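    def _check(self):
        """Enforce CSRF protection for a transaction that registered writes.

        Returns True when the request may continue: nothing was written, the
        request opted out via ``IDisableCSRFProtection``, ``check`` accepted
        the request, the KeyManager lookup failed on the Zope application
        root, or every written object is whitelisted (a portlet assignment or
        an object flagged ``_v_safe_write``).  Returns False after redirecting
        an unprotected GET request to the ``@@confirm-action`` form.

        Raises Forbidden (re-raised from ``check``) for a non-GET request
        without a valid token, and ComponentLookupError when the KeyManager
        is missing anywhere other than the application root.
        """
        registered = self._registered_objects()
        if not registered or IDisableCSRFProtection.providedBy(self.request):
            # Nothing to protect: no writes, or the request explicitly opted out.
            return True

        # Okay, we're writing here, we need to protect!
        try:
            check(self.request)
            return True
        except ComponentLookupError:
            # okay, it's possible we're at the zope root and the KeyManager
            # hasn't been installed yet. Let's check and carry on
            # if this is the case
            if IApplication.providedBy(self.getContext()):
                LOGGER.info('skipping csrf protection on zope root until '
                            'keymanager gets installed')
                return True
            raise
        except Forbidden:
            if self.request.REQUEST_METHOD != 'GET':
                # only try to be "smart" with GET requests
                raise

            # XXX
            # okay, so right now, we're going to check if the current
            # registered objects to write, are just portlet assignments.
            # I don't know why, but when a site is created, these
            # cause some writes on read. ALL, registered objects
            # need to be portlet assignments. XXX needs to be fixed
            # somehow...
            #
            # The whitelist below bypasses the token check entirely for the
            # flagged objects, so ``_v_safe_write`` must only be set on
            # writes that are harmless when triggered by a third party.
            safe = all(
                IPortletAssignment.providedBy(obj)
                or getattr(obj, '_v_safe_write', False)
                for obj in registered
            )
            if safe:
                return True

            LOGGER.info('aborting transaction due to no CSRF '
                        'protection on url %s' % self.request.URL)
            transaction.abort()

            # conditions for doing the confirm form are:
            #   1. 301, 302 response code
            #   2. text/html response
            #   3. getSite could be none, zope root maybe, carry on
            # otherwise,
            #   just abort with a log entry because we tried to
            #   write on read, without a POST request and we don't
            #   know what to do with it gracefully.
            resp = self.request.response
            # headers.get() yields None when no Content-Type was set; fall
            # back to '' so the substring test cannot raise TypeError.
            ct = resp.headers.get('content-type') or ''
            if self.site and (
                    resp.status in (301, 302) or 'text/html' in ct):
                # The confirm form receives the original form data in the
                # query string; note that this exposes those values in
                # server logs and Referer headers.
                data = self.request.form.copy()
                data['original_url'] = self.request.URL
                resp.redirect('%s/@@confirm-action?%s' % (
                    self.site.absolute_url(),
                    urlencode(data)
                ))
                return False
        return True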
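    def _check(self):
        """Guard a transaction that registered writes against CSRF.

        ``check`` is expected to raise Forbidden when the request carries no
        valid token.  For a GET request whose writes are not all whitelisted
        (portlet assignments or objects flagged ``_v_safe_write``) the
        transaction is aborted and, when the response is a 301/302 or
        text/html and a site is available, the client is redirected to
        ``@@confirm-action`` carrying the original form data and URL; the
        method then returns False.  Every other path that lets the request
        continue returns True.

        Raises Forbidden for non-GET requests that fail the token check and
        ComponentLookupError when the KeyManager cannot be found, unless the
        context is the Zope application root (where it may not exist yet).
        """
        registered = self._registered_objects()
        protect = bool(registered) and \
            not IDisableCSRFProtection.providedBy(self.request)
        if protect:
            # Okay, we're writing here, we need to protect!
            try:
                check(self.request)
                return True
            except ComponentLookupError:
                # okay, it's possible we're at the zope root and the KeyManager
                # hasn't been installed yet. Let's check and carry on
                # if this is the case
                if IApplication.providedBy(self.getContext()):
                    LOGGER.info('skipping csrf protection on zope root until '
                                'keymanager gets installed')
                    return True
                raise
            except Forbidden:
                if self.request.REQUEST_METHOD != 'GET':
                    # only try to be "smart" with GET requests
                    raise

                # XXX
                # okay, so right now, we're going to check if the current
                # registered objects to write, are just portlet assignments.
                # I don't know why, but when a site is created, these
                # cause some writes on read. ALL, registered objects
                # need to be portlet assignments. XXX needs to be fixed
                # somehow...
                #
                # A single object that is neither a portlet assignment nor
                # flagged ``_v_safe_write`` makes the whole transaction unsafe.
                # The flag skips the token check, so keep its use minimal.
                needs_confirm = False
                for obj in registered:
                    if IPortletAssignment.providedBy(obj):
                        continue
                    if getattr(obj, '_v_safe_write', False):
                        continue
                    needs_confirm = True
                    break

                if needs_confirm:
                    LOGGER.info('aborting transaction due to no CSRF '
                                'protection on url %s' % self.request.URL)
                    transaction.abort()

                    # conditions for doing the confirm form are:
                    #   1. 301, 302 response code
                    #   2. text/html response
                    #   3. getSite could be none, zope root maybe, carry on
                    # otherwise,
                    #   just abort with a log entry because we tried to
                    #   write on read, without a POST request and we don't
                    #   know what to do with it gracefully.
                    resp = self.request.response
                    # A missing Content-Type gives None from headers.get();
                    # substitute '' so ``'text/html' in ct`` never raises.
                    ct = resp.headers.get('content-type') or ''
                    if self.site and (resp.status in (301, 302)
                                      or 'text/html' in ct):
                        # Form values travel in the redirect query string and
                        # so become visible in logs and Referer headers.
                        data = self.request.form.copy()
                        data['original_url'] = self.request.URL
                        resp.redirect(
                            '%s/@@confirm-action?%s' %
                            (self.site.absolute_url(), urlencode(data)))
                        return False
        return True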
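    def _check(self):
        """Enforce CSRF protection for a transaction that registered writes.

        ``check`` is called with ``self.key_manager`` and is expected to raise
        Forbidden when the request has no valid token.  In that case the
        written objects are compared against a whitelist: portlet assignments
        and objects whose ``_p_oid`` is listed under ``SAFE_WRITE_KEY`` in the
        request environ.  If every object is whitelisted the method returns
        True regardless of the request method, i.e. the whitelist bypasses
        the token check for POST requests too.  Otherwise a non-GET request
        re-raises Forbidden, while a GET request has its transaction aborted
        and, when a site is available and the response is a 301/302 or
        text/html, is redirected to ``@@confirm-action`` (returning False).

        Returns True whenever the request may continue.

        Raises Forbidden as described above and ComponentLookupError (after
        logging) when no key manager can be found.
        """
        registered = self._registered_objects()
        if len(registered) > 0 and \
                not IDisableCSRFProtection.providedBy(self.request):
            # Okay, we're writing here, we need to protect!
            try:
                check(self.request, manager=self.key_manager)
                return True
            except ComponentLookupError:
                LOGGER.info('Can not find key manager for CSRF protection. '
                            'This should not happen.')
                raise
            except Forbidden:
                # XXX
                # okay, so right now, we're going to check if the current
                # registered objects to write, are just portlet assignments.
                # I don't know why, but when a site is created, these
                # cause some writes on read. ALL, registered objects
                # need to be portlet assignments. XXX needs to be fixed
                # somehow...
                safe_oids = []
                if SAFE_WRITE_KEY in getattr(self.request, 'environ', {}):
                    safe_oids = self.request.environ[SAFE_WRITE_KEY]
                # An object without _p_oid yields False here; it is only
                # considered safe if False itself is in safe_oids.
                safe = all(
                    IPortletAssignment.providedBy(obj)
                    or getattr(obj, '_p_oid', False) in safe_oids
                    for obj in registered
                )
                if not safe:
                    if self.request.REQUEST_METHOD != 'GET':
                        # only try to be "smart" with GET requests
                        raise

                    # traceback.print_stack() writes to stderr and returns
                    # None; format_stack() gives the text we want in the log.
                    LOGGER.info('%s\naborting transaction due to no CSRF '
                                'protection on url %s' % (
                                    ''.join(traceback.format_stack()),
                                    self.request.URL))
                    transaction.abort()

                    # conditions for doing the confirm form are:
                    #   1. 301, 302 response code
                    #   2. text/html response
                    #   3. getSite could be none, zope root maybe, carry on
                    # otherwise,
                    #   just abort with a log entry because we tried to
                    #   write on read, without a POST request and we don't
                    #   know what to do with it gracefully.
                    resp = self.request.response
                    ct = resp.getHeader('Content-Type', '') or ''
                    if self.site and (
                            resp.status in (301, 302) or 'text/html' in ct):
                        # Form values are carried in the redirect query
                        # string and thus appear in logs and Referer headers.
                        data = self.request.form.copy()
                        data['original_url'] = self.request.URL
                        resp.redirect('%s/@@confirm-action?%s' % (
                            self.site.absolute_url(),
                            urlencode(data)
                        ))
                        return False
        return True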
    def _check(self):
        """Enforce CSRF protection for a transaction that registered writes.

        ``check`` (given ``self.key_manager``) is expected to raise Forbidden
        when the request carries no valid token.  Writes are then compared
        against a whitelist: portlet assignments, and objects whose
        ``_p_oid`` appears under ``SAFE_WRITE_KEY`` in the request environ.
        A fully whitelisted transaction returns True for any request method,
        so the whitelist bypasses the token check for POST as well.  A
        non-whitelisted write re-raises Forbidden for non-GET requests; for
        GET the transaction is aborted and, when a site is available and the
        response is a 301/302 or text/html, the client is redirected to
        ``@@confirm-action`` with the original form data and URL (returns
        False).

        Returns True whenever the request may continue.

        Raises Forbidden as described above and ComponentLookupError (logged
        first) when the key manager cannot be found.
        """
        registered = self._registered_objects()
        exempt = IDisableCSRFProtection.providedBy(self.request)
        if not (len(registered) > 0 and not exempt):
            return True

        # Okay, we're writing here, we need to protect!
        try:
            check(self.request, manager=self.key_manager)
            return True
        except ComponentLookupError:
            LOGGER.info('Can not find key manager for CSRF protection. '
                        'This should not happen.')
            raise
        except Forbidden:
            # XXX
            # okay, so right now, we're going to check if the current
            # registered objects to write, are just portlet assignments.
            # I don't know why, but when a site is created, these
            # cause some writes on read. ALL, registered objects
            # need to be portlet assignments. XXX needs to be fixed
            # somehow...
            environ = getattr(self.request, 'environ', {})
            safe_oids = []
            if SAFE_WRITE_KEY in environ:
                safe_oids = self.request.environ[SAFE_WRITE_KEY]

            def whitelisted(obj):
                # Same test as before: portlet assignment, or oid listed as
                # safe (objects without _p_oid contribute False).
                if IPortletAssignment.providedBy(obj):
                    return True
                return getattr(obj, '_p_oid', False) in safe_oids

            if all(whitelisted(obj) for obj in registered):
                return True

            if self.request.REQUEST_METHOD != 'GET':
                # only try to be "smart" with GET requests
                raise
            LOGGER.info('aborting transaction due to no CSRF '
                        'protection on url %s' % self.request.URL)
            transaction.abort()

            # conditions for doing the confirm form are:
            #   1. 301, 302 response code
            #   2. text/html response
            #   3. getSite could be none, zope root maybe, carry on
            # otherwise,
            #   just abort with a log entry because we tried to
            #   write on read, without a POST request and we don't
            #   know what to do with it gracefully.
            resp = self.request.response
            ct = resp.getHeader('Content-Type', '') or ''
            if self.site and (resp.status in (301, 302)
                              or 'text/html' in ct):
                # Form values end up in the redirect query string, hence in
                # logs and Referer headers.
                data = self.request.form.copy()
                data['original_url'] = self.request.URL
                target = '%s/@@confirm-action?%s' % (
                    self.site.absolute_url(), urlencode(data))
                resp.redirect(target)
                return False
        return True
 def save(self):
     """Save the image.

     Runs ``check`` on the request first (expected to raise when the request
     carries no valid token, as in the ``_check`` methods above), then reads
     the ``image`` form field, passes it to ``self.fetch`` and stores the
     returned data on the context (if it is an ATImage) and on the parent
     (if it is an AT content type).

     Raises Exception when the ``image`` field is missing or ``fetch``
     returns nothing.
     """
     context, request, form = self.context, self.request, self.request.form
     check(self.request)  # token check: raises if the request is not protected
     if not "image" in form:
         raise Exception("invalid request")
     # NOTE(review): form["image"] is caller-supplied and is handed straight
     # to fetch(); what fetch accepts (upload, path, URL?) is not visible here
     # — confirm it validates its argument before retrieving anything.
     data = self.fetch(form["image"])
     if not data:
         raise Exception("image download fails")
     if IATImage.providedBy(self.context):
         self.at_store(self.context, data)
     parent = aq_parent(self.context)
     # Stored on the parent under the context's id; whether ``id`` is a
     # method or an attribute on this context type is not visible here.
     if IATContentType.providedBy(parent):
         self.at_store(parent, data, self.context.id())