    def process_response(self, request, response):
        """Embed the XSRF token as a hidden <input> in every matching <form>.

        Only responses whose Content-Type (with any parameters such as
        charset stripped) is listed in _HTML_TYPES are rewritten. The token
        is obtained from xsrfutil for the current user, keyed by
        _GetSecretKey(request). Every <form> matched by _POST_FORM_RE gets a
        hidden-div/input pair appended right after the opening tag; only the
        first one carries id='xsrftoken' so ids stay unique in the document.

        Args:
          request: the incoming request, passed to _GetSecretKey.
          response: the outgoing response; its content is rewritten in place.

        Returns:
          The same response object. When at least one form was rewritten the
          ETag header is dropped, because a precomputed ETag would no longer
          describe the modified body.

        NOTE(review): the token is interpolated into a single-quoted attribute
        without escaping, so this relies on xsrfutil never emitting quotes or
        angle brackets -- confirm. The rewritten body is also per-user, and
        nothing here sets Cache-Control; check that the surrounding stack
        keeps such responses out of shared caches.
        """
        content_type = response.get('Content-Type', None)
        if not content_type:
            return response
        media_type = content_type.split(';')[0]
        if media_type not in _HTML_TYPES:
            return response

        token = xsrfutil.getGeneratedTokenForCurrentUser(_GetSecretKey(request))

        # First form: id='xsrftoken'; every later form: no id attribute.
        id_attrs = itertools.chain(("id='xsrftoken'",), itertools.repeat(''))

        def add_xsrf_field(match):
            """Return the matched <form> tag followed by the hidden token input."""
            hidden_input = "".join([
                "<div style='display:none;'>",
                "<input type='hidden' ",
                next(id_attrs),
                " name='xsrf_token' value='",
                token,
                "' /></div>",
            ])
            return mark_safe(match.group() + hidden_input)

        response.content, count = _POST_FORM_RE.subn(add_xsrf_field,
                                                     response.content)
        if count > 0:
            # The body changed, so any ETag computed for it is stale.
            del response['ETag']

        return response
  def process_response(self, request, response):
    """Embed the XSRF token as a hidden <input> in every matching <form>.

    Responses are only touched when their Content-Type, ignoring parameters
    such as charset, is one of _HTML_TYPES. The token comes from xsrfutil for
    the current user, keyed by self._getSecretKey(request). Each <form>
    matched by _POST_FORM_RE gets a hidden div/input appended after its
    opening tag; only the first such input carries id='xsrftoken'.

    Args:
      request: the incoming request, passed to self._getSecretKey.
      response: the outgoing response; its content is rewritten in place.

    Returns:
      The same response object. If any form was rewritten its ETag header is
      removed, since the header would no longer match the modified body.

    NOTE(review): the token is placed inside a single-quoted attribute without
    escaping, so this assumes xsrfutil never emits quotes or angle brackets --
    confirm. The rewritten body is per-user and no Cache-Control is set here;
    make sure such responses are not stored in a shared cache downstream.
    """
    content_type = response.get('Content-Type', None)
    is_html = bool(content_type) and content_type.split(';')[0] in _HTML_TYPES
    if is_html:
      secret_key = self._getSecretKey(request)
      token = xsrfutil.getGeneratedTokenForCurrentUser(secret_key)

      # Only the first form gets an id attribute; ids must be unique per page.
      id_attrs = itertools.chain(("id='xsrftoken'",), itertools.repeat(''))

      def add_xsrf_field(match):
        """Return the matched <form> tag followed by the hidden token input."""
        hidden = ("<div style='display:none;'>"
                  "<input type='hidden' %s name='xsrf_token' value='%s' /></div>"
                  % (next(id_attrs), token))
        return mark_safe(match.group() + hidden)

      response.content, count = _POST_FORM_RE.subn(add_xsrf_field,
                                                   response.content)
      if count > 0:
        # Body changed, so a precomputed ETag would be stale.
        del response['ETag']

    return response
  def render(self, context):
    """Render self.templatePath() with *context* and write it to the response.

    Before rendering, these keys are set on *context* (in place):
      app_version: the major component of the CURRENT_VERSION_ID environment
        variable ('' when unset); used e.g. in URL patterns to avoid JS
        caching issues.
      is_local: whether the application is running locally.
      posted: self.posted, i.e. whether render follows a POST request.
      xsrf_token: the XSRF token for the current user, derived from the
        site's XSRF secret key.
      ga_tracking_num: the site's Google Analytics tracking number.
      google_api_key: the site's Google API key; the secondary key is used
        when the request arrives on the secondary hostname.

    Args:
      context: dict that is extended in place and handed to the template
    """
    version_id = os.environ.get('CURRENT_VERSION_ID', '')
    context['app_version'] = version_id.split('.')[0]
    context['is_local'] = system.isLocal()
    context['posted'] = self.posted

    secret_key = site.getXsrfSecretKey(self.data.site)
    context['xsrf_token'] = xsrfutil.getGeneratedTokenForCurrentUser(secret_key)
    context['ga_tracking_num'] = self.data.site.ga_tracking_num

    # The secondary hostname is served with its own API key.
    on_secondary = system.isSecondaryHostname(self.request)
    context['google_api_key'] = (self.data.site.secondary_google_api_key
                                 if on_secondary
                                 else self.data.site.google_api_key)

    self.response.write(
        loader.render_to_string(self.templatePath(), dictionary=context))
def default(data):
  """Build the default template context for *data*.

  Keys of the returned dict:
      app_version: the current Melange version string
      is_local: whether the application is running locally
      posted: truthy when the request carries POST data or is a
          redirect-after-post ('validated' present in GET)
      xsrf_token: the XSRF token for the current user
      google_api_key: the site's Google API key (the secondary key when
          the request is on the secondary hostname)
      ga_tracking_num: the site's Google Analytics tracking number
      ds_write_disabled: whether datastore writes are disabled
      gdata_is_logged_in: the string 'true' when the user has a GData
          access token, otherwise 'false'
      css_path: path fragment for the css files of the current module

  Args:
    data: request data object exposing request, site, user, css_path and
      ds_write_disabled
  """
  request = data.request
  posted = request.POST or 'validated' in request.GET

  token = xsrfutil.getGeneratedTokenForCurrentUser(site.xsrfSecretKey(data.site))

  if system.isSecondaryHostname(data):
    api_key = data.site.secondary_google_api_key
  else:
    api_key = data.site.google_api_key

  # Template code expects a JS literal, hence the string rather than a bool.
  has_gdata_token = data.user and oauth_helper.getAccessToken(data.user)
  gdata_is_logged_in = 'true' if has_gdata_token else 'false'

  css_parts = ['soc', 'content', system.getMelangeVersion(), 'css', 'v2',
               data.css_path]

  return {
      'app_version': system.getMelangeVersion(),
      'is_local': system.isLocal(),
      'posted': posted,
      'xsrf_token': token,
      'google_api_key': api_key,
      'ga_tracking_num': data.site.ga_tracking_num,
      'ds_write_disabled': data.ds_write_disabled,
      'gdata_is_logged_in': gdata_is_logged_in,
      'css_path': '/'.join(css_parts),
  }
def default(data):
    """Build the default template context for *data*.

    Keys of the returned dict:
        app_version: the current Melange version string
        is_local: whether the application is running locally
        posted: truthy when the request carries POST data or is a
            redirect-after-post ('validated' present in GET)
        xsrf_token: the XSRF token for the current user
        google_api_key: the site's Google API key (the secondary key when
            the request is on the secondary hostname)
        ga_tracking_num: the site's Google Analytics tracking number
        ds_write_disabled: whether datastore writes are disabled
        css_path: path fragment for the css files of the current module
        site_description: the site's description text

    Args:
      data: request data object exposing request, site, css_path and
        ds_write_disabled
    """
    version = system.getMelangeVersion()

    request = data.request
    posted = request.POST or 'validated' in request.GET

    token = xsrfutil.getGeneratedTokenForCurrentUser(site.xsrfSecretKey(data.site))

    # Pick the API key attribute that matches the hostname being served.
    key_attr = ('secondary_google_api_key' if site.isSecondaryHostname(data)
                else 'google_api_key')
    api_key = getattr(data.site, key_attr)

    css_path = '/'.join(['soc', 'content', version, 'css', data.css_path])

    context = {
        'app_version': version,
        'is_local': system.isLocal(),
        'posted': posted,
        'xsrf_token': token,
        'google_api_key': api_key,
        'ga_tracking_num': data.site.ga_tracking_num,
        'ds_write_disabled': data.ds_write_disabled,
        'css_path': css_path,
        'site_description': data.site.description,
    }
    return context
def getUniversalContext(request):
    """Return the shared template context for this request, built at most once.

    The dict is stored on the core under the request value 'context'. When a
    non-empty one is already present it is returned as is; otherwise a new
    one is filled and stored before being returned. Keys set:
      request: the Django HTTP request object passed in by the caller
      account: the current Google Account, or None
      user: the User entity for that account (None when nobody is signed in)
      is_admin: True when user_logic.isDeveloper() holds for account/user
      is_local: system.isLocal()
      is_debug: system.isDebug()
      sign_in: a Google Account login URL returning to request.path
      sign_out: a Google Account logout URL returning to request.path
      sidebar_menu_items: core.getSidebar(account, user)
      gae_version: system.getAppVersion()
      soc_release: system.getMelangeVersion()
      ga_tracking_num, gmaps_api_key, site_name, site_notice: site settings
      tos_link: the Terms-of-Service redirect for the site settings
      in_maintenance: whether the 'maintenance' period is currently active
      xsrf_token: the XSRF token for the current user; generated only once
        per request because the whole dict is cached

    Args:
      request: the Django HTTP request object

    Returns:
      the context dict, either the cached one or the freshly built one
    """
    core = callback.getCore()

    context = core.getRequestValue('context', {})
    if context:
        return context

    account = accounts.getCurrentAccount()
    if account:
        user = user_logic.getForAccount(account)
        is_admin = user_logic.isDeveloper(account=account, user=user)
    else:
        user = None
        is_admin = False

    context.update({
        'request': request,
        'account': account,
        'user': user,
        'is_admin': is_admin,
        'is_local': system.isLocal(),
        'is_debug': system.isDebug(),
        'sign_in': users.create_login_url(request.path),
        'sign_out': users.create_logout_url(request.path),
        'sidebar_menu_items': core.getSidebar(account, user),
        'gae_version': system.getAppVersion(),
        'soc_release': system.getMelangeVersion(),
    })

    settings = site.logic.getSingleton()
    context.update({
        'ga_tracking_num': settings.ga_tracking_num,
        'gmaps_api_key': settings.gmaps_api_key,
        'site_name': settings.site_name,
        'site_notice': settings.site_notice,
        'tos_link': redirects.getToSRedirect(settings),
        'in_maintenance': timeline.isActivePeriod(settings, 'maintenance'),
    })

    # Caching the dict means one xsrf_token per request, not per template.
    secret_key = site.logic.getXsrfSecretKey(settings)
    context['xsrf_token'] = xsrfutil.getGeneratedTokenForCurrentUser(secret_key)

    core.setRequestValue('context', context)
    return context