def unsecured(fn):
    """Decorator marking a SecuredController method as *not* requiring login.

    The wrapped method is called unchanged; the only effect is that the
    result is registered through ``tools.decorated(..., secured=False)`` so
    the framework knows no authentication check applies to it.
    """

    def passthrough(*args, **kw):
        # No access control at all: forward the call verbatim.
        return fn(*args, **kw)

    return tools.decorated(passthrough, fn, secured=False)
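def secured(fn):
    """Decorator that requires an authenticated session before ``fn`` runs.

    ``fn`` is a SecuredController controller method. On every call the
    wrapper does one of the following:

    * if ``rpc.session.is_logged()`` is true and the request is not an
      explicit ``login_action='login'`` form submission, it strips the
      login-related keyword arguments and calls ``fn`` directly;
    * otherwise it attempts ``rpc.session.login`` with the db/user/password
      taken from the request keyword arguments, falling back to the
      ``terp_db`` / ``terp_user`` cookies for db and user;
    * on failure it re-renders the login page (explicit login attempt) or
      sends the client to ``/openerp/login`` -- HTTP 401 plus a ``next``
      parameter for XMLHttpRequest callers, HTTP 303 plus ``Location``
      otherwise;
    * on success it refreshes the ``terp_db``/``terp_user`` cookies and
      calls ``fn`` with the login-related keyword arguments removed.

    Returns the wrapper registered via ``tools.decorated(..., secured=True)``.

    Changes from the previous revision: the cookie lookup catches only
    ``KeyError`` instead of a bare ``except`` (other failures are no longer
    silently swallowed), the key deletion in ``clear_login_fields`` iterates
    over a snapshot of the keys (mutating a dict while iterating its live key
    view raises ``RuntimeError`` on Python 3), and the always-empty
    ``message`` parameter on the redirect path was dropped as dead code.
    """

    def clear_login_fields(kw):
        """Remove credentials and every ``login_*`` key from ``kw`` in place.

        Only acts when ``login_action`` is set, i.e. the request came from the
        login form; otherwise ``db``/``user``/``password`` may be genuine
        arguments of the wrapped method and must be left alone.
        """
        if not kw.get('login_action'):
            return

        for k in ('db', 'user', 'password'):
            kw.pop(k, None)
        # Snapshot the keys first: deleting from the dict while iterating its
        # live key view is an error on Python 3.
        for k in list(kw):
            if k.startswith('login_'):
                del kw[k]

    def get_orig_args(kw):
        """Return ``kw`` without login fields, leaving ``kw`` itself intact.

        Used to pass the original request arguments back to the login page
        after a failed attempt, so they can be replayed once login succeeds.
        """
        if not kw.get('login_action'):
            return kw

        new_kw = kw.copy()
        clear_login_fields(new_kw)
        return new_kw

    def wrapper(*args, **kw):
        """Enforce authentication, then delegate to ``fn``."""
        if rpc.session.is_logged() and kw.get('login_action') != 'login':
            # Already authenticated and not an explicit re-login: go ahead.
            clear_login_fields(kw)
            return fn(*args, **kw)

        action = kw.get('login_action', '')

        # Defaults for db/user come from the cookies written on the last
        # successful login; explicit request parameters override them.
        try:
            db = cherrypy.request.cookie['terp_db'].value
            user = cherrypy.request.cookie['terp_user'].value
        except KeyError:
            # One or both cookies absent: start from empty values. A missing
            # cookie is the only failure we expect here; anything else is a
            # real bug and should surface rather than be swallowed.
            db = ''
            user = ''

        db = kw.get('db', db)
        user = ustr(kw.get('user', user))
        password = kw.get('password', '')

        # NOTE(review): this performs an RPC login attempt on every
        # unauthenticated request, even when no password was supplied at all
        # (cookie-only path, password == ''). Consider short-circuiting on an
        # empty password to avoid needless backend calls / auth-log noise.
        if rpc.session.login(db, user, password) <= 0:
            if action == 'login':
                # Explicit form submission that failed: re-render the login
                # page with an error and the credential-free original args.
                message = _("Bad username or password")
                return login(cherrypy.request.path_info, message=message,
                    db=db, user=user, action=action, origArgs=get_orig_args(kw))

            # Not logged in and not a login attempt: bounce to the login page.
            kwargs = {}
            if action:
                kwargs['action'] = action
            base = cherrypy.request.path_info
            if cherrypy.request.headers.get('X-Requested-With') == 'XMLHttpRequest':
                # AJAX callers cannot usefully follow a redirect; signal that
                # re-authentication is needed and where to come back to.
                cherrypy.response.status = 401
                next_key = 'next'
            else:
                cherrypy.response.status = 303
                next_key = 'location' # login?location is the redirection destination w/o next

            # Only GET requests are safely replayable after login. The target
            # is the server-relative path_info plus query string, so the
            # redirect destination cannot be pointed off-site by the client.
            if base and base != '/' and cherrypy.request.method == 'GET':
                kwargs[next_key] = "%s?%s" % (base, cherrypy.request.query_string)

            login_url = openobject.tools.url(
                '/openerp/login', db=db, user=user, **kwargs
            )
            cherrypy.response.headers['Location'] = login_url
            # Fallback body for clients that ignore the Location header.
            # NOTE(review): ``login_url`` carries the client-supplied ``db``
            # and ``user`` values and is interpolated into a JS string
            # literal unescaped; this relies on openobject.tools.url
            # percent-encoding its parameters -- confirm before trusting it.
            return """
                    <html>
                        <head>
                            <script type="text/javascript">
                                window.location.href="%s"
                            </script>
                        </head>
                        <body>
                        </body>
                    </html>
                """%(login_url)

        # Authenticated: remember db and user name for the next login form.
        # NOTE(review): no ``secure``/``httponly`` attributes are set on these
        # cookies. They hold the db name and user name rather than a session
        # secret, but consider adding the flags if the deployment is HTTPS
        # and the cookie implementation in use supports them.
        cookie = cherrypy.response.cookie
        cookie['terp_db'] = db
        cookie['terp_user'] = user.encode('utf-8')
        for name in ('terp_db', 'terp_user'):
            cookie[name]['max-age'] = 3600
            cookie[name]['path'] = '/'

        # Login succeeded: strip the credentials before handing over to fn.
        clear_login_fields(kw)
        return fn(*args, **kw)

    return tools.decorated(wrapper, fn, secured=True)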