def inject_template_vars():
    """
    Template context processor.

    Returns the extra names made available to every rendered template:
    ``logged_in`` (result of ``logged_in()``), ``user`` (the session user
    from ``get_session_user()``) and the ``FolderPermission`` /
    ``SystemPermission`` classes used for permission checks in templates.
    Note that the template name ``SystemPermission`` is bound to the
    ``SystemPermissions`` object (singular key, plural value).
    """
    return dict(
        logged_in=logged_in(),
        user=get_session_user(),
        FolderPermission=FolderPermission,
        SystemPermission=SystemPermissions,
    )
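def _safe_next_url(next_url, default_url):
    """
    Return ``next_url`` if it is a same-site path, otherwise ``default_url``.

    The ``next`` parameter is attacker-controllable (it arrives in the login
    form / query string), so redirecting to it unchecked makes the login page
    an open redirect. Only paths of the form ``/...`` are accepted; an empty
    value, an absolute URL (``http://host/...``), a protocol-relative URL
    (``//host/...``) and the backslash variant (``/\\host``, which browsers
    normalise to ``//host``) all fall back to ``default_url``.
    """
    if not next_url:
        return default_url
    if not next_url.startswith('/') or next_url.startswith(('//', '/\\')):
        return default_url
    return next_url


def login():
    """
    Login page handler.

    GET: renders the login form, or redirects a user who is already logged
    in to ``next`` (if it is a local path) or the default browse page.

    POST: reads ``username``, ``password`` and ``next`` from the form,
    authenticates via ``authenticate_user`` and, for an active user, calls
    ``log_in`` and redirects to the (validated) ``next`` URL. Wrong
    credentials are logged and delayed by one second to slow down scripted
    guessing; a disabled account gets a distinct message. Unexpected
    exceptions are reported through ``log_security_error`` / ``logger``,
    re-raised when ``app.config['DEBUG']`` is set, and otherwise turned into
    a generic error message.

    Returns a Flask redirect on success, otherwise the rendered
    ``login.html`` template with ``username``, ``next`` and ``err_msg``.
    """
    username = ''
    password = ''
    next_url = ''
    login_error = ''
    next_url_default = internal_url_for('browse')

    if request.method == 'POST':
        try:
            # Get parameters
            username = request.form.get('username', '')
            password = request.form.get('password', '')
            next_url = request.form.get('next', '')
            if not password:
                login_error = 'You must enter your password'
            if not username:
                login_error = 'You must enter your username'
            if not login_error:
                # Log in
                user = authenticate_user(username, password, data_engine, logger)
                if user is not None:
                    if user.status == User.STATUS_ACTIVE:
                        # Success - only follow 'next' when it stays on this site
                        log_in(user)
                        return redirect(_safe_next_url(next_url, next_url_default))
                    else:
                        login_error = 'Sorry, your account is disabled.'
                else:
                    login_error = '''Sorry, your username and password were not recognised.
                                     Please try again.'''
                    # Slow down scripted attacks
                    # NOTE(review): the username is user input and is logged
                    # verbatim; if this logger writes plain text, embedded
                    # newlines could forge log entries - consider sanitising.
                    logger.warn('Incorrect login for username ' + username)
                    sleep(1)
        except Exception as e:
            # The original listing was garbled here; reconstructed as: log the
            # error unless log_security_error() already handled it, re-raise
            # in DEBUG so the traceback is visible, otherwise show a generic
            # message (never the exception text) to the user.
            if not log_security_error(e, request):
                logger.error('Error performing login: ' + str(e))
            if app.config['DEBUG']:
                raise
            login_error = 'Sorry, an error occurred. Please try again later.'
    else:
        # If already logged in, go to the default page (or a local 'next')
        if logged_in():
            next_url = request.args.get('next', '')
            return redirect(_safe_next_url(next_url, next_url_default))

    # Not logged in, or unsuccessful login
    return render_template(
        'login.html',
        username=username,
        next=next_url,
        err_msg=login_error
    )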
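def _check_internal_request(request, session, from_web, require_login,
                            required_permission_flag=None):
    """
    A low-level component implementing request scheme, port, session and
    optional system permission checking for an "internal" web request.
    Incorporates _check_port and _check_ssl_request.

    Checks run in this order:
      1. port (when ``INTERNAL_BROWSING_PORT`` is configured),
      2. SSL (when ``INTERNAL_BROWSING_SSL`` is configured) - after the port
         check so an HTTPS redirect lands on the right port,
      3. login, when ``require_login`` is true *or* a
         ``required_permission_flag`` is given (a permission can only be
         checked for a logged-in user, so the flag implies a login
         requirement rather than being silently ignored),
      4. the permission itself via ``permissions_engine.ensure_permitted``.

    ``from_web`` selects the failure style: a redirect to the login page
    (preserving the original path and query string in ``next``) or a 403
    page for browser requests; an API error response otherwise.
    ``session`` is accepted for interface compatibility but the login state
    is read via ``logged_in()``.

    Returns a Flask redirect or response if there is a problem, otherwise None.
    """
    # Check the port first
    if app.config['INTERNAL_BROWSING_PORT']:
        port_response = _check_port(request, app.config['INTERNAL_BROWSING_PORT'], from_web)
        if port_response:
            return port_response
    # Check SSL second, so that if we need to redirect to HTTPS
    # we know we're already on the correct port number
    if app.config['INTERNAL_BROWSING_SSL']:
        ssl_response = _check_ssl_request(request, from_web)
        if ssl_response:
            return ssl_response
    # A permission requirement is meaningless for an anonymous session.
    # Previously a caller passing a flag with require_login=False got no
    # check at all; fail closed instead by requiring a login.
    if required_permission_flag:
        require_login = True
    # Check the session is logged in
    if require_login:
        if not logged_in():
            if from_web:
                from_path = request.path
                if len(request.args) > 0:
                    from_path += '?' + url_encode(request.args)
                # Go to login page, redirecting to original destination on success
                # (a path+query built from this request, so it is always local)
                return redirect(internal_url_for('login', next=from_path))
            else:
                # Return an error
                return make_api_error_response(AuthenticationError(
                    'You must be logged in to access this function'
                ))
        # Check admin permission
        if required_permission_flag:
            try:
                permissions_engine.ensure_permitted(
                    required_permission_flag, get_session_user()
                )
            except SecurityError as e:
                # Return an error
                if from_web:
                    # NOTE(review): str(e) is sent as the response body with
                    # Flask's default content type; confirm SecurityError
                    # messages never embed unescaped user-supplied text.
                    return make_response(str(e), 403)
                else:
                    return make_api_error_response(e)
    # OK
    return None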