def xmlrpc_getJabberAuthToken(self, jid, secret):
"""
Returns a token which can be used for authentication.
This token can be used in other XMLRPC calls. Generation of
token depends on user's JID and a secret shared between wiki
and Jabber bot.
@param jid: a bare Jabber ID
"""
if self.cfg.secrets['jabberbot'] != secret:
logging.warning("getJabberAuthToken: got wrong secret %r" % secret)
return ""
request = self.request
request.session = request.cfg.session_service.get_session(request)
logging.debug("getJabberAuthToken: got session %r" % request.session)
u = user.get_by_jabber_id(
request,
jid) # XXX is someone talking to use from a jid we have stored in
# XXX some user profile enough to authenticate him as that user?
logging.debug("getJabberAuthToken: got user %r" % u)
if u and u.valid:
u.auth_method = 'moin' # XXX fake 'moin' login so the check for known login methods succeeds
# XXX if not patched, u.auth_method is 'internal', but that is not accepted either
# TODO this should be done more cleanly, somehow
request.user = u
request.cfg.session_service.finalize(request, request.session)
logging.debug("getJabberAuthToken: returning sid %r" %
request.session.sid)
return request.session.sid
else:
return ""
def xmlrpc_getJabberAuthToken(self, jid, secret):
"""
Returns a token which can be used for authentication.
This token can be used in other XMLRPC calls. Generation of
token depends on user's JID and a secret shared between wiki
and Jabber bot.
@param jid: a bare Jabber ID
"""
if self.cfg.secrets['jabberbot'] != secret:
logging.warning("getJabberAuthToken: got wrong secret %r" % secret)
return ""
request = self.request
request.session = request.cfg.session_service.get_session(request)
logging.debug("getJabberAuthToken: got session %r" % request.session)
u = user.get_by_jabber_id(request, jid) # XXX is someone talking to use from a jid we have stored in
# XXX some user profile enough to authenticate him as that user?
logging.debug("getJabberAuthToken: got user %r" % u)
if u and u.valid:
u.auth_method = 'moin' # XXX fake 'moin' login so the check for known login methods succeeds
# XXX if not patched, u.auth_method is 'internal', but that is not accepted either
# TODO this should be done more cleanly, somehow
request.user = u
request.cfg.session_service.finalize(request, request.session)
logging.debug("getJabberAuthToken: returning sid %r" % request.session.sid)
return request.session.sid
else:
return ""
def xmlrpc_getUserLanguageByJID(self, jid):
""" Returns user's language given his/her Jabber ID
It makes no sense to consider this a secret, right? Therefore
an authentication token is not required. We return a default
of "en" if user is not found.
TODO: surge protection? Do we fear account enumeration?
"""
retval = "en"
u = user.get_by_jabber_id(self.request, jid)
if u:
retval = u.language
return retval
def xmlrpc_getUserLanguageByJID(self, jid):
"""
Returns user's language given his/her Jabber ID
It makes no sense to consider this a secret, right? Therefore
an authentication token is not required. We return a default
of "en" if user is not found.
TODO: surge protection? Do we fear account enumeration?
"""
retval = "en"
u = user.get_by_jabber_id(self.request, jid)
if u:
retval = u.language
return retval
def _save_user_prefs(self):
_ = self._
form = self.request.form
request = self.request
if request.request_method != 'POST':
return
if not 'name' in request.user.auth_attribs:
# Require non-empty name
new_name = form.get('name', [request.user.name])[0]
# Don't allow changing the name to an invalid one
if not user.isValidName(request, new_name):
return 'error', _("""Invalid user name {{{'%s'}}}.
Name may contain any Unicode alpha numeric character, with optional one
space between words. Group page name is not allowed.""", wiki=True) % wikiutil.escape(new_name)
# Is this an existing user trying to change information or a new user?
# Name required to be unique. Check if name belong to another user.
existing_id = user.getUserId(request, new_name)
if existing_id is not None and existing_id != request.user.id:
return 'error', _("This user name already belongs to somebody else.")
if not new_name:
return 'error', _("Empty user name. Please enter a user name.")
# done sanity checking the name, set it
request.user.name = new_name
if not 'email' in request.user.auth_attribs:
# try to get the email
new_email = wikiutil.clean_input(form.get('email', [request.user.email])[0])
new_email = new_email.strip()
# Require email
if not new_email and 'email' not in request.cfg.user_form_remove:
return 'error', _("Please provide your email address. If you lose your"
" login information, you can get it by email.")
# Email should be unique - see also MoinMoin/script/accounts/moin_usercheck.py
if new_email and request.cfg.user_email_unique:
other = user.get_by_email_address(request, new_email)
if other is not None and other.id != request.user.id:
return 'error', _("This email already belongs to somebody else.")
# done checking the email, set it
request.user.email = new_email
if not 'jid' in request.user.auth_attribs:
# try to get the jid
new_jid = wikiutil.clean_input(form.get('jid', [''])[0]).strip()
jid_changed = request.user.jid != new_jid
previous_jid = request.user.jid
if new_jid and request.cfg.user_jid_unique:
other = user.get_by_jabber_id(request, new_jid)
if other is not None and other.id != request.user.id:
return 'error', _("This jabber id already belongs to somebody else.")
if jid_changed:
set_event = events.JabberIDSetEvent(request, new_jid)
unset_event = events.JabberIDUnsetEvent(request, previous_jid)
events.send_event(unset_event)
events.send_event(set_event)
# done checking the JID, set it
request.user.jid = new_jid
if not 'aliasname' in request.user.auth_attribs:
# aliasname
request.user.aliasname = wikiutil.clean_input(form.get('aliasname', [''])[0])
# editor size
request.user.edit_rows = util.web.getIntegerInput(request, 'edit_rows',
request.user.edit_rows, 10, 60)
# try to get the editor
request.user.editor_default = form.get('editor_default', [self.cfg.editor_default])[0]
request.user.editor_ui = form.get('editor_ui', [self.cfg.editor_ui])[0]
# time zone
request.user.tz_offset = util.web.getIntegerInput(request, 'tz_offset',
request.user.tz_offset, -84600, 84600)
# datetime format
try:
dt_d_combined = Settings._date_formats.get(form['datetime_fmt'][0], '')
request.user.datetime_fmt, request.user.date_fmt = dt_d_combined.split(' & ')
except (KeyError, ValueError):
request.user.datetime_fmt = '' # default
request.user.date_fmt = '' # default
# try to get the (optional) theme
theme_name = form.get('theme_name', [self.cfg.theme_default])[0]
if theme_name != request.user.theme_name:
# if the theme has changed, load the new theme
# so the user has a direct feedback
# WARNING: this should be refactored (i.e. theme load
# after userform handling), cause currently the
# already loaded theme is just replaced (works cause
# nothing has been emitted yet)
request.user.theme_name = theme_name
if request.loadTheme(theme_name) > 0:
theme_name = wikiutil.escape(theme_name)
return 'error', _("The theme '%(theme_name)s' could not be loaded!") % locals()
# try to get the (optional) preferred language
request.user.language = form.get('language', [''])[0]
if request.user.language == u'': # For language-statistics
from MoinMoin import i18n
request.user.real_language = i18n.get_browser_language(request)
else:
request.user.real_language = ''
# I want to handle all inputs from user_form_fields, but
# don't want to handle the cases that have already been coded
# above.
# This is a horribly fragile kludge that's begging to break.
# Something that might work better would be to define a
# handler for each form field, instead of stuffing them all in
# one long and inextensible method. That would allow for
# plugins to provide methods to validate their fields as well.
already_handled = ['name', 'email',
'aliasname', 'edit_rows', 'editor_default',
'editor_ui', 'tz_offset', 'datetime_fmt',
'theme_name', 'language', 'real_language', 'jid']
for field in self.cfg.user_form_fields:
key = field[0]
if ((key in self.cfg.user_form_disable)
or (key in already_handled)):
continue
default = self.cfg.user_form_defaults[key]
value = form.get(key, [default])[0]
setattr(request.user, key, value)
# checkbox options
for key, label in self.cfg.user_checkbox_fields:
if key not in self.cfg.user_checkbox_disable and key not in self.cfg.user_checkbox_remove:
value = form.get(key, ["0"])[0]
try:
value = int(value)
except ValueError:
pass
else:
setattr(request.user, key, value)
# quicklinks for navibar
request.user.quicklinks = self._decode_pagelist('quicklinks')
# save data
request.user.save()
if request.user.disabled:
# set valid to false so the current request won't
# show the user as logged-in any more
request.user.valid = False
result = _("User preferences saved!")
if _debug:
result = result + util.dumpFormData(form)
return result
def _save_user_prefs(self):
_ = self._
form = self.request.form
request = self.request
if not 'name' in request.user.auth_attribs:
# Require non-empty name
new_name = wikiutil.clean_input(form.get('name', request.user.name)).strip()
# Don't allow changing the name to an invalid one
if not user.isValidName(request, new_name):
return 'error', _("""Invalid user name {{{'%s'}}}.
Name may contain any Unicode alpha numeric character, with optional one
space between words. Group page name is not allowed.""", wiki=True) % wikiutil.escape(new_name)
# Is this an existing user trying to change information or a new user?
# Name required to be unique. Check if name belong to another user.
existing_id = user.getUserId(request, new_name)
if existing_id is not None and existing_id != request.user.id:
return 'error', _("This user name already belongs to somebody else.")
if not new_name:
return 'error', _("Empty user name. Please enter a user name.")
# done sanity checking the name, set it
request.user.name = new_name
if not 'email' in request.user.auth_attribs:
# try to get the email
new_email = wikiutil.clean_input(form.get('email', request.user.email)).strip()
# Require email
if not new_email and 'email' not in request.cfg.user_form_remove:
return 'error', _("Please provide your email address. If you lose your"
" login information, you can get it by email.")
# Email should be unique - see also MoinMoin/script/accounts/moin_usercheck.py
if new_email and request.cfg.user_email_unique:
other = user.get_by_email_address(request, new_email)
if other is not None and other.id != request.user.id:
return 'error', _("This email already belongs to somebody else.")
# done checking the email, set it
request.user.email = new_email
if not 'jid' in request.user.auth_attribs:
# try to get the jid
new_jid = wikiutil.clean_input(form.get('jid', '')).strip()
jid_changed = request.user.jid != new_jid
previous_jid = request.user.jid
if new_jid and request.cfg.user_jid_unique:
other = user.get_by_jabber_id(request, new_jid)
if other is not None and other.id != request.user.id:
return 'error', _("This jabber id already belongs to somebody else.")
if jid_changed:
set_event = events.JabberIDSetEvent(request, new_jid)
unset_event = events.JabberIDUnsetEvent(request, previous_jid)
events.send_event(unset_event)
events.send_event(set_event)
# done checking the JID, set it
request.user.jid = new_jid
if not 'aliasname' in request.user.auth_attribs:
# aliasname
request.user.aliasname = wikiutil.clean_input(form.get('aliasname', '')).strip()
# editor size
request.user.edit_rows = util.web.getIntegerInput(request, 'edit_rows',
request.user.edit_rows, 0, 999)
# try to get the editor
request.user.editor_default = wikiutil.clean_input(form.get('editor_default', self.cfg.editor_default))
request.user.editor_ui = wikiutil.clean_input(form.get('editor_ui', self.cfg.editor_ui))
# time zone
request.user.tz_offset = util.web.getIntegerInput(request, 'tz_offset',
request.user.tz_offset, -84600, 84600)
# datetime format
try:
dt_d_combined = Settings._date_formats.get(form['datetime_fmt'], '')
request.user.datetime_fmt, request.user.date_fmt = dt_d_combined.split(' & ')
except (KeyError, ValueError):
request.user.datetime_fmt = '' # default
request.user.date_fmt = '' # default
# try to get the (optional) theme
theme_name = wikiutil.clean_input(form.get('theme_name', self.cfg.theme_default))
if theme_name != request.user.theme_name:
# if the theme has changed, load the new theme
# so the user has a direct feedback
# WARNING: this should be refactored (i.e. theme load
# after userform handling), cause currently the
# already loaded theme is just replaced (works cause
# nothing has been emitted yet)
request.user.theme_name = theme_name
if load_theme_fallback(request, theme_name) > 0:
theme_name = wikiutil.escape(theme_name)
return 'error', _("The theme '%(theme_name)s' could not be loaded!") % locals()
# try to get the (optional) preferred language
request.user.language = wikiutil.clean_input(form.get('language', ''))
if request.user.language == u'': # For language-statistics
from MoinMoin import i18n
request.user.real_language = i18n.get_browser_language(request)
else:
request.user.real_language = ''
# I want to handle all inputs from user_form_fields, but
# don't want to handle the cases that have already been coded
# above.
# This is a horribly fragile kludge that's begging to break.
# Something that might work better would be to define a
# handler for each form field, instead of stuffing them all in
# one long and inextensible method. That would allow for
# plugins to provide methods to validate their fields as well.
already_handled = ['name', 'email',
'aliasname', 'edit_rows', 'editor_default',
'editor_ui', 'tz_offset', 'datetime_fmt',
'theme_name', 'language', 'real_language', 'jid']
for field in self.cfg.user_form_fields:
key = field[0]
if ((key in self.cfg.user_form_disable)
or (key in already_handled)):
continue
default = self.cfg.user_form_defaults[key]
value = form.get(key, default)
value = wikiutil.clean_input(value)
setattr(request.user, key, value)
# checkbox options
for key, label in self.cfg.user_checkbox_fields:
if key not in self.cfg.user_checkbox_disable and key not in self.cfg.user_checkbox_remove:
value = form.get(key, "0")
try:
value = int(value)
except ValueError:
# value we got is crap, do not setattr this value, just pass
pass
else:
setattr(request.user, key, value)
# quicklinks for navibar
request.user.quicklinks = self._decode_pagelist('quicklinks')
# save data
request.user.save()
if request.user.disabled:
# set valid to false so the current request won't
# show the user as logged-in any more
request.user.valid = False
result = _("User preferences saved!")
return result
