def xmlrpc_getJabberAuthToken(self, jid, secret): """ Returns a token which can be used for authentication. This token can be used in other XMLRPC calls. Generation of token depends on user's JID and a secret shared between wiki and Jabber bot. @param jid: a bare Jabber ID """ if self.cfg.secrets['jabberbot'] != secret: logging.warning("getJabberAuthToken: got wrong secret %r" % secret) return "" request = self.request request.session = request.cfg.session_service.get_session(request) logging.debug("getJabberAuthToken: got session %r" % request.session) u = user.get_by_jabber_id( request, jid) # XXX is someone talking to use from a jid we have stored in # XXX some user profile enough to authenticate him as that user? logging.debug("getJabberAuthToken: got user %r" % u) if u and u.valid: u.auth_method = 'moin' # XXX fake 'moin' login so the check for known login methods succeeds # XXX if not patched, u.auth_method is 'internal', but that is not accepted either # TODO this should be done more cleanly, somehow request.user = u request.cfg.session_service.finalize(request, request.session) logging.debug("getJabberAuthToken: returning sid %r" % request.session.sid) return request.session.sid else: return ""
def xmlrpc_getJabberAuthToken(self, jid, secret): """ Returns a token which can be used for authentication. This token can be used in other XMLRPC calls. Generation of token depends on user's JID and a secret shared between wiki and Jabber bot. @param jid: a bare Jabber ID """ if self.cfg.secrets['jabberbot'] != secret: logging.warning("getJabberAuthToken: got wrong secret %r" % secret) return "" request = self.request request.session = request.cfg.session_service.get_session(request) logging.debug("getJabberAuthToken: got session %r" % request.session) u = user.get_by_jabber_id(request, jid) # XXX is someone talking to use from a jid we have stored in # XXX some user profile enough to authenticate him as that user? logging.debug("getJabberAuthToken: got user %r" % u) if u and u.valid: u.auth_method = 'moin' # XXX fake 'moin' login so the check for known login methods succeeds # XXX if not patched, u.auth_method is 'internal', but that is not accepted either # TODO this should be done more cleanly, somehow request.user = u request.cfg.session_service.finalize(request, request.session) logging.debug("getJabberAuthToken: returning sid %r" % request.session.sid) return request.session.sid else: return ""
def xmlrpc_getUserLanguageByJID(self, jid): """ Returns user's language given his/her Jabber ID It makes no sense to consider this a secret, right? Therefore an authentication token is not required. We return a default of "en" if user is not found. TODO: surge protection? Do we fear account enumeration? """ retval = "en" u = user.get_by_jabber_id(self.request, jid) if u: retval = u.language return retval
def _save_user_prefs(self): _ = self._ form = self.request.form request = self.request if request.request_method != 'POST': return if not 'name' in request.user.auth_attribs: # Require non-empty name new_name = form.get('name', [request.user.name])[0] # Don't allow changing the name to an invalid one if not user.isValidName(request, new_name): return 'error', _("""Invalid user name {{{'%s'}}}. Name may contain any Unicode alpha numeric character, with optional one space between words. Group page name is not allowed.""", wiki=True) % wikiutil.escape(new_name) # Is this an existing user trying to change information or a new user? # Name required to be unique. Check if name belong to another user. existing_id = user.getUserId(request, new_name) if existing_id is not None and existing_id != request.user.id: return 'error', _("This user name already belongs to somebody else.") if not new_name: return 'error', _("Empty user name. Please enter a user name.") # done sanity checking the name, set it request.user.name = new_name if not 'email' in request.user.auth_attribs: # try to get the email new_email = wikiutil.clean_input(form.get('email', [request.user.email])[0]) new_email = new_email.strip() # Require email if not new_email and 'email' not in request.cfg.user_form_remove: return 'error', _("Please provide your email address. If you lose your" " login information, you can get it by email.") # Email should be unique - see also MoinMoin/script/accounts/moin_usercheck.py if new_email and request.cfg.user_email_unique: other = user.get_by_email_address(request, new_email) if other is not None and other.id != request.user.id: return 'error', _("This email already belongs to somebody else.") # done checking the email, set it request.user.email = new_email if not 'jid' in request.user.auth_attribs: # try to get the jid new_jid = wikiutil.clean_input(form.get('jid', [''])[0]).strip() jid_changed = request.user.jid != new_jid previous_jid = request.user.jid if new_jid and request.cfg.user_jid_unique: other = user.get_by_jabber_id(request, new_jid) if other is not None and other.id != request.user.id: return 'error', _("This jabber id already belongs to somebody else.") if jid_changed: set_event = events.JabberIDSetEvent(request, new_jid) unset_event = events.JabberIDUnsetEvent(request, previous_jid) events.send_event(unset_event) events.send_event(set_event) # done checking the JID, set it request.user.jid = new_jid if not 'aliasname' in request.user.auth_attribs: # aliasname request.user.aliasname = wikiutil.clean_input(form.get('aliasname', [''])[0]) # editor size request.user.edit_rows = util.web.getIntegerInput(request, 'edit_rows', request.user.edit_rows, 10, 60) # try to get the editor request.user.editor_default = form.get('editor_default', [self.cfg.editor_default])[0] request.user.editor_ui = form.get('editor_ui', [self.cfg.editor_ui])[0] # time zone request.user.tz_offset = util.web.getIntegerInput(request, 'tz_offset', request.user.tz_offset, -84600, 84600) # datetime format try: dt_d_combined = Settings._date_formats.get(form['datetime_fmt'][0], '') request.user.datetime_fmt, request.user.date_fmt = dt_d_combined.split(' & ') except (KeyError, ValueError): request.user.datetime_fmt = '' # default request.user.date_fmt = '' # default # try to get the (optional) theme theme_name = form.get('theme_name', [self.cfg.theme_default])[0] if theme_name != request.user.theme_name: # if the theme has changed, load the new theme # so the user has a direct feedback # WARNING: this should be refactored (i.e. theme load # after userform handling), cause currently the # already loaded theme is just replaced (works cause # nothing has been emitted yet) request.user.theme_name = theme_name if request.loadTheme(theme_name) > 0: theme_name = wikiutil.escape(theme_name) return 'error', _("The theme '%(theme_name)s' could not be loaded!") % locals() # try to get the (optional) preferred language request.user.language = form.get('language', [''])[0] if request.user.language == u'': # For language-statistics from MoinMoin import i18n request.user.real_language = i18n.get_browser_language(request) else: request.user.real_language = '' # I want to handle all inputs from user_form_fields, but # don't want to handle the cases that have already been coded # above. # This is a horribly fragile kludge that's begging to break. # Something that might work better would be to define a # handler for each form field, instead of stuffing them all in # one long and inextensible method. That would allow for # plugins to provide methods to validate their fields as well. already_handled = ['name', 'email', 'aliasname', 'edit_rows', 'editor_default', 'editor_ui', 'tz_offset', 'datetime_fmt', 'theme_name', 'language', 'real_language', 'jid'] for field in self.cfg.user_form_fields: key = field[0] if ((key in self.cfg.user_form_disable) or (key in already_handled)): continue default = self.cfg.user_form_defaults[key] value = form.get(key, [default])[0] setattr(request.user, key, value) # checkbox options for key, label in self.cfg.user_checkbox_fields: if key not in self.cfg.user_checkbox_disable and key not in self.cfg.user_checkbox_remove: value = form.get(key, ["0"])[0] try: value = int(value) except ValueError: pass else: setattr(request.user, key, value) # quicklinks for navibar request.user.quicklinks = self._decode_pagelist('quicklinks') # save data request.user.save() if request.user.disabled: # set valid to false so the current request won't # show the user as logged-in any more request.user.valid = False result = _("User preferences saved!") if _debug: result = result + util.dumpFormData(form) return result
def _save_user_prefs(self): _ = self._ form = self.request.form request = self.request if not 'name' in request.user.auth_attribs: # Require non-empty name new_name = wikiutil.clean_input(form.get('name', request.user.name)).strip() # Don't allow changing the name to an invalid one if not user.isValidName(request, new_name): return 'error', _("""Invalid user name {{{'%s'}}}. Name may contain any Unicode alpha numeric character, with optional one space between words. Group page name is not allowed.""", wiki=True) % wikiutil.escape(new_name) # Is this an existing user trying to change information or a new user? # Name required to be unique. Check if name belong to another user. existing_id = user.getUserId(request, new_name) if existing_id is not None and existing_id != request.user.id: return 'error', _("This user name already belongs to somebody else.") if not new_name: return 'error', _("Empty user name. Please enter a user name.") # done sanity checking the name, set it request.user.name = new_name if not 'email' in request.user.auth_attribs: # try to get the email new_email = wikiutil.clean_input(form.get('email', request.user.email)).strip() # Require email if not new_email and 'email' not in request.cfg.user_form_remove: return 'error', _("Please provide your email address. If you lose your" " login information, you can get it by email.") # Email should be unique - see also MoinMoin/script/accounts/moin_usercheck.py if new_email and request.cfg.user_email_unique: other = user.get_by_email_address(request, new_email) if other is not None and other.id != request.user.id: return 'error', _("This email already belongs to somebody else.") # done checking the email, set it request.user.email = new_email if not 'jid' in request.user.auth_attribs: # try to get the jid new_jid = wikiutil.clean_input(form.get('jid', '')).strip() jid_changed = request.user.jid != new_jid previous_jid = request.user.jid if new_jid and request.cfg.user_jid_unique: other = user.get_by_jabber_id(request, new_jid) if other is not None and other.id != request.user.id: return 'error', _("This jabber id already belongs to somebody else.") if jid_changed: set_event = events.JabberIDSetEvent(request, new_jid) unset_event = events.JabberIDUnsetEvent(request, previous_jid) events.send_event(unset_event) events.send_event(set_event) # done checking the JID, set it request.user.jid = new_jid if not 'aliasname' in request.user.auth_attribs: # aliasname request.user.aliasname = wikiutil.clean_input(form.get('aliasname', '')).strip() # editor size request.user.edit_rows = util.web.getIntegerInput(request, 'edit_rows', request.user.edit_rows, 0, 999) # try to get the editor request.user.editor_default = wikiutil.clean_input(form.get('editor_default', self.cfg.editor_default)) request.user.editor_ui = wikiutil.clean_input(form.get('editor_ui', self.cfg.editor_ui)) # time zone request.user.tz_offset = util.web.getIntegerInput(request, 'tz_offset', request.user.tz_offset, -84600, 84600) # datetime format try: dt_d_combined = Settings._date_formats.get(form['datetime_fmt'], '') request.user.datetime_fmt, request.user.date_fmt = dt_d_combined.split(' & ') except (KeyError, ValueError): request.user.datetime_fmt = '' # default request.user.date_fmt = '' # default # try to get the (optional) theme theme_name = wikiutil.clean_input(form.get('theme_name', self.cfg.theme_default)) if theme_name != request.user.theme_name: # if the theme has changed, load the new theme # so the user has a direct feedback # WARNING: this should be refactored (i.e. theme load # after userform handling), cause currently the # already loaded theme is just replaced (works cause # nothing has been emitted yet) request.user.theme_name = theme_name if load_theme_fallback(request, theme_name) > 0: theme_name = wikiutil.escape(theme_name) return 'error', _("The theme '%(theme_name)s' could not be loaded!") % locals() # try to get the (optional) preferred language request.user.language = wikiutil.clean_input(form.get('language', '')) if request.user.language == u'': # For language-statistics from MoinMoin import i18n request.user.real_language = i18n.get_browser_language(request) else: request.user.real_language = '' # I want to handle all inputs from user_form_fields, but # don't want to handle the cases that have already been coded # above. # This is a horribly fragile kludge that's begging to break. # Something that might work better would be to define a # handler for each form field, instead of stuffing them all in # one long and inextensible method. That would allow for # plugins to provide methods to validate their fields as well. already_handled = ['name', 'email', 'aliasname', 'edit_rows', 'editor_default', 'editor_ui', 'tz_offset', 'datetime_fmt', 'theme_name', 'language', 'real_language', 'jid'] for field in self.cfg.user_form_fields: key = field[0] if ((key in self.cfg.user_form_disable) or (key in already_handled)): continue default = self.cfg.user_form_defaults[key] value = form.get(key, default) value = wikiutil.clean_input(value) setattr(request.user, key, value) # checkbox options for key, label in self.cfg.user_checkbox_fields: if key not in self.cfg.user_checkbox_disable and key not in self.cfg.user_checkbox_remove: value = form.get(key, "0") try: value = int(value) except ValueError: # value we got is crap, do not setattr this value, just pass pass else: setattr(request.user, key, value) # quicklinks for navibar request.user.quicklinks = self._decode_pagelist('quicklinks') # save data request.user.save() if request.user.disabled: # set valid to false so the current request won't # show the user as logged-in any more request.user.valid = False result = _("User preferences saved!") return result