is None:
response = current.response
if separate is True:
separate = lambda session_name: session_name[-2:]
self._unlock(response)
if not masterapp:
masterapp = request.application
response.session_id_name = 'session_id_%s' % masterapp.lower()
response.session_data_name = 'session_data_%s' % masterapp.lower()
response.session_cookie_expires = cookie_expires
# Load session data from cookie
cookies = request.cookies
# check if there is a session_id in cookies
if response.session_id_name in cookies:
response.session_id = \
cookies[response.session_id_name].value
else:
response.session_id = None
# check if there is session data in cookies
if response.session_data_name in cookies:
session_cookie_data = cookies[response.session_data_name].value
else:
session_cookie_data = None
# if we are supposed to use cookie based session data
if cookie_key:
response.session_storage_type = 'cookie'
response.session_cookie_key = cookie_key
response.session_cookie_compression_level = compression_level
if session_cookie_data:
data = secure_loads(session_cookie_data,
cookie_key,
compression_level=compression_level)
if data:
self.update(data)
# else if we are supposed to use file based sessions
elif not db:
response.session_storage_type = 'file'
if global_settings.db_sessions is True \
or masterapp in global_settings.db_sessions:
return
response.session_new = False
client = request.client and request.client.replace(':', '.')
if response.session_id:
if regex_session_id.match(response.session_id):
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
else:
response.session_id = None
# do not try load the data from file is these was data in cookie
if response.session_id and not session_cookie_data:
# os.path.exists(response.session_filename):
try:
response.session_file = \
open(response.session_filename, 'rb+')
try:
portalocker.lock(response.session_file,
portalocker.LOCK_EX)
response.session_locked = True
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
oc = response.session_filename.split('/')[-1]\
.split('-')[0]
if check_client and client != oc:
raise Exception("cookie attack")
except:
response.session_id = None
finally:
pass
#This causes admin login to break. Must find out why.
#self._close(response)
except:
response.session_file = None
if not response.session_id:
uuid = web2py_uuid()
response.session_id = '%s-%s' % (client, uuid)
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % \
(prefix, response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
# else the session goes in db
else:
response.session_storage_type = 'db'
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
if response.session_file:
self._close(response)
if settings.global_settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
if masterapp == request.application:
table_migrate = migrate
else:
table_migrate = False
tname = tablename + '_' + masterapp
table = db.get(tname, None)
Field = db.Field
if table is None:
db.define_table(
tname,
Field('locked', 'boolean', default=False),
Field('client_ip', length=64),
Field('created_datetime', 'datetime', default=request.now),
Field('modified_datetime', 'datetime'),
Field('unique_key', length=64),
Field('session_data', 'blob'),
migrate=table_migrate,
)
table = db[tname] # to allow for lazy table
try:
# Get session data out of the database
(record_id, unique_key) = response.session_id.split(':')
if record_id == '0':
raise Exception('record_id == 0')
# Select from database
if not session_cookie_data:
rows = db(table.id == record_id).select()
# Make sure the session data exists in the database
if len(rows) == 0 or rows[0].unique_key != unique_key:
raise Exception('No record')
# rows[0].update_record(locked=True)
# Unpickle the data
session_data = cPickle.loads(rows[0].session_data)
self.update(session_data)
except Exception:
record_id = None
unique_key = web2py_uuid()
session_data = {}
response.session_id = '%s:%s' % (record_id, unique_key)
response.session_db_table = table
response.session_db_record_id = record_id
response.session_db_unique_key = unique_key
# keep tablename parameter for use in session renew
response.session_table_name = tablename
rcookies = response.cookies
rcookies[response.session_id_name] = response.session_id
rcookies[response.session_id_name]['path'] = '/'
if cookie_expires:
rcookies[response.
session_id_name]['expires'] = cookie_expires.strftime(FMT)
# if not cookie_key, but session_data_name in cookies
# expire session_data_name from cookies
if session_cookie_data:
rcookies[response.session_data_name] = 'expired'
rcookies[response.session_data_name]['path'] = '/'
rcookies[response.session_data_name]['expires'] = PAST
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def test_web2py_uuid(self):
from uuid import UUID
self.assertTrue(UUID(web2py_uuid()))
def run(appname, plain=False, import_models=False, startfile=None, bpython=False, python_code=False):
"""
Start interactive shell or run Python script (startfile) in web2py
controller environment. appname is formatted like:
a web2py application name
a/c exec the controller c into the application environment
"""
(a, c, f) = parse_path_info(appname)
errmsg = "invalid application name: %s" % appname
if not a:
die(errmsg)
adir = os.path.join("applications", a)
if not os.path.exists(adir):
if raw_input("application %s does not exist, create (y/n)?" % a).lower() in ["y", "yes"]:
os.mkdir(adir)
w2p_unpack("welcome.w2p", adir)
for subfolder in [
"models",
"views",
"controllers",
"databases",
"modules",
"cron",
"errors",
"sessions",
"languages",
"static",
"private",
"uploads",
]:
subpath = os.path.join(adir, subfolder)
if not os.path.exists(subpath):
os.mkdir(subpath)
db = os.path.join(adir, "models/db.py")
if os.path.exists(db):
data = fileutils.read_file(db)
data = data.replace("<your secret key>", "sha512:" + web2py_uuid())
fileutils.write_file(db, data)
if c:
import_models = True
_env = env(a, c=c, f=f, import_models=import_models)
if c:
cfile = os.path.join("applications", a, "controllers", c + ".py")
if not os.path.isfile(cfile):
cfile = os.path.join("applications", a, "compiled", "controllers_%s_%s.pyc" % (c, f))
if not os.path.isfile(cfile):
die(errmsg)
else:
exec read_pyc(cfile) in _env
else:
execfile(cfile, _env)
if f:
exec ("print %s()" % f, _env)
return
# "woodoo magic" workaround: reinitialize main.py
g = {}
exec "import main" in g
del g
_env.update(exec_pythonrc())
if startfile:
try:
execfile(startfile, _env)
if import_models:
BaseAdapter.close_all_instances("commit")
except Exception, e:
print traceback.format_exc()
if import_models:
BaseAdapter.close_all_instances("rollback")
def test_web2py_uuid(self):
from uuid import UUID
self.assertTrue(UUID(web2py_uuid()))
def connect(
self,
request,
response,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
separate=None,
check_client=False,
cookie_key=None,
):
"""
separate can be separate=lambda(session_name): session_name[-2:]
and it is used to determine a session prefix.
separate can be True and it is set to session_name[-2:]
"""
if separate == True:
separate = lambda session_name: session_name[-2:]
self._unlock(response)
if not masterapp:
masterapp = request.application
response.session_id_name = 'session_id_%s' % masterapp.lower()
# Load session data from cookie
cookies = request.cookies
if cookie_key:
response.session_cookie_key = cookie_key
response.session_cookie_key2 = hashlib.md5(cookie_key).digest()
cookie_name = masterapp.lower() + '_session_data'
response.session_cookie_name = cookie_name
if cookie_name in cookies:
cookie_value = cookies[cookie_name].value
cookie_parts = cookie_value.split(":")
enc = cookie_parts[2]
cipher = AES.new(cookie_key)
decrypted = cipher.decrypt(base64.b64decode(enc)).rstrip('{')
check = hmac.new(response.session_cookie_key2, enc).hexdigest()
if cookie_parts[0] == check:
session_data = cPickle.loads(decrypted)
self.update(session_data)
else:
return
if not db:
if global_settings.db_sessions is True \
or masterapp in global_settings.db_sessions:
return
response.session_new = False
client = request.client and request.client.replace(':', '.')
if response.session_id_name in cookies:
response.session_id = \
cookies[response.session_id_name].value
if regex_session_id.match(response.session_id):
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
else:
response.session_id = None
if response.session_id:
try:
response.session_file = \
open(response.session_filename, 'rb+')
try:
portalocker.lock(response.session_file,
portalocker.LOCK_EX)
response.session_locked = True
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
oc = response.session_filename.split('/')[-1]\
.split('-')[0]
if check_client and client != oc:
raise Exception, "cookie attack"
finally:
pass
#This causes admin login to break. Must find out why.
#self._close(response)
except:
response.session_id = None
if not response.session_id:
uuid = web2py_uuid()
response.session_id = '%s-%s' % (client, uuid)
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % \
(prefix,response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
else:
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
response.session_db = True
if response.session_file:
self._close(response)
if settings.global_settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
if masterapp == request.application:
table_migrate = migrate
else:
table_migrate = False
tname = tablename + '_' + masterapp
table = db.get(tname, None)
Field = db.Field
if table is None:
db.define_table(
tname,
Field('locked', 'boolean', default=False),
Field('client_ip', length=64),
Field('created_datetime', 'datetime', default=request.now),
Field('modified_datetime', 'datetime'),
Field('unique_key', length=64),
Field('session_data', 'blob'),
migrate=table_migrate,
)
table = db[tname] # to allow for lazy table
try:
# Get session data out of the database
# Key comes from the cookie
key = cookies[response.session_id_name].value
(record_id, unique_key) = key.split(':')
if record_id == '0':
raise Exception, 'record_id == 0'
# Select from database
rows = db(table.id == record_id).select()
# Make sure the session data exists in the database
if len(rows) == 0 or rows[0].unique_key != unique_key:
raise Exception, 'No record'
# rows[0].update_record(locked=True)
# Unpickle the data
session_data = cPickle.loads(rows[0].session_data)
self.update(session_data)
except Exception:
record_id = None
unique_key = web2py_uuid()
session_data = {}
response._dbtable_and_field = \
(response.session_id_name, table, record_id, unique_key)
response.session_id = '%s:%s' % (record_id, unique_key)
rcookies = response.cookies
rcookies[response.session_id_name] = response.session_id
rcookies[response.session_id_name]['path'] = '/'
self.__hash = hashlib.md5(str(self)).digest()
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def run(
appname,
plain=False,
import_models=False,
startfile=None,
bpython=False,
python_code=False,
cronjob=False):
"""
Start interactive shell or run Python script (startfile) in web2py
controller environment. appname is formatted like:
a web2py application name
a/c exec the controller c into the application environment
"""
(a, c, f, args, vars) = parse_path_info(appname, av=True)
errmsg = 'invalid application name: %s' % appname
if not a:
die(errmsg)
adir = os.path.join('applications', a)
if not os.path.exists(adir):
if sys.stdin and not sys.stdin.name == '/dev/null':
confirm = raw_input(
'application %s does not exist, create (y/n)?' % a)
else:
logging.warn('application does not exist and will not be created')
return
if confirm.lower() in ['y', 'yes']:
os.mkdir(adir)
w2p_unpack('welcome.w2p', adir)
for subfolder in ['models', 'views', 'controllers', 'databases',
'modules', 'cron', 'errors', 'sessions',
'languages', 'static', 'private', 'uploads']:
subpath = os.path.join(adir, subfolder)
if not os.path.exists(subpath):
os.mkdir(subpath)
db = os.path.join(adir, 'models/db.py')
if os.path.exists(db):
data = fileutils.read_file(db)
data = data.replace(
'<your secret key>', 'sha512:' + web2py_uuid())
fileutils.write_file(db, data)
if c:
import_models = True
extra_request = {}
if args:
extra_request['args'] = args
if vars:
extra_request['vars'] = vars
_env = env(a, c=c, f=f, import_models=import_models, extra_request=extra_request)
if c:
pyfile = os.path.join('applications', a, 'controllers', c + '.py')
pycfile = os.path.join('applications', a, 'compiled',
"controllers_%s_%s.pyc" % (c, f))
if ((cronjob and os.path.isfile(pycfile))
or not os.path.isfile(pyfile)):
exec read_pyc(pycfile) in _env
elif os.path.isfile(pyfile):
execfile(pyfile, _env)
else:
die(errmsg)
if f:
exec ('print %s()' % f, _env)
return
_env.update(exec_pythonrc())
if startfile:
try:
ccode = None
if startfile.endswith('.pyc'):
ccode = read_pyc(startfile)
exec ccode in _env
else:
execfile(startfile, _env)
if import_models:
BaseAdapter.close_all_instances('commit')
except Exception, e:
print traceback.format_exc()
if import_models:
BaseAdapter.close_all_instances('rollback')
def POST(reg_user):
doc = POST.func_doc
return_dict = dict(doc=doc)
user_dict = {}
table_user = auth.settings.table_user
user = auth.db(table_user["username"] == reg_user["username"]).select().first()
if user:
return_dict["err_found"] = True
return_dict["err_msg"] = "Username already registered"
return gluon.contrib.simplejson.dumps(return_dict)
user = auth.db(table_user["email"] == reg_user["email"]).select().first()
if user:
return_dict["err_found"] = True
return_dict["err_msg"] = "Mail already registered"
return gluon.contrib.simplejson.dumps(return_dict)
user_dict["username"] = reg_user["username"]
user_dict["first_name"] = reg_user["firstname"]
user_dict["last_name"] = reg_user["lastname"]
user_dict["email"] = reg_user["email"]
if not re.match(r"[^@]+@[^@]+\.[^@]+", reg_user["email"]):
return_dict["err_found"] = True
return_dict["err_msg"] = "Invalid mail"
return gluon.contrib.simplejson.dumps(return_dict)
passwd = reg_user["passwd"]
if len(passwd) < 4:
return_dict["err_found"] = True
return_dict["err_msg"] = "Password must have at least four characters"
return gluon.contrib.simplejson.dumps(return_dict)
passfield = auth.settings.password_field
# alg = 'pbkdf2(1000,20,sha512)'
# user_dict[passfield] = CRYPT(digest_alg=alg,salt=True)(passwd)[0]
user_dict[passfield] = CRYPT(key=auth.settings.hmac_key)(passwd)[0]
logger.debug("pass_field: " + str(user_dict) + " with passwd:" + passwd)
if auth.settings.registration_requires_verification:
table_user.registration_key.default = verify_key = web2py_uuid()
main_url = "http://" + str(request.env.http_host) + "/" + str(request.application)
verify_msg = (
"Welcome "
+ user_dict["username"]
+ " click on the link "
+ main_url
+ "/routes/#/logging/user_verify?key="
+ verify_key
+ " to verify your mail"
)
logger.debug("registration requires mail verification")
if not auth.settings.mailer or not auth.settings.mailer.send(
to=user_dict["email"], subject=auth.messages.verify_email_subject, message=verify_msg
):
return_dict["err_found"] = True
return_dict["err_msg"] = "Invalid mail"
return gluon.contrib.simplejson.dumps(return_dict)
return_dict["to_verify"] = True
# the next function also creates the user_groups
user = auth.get_or_create_user(user_dict, login=False)
logger.debug("User registered: " + str(user))
if user_passphrase_active:
# improve random string following http://stackoverflow.com/questions/7479442/high-quality-simple-random-password-generator
# alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# os.urandom()
# instead of http://stackoverflow.com/questions/2257441/random-string-generation-with-upper-case-letters-and-digits-in-python
db.auth_user.passphrase.writable = True
import random, string
pf = "".join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(16))
db(db.auth_user.username == user_dict["username"]).update(passphrase=pf)
db.auth_user.passphrase.writable = False
# print "db.auth_user.passphrase.writable :",db.auth_user.passphrase.writable
db.commit()
user_db = auth.db(table_user["username"] == reg_user["username"]).select().first()
if not auth.settings.registration_requires_verification and auth.settings.registration_requires_approval:
user_db.update_record(registration_key="pending")
return_dict["to_approve"] = True
# After registration the user is automatically logged in (uncomment the next)
# But it has to be modified in case approval and/or verification are active
# user = auth.login_bare(user_dict['username'],passwd)
return gluon.contrib.simplejson.dumps(return_dict)
def compute_uuid(self):
self.uuid = '%s/%s.%s.%s' % (
self.application, self.client.replace(':', '_'),
self.now.strftime('%Y-%m-%d.%H-%M-%S'), web2py_uuid())
return self.uuid
def log(self, request):
"""
logs the exception.
"""
try:
a = request.application
d = {
"layer": str(self.layer),
"code": str(self.code),
"output": str(self.output),
"traceback": str(self.traceback),
}
fmt = "%Y-%m-%d.%H-%M-%S"
f = "%s.%s.%s" % (request.client.replace(":", "_"), datetime.datetime.now().strftime(fmt), web2py_uuid())
ticket_storage = TicketStorage(db=request.tickets_db)
ticket_storage.store(request, f, d)
return "%s/%s" % (a, f)
except:
logging.error(self.traceback)
return None
def connect(self,
request=None,
response=None,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
separate=None,
check_client=False,
cookie_key=None,
cookie_expires=None,
compression_level=None):
"""
separate can be separate=lambda(session_name): session_name[-2:]
and it is used to determine a session prefix.
separate can be True and it is set to session_name[-2:]
"""
request = request or current.request
response = response or current.response
masterapp = masterapp or request.application
cookies = request.cookies
self._unlock(response)
response.session_masterapp = masterapp
response.session_id_name = 'session_id_%s' % masterapp.lower()
response.session_data_name = 'session_data_%s' % masterapp.lower()
response.session_cookie_expires = cookie_expires
response.session_client = str(request.client).replace(':', '.')
response.session_cookie_key = cookie_key
response.session_cookie_compression_level = compression_level
# check if there is a session_id in cookies
try:
response.session_id = cookies[response.session_id_name].value
except KeyError:
response.session_id = None
# if we are supposed to use cookie based session data
if cookie_key:
response.session_storage_type = 'cookie'
elif db:
response.session_storage_type = 'db'
else:
response.session_storage_type = 'file'
# why do we do this?
# because connect may be called twice, by web2py and in models.
# the first time there is no db yet so it should do nothing
if (global_settings.db_sessions is True
or masterapp in global_settings.db_sessions):
return
if response.session_storage_type == 'cookie':
# check if there is session data in cookies
if response.session_data_name in cookies:
session_cookie_data = cookies[response.session_data_name].value
else:
session_cookie_data = None
if session_cookie_data:
data = secure_loads(session_cookie_data,
cookie_key,
compression_level=compression_level)
if data:
self.update(data)
response.session_id = True
# else if we are supposed to use file based sessions
elif response.session_storage_type == 'file':
response.session_new = False
response.session_file = None
# check if the session_id points to a valid sesion filename
if response.session_id:
if not regex_session_id.match(response.session_id):
response.session_id = None
else:
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
try:
response.session_file = \
open(response.session_filename, 'rb+')
portalocker.lock(response.session_file,
portalocker.LOCK_EX)
response.session_locked = True
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
oc = response.session_filename.split('/')[-1].split(
'-')[0]
if check_client and response.session_client != oc:
raise Exception("cookie attack")
except:
response.session_id = None
if not response.session_id:
uuid = web2py_uuid()
response.session_id = '%s-%s' % (response.session_client, uuid)
separate = separate and (
lambda session_name: session_name[-2:])
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % (prefix,
response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
# else the session goes in db
elif response.session_storage_type == 'db':
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
# if had a session on file alreday, close it (yes, can happen)
if response.session_file:
self._close(response)
# if on GAE tickets go also in DB
if settings.global_settings.web2py_runtime_gae:
request.tickets_db = db
table_migrate = (masterapp == request.application)
tname = tablename + '_' + masterapp
table = db.get(tname, None)
Field = db.Field
if table is None:
db.define_table(
tname,
Field('locked', 'boolean', default=False),
Field('client_ip', length=64),
Field('created_datetime', 'datetime', default=request.now),
Field('modified_datetime', 'datetime'),
Field('unique_key', length=64),
Field('session_data', 'blob'),
migrate=table_migrate,
)
table = db[tname] # to allow for lazy table
response.session_db_table = table
if response.session_id:
# Get session data out of the database
try:
(record_id, unique_key) = response.session_id.split(':')
record_id = long(record_id)
except (TypeError, ValueError):
record_id = None
# Select from database
if record_id:
row = table(record_id) #,unique_key=unique_key)
# Make sure the session data exists in the database
if row:
# rows[0].update_record(locked=True)
# Unpickle the data
session_data = cPickle.loads(row.session_data)
self.update(session_data)
else:
record_id = None
if record_id:
response.session_id = '%s:%s' % (record_id, unique_key)
response.session_db_unique_key = unique_key
response.session_db_record_id = record_id
else:
response.session_id = None
response.session_new = True
if self.flash:
(response.flash, self.flash) = (self.flash, None)
session_pickled = cPickle.dumps(self)
response.session_hash = hashlib.md5(session_pickled).hexdigest()
def paste():
"""
Import and parse password pasted to a textbox into t_accounts
"""
from skaldship.general import check_datadir
check_datadir(request.folder)
# Service_id is primary, host_id is secondary, if none then list
# all the services
svc_set = []
url = URL('accounts', 'paste')
if request.vars.has_key('service_id'):
try:
record = db.t_services[request.vars.service_id]
svc_set.append((record.id, "%s :: %s/%s" %
(host_title_maker(db.t_hosts[record.f_hosts_id]),
record.f_proto, record.f_number)))
url = URL('accounts',
'paste',
vars={'service_id': request.vars.service_id})
except:
pass
elif request.vars.has_key('host_id'):
try:
host_record = get_host_record(request.vars.host_id)
svc_records = db(
db.t_services.f_hosts_id == host_record.id).select(
cache=(cache.ram, 30))
url = URL('accounts',
'paste',
vars={'host_id': request.vars.host_id})
for record in svc_records:
svc_set.append(
(record.id, "%s :: %s/%s" %
(host_title_maker(db.t_hosts[record.f_hosts_id]),
record.f_proto, record.f_number)))
except:
pass
if len(svc_set) == 0:
# all services
svc_records = db(db.t_services).select(cache=(cache.ram, 30))
svc_set = []
for record in svc_records:
svc_set.append((record.id, "%s :: %s/%s" %
(host_title_maker(db.t_hosts[record.f_hosts_id]),
record.f_proto, record.f_number)))
if request.extension == "load":
buttons = []
else:
buttons = ['submit']
form = SQLFORM.factory(
Field('f_service',
'string',
label=T('Host / Service'),
requires=IS_IN_SET(svc_set),
default=svc_set[0][0]),
Field('f_pwtext', 'text', label=T('Password text')),
Field('f_type',
'string',
label=T('File type'),
default='PWDUMP',
requires=IS_IN_SET(settings.password_file_types)),
Field('f_source', 'string', label=T('Source (if necessary)')),
Field('f_add_to_evidence', 'boolean', label=T('Add file to Evidence')),
buttons=buttons,
_action=url,
_id='accounts_paste_form'
#_action=url, _id='accounts_paste_form', formstyle='bootstrap_modal'
)
resp_text = ""
accounts_added = []
accounts_updated = []
if form.errors:
response.flash = 'Error in form'
return TABLE(*[TR(k, v) for k, v in form.errors.items()])
elif form.accepts(request.vars, session):
from utils import web2py_uuid
host_id = db.t_services[form.vars.f_service].f_hosts_id
pwd_file_dir = os.path.join(request.folder, 'data', 'passwords',
'other')
if not os.path.exists(pwd_file_dir):
from gluon.fileutils import mktree
mktree(pwd_file_dir)
filename = "%s-pwfile-%s" % (host_id, web2py_uuid())
full_file_path = os.path.join(request.folder, 'data/passwords/other',
filename)
of = open(full_file_path, "w")
of.write(form.vars.f_pwtext)
of.close()
logger.debug("Processing password file: %s" % (full_file_path))
account_data = process_password_file(pw_file=full_file_path,
file_type=request.vars.f_type,
source=request.vars.f_source)
response.headers[
'web2py-component-command'] = 'accounttable.fnReloadAjax();'
resp_text = insert_or_update_acct(form.vars.f_service, account_data)
if form.vars.f_add_to_evidence is True:
# add the password file to evidence
try:
pwdata = open(full_file_path, "r").readlines()
except Exception, e:
logger.error("Error opening %s: %s" % (full_file_path, e))
resp_text += "Error opening %s: %s\n" % (full_file_path, e)
db.t_evidence.insert(f_hosts_id=host_id,
f_type='Password File',
f_text=form.vars.f_type,
f_filename=filename,
f_evidence=filename,
f_data=pwdata)
resp_text += "\n%s added to evidence\n" % (filename)
db.commit()
def connect(
self,
request,
response,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
separate = None,
check_client=False,
cookie_key=None,
):
"""
separate can be separate=lambda(session_name): session_name[-2:]
and it is used to determine a session prefix.
separate can be True and it is set to session_name[-2:]
"""
if separate == True:
separate = lambda session_name: session_name[-2:]
self._unlock(response)
if not masterapp:
masterapp = request.application
response.session_id_name = 'session_id_%s' % masterapp.lower()
# Load session data from cookie
cookies = request.cookies
if cookie_key:
response.session_cookie_key = cookie_key
response.session_cookie_key2 = hashlib.md5(cookie_key).digest()
cookie_name = masterapp.lower()+'_session_data'
response.session_cookie_name = cookie_name
if cookie_name in cookies:
cookie_value = cookies[cookie_name].value
cookie_parts = cookie_value.split(":")
enc = cookie_parts[2]
cipher = AES.new(cookie_key)
decrypted = cipher.decrypt(base64.b64decode(enc)).rstrip('{')
check = hmac.new(response.session_cookie_key2,enc).hexdigest()
if cookie_parts[0] == check:
session_data = cPickle.loads(decrypted)
self.update(session_data)
else:
return
if not db:
if global_settings.db_sessions is True \
or masterapp in global_settings.db_sessions:
return
response.session_new = False
client = request.client and request.client.replace(':', '.')
if response.session_id_name in cookies:
response.session_id = \
cookies[response.session_id_name].value
if regex_session_id.match(response.session_id):
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
else:
response.session_id = None
if response.session_id:
try:
response.session_file = \
open(response.session_filename, 'rb+')
try:
portalocker.lock(response.session_file,
portalocker.LOCK_EX)
response.session_locked = True
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
oc = response.session_filename.split('/')[-1]\
.split('-')[0]
if check_client and client!=oc:
raise Exception, "cookie attack"
finally:
pass
#This causes admin login to break. Must find out why.
#self._close(response)
except:
response.session_id = None
if not response.session_id:
uuid = web2py_uuid()
response.session_id = '%s-%s' % (client, uuid)
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % \
(prefix,response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
else:
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
response.session_db = True
if response.session_file:
self._close(response)
if settings.global_settings.web2py_runtime_gae:
# in principle this could work without GAE
request.tickets_db = db
if masterapp == request.application:
table_migrate = migrate
else:
table_migrate = False
tname = tablename + '_' + masterapp
table = db.get(tname, None)
Field = db.Field
if table is None:
db.define_table(
tname,
Field('locked', 'boolean', default=False),
Field('client_ip', length=64),
Field('created_datetime', 'datetime',
default=request.now),
Field('modified_datetime', 'datetime'),
Field('unique_key', length=64),
Field('session_data', 'blob'),
migrate=table_migrate,
)
table = db[tname] # to allow for lazy table
try:
# Get session data out of the database
# Key comes from the cookie
key = cookies[response.session_id_name].value
(record_id, unique_key) = key.split(':')
if record_id == '0':
raise Exception, 'record_id == 0'
# Select from database
rows = db(table.id == record_id).select()
# Make sure the session data exists in the database
if len(rows) == 0 or rows[0].unique_key != unique_key:
raise Exception, 'No record'
# rows[0].update_record(locked=True)
# Unpickle the data
session_data = cPickle.loads(rows[0].session_data)
self.update(session_data)
except Exception:
record_id = None
unique_key = web2py_uuid()
session_data = {}
response._dbtable_and_field = \
(response.session_id_name, table, record_id, unique_key)
response.session_id = '%s:%s' % (record_id, unique_key)
rcookies = response.cookies
rcookies[response.session_id_name] = response.session_id
rcookies[response.session_id_name]['path'] = '/'
self.__hash = hashlib.md5(str(self)).digest()
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def connect(
self,
request=None,
response=None,
db=None,
tablename='web2py_session',
masterapp=None,
migrate=True,
separate=None,
check_client=False,
cookie_key=None,
cookie_expires=None,
compression_level=None
):
"""
separate can be separate=lambda(session_name): session_name[-2:]
and it is used to determine a session prefix.
separate can be True and it is set to session_name[-2:]
"""
request = request or current.request
response = response or current.response
masterapp = masterapp or request.application
cookies = request.cookies
self._unlock(response)
response.session_masterapp = masterapp
response.session_id_name = 'session_id_%s' % masterapp.lower()
response.session_data_name = 'session_data_%s' % masterapp.lower()
response.session_cookie_expires = cookie_expires
response.session_client = str(request.client).replace(':', '.')
response.session_cookie_key = cookie_key
response.session_cookie_compression_level = compression_level
# check if there is a session_id in cookies
try:
response.session_id = cookies[response.session_id_name].value
except KeyError:
response.session_id = None
# if we are supposed to use cookie based session data
if cookie_key:
response.session_storage_type = 'cookie'
elif db:
response.session_storage_type = 'db'
else:
response.session_storage_type = 'file'
# why do we do this?
# because connect may be called twice, by web2py and in models.
# the first time there is no db yet so it should do nothing
if (global_settings.db_sessions is True or
masterapp in global_settings.db_sessions):
return
if response.session_storage_type == 'cookie':
# check if there is session data in cookies
if response.session_data_name in cookies:
session_cookie_data = cookies[response.session_data_name].value
else:
session_cookie_data = None
if session_cookie_data:
data = secure_loads(session_cookie_data, cookie_key,
compression_level=compression_level)
if data:
self.update(data)
response.session_id = True
# else if we are supposed to use file based sessions
elif response.session_storage_type == 'file':
response.session_new = False
response.session_file = None
# check if the session_id points to a valid sesion filename
if response.session_id:
if not regex_session_id.match(response.session_id):
response.session_id = None
else:
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
try:
response.session_file = \
open(response.session_filename, 'rb+')
portalocker.lock(response.session_file,
portalocker.LOCK_EX)
response.session_locked = True
self.update(cPickle.load(response.session_file))
response.session_file.seek(0)
oc = response.session_filename.split('/')[-1].split('-')[0]
if check_client and response.session_client != oc:
raise Exception("cookie attack")
except:
response.session_id = None
if not response.session_id:
uuid = web2py_uuid()
response.session_id = '%s-%s' % (response.session_client, uuid)
separate = separate and (lambda session_name: session_name[-2:])
if separate:
prefix = separate(response.session_id)
response.session_id = '%s/%s' % (prefix, response.session_id)
response.session_filename = \
os.path.join(up(request.folder), masterapp,
'sessions', response.session_id)
response.session_new = True
# else the session goes in db
elif response.session_storage_type == 'db':
if global_settings.db_sessions is not True:
global_settings.db_sessions.add(masterapp)
# if had a session on file alreday, close it (yes, can happen)
if response.session_file:
self._close(response)
# if on GAE tickets go also in DB
if settings.global_settings.web2py_runtime_gae:
request.tickets_db = db
table_migrate = (masterapp == request.application)
tname = tablename + '_' + masterapp
table = db.get(tname, None)
Field = db.Field
if table is None:
db.define_table(
tname,
Field('locked', 'boolean', default=False),
Field('client_ip', length=64),
Field('created_datetime', 'datetime',
default=request.now),
Field('modified_datetime', 'datetime'),
Field('unique_key', length=64),
Field('session_data', 'blob'),
migrate=table_migrate,
)
table = db[tname] # to allow for lazy table
response.session_db_table = table
if response.session_id:
# Get session data out of the database
try:
(record_id, unique_key) = response.session_id.split(':')
record_id = long(record_id)
except (TypeError,ValueError):
record_id = None
# Select from database
if record_id:
row = table(record_id) #,unique_key=unique_key)
# Make sure the session data exists in the database
if row:
# rows[0].update_record(locked=True)
# Unpickle the data
session_data = cPickle.loads(row.session_data)
self.update(session_data)
else:
record_id = None
if record_id:
response.session_id = '%s:%s' % (record_id, unique_key)
response.session_db_unique_key = unique_key
response.session_db_record_id = record_id
else:
response.session_id = None
response.session_new = True
if self.flash:
(response.flash, self.flash) = (self.flash, None)
def run(appname,
plain=False,
import_models=False,
startfile=None,
bpython=False,
python_code=False):
"""
Start interactive shell or run Python script (startfile) in web2py
controller environment. appname is formatted like:
a web2py application name
a/c exec the controller c into the application environment
"""
(a, c, f) = parse_path_info(appname)
errmsg = 'invalid application name: %s' % appname
if not a:
die(errmsg)
adir = os.path.join('applications', a)
if not os.path.exists(adir):
if sys.stdin and not sys.stdin.name == '/dev/null':
confirm = raw_input(
'application %s does not exist, create (y/n)?' % a)
else:
logging.warn('application does not exist and will not be created')
return
if confirm.lower() in ['y', 'yes']:
os.mkdir(adir)
w2p_unpack('welcome.w2p', adir)
for subfolder in [
'models', 'views', 'controllers', 'databases', 'modules',
'cron', 'errors', 'sessions', 'languages', 'static',
'private', 'uploads'
]:
subpath = os.path.join(adir, subfolder)
if not os.path.exists(subpath):
os.mkdir(subpath)
db = os.path.join(adir, 'models/db.py')
if os.path.exists(db):
data = fileutils.read_file(db)
data = data.replace('<your secret key>',
'sha512:' + web2py_uuid())
fileutils.write_file(db, data)
if c:
import_models = True
_env = env(a, c=c, f=f, import_models=import_models)
if c:
cfile = os.path.join('applications', a, 'controllers', c + '.py')
if not os.path.isfile(cfile):
cfile = os.path.join('applications', a, 'compiled',
"controllers_%s_%s.pyc" % (c, f))
if not os.path.isfile(cfile):
die(errmsg)
else:
exec read_pyc(cfile) in _env
else:
execfile(cfile, _env)
if f:
exec('print %s()' % f, _env)
return
_env.update(exec_pythonrc())
if startfile:
try:
execfile(startfile, _env)
if import_models:
BaseAdapter.close_all_instances('commit')
except Exception, e:
print traceback.format_exc()
if import_models:
BaseAdapter.close_all_instances('rollback')
def app_create(db, app, request, force=False, key=None, info=False):
"""
Create a copy of welcome.w2p (scaffolding) app
Parameters
----------
app:
application name
request:
the global request object
"""
path = apath(app, request)
if not os.path.exists(path):
try:
os.mkdir(path)
except:
if info:
return False, traceback.format_exc(sys.exc_info)
else:
return False, None
elif not force:
if info:
return False, "Application exists"
else:
return False, None
try:
w2p_unpack('welcome.w2p', path)
for subfolder in [
'models', 'views', 'controllers', 'databases',
'modules', 'cron', 'errors', 'sessions', 'cache',
'languages', 'static', 'private', 'uploads']:
subpath = os.path.join(path, subfolder)
if not os.path.exists(subpath):
os.mkdir(subpath)
dbt = os.path.join(path, 'models', 'db.py')
if os.path.exists(dbt):
data = read_file(dbt)
data = data.replace('<your secret key>',
'sha512:' + (key or web2py_uuid()))
write_file(dbt, data)
parms = db(db.parametros.id==1).select()[0]
templates = os.path.join('\\\\'
, '127.0.0.1'
, 'c$'
, parms.web2py
, 'applications'
, parms.soag
, 'Template'
, 'web2py')
for subfolder in ['controllers', 'languages', 'models', 'modules', 'static', 'views']:
template = os.path.join(templates, subfolder)
subpath = os.path.join(path, subfolder)
shutil.rmtree(subpath)
shutil.copytree(template, subpath)
# shutil.copyfile(os.path.join(templates, 'routes.py'), os.path.join(path, 'routes.py'))
if info:
return True, None
else:
return True, None
except:
shutil.rmtree(path)
if info:
return False, traceback.format_exc(sys.exc_info)
else:
return False, None
