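def protected(req):
    """Serve the protected content only if the request carries a valid CSRF token.

    Two token variants are accepted: ``token_tmp`` (checked without a TTL)
    and, otherwise, ``token_ttl`` (checked with a TTL argument of 1).  The
    token is bound to the session ``hash`` and to the Referer with its query
    string removed.  Every failure is answered with HTTP 403 rather than a
    traceback.

    Args:
        req: request object exposing ``args`` and ``referer``; also handed to
            ``PoorSession`` to read the session cookie.

    Returns:
        The ``cleandoc``-normalised output of ``protected_content``.

    Raises:
        SERVER_RETURN: with ``state.HTTP_FORBIDDEN`` when no Referer is
            present, the token is missing, or ``check_token`` rejects it.
    """
    cookie = PoorSession(req)
    cookie_hash = cookie.data.get('hash')

    # Fail closed: without a Referer there is nothing to bind the token to.
    # Calling ``.split`` on ``None`` would turn a denial into a 500.
    # NOTE(review): the Referer header is routinely stripped by proxies and
    # browser privacy settings, so legitimate users can be refused here; the
    # header is only a binding value, the secret is what makes the token.
    if req.referer is None:
        raise SERVER_RETURN(state.HTTP_FORBIDDEN)
    referer = req.referer.split('?')[0]

    if 'token_tmp' in req.args:
        token = req.args.get('token_tmp')
        ttl = None
    else:
        token = req.args.get('token_ttl')
        ttl = 1

    # An absent token can never be valid; reject it before it reaches
    # check_token as ``None``.
    if token is None:
        raise SERVER_RETURN(state.HTTP_FORBIDDEN)

    # Keep the two original call shapes: the TTL-less variant relies on
    # check_token's own default for its fifth argument.
    if ttl is None:
        valid = check_token(token, secret, cookie_hash, referer)
    else:
        valid = check_token(token, secret, cookie_hash, referer, ttl)
    if not valid:
        raise SERVER_RETURN(state.HTTP_FORBIDDEN)
    return cleandoc(protected_content(token, referer, ttl))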
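def do_check_token(req, token, uri=None):
    """Check a token created by do_create_token.

    The token is verified by ``csrf.check_token`` against the request's
    secret key, the user hash and a referer value.  That value is
    ``create_referer(req, uri)`` when ``uri`` is given, otherwise the
    request's Referer header with its query string stripped.

    Args:
        req: request object providing ``referer``, ``secret_key`` and
            ``user_hash``.
        token: token string supplied by the client.
        uri: optional URI the token is expected to be bound to; when falsy
            (``None`` or ``""``) the Referer header is used instead.

    Returns:
        bool: True if ``csrf.check_token`` accepts the token; False if it does
        not, or if no referer can be derived (no usable ``uri`` and no
        Referer header).
    """
    # Fail closed when there is nothing to bind the token to.  This covers
    # uri="" as well as uri=None, which previously fell through to
    # ``None.split`` and raised instead of denying.
    # NOTE(review): the Referer header is client-controlled and often
    # stripped by proxies/privacy settings, so this is a binding value, not
    # the source of the token's security.
    if uri:
        referer = create_referer(req, uri)
    elif req.referer is None:
        return False
    else:
        referer = req.referer.split("?")[0]
    # Python 2: the check needs bytes, so normalise a unicode referer.
    if isinstance(referer, unicode):
        referer = referer.encode("utf-8")
    return csrf.check_token(token, req.secret_key, req.user_hash, referer)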