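def protected(req):
    """Return the protected page if the request carries a valid token.

    The token is read from the ``token_tmp`` query argument when it is
    present, otherwise from ``token_ttl``.  It is verified by ``check_token``
    against the module-level ``secret``, the ``hash`` value stored in the
    session cookie, and the Referer with its query string stripped.

    Raises:
        SERVER_RETURN: with ``state.HTTP_FORBIDDEN`` when the request has no
            Referer or when ``check_token`` rejects the token.
    """
    cookie = PoorSession(req)
    cookie_hash = cookie.data.get('hash')

    # Fail closed: the token is checked against the Referer, so a request
    # without one cannot be validated.  Previously this path raised
    # AttributeError on ``None.split`` instead of answering 403.
    if req.referer is None:
        raise SERVER_RETURN(state.HTTP_FORBIDDEN)
    referer = req.referer.split('?')[0]

    # NOTE(review): ``req.args.get`` may yield None when the argument is
    # absent (always possible for ``token_ttl``); the value is handed to
    # check_token unchanged -- confirm check_token rejects a missing token.
    if 'token_tmp' in req.args:
        token = req.args.get('token_tmp')
        valid = check_token(token, secret, cookie_hash, referer)
        mode = None
    else:
        token = req.args.get('token_ttl')
        # The extra ``1`` is presumably a timeout/TTL selector -- confirm
        # against check_token's signature.
        valid = check_token(token, secret, cookie_hash, referer, 1)
        mode = 1

    if not valid:
        raise SERVER_RETURN(state.HTTP_FORBIDDEN)
    return cleandoc(protected_content(token, referer, mode))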
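def do_check_token(req, token, uri=None):
    """Check a token created by do_create_token.

    The token is verified against a referer value: the result of
    ``create_referer(req, uri)`` when a non-empty ``uri`` is given, otherwise
    the request's Referer header with its query string stripped.

    Args:
        req: request object; ``referer``, ``secret_key`` and ``user_hash``
            are read from it.
        token: token value to verify.
        uri: optional URI used instead of the Referer header.

    Returns:
        False when there is neither a usable ``uri`` nor a Referer header,
        otherwise the result of ``csrf.check_token``.
    """
    if uri:
        referer = create_referer(req, uri)
    elif req.referer is None:
        # Fail closed.  This also covers an empty ``uri`` with no Referer,
        # which previously fell through to ``None.split`` and raised
        # AttributeError instead of rejecting the token.
        return False
    else:
        referer = req.referer.split("?")[0]

    # csrf.check_token is given a byte string; ``unicode`` is the Python 2
    # text type.
    if isinstance(referer, unicode):
        referer = referer.encode("utf-8")
    return csrf.check_token(token, req.secret_key, req.user_hash, referer)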