def _is_post_ajax_request(request):
    """
    Reject a request that is not an AJAX POST.

    Returns a ``bad_request()`` response when the request is not AJAX or
    uses a method other than POST; returns ``None`` when both checks pass
    (callers compare against ``None``, see ``_sha_auth()``).
    """
    is_ajax = request.is_ajax()
    if is_ajax and request.method == 'POST':
        return None

    # The AJAX check is reported first, exactly like the guard order above.
    if not is_ajax:
        debug_msg = "request is not a ajax request"
    else:
        debug_msg = "request method %r wrong, only POST allowed" % request.method
    return bad_request(debug_msg)
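def _wrapper(request, *args, **kwargs):
    """
    Guard ``view_function`` with the ``must_post`` / ``must_ajax`` checks.

    ``must_post``, ``must_ajax``, ``app_label``, ``action`` and
    ``view_function`` are free variables from the enclosing decorator scope.
    Returns a ``bad_request()`` response when a required property is
    missing, otherwise the result of ``view_function(request, *args, **kwargs)``.
    """
    if must_post and request.method != 'POST':
        return bad_request(
            app_label=app_label,
            action=action,
            debug_msg="request method %r wrong, only POST allowed" % request.method,
        )
    # Django's is_ajax() returns a bool; `not ...` replaces the
    # non-idiomatic `!= True` comparison without changing the outcome.
    if must_ajax and not request.is_ajax():
        return bad_request(
            app_label=app_label,
            action=action,
            debug_msg="request is not a ajax request",
        )
    return view_function(request, *args, **kwargs)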
def _sha_auth(request): """ login the user with username and sha values. """ form = ShaLoginForm(request.POST) if not form.is_valid(): debug_msg = "ShaLoginForm is not valid: %r" % form.errors return bad_request(APP_LABEL, "_sha_auth() error", debug_msg) try: challenge = request.session.pop("challenge") except KeyError, err: debug_msg = "Can't get 'challenge' from session: %s" % err return bad_request(APP_LABEL, "_sha_auth() error", debug_msg)
def _get_form(request): """ Send the comment form to via AJAX request """ try: ctype = request.GET["content_type"].split(".", 1) model = models.get_model(*ctype) except Exception, err: return bad_request(APP_LABEL, "error", "Wrong content type: %s" % err)
def _sha_auth(request): """ login the user with username and sha values. """ _NORMAL_ERROR_MSG = "_sha_auth() error" form = ShaLoginForm(request.POST) if not form.is_valid(): debug_msg = "ShaLoginForm is not valid: %s" % repr(form.errors) return bad_request(APP_LABEL, _NORMAL_ERROR_MSG, debug_msg) try: challenge = request.session.pop("challenge") except KeyError, err: debug_msg = "Can't get 'challenge' from session: %s" % err return bad_request(APP_LABEL, _NORMAL_ERROR_MSG, debug_msg)
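def _login_view(request):
    """
    Render the SHA login form as an AJAX page-content replacement.

    Creates a fresh challenge in the session and returns the rendered
    ``auth/sha_form.html`` via ``ajax_response()``.  Returns ``None`` for a
    non-AJAX request and a ``bad_request()`` response (HttpResponseBadRequest)
    for a method other than GET or a ``next_url`` that is not a same-site path.
    """
    if DEBUG:
        print("auth debug mode is on!")

    if not request.is_ajax():
        # Do nothing, if it's not a ajax request.
        if settings.DEBUG:
            messages.error(request, "Ignore login request, because it's not AJAX.")
        return

    if request.method != 'GET':
        debug_msg = "request method %r wrong, only GET allowed" % request.method
        return bad_request(APP_LABEL, "_login_view() error", debug_msg)  # Return HttpResponseBadRequest

    next_url = request.GET.get("next_url", request.path)
    # next_url is client-controlled and handed back to the client in the form
    # context, so only a same-site path is accepted.  On top of the original
    # '"//" in next_url' test this also rejects an explicit scheme
    # ("http:", "javascript:") and backslashes, which browsers normalise to "/".
    url_head = next_url.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if "//" in next_url or "\\" in next_url or ":" in url_head:
        # Don't redirect to other pages.
        debug_msg = "next url %r seems to be wrong!" % next_url
        return bad_request(APP_LABEL, "_login_view() error", debug_msg)  # Return HttpResponseBadRequest

    form = ShaLoginForm()

    # create a new challenge and add it to session
    challenge = _get_challenge(request)

    context = {
        "challenge": challenge,
        "salt_len": crypt.SALT_LEN,
        "hash_len": crypt.HASH_LEN,
        "get_salt_url": request.path + "?auth=get_salt",
        "sha_auth_url": request.path + "?auth=sha_auth",
        "next_url": next_url,
        "form": form,
        "pass_reset_link": "#TODO",
    }

    # IMPORTANT: We must do the following, so that the
    # CsrfViewMiddleware.process_response() would set the CSRF_COOKIE
    # see also
    # https://github.com/jedie/PyLucid/issues/61
    # XXX in Django => 1.4 we can use @ensure_csrf_cookie
    # https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie
    request.META["CSRF_COOKIE_USED"] = True

    # return a string for replacing the normal cms page content
    return ajax_response(request, 'auth/sha_form.html', context,
        context_instance=RequestContext(request))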
def _sha_auth(request): """ login the user with username and sha values. """ response = _is_post_ajax_request(request) if response is not None: # It's not a Ajax POST request return response # Return HttpResponseBadRequest form = ShaLoginForm(request.POST) if not form.is_valid(): debug_msg = "ShaLoginForm is not valid: %r" % form.errors return bad_request(debug_msg) try: challenge = request.session.pop("challenge") except KeyError, err: debug_msg = "Can't get 'challenge' from session: %s" % err return bad_request(debug_msg)
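def http_get_view(request):
    """
    Dispatch the poll plugin's GET actions.

    The ``poll`` query parameter selects the action; ``vote`` is the only
    known value and is handled by ``_vote()``.  A missing or unknown value
    returns a ``bad_request()`` response (HttpResponseBadRequest) instead of
    letting a KeyError escape as a server error.
    """
    action = request.GET.get("poll")
    if action == "vote":
        return _vote(request)

    debug_msg = "Wrong get view parameter!"
    return bad_request("pylucid_plugin.poll", "error", debug_msg)  # Returns a HttpResponseBadRequest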
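def http_get_view(request):
    """
    Dispatch the comments plugin's GET actions.

    The ``pylucid_comments`` query parameter selects the handler:
    ``get_form`` -> ``_get_form()``, ``submit`` -> ``_form_submission()``.
    A missing or unknown value returns a ``bad_request()`` response
    (HttpResponseBadRequest) instead of letting a KeyError escape as a
    server error.
    """
    handlers = {
        "get_form": _get_form,
        "submit": _form_submission,
    }
    handler = handlers.get(request.GET.get("pylucid_comments"))
    if handler is None:
        debug_msg = "Wrong get view parameter!"
        return bad_request(APP_LABEL, "error", debug_msg)  # Return HttpResponseBadRequest
    return handler(request)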
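def http_get_view(request):
    """
    Login+Logout view via GET parameters.

    The ``auth`` query parameter selects the handler: ``login``,
    ``get_salt``, ``sha_auth`` or ``logout``.  A missing or unknown value
    returns a ``bad_request()`` response (HttpResponseBadRequest) instead of
    letting a KeyError escape as a server error.
    """
    handlers = {
        "login": _login_view,
        "get_salt": _get_salt,
        "sha_auth": _sha_auth,
        "logout": _logout_view,
    }
    handler = handlers.get(request.GET.get("auth"))
    if handler is None:
        debug_msg = "Wrong get view parameter!"
        return bad_request(APP_LABEL, "http_get_view() error", debug_msg)  # Return HttpResponseBadRequest
    return handler(request)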
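def _login_view(request):
    """
    Render the SHA login form and put a fresh challenge into the session.

    For better JavaScript debugging: Enable settings.DEBUG and request the
    page via GET with: "...?auth=login" -- a non-AJAX request then gets the
    full ``auth/sha_form_debug.html`` page instead of the AJAX snippet.

    Returns a ``bad_request()`` response (HttpResponseBadRequest) for a
    method other than GET or for a ``next_url`` that is not a same-site path.
    """
    if DEBUG:
        print("auth debug mode is on!")

    if request.method != 'GET':
        debug_msg = "request method %r wrong, only GET allowed" % request.method
        return bad_request(APP_LABEL, "_login_view() error", debug_msg)  # Return HttpResponseBadRequest

    next_url = request.GET.get("next_url", request.path)
    # next_url is client-controlled and handed back to the client in the form
    # context, so only a same-site path is accepted.  On top of the original
    # '"//" in next_url' test this also rejects an explicit scheme
    # ("http:", "javascript:") and backslashes, which browsers normalise to "/".
    url_head = next_url.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if "//" in next_url or "\\" in next_url or ":" in url_head:
        # Don't redirect to other pages.
        debug_msg = "next url %r seems to be wrong!" % next_url
        return bad_request(APP_LABEL, "_login_view() error", debug_msg)  # Return HttpResponseBadRequest

    form = ShaLoginForm()

    # create a new challenge and add it to session
    challenge = _get_challenge(request)

    try:
        # url from django-authopenid, only available if the urls.py are included
        reset_link = urlresolvers.reverse("auth_password_reset")
    except urlresolvers.NoReverseMatch:
        try:
            # DjangoBB glue plugin adds the urls from django-authopenid
            reset_link = PluginPage.objects.reverse("djangobb_plugin", "auth_password_reset")
        except KeyError:
            # plugin is not installed
            reset_link = None
        except urlresolvers.NoReverseMatch:
            # plugin is installed, but not in used (no PluginPage created)
            reset_link = None

    loop_count = _get_loop_count()  # get "loop_count" from AuthPreferencesForm

    context = {
        "challenge": challenge,
        "old_salt_len": crypt.OLD_SALT_LEN,
        "salt_len": crypt.SALT_LEN,
        "hash_len": crypt.HASH_LEN,
        "loop_count": loop_count,
        "get_salt_url": request.path + "?auth=get_salt",
        "sha_auth_url": request.path + "?auth=sha_auth",
        "next_url": next_url,
        "form": form,
        "pass_reset_link": reset_link,
    }

    # IMPORTANT: We must do the following, so that the
    # CsrfViewMiddleware.process_response() would set the CSRF_COOKIE
    # see also
    # https://github.com/jedie/PyLucid/issues/61
    # XXX in Django => 1.4 we can use @ensure_csrf_cookie
    # https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie
    request.META["CSRF_COOKIE_USED"] = True

    # return a string for replacing the normal cms page content
    if not request.is_ajax():
        # plain GET (debug): full page instead of the AJAX snippet
        response = render_to_response('auth/sha_form_debug.html', context,
            context_instance=RequestContext(request))
    else:
        response = ajax_response(request, 'auth/sha_form.html', context,
            context_instance=RequestContext(request))
    return response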
return _wrong_login(request, debug_msg) loop_count = _get_loop_count() # get "loop_count" from AuthPreferencesForm sha_checksum = user_profile.sha_login_checksum sha_a = form.cleaned_data["sha_a"] sha_b = form.cleaned_data["sha_b"] cnonce = form.cleaned_data["cnonce"] # Simple check if 'nonce' from client used in the past. # Limitations: # - Works only when run in a long-term server process, so not in CGI ;) # - dict vary if more than one server process runs (one dict in one process) if cnonce in CNONCE_CACHE: debug_msg = "Client-nonce '%s' used in the past!" % cnonce return bad_request(APP_LABEL, _NORMAL_ERROR_MSG, debug_msg) CNONCE_CACHE[cnonce] = None if DEBUG: print( "authenticate %r with: challenge: %r, sha_checksum: %r, sha_a: %r, sha_b: %r, cnonce: %r" % (user1, challenge, sha_checksum, sha_a, sha_b, cnonce)) try: # authenticate with: # pylucid.system.auth_backends.SiteSHALoginAuthBackend user2 = auth.authenticate(user=user1, challenge=challenge, sha_a=sha_a, sha_b=sha_b, sha_checksum=sha_checksum,
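def _login_view(request):
    """
    Render the SHA login form and put a fresh challenge into the session.

    For better JavaScript debugging: Enable settings.DEBUG and request the
    page via GET with: "...?auth=login" -- a non-AJAX request then gets the
    full ``auth/sha_form_debug.html`` page instead of the AJAX snippet.

    Returns a ``bad_request()`` response (HttpResponseBadRequest) for a
    method other than GET or for a ``next_url`` that is not a same-site path.
    """
    if DEBUG:
        print("auth debug mode is on!")

    if request.method != "GET":
        debug_msg = "request method %r wrong, only GET allowed" % request.method
        return bad_request(APP_LABEL, "_login_view() error", debug_msg)  # Return HttpResponseBadRequest

    next_url = request.GET.get("next_url", request.path)
    # next_url is client-controlled and handed back to the client in the form
    # context, so only a same-site path is accepted.  On top of the original
    # '"//" in next_url' test this also rejects an explicit scheme
    # ("http:", "javascript:") and backslashes, which browsers normalise to "/".
    url_head = next_url.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if "//" in next_url or "\\" in next_url or ":" in url_head:
        # Don't redirect to other pages.
        debug_msg = "next url %r seems to be wrong!" % next_url
        return bad_request(APP_LABEL, "_login_view() error", debug_msg)  # Return HttpResponseBadRequest

    form = ShaLoginForm()

    # create a new challenge and add it to session
    challenge = _get_challenge(request)

    try:
        # url from django-authopenid, only available if the urls.py are included
        reset_link = urlresolvers.reverse("auth_password_reset")
    except urlresolvers.NoReverseMatch:
        try:
            # DjangoBB glue plugin adds the urls from django-authopenid
            reset_link = PluginPage.objects.reverse("djangobb_plugin", "auth_password_reset")
        except KeyError:
            # plugin is not installed
            reset_link = None
        except urlresolvers.NoReverseMatch:
            # plugin is installed, but not in used (no PluginPage created)
            reset_link = None

    loop_count = _get_loop_count()  # get "loop_count" from AuthPreferencesForm

    context = {
        "challenge": challenge,
        "old_salt_len": crypt.OLD_SALT_LEN,
        "salt_len": crypt.SALT_LEN,
        "hash_len": crypt.HASH_LEN,
        "loop_count": loop_count,
        "get_salt_url": request.path + "?auth=get_salt",
        "sha_auth_url": request.path + "?auth=sha_auth",
        "next_url": next_url,
        "form": form,
        "pass_reset_link": reset_link,
    }

    # IMPORTANT: We must do the following, so that the
    # CsrfViewMiddleware.process_response() would set the CSRF_COOKIE
    # see also
    # https://github.com/jedie/PyLucid/issues/61
    # XXX in Django => 1.4 we can use @ensure_csrf_cookie
    # https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie
    request.META["CSRF_COOKIE_USED"] = True

    # return a string for replacing the normal cms page content
    if not request.is_ajax():
        # plain GET (debug): full page instead of the AJAX snippet
        response = render_to_response("auth/sha_form_debug.html", context,
            context_instance=RequestContext(request))
    else:
        response = ajax_response(request, "auth/sha_form.html", context,
            context_instance=RequestContext(request))
    return response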
return _wrong_login(request, debug_msg) loop_count = _get_loop_count() # get "loop_count" from AuthPreferencesForm sha_checksum = user_profile.sha_login_checksum sha_a = form.cleaned_data["sha_a"] sha_b = form.cleaned_data["sha_b"] cnonce = form.cleaned_data["cnonce"] # Simple check if 'nonce' from client used in the past. # Limitations: # - Works only when run in a long-term server process, so not in CGI ;) # - dict vary if more than one server process runs (one dict in one process) if cnonce in CNONCE_CACHE: debug_msg = "Client-nonce '%s' used in the past!" % cnonce return bad_request(APP_LABEL, _NORMAL_ERROR_MSG, debug_msg) CNONCE_CACHE[cnonce] = None if DEBUG: print ( "authenticate %r with: challenge: %r, sha_checksum: %r, sha_a: %r, sha_b: %r, cnonce: %r" % (user1, challenge, sha_checksum, sha_a, sha_b, cnonce) ) try: # authenticate with: # pylucid.system.auth_backends.SiteSHALoginAuthBackend user2 = auth.authenticate( user=user1, challenge=challenge, sha_a=sha_a,
@ensure_csrf_cookie @check_request(APP_LABEL, "_get_form() error", must_post=False, must_ajax=True) @render_to("pylucid_comments/comment_form.html") def _get_form(request): """ Send the comment form to via AJAX request """ try: ctype = request.GET["content_type"].split(".", 1) model = models.get_model(*ctype) except Exception, err: return bad_request(APP_LABEL, "error", "Wrong content type: %s" % err) try: object_pk = request.GET["object_pk"] target = model._default_manager.using(None).get(pk=object_pk) except Exception, err: return bad_request(APP_LABEL, "error", "Wrong object_pk: %s" % err) data = {} if not request.user.is_authenticated() and COOKIE_KEY in request.COOKIES: # Get user data from secure cookie, set in the past, see _form_submission() c = ClientCookieStorage(cookie_key=COOKIE_KEY) try: data = c.get_data(request) except ClientCookieStorageError, err: LogEntry.objects.log_action( app_label=APP_LABEL, action="wrong cookie data", message="%s" % err, ) if settings.DEBUG: return bad_request(APP_LABEL, "error", "Wrong cookie data: %s" % err) form = comments.get_form()(target, initial=data)