Example #1
def _is_post_ajax_request(request):
    """Reject a request that is not an AJAX ``POST``.

    Returns the ``bad_request`` response (an HttpResponseBadRequest, per the
    caller's comment) for the first failed check -- the AJAX check runs before
    the method check -- or ``None`` when both checks pass and the caller may
    continue.
    """
    if not request.is_ajax():
        return bad_request("request is not a ajax request")
    if request.method != 'POST':
        return bad_request("request method %r wrong, only POST allowed" % request.method)
    return None
Example #2
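 def _wrapper(request, *args, **kwargs):
     """Enforce the request preconditions, then call the wrapped view.

     ``must_post``, ``must_ajax``, ``app_label``, ``action`` and
     ``view_function`` are closure variables of the enclosing decorator
     factory, which lies outside this snippet.  Returns ``bad_request(...)``
     for the first failed check (method first, then AJAX), otherwise whatever
     ``view_function`` returns.
     """
     if must_post and request.method != 'POST':
         return bad_request(app_label=app_label, action=action,
             debug_msg="request method %r wrong, only POST allowed" % request.method
         )
     # `not request.is_ajax()` rather than `!= True` (PEP 8 E712): the check
     # no longer depends on the helper returning the bool singleton.
     if must_ajax and not request.is_ajax():
         return bad_request(app_label=app_label, action=action,
             debug_msg="request is not a ajax request"
         )
     return view_function(request, *args, **kwargs)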
Example #3
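 def _wrapper(request, *args, **kwargs):
     """Enforce the request preconditions, then call the wrapped view.

     ``must_post``, ``must_ajax``, ``app_label``, ``action`` and
     ``view_function`` are closure variables of the enclosing decorator
     factory, which lies outside this snippet.  Returns ``bad_request(...)``
     for the first failed check (method first, then AJAX), otherwise whatever
     ``view_function`` returns.
     """
     if must_post and request.method != 'POST':
         return bad_request(app_label=app_label, action=action,
             debug_msg="request method %r wrong, only POST allowed" % request.method
         )
     # `not request.is_ajax()` rather than `!= True` (PEP 8 E712): the check
     # no longer depends on the helper returning the bool singleton.
     if must_ajax and not request.is_ajax():
         return bad_request(app_label=app_label, action=action,
             debug_msg="request is not a ajax request"
         )
     return view_function(request, *args, **kwargs)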
Example #4
def _sha_auth(request):
    """
    login the user with username and sha values.
    """
    form = ShaLoginForm(request.POST)
    if not form.is_valid():
        debug_msg = "ShaLoginForm is not valid: %r" % form.errors
        return bad_request(APP_LABEL, "_sha_auth() error", debug_msg)

    try:
        challenge = request.session.pop("challenge")
    except KeyError, err:
        debug_msg = "Can't get 'challenge' from session: %s" % err
        return bad_request(APP_LABEL, "_sha_auth() error", debug_msg)
Example #5
def _get_form(request):
    """ Send the comment form to via AJAX request """
    try:
        ctype = request.GET["content_type"].split(".", 1)
        model = models.get_model(*ctype)
    except Exception, err:
        return bad_request(APP_LABEL, "error", "Wrong content type: %s" % err)
Example #6
def _sha_auth(request):
    """
    login the user with username and sha values.
    """
    _NORMAL_ERROR_MSG = "_sha_auth() error"

    form = ShaLoginForm(request.POST)
    if not form.is_valid():
        debug_msg = "ShaLoginForm is not valid: %s" % repr(form.errors)
        return bad_request(APP_LABEL, _NORMAL_ERROR_MSG, debug_msg)

    try:
        challenge = request.session.pop("challenge")
    except KeyError, err:
        debug_msg = "Can't get 'challenge' from session: %s" % err
        return bad_request(APP_LABEL, _NORMAL_ERROR_MSG, debug_msg)
Example #7
def _login_view(request):
    """Serve the SHA challenge login form to an AJAX ``GET`` request.

    Returns ``None`` when the request is not AJAX (it is simply ignored; under
    ``settings.DEBUG`` a message says why), a ``bad_request`` response
    (HttpResponseBadRequest) for a non-GET method or a rejected ``next_url``,
    and otherwise the ``ajax_response`` rendering of ``auth/sha_form.html``
    whose context carries a newly created challenge.
    """
    if DEBUG:
        print("auth debug mode is on!")

    if not request.is_ajax():
        # Non-AJAX requests are ignored; only a DEBUG deployment tells the user.
        if settings.DEBUG:
            messages.error(request, "Ignore login request, because it's not AJAX.")
        return None

    error_action = "_login_view() error"

    if request.method != 'GET':
        debug_msg = "request method %r wrong, only GET allowed" % request.method
        return bad_request(APP_LABEL, error_action, debug_msg)  # HttpResponseBadRequest

    next_url = request.GET.get("next_url", request.path)

    # Coarse open-redirect guard: a "//" anywhere in the value (scheme-relative
    # or absolute URL) would send the post-login redirect off this site.
    # FIXME: a substring test is not full URL validation; newer Django ships
    # django.utils.http.is_safe_url for exactly this check.
    if "//" in next_url:
        debug_msg = "next url %r seems to be wrong!" % next_url
        return bad_request(APP_LABEL, error_action, debug_msg)  # HttpResponseBadRequest

    form = ShaLoginForm()
    # _get_challenge() creates a new challenge and stores it in the session.
    challenge = _get_challenge(request)

    get_salt_url = request.path + "?auth=get_salt"
    sha_auth_url = request.path + "?auth=sha_auth"
    context = {
        "challenge": challenge,
        "salt_len": crypt.SALT_LEN,
        "hash_len": crypt.HASH_LEN,
        "get_salt_url": get_salt_url,
        "sha_auth_url": sha_auth_url,
        "next_url": next_url,
        "form": form,
        "pass_reset_link": "#TODO",  # no password-reset URL is wired up yet
    }

    # IMPORTANT: mark the CSRF cookie as used so that
    # CsrfViewMiddleware.process_response() sets CSRF_COOKIE on this response.
    # See https://github.com/jedie/PyLucid/issues/61
    # XXX Django >= 1.4 offers @ensure_csrf_cookie for this:
    # https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie
    request.META["CSRF_COOKIE_USED"] = True

    # The rendered form replaces the normal CMS page content on the client.
    return ajax_response(request, 'auth/sha_form.html', context,
                         context_instance=RequestContext(request))
Example #8
def _sha_auth(request):
    """
    login the user with username and sha values.
    """
    response = _is_post_ajax_request(request)
    if response is not None: # It's not a Ajax POST request
        return response # Return HttpResponseBadRequest

    form = ShaLoginForm(request.POST)
    if not form.is_valid():
        debug_msg = "ShaLoginForm is not valid: %r" % form.errors
        return bad_request(debug_msg)

    try:
        challenge = request.session.pop("challenge")
    except KeyError, err:
        debug_msg = "Can't get 'challenge' from session: %s" % err
        return bad_request(debug_msg)
Example #9
def http_get_view(request):
    """Dispatch a ``?poll=<action>`` GET request of the poll plugin.

    ``vote`` is the only known action and is handed to ``_vote``; any other
    value yields a ``bad_request`` response (an HttpResponseBadRequest).
    The ``poll`` key is read with ``[]``, so a request lacking it raises
    ``KeyError`` -- presumably the plugin framework only routes requests that
    carry the key here (TODO confirm).
    """
    action = request.GET["poll"]
    if action == "vote":
        return _vote(request)
    return bad_request("pylucid_plugin.poll", "error", "Wrong get view parameter!")
Example #10
def http_get_view(request):
    """Dispatch a ``?poll=<action>`` GET request of the poll plugin.

    ``vote`` is the only known action and is handed to ``_vote``; any other
    value yields a ``bad_request`` response (an HttpResponseBadRequest).
    The ``poll`` key is read with ``[]``, so a request lacking it raises
    ``KeyError`` -- presumably the plugin framework only routes requests that
    carry the key here (TODO confirm).
    """
    action = request.GET["poll"]
    if action == "vote":
        return _vote(request)
    return bad_request("pylucid_plugin.poll", "error", "Wrong get view parameter!")
Example #11
def http_get_view(request):
    """Dispatch a ``?pylucid_comments=<action>`` GET request of the comments plugin.

    ``get_form`` is handled by ``_get_form`` and ``submit`` by
    ``_form_submission``; anything else yields a ``bad_request`` response
    (an HttpResponseBadRequest).  The key is read with ``[]``, so a request
    without it raises ``KeyError`` -- presumably the plugin framework only
    routes requests carrying the key here (TODO confirm).
    """
    action = request.GET["pylucid_comments"]
    if action == "get_form":
        return _get_form(request)
    if action == "submit":
        return _form_submission(request)
    return bad_request(APP_LABEL, "error", "Wrong get view parameter!")
Example #12
def http_get_view(request):
    """Dispatch a ``?auth=<action>`` GET request of the auth plugin.

    Known actions: ``login`` (``_login_view``), ``get_salt`` (``_get_salt``),
    ``sha_auth`` (``_sha_auth``) and ``logout`` (``_logout_view``); any other
    value yields a ``bad_request`` response (an HttpResponseBadRequest).
    The ``auth`` key is read with ``[]``, so a request without it raises
    ``KeyError`` -- presumably the plugin framework only routes requests
    carrying the key here (TODO confirm).

    NOTE(review): ``logout`` is reachable through a plain GET link; whether
    ``_logout_view`` itself requires POST/CSRF protection is not visible here.
    """
    action = request.GET["auth"]
    if action == "login":
        return _login_view(request)
    if action == "get_salt":
        return _get_salt(request)
    if action == "sha_auth":
        return _sha_auth(request)
    if action == "logout":
        return _logout_view(request)
    return bad_request(APP_LABEL, "http_get_view() error", "Wrong get view parameter!")
Example #13
def http_get_view(request):
    """Dispatch a ``?auth=<action>`` GET request of the auth plugin.

    The action name selects one of ``_login_view``, ``_get_salt``,
    ``_sha_auth`` or ``_logout_view``; an unknown name yields a
    ``bad_request`` response (an HttpResponseBadRequest).  The ``auth`` key
    is read with ``[]``, so a request without it raises ``KeyError`` --
    presumably the plugin framework only routes requests carrying the key
    here (TODO confirm).

    NOTE(review): ``logout`` is reachable through a plain GET link; whether
    ``_logout_view`` itself requires POST/CSRF protection is not visible here.
    """
    action = request.GET["auth"]
    handlers = {
        "login": _login_view,
        "get_salt": _get_salt,
        "sha_auth": _sha_auth,
        "logout": _logout_view,
    }
    handler = handlers.get(action)
    if handler is None:
        return bad_request(APP_LABEL, "http_get_view() error",
                           "Wrong get view parameter!")  # HttpResponseBadRequest
    return handler(request)
Example #14
def _login_view(request):
    """Render the SHA challenge login form.

    For better JavaScript debugging: enable settings.DEBUG and request the
    page via GET with ``...?auth=login``.

    Returns a ``bad_request`` response (HttpResponseBadRequest) for a non-GET
    method or a rejected ``next_url``.  Otherwise a fresh challenge is created
    (and stored in the session by ``_get_challenge``) and the form is rendered:
    as a full page (``auth/sha_form_debug.html``) for a non-AJAX request, or
    through ``ajax_response`` (``auth/sha_form.html``) for an AJAX one.
    """
    if DEBUG:
        print("auth debug mode is on!")

    error_action = "_login_view() error"

    if request.method != 'GET':
        debug_msg = "request method %r wrong, only GET allowed" % request.method
        return bad_request(APP_LABEL, error_action, debug_msg)  # HttpResponseBadRequest

    next_url = request.GET.get("next_url", request.path)

    # Coarse open-redirect guard: a "//" anywhere in the value (scheme-relative
    # or absolute URL) would send the post-login redirect off this site.
    # FIXME: a substring test is not full URL validation; newer Django ships
    # django.utils.http.is_safe_url for exactly this check.
    if "//" in next_url:
        debug_msg = "next url %r seems to be wrong!" % next_url
        return bad_request(APP_LABEL, error_action, debug_msg)  # HttpResponseBadRequest

    form = ShaLoginForm()
    # _get_challenge() creates a new challenge and stores it in the session.
    challenge = _get_challenge(request)

    def _password_reset_link():
        """Return the password-reset URL, or ``None`` when none is available.

        django-authopenid's URL name resolves only if its urls.py is included;
        the DjangoBB glue plugin is the fallback.  ``KeyError`` from the
        plugin reverse means the plugin is not installed, ``NoReverseMatch``
        that it is installed but has no PluginPage -- both give ``None``.
        """
        try:
            return urlresolvers.reverse("auth_password_reset")
        except urlresolvers.NoReverseMatch:
            pass
        try:
            return PluginPage.objects.reverse("djangobb_plugin",
                                              "auth_password_reset")
        except (KeyError, urlresolvers.NoReverseMatch):
            return None

    reset_link = _password_reset_link()

    loop_count = _get_loop_count()  # "loop_count" from AuthPreferencesForm

    context = {
        "challenge": challenge,
        "old_salt_len": crypt.OLD_SALT_LEN,
        "salt_len": crypt.SALT_LEN,
        "hash_len": crypt.HASH_LEN,
        "loop_count": loop_count,
        "get_salt_url": request.path + "?auth=get_salt",
        "sha_auth_url": request.path + "?auth=sha_auth",
        "next_url": next_url,
        "form": form,
        "pass_reset_link": reset_link,
    }

    # IMPORTANT: mark the CSRF cookie as used so that
    # CsrfViewMiddleware.process_response() sets CSRF_COOKIE on this response.
    # See https://github.com/jedie/PyLucid/issues/61
    # XXX Django >= 1.4 offers @ensure_csrf_cookie for this:
    # https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie
    request.META["CSRF_COOKIE_USED"] = True

    # AJAX callers get a string that replaces the normal CMS page content;
    # everything else gets the stand-alone debug page.
    if request.is_ajax():
        return ajax_response(request, 'auth/sha_form.html', context,
                             context_instance=RequestContext(request))
    return render_to_response('auth/sha_form_debug.html', context,
                              context_instance=RequestContext(request))
Example #15
        return _wrong_login(request, debug_msg)

    loop_count = _get_loop_count()  # get "loop_count" from AuthPreferencesForm

    sha_checksum = user_profile.sha_login_checksum
    sha_a = form.cleaned_data["sha_a"]
    sha_b = form.cleaned_data["sha_b"]
    cnonce = form.cleaned_data["cnonce"]

    # Simple check if 'nonce' from client used in the past.
    # Limitations:
    #  - Works only when run in a long-term server process, so not in CGI ;)
    #  - dict vary if more than one server process runs (one dict in one process)
    if cnonce in CNONCE_CACHE:
        debug_msg = "Client-nonce '%s' used in the past!" % cnonce
        return bad_request(APP_LABEL, _NORMAL_ERROR_MSG, debug_msg)
    CNONCE_CACHE[cnonce] = None

    if DEBUG:
        print(
            "authenticate %r with: challenge: %r, sha_checksum: %r, sha_a: %r, sha_b: %r, cnonce: %r"
            % (user1, challenge, sha_checksum, sha_a, sha_b, cnonce))

    try:
        # authenticate with:
        # pylucid.system.auth_backends.SiteSHALoginAuthBackend
        user2 = auth.authenticate(user=user1,
                                  challenge=challenge,
                                  sha_a=sha_a,
                                  sha_b=sha_b,
                                  sha_checksum=sha_checksum,
Example #16
def _login_view(request):
    """Render the SHA challenge login form.

    For better JavaScript debugging: enable settings.DEBUG and request the
    page via GET with ``...?auth=login``.

    Returns a ``bad_request`` response (HttpResponseBadRequest) for a non-GET
    method or a rejected ``next_url``.  Otherwise a fresh challenge is created
    (and stored in the session by ``_get_challenge``) and the form is rendered:
    as a full page (``auth/sha_form_debug.html``) for a non-AJAX request, or
    through ``ajax_response`` (``auth/sha_form.html``) for an AJAX one.
    """
    if DEBUG:
        print("auth debug mode is on!")

    if request.method != "GET":
        return bad_request(
            APP_LABEL, "_login_view() error",
            "request method %r wrong, only GET allowed" % request.method,
        )  # HttpResponseBadRequest

    next_url = request.GET.get("next_url", request.path)

    # Coarse open-redirect guard: a "//" anywhere in the value (scheme-relative
    # or absolute URL) would send the post-login redirect off this site.
    # FIXME: a substring test is not full URL validation; newer Django ships
    # django.utils.http.is_safe_url for exactly this check.
    if "//" in next_url:
        return bad_request(
            APP_LABEL, "_login_view() error",
            "next url %r seems to be wrong!" % next_url,
        )  # HttpResponseBadRequest

    form = ShaLoginForm()
    # _get_challenge() creates a new challenge and stores it in the session.
    challenge = _get_challenge(request)

    try:
        # django-authopenid URL; resolvable only when its urls.py is included
        reset_link = urlresolvers.reverse("auth_password_reset")
    except urlresolvers.NoReverseMatch:
        # Fall back to the DjangoBB glue plugin, which adds the same URLs.
        # KeyError: plugin not installed.  NoReverseMatch: installed but no
        # PluginPage created.  Either way there is no reset link to show.
        try:
            reset_link = PluginPage.objects.reverse("djangobb_plugin", "auth_password_reset")
        except (KeyError, urlresolvers.NoReverseMatch):
            reset_link = None

    loop_count = _get_loop_count()  # "loop_count" from AuthPreferencesForm

    auth_url = request.path + "?auth="
    context = {
        "challenge": challenge,
        "old_salt_len": crypt.OLD_SALT_LEN,
        "salt_len": crypt.SALT_LEN,
        "hash_len": crypt.HASH_LEN,
        "loop_count": loop_count,
        "get_salt_url": auth_url + "get_salt",
        "sha_auth_url": auth_url + "sha_auth",
        "next_url": next_url,
        "form": form,
        "pass_reset_link": reset_link,
    }

    # IMPORTANT: mark the CSRF cookie as used so that
    # CsrfViewMiddleware.process_response() sets CSRF_COOKIE on this response.
    # See https://github.com/jedie/PyLucid/issues/61
    # XXX Django >= 1.4 offers @ensure_csrf_cookie for this:
    # https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie
    request.META["CSRF_COOKIE_USED"] = True

    # AJAX callers get a string that replaces the normal CMS page content;
    # everything else gets the stand-alone debug page.
    if request.is_ajax():
        response = ajax_response(request, "auth/sha_form.html", context, context_instance=RequestContext(request))
    else:
        response = render_to_response("auth/sha_form_debug.html", context, context_instance=RequestContext(request))

    return response
Example #17
        return _wrong_login(request, debug_msg)

    loop_count = _get_loop_count()  # get "loop_count" from AuthPreferencesForm

    sha_checksum = user_profile.sha_login_checksum
    sha_a = form.cleaned_data["sha_a"]
    sha_b = form.cleaned_data["sha_b"]
    cnonce = form.cleaned_data["cnonce"]

    # Simple check if 'nonce' from client used in the past.
    # Limitations:
    #  - Works only when run in a long-term server process, so not in CGI ;)
    #  - dict vary if more than one server process runs (one dict in one process)
    if cnonce in CNONCE_CACHE:
        debug_msg = "Client-nonce '%s' used in the past!" % cnonce
        return bad_request(APP_LABEL, _NORMAL_ERROR_MSG, debug_msg)
    CNONCE_CACHE[cnonce] = None

    if DEBUG:
        print (
            "authenticate %r with: challenge: %r, sha_checksum: %r, sha_a: %r, sha_b: %r, cnonce: %r"
            % (user1, challenge, sha_checksum, sha_a, sha_b, cnonce)
        )

    try:
        # authenticate with:
        # pylucid.system.auth_backends.SiteSHALoginAuthBackend
        user2 = auth.authenticate(
            user=user1,
            challenge=challenge,
            sha_a=sha_a,
Example #18
@ensure_csrf_cookie
@check_request(APP_LABEL, "_get_form() error", must_post=False, must_ajax=True)
@render_to("pylucid_comments/comment_form.html")
def _get_form(request):
    """ Send the comment form to via AJAX request """
    try:
        ctype = request.GET["content_type"].split(".", 1)
        model = models.get_model(*ctype)
    except Exception, err:
        return bad_request(APP_LABEL, "error", "Wrong content type: %s" % err)

    try:
        object_pk = request.GET["object_pk"]
        target = model._default_manager.using(None).get(pk=object_pk)
    except Exception, err:
        return bad_request(APP_LABEL, "error", "Wrong object_pk: %s" % err)

    data = {}
    if not request.user.is_authenticated() and COOKIE_KEY in request.COOKIES:
        # Get user data from secure cookie, set in the past, see _form_submission()
        c = ClientCookieStorage(cookie_key=COOKIE_KEY)
        try:
            data = c.get_data(request)
        except ClientCookieStorageError, err:
            LogEntry.objects.log_action(
                app_label=APP_LABEL, action="wrong cookie data", message="%s" % err,
            )
            if settings.DEBUG:
                return bad_request(APP_LABEL, "error", "Wrong cookie data: %s" % err)

    form = comments.get_form()(target, initial=data)