def form_valid(self, form):
signer = Signer()
leaflet_people = {}
for person in form.cleaned_data["people"]:
person_data = json.loads(signer.unsign(person))
if not person_data:
continue
leaflet_people[person_data["person"]["id"]] = person_data
person, _ = Person.objects.get_or_create(
remote_id=person_data["person"]["id"],
defaults={
"name": person_data["person"]["name"],
"source_url": "https://candidates.democracyclub.org.uk/person/{}".format(
person_data["person"]["id"]
),
"source_name": "YNR2017",
},
)
self.object.people = leaflet_people
self.object.person_ids = list(leaflet_people.keys())
self.object.ballots = [
c["ballot"] for ynr_id, c in leaflet_people.items()
]
party_data = json.loads(signer.unsign(form.cleaned_data["parties"]))
if party_data["party_id"]:
self.object.ynr_party_id = party_data["party_id"]
self.object.ynr_party_name = party_data["party_name"]
return super().form_valid(form)
def save(self):
if "people" in self.cleaned_data and self.cleaned_data["people"]:
signer = Signer()
data = json.loads(signer.unsign(self.cleaned_data["people"]))
self.instance.ynr_party_id = data["ynr_party_id"]
self.instance.ynr_party_name = data["ynr_party_name"]
self.instance.ballot_id = data["ballot_id"]
person, _ = Person.objects.get_or_create(
remote_id=data["ynr_person_id"],
defaults={
"name":
data["ynr_person_name"],
"source_url":
"https://candidates.democracyclub.org.uk/person/{}".format(
data["ynr_person_id"]),
"source_name":
"YNR2017",
},
)
self.instance.publisher_person = person
elif self.cleaned_data.get("parties") and self.cleaned_data["parties"]:
signer = Signer()
(
self.instance.ynr_party_id,
self.instance.ynr_party_name,
) = signer.unsign(self.cleaned_data["parties"]).split("--")
self.instance.save()
def verify(self):
"""
Attempts to unsign the signature using the current `SECRET_KEY`. If
unsigning fails, `SECRET_KEY` has changed, and the exception
`django.core.signing.BadSignature` will be raised. If `SECRET_KEY_FILE`
does not exist, `secretkey.errors.SecretKeyFileNotFound` will be
raised.
"""
secret_key = settings.SECRET_KEY
signer = Signer(secret_key)
signer.unsign(self.signed_value)
def get_initial(self):
"""
Validating the redirection from account via session variable
"""
if 'signed_token' not in self.request.session:
raise Http404
signer = Signer()
try:
signer.unsign(self.request.session['signed_token'])
except BadSignature:
raise Http404
return super(EmailChangePasswordView, self).get_initial()
def CheckLogin(request):
if 'user_login' in request.session:
try:
sig = Signer()
sig.unsign(request.session['user_login'])
return True
except:
return False
else:
return False
def get(self, request: HttpRequest, recovery: UUID):
"""
Handle the get request - comes from an E-Mail
"""
url_form = ForgottenCredentialsStep3BaseForm(request.GET)
if not url_form.is_valid():
return self.report(request, 'invalid-link')
signer = Signer(salt=str(recovery))
try:
auth = signer.unsign(url_form.cleaned_data['auth'])
except (BadSignature, ValueError):
return self.report(request, 'invalid-link')
try:
pending_recovery = PendingCredentialRecovery.objects.filter(
user__is_active=True, valid_until__gte=now()).get(
uuid=recovery) # type: PendingCredentialRecovery
except PendingCredentialRecovery.DoesNotExist:
return self.report(request, 'invalid-link')
if pending_recovery.key != auth: # pragma: no cover # Safeguard, can only happen with compromised security key
return self.report(request, 'invalid-link')
if pending_recovery.recovery_type == 'password':
return self.request_password(request,
url_form.cleaned_data['auth'],
str(recovery))
return self.reveal_information(request, url_form.cleaned_data['auth'],
str(recovery),
pending_recovery.recovery_type)
class ConfirmImportManagementForm(forms.Form):
"""
Store the import file name and input format in the form so that it can be used in the next step
The initial values are signed, to prevent them from being tampered with.
"""
import_file_name = forms.CharField(widget=forms.HiddenInput())
input_format = forms.CharField(widget=forms.HiddenInput())
def __init__(self, *args, **kwargs):
self.signer = Signer()
initial = kwargs.get("initial", {})
for key in {"import_file_name", "input_format"}:
if key in initial:
# Sign initial data so it cannot be tampered with
initial[key] = self.signer.sign(initial[key])
super().__init__(*args, **kwargs)
def clean(self):
cleaned_data = super().clean()
for key in {"import_file_name", "input_format"}:
try:
cleaned_data[key] = self.signer.unsign(cleaned_data[key])
except BadSignature as e:
raise forms.ValidationError(e.message)
return cleaned_data
def getUser(request):
if CheckLogin(request) == True:
signer = Signer(web_settings.salt)
username = signer.unsign(request.session['teacher_login'])
return add.objects.get(email=username)
def clean(self):
cleaned_data = super(ExternalURLForm, self).clean()
signer = Signer()
if self.errors:
# if it's not a valid URL, no reason to do further validation
return
url = cleaned_data['ext_url']
matched_whitelist = any((regex.match(url) for regex in EXTERNAL_URL_WHITELIST))
if matched_whitelist:
cleaned_data['validated_url'] = url
elif 'signature' in cleaned_data:
signed_url = "{ext_url}:{signature}".format(**cleaned_data)
try:
cleaned_data['validated_url'] = signer.unsign(signed_url)
except BadSignature:
raise ValidationError(_('Signature validation failed'),
code='invalid')
else:
raise ValidationError(_('URL must either be allowed by '
'settings.EXTERNAL_URL_WHITELIST '
'or have a valid signature'),
code='invalid')
def catalogo(request):
try:
lista = get_lista(request)
cliente = request.user.cliente if request.user.is_authenticated() else None
context = get_base_context(request=request)
signer = Signer()
signed_id = None
if request.method == 'GET':
signed_id = request.GET.get('bien_id',0)
else:
if 'add_to_cart_button' in request.POST:
signed_id = request.POST.get('bien_id',0)
add_to_cart(request)
if signed_id:
bien_id = int(signer.unsign(signed_id),0)
if lista and (bien_id > 0):
bien = lista.get_bienes(include_hidden=False, search_bien_id=bien_id, cliente=cliente)
context['bien'] = bien
context['impuesto'] = lista.impuesto
atributos = models.BienYAtributo.objects.filter(bien__id=bien.id)
context['atributos'] = atributos
except AttributeError as e:
return HttpResponseServerError(e)
return render(request, 'catalogo.html', context)
def get_signed_age(s, salt=None):
signer = Signer(salt=salt)
result = signer.unsign(s)
value, timestamp = result.rsplit(signer.sep, 1)
timestamp = baseconv.base62.decode(timestamp)
age = time.time() - timestamp
return age
def explain(request):
# Make sure that the user can only submit an explanation for the random word we picked
signer = Signer()
if request.method == 'POST':
form = ExplainForm(request.POST)
if form.is_valid():
word_id = signer.unsign(form.cleaned_data['word_signed'])
word = Word.objects.get(pk=word_id)
explanation = Explanation(
word=word,
explanation= form.cleaned_data['explanation'],
author = request.user,
)
explanation.save()
messages.success(request, u"Vielen Dank für Deine Erklärung zu „%s“!" % word.lemma)
return redirect('index')
else:
try:
word = Word.random(player = request.user)
form = ExplainForm(initial = {'word_signed': signer.sign(word.id)})
except NotEnoughWordsException:
messages.error(request, u"Leider gibt es nicht genügend Wörter. Motiviere deine Freunde, ein paar neue Wörter einzugeben!")
return redirect('index')
context = {
'word': word,
'form': form,
}
return render(request, 'nbip/explain.html', context)
def _surveyDelete(requestData, user):
'''
问卷删除的具体处理函数
'''
# 检查是否提供了id
keys = requestData.keys()
if 'id' not in keys:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.NO_ID)
idSigned = requestData['id']
# 对id进行数字签名的检查
try:
signer = Signer()
id = signer.unsign(idSigned)
except BadSignature:
# 篡改发现处理
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.BAD_SAGNATURE)
# 检查对象是否还存在,并将对象锁定
surveyList = Survey.objects.filter(id=id).select_for_update()
if len(surveyList) == 0:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.OBJECT_NOT_EXIST)
survey = surveyList[0]
# 检查当前用户是否有权限修改
if survey.createBy.id != user.id:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.NO_PRIVILEGE)
# 执行删除
# 调查的删除不是直接删除,而是将状态改为P,有些信息还要以备后查
survey.state = 'P'
survey.save()
# 返回成功
return packageResult(RESULT_CODE.SUCCESS, RESULT_MESSAGE.SUCCESS)
def unsign_purpose(signed_purpose):
signer = Signer()
try:
val = signer.unsign(signed_purpose)
return val[len(SALT):]
except BadSignature:
return None
def get(self, *args, **kwargs):
signer = Signer()
sign = self.request.GET.get('sign')
topic = kwargs.get('pk')
if not topic:
data = {'status': 'No topic #{} found.'.format(topic)}
if not sign:
data = {'status': 'No message sign passed.'}
if sign and topic:
try:
topic = Topic.objects.get(pk=topic)
user = User.objects.get(email=signer.unsign(sign))
topic.unsubscribed.add(user)
data = {
'status':
'successfully unsubscribed from topic #{}'.format(topic.pk)
}
except:
data = {'status': 'wrong signature, cannot unsubscribe'}
unsubscribed_serializer = UnsubscribedSerializer(data=data)
unsubscribed_serializer.is_valid(raise_exception=True)
return Response(unsubscribed_serializer.data)
def process_ipn(sender, **kwargs):
query = kwargs['query']
payment_id = None
try:
verify_url = settings.ARTSHOW_PAYPAL_URL + "?cmd=_notify-validate&" + query
paypal_logger.debug("requesting verification from: %s", verify_url)
pipe = urlopen(verify_url)
text = pipe.read(128)
if text != "VERIFIED":
raise IPNProcessingError("Paypal returned %s for verification" % text)
params = parse_qs(query)
paypal_logger.info("validated PayPal IPN: %s", repr(params))
txn_type = params['txn_type'][0]
if txn_type != "web_accept":
raise IPNProcessingError("txn_type is %s not web_accept" % txn_type)
item_number = params['item_number'][0]
payment_status = params['payment_status'][0]
amount_gross = params['mc_gross'][0]
amount_gross = Decimal(amount_gross)
payer_email = params['payer_email'][0]
payment_date_str = params['payment_date'][0]
payment_date = convert_date(payment_date_str)
if payment_status != "Completed":
raise IPNProcessingError("payment status is %s != Completed" % payment_status)
signer = Signer()
payment_id = signer.unsign(item_number)
payment = Payment.objects.get(id=payment_id)
if payment.payment_type_id != settings.ARTSHOW_PAYMENT_PENDING_PK:
if payment.payment_type_id == settings.ARTSHOW_PAYMENT_RECEIVED_PK and payment.amount == amount_gross:
paypal_logger.info("additional notification received for payment id %s. this is normal", payment_id)
return
raise IPNProcessingError("payment is not Payment Pending state")
if payment.amount != amount_gross:
paypal_logger.warning("payment is being changed from %s to %s", payment.amount, amount_gross)
paypal_logger.info("marking payment received. payment id: %s amount: %s paypal email: %s",
payment_id, amount_gross, payer_email)
payment.amount = amount_gross
payment.payment_type_id = settings.ARTSHOW_PAYMENT_RECEIVED_PK
payment.description = "Paypal " + payer_email
payment.date = payment_date
payment.save()
except Exception, x:
paypal_logger.error("Error when getting validation for: %s", query)
if payment_id:
paypal_logger.error("... during processing of payment_id: %s", payment_id)
paypal_logger.error("%s", x)
def user_activate_page(request, signed_value):
"""
Function will decode the 'signed_value' parameter and extract the User
object from this value then set the User account to be active in our
system.
"""
try:
# Convert our signed value into a text.
signer = Signer()
value = signer.unsign(signed_value)
except Exception as e:
return HttpResponseBadRequest(_("Failed activating this account."))
# Get the user account and activate it.
user = get_object_or_404(User, pk=value)
user.is_active = True
user.save()
# Get the domain URL.
try:
org = PublicOrganization.objects.get(users__id=user.id)
group = Group.objects.get(id=constants.ENTREPRENEUR_GROUP_ID)
login_url = org.reverse('foundation_auth_user_login')
if group in user.groups.all():
login_url = org.reverse('foundation_auth_user_login')
except PublicOrganization.DoesNotExist:
login_url = reverse('foundation_auth_user_login')
return render(request, 'foundation_auth/user_activation/view.html',{
'user': user,
'login_url': login_url,
})
def surveyAnswerSubmit(request):
'''
问卷批量提交服务
'''
# 读取surveyId
surveyIdSigned = request.REQUEST.get('surveyId')
if not surveyIdSigned:
# raise Exception(RESULT_MESSAGE.NO_SURVEY_ID) # 没有提供调查对象
template = loader.get_template('www/answerFinished.html')
context = RequestContext(request, {'title': u'出错', 'message': RESULT_MESSAGE.NO_SURVEY_ID, 'returnUrl': '/'})
return HttpResponse(template.render(context))
# 对调查标识的数据签名进行检查
try:
signer = Signer()
surveyId = signer.unsign(surveyIdSigned)
except:
# raise Exception(RESULT_MESSAGE.BAD_SAGNATURE) # 无效的数字签名
template = loader.get_template('www/answerFinished.html')
context = RequestContext(request, {'title': u'出错', 'message': RESULT_MESSAGE.BAD_SAGNATURE, 'returnUrl': '/'})
return HttpResponse(template.render(context))
# 调用提交控制器生成处理数据,并生成返回结果
surveySubmitController = SurveySubmitController(request, surveyId)
return surveySubmitController.process()
def receive_json(self, content, **kwargs):
signer = Signer()
request_id = content.get("request_id")
if request_id is None:
raise TurboStreamException(
"No request_id in subscription request.")
message_type = content.get("type")
if message_type == "subscribe":
try:
channel_name = signer.unsign(
content.get("signed_channel_name", ""))
except BadSignature:
raise TurboStreamException(
"Signature has been tampered with on the client!")
self.requests.setdefault(channel_name, []).append(request_id)
self.groups.append(channel_name)
async_to_sync(self.channel_layer.group_add)(channel_name,
self.channel_name)
elif message_type == "unsubscribe":
try:
channel_name = [
channel_name
for channel_name, requests in self.requests.items()
if request_id in requests
][0]
except IndexError:
raise TurboStreamException(
"No subscription for a given request ID exists to unsubscribe."
)
self.groups.remove(channel_name)
if channel_name not in self.groups:
async_to_sync(self.channel_layer.group_discard)(
channel_name, self.channel_name)
def mute(self, account, courtesy_of=None):
signer = Signer()
sc_client = get_sc_client()
token = self.token_set.get()
# get a new token in terms of expirations
if token.expires_at >= timezone.now():
self.refresh_access_token()
token = self.token_set.get()
sc_client.access_token = signer.unsign(token.access_token)
mute_op = Mute(
self.username,
account,
)
resp = sc_client.broadcast([mute_op.to_operation_structure()])
if 'error' in resp:
raise Exception(resp.get("error"))
if courtesy_of:
action_text = f"Muted {account} in " \
f"courtesy of {courtesy_of}."
else:
action_text = f"Muted {account}."
log = Log(user=self, message=action_text)
log.save()
def Shared_Decks(request):
u_id = request.GET.get('u_id')
user = None
user_name = None
signer = Signer(request.user.id)
try:
user = signer.unsign(u_id)
except signing.BadSignature:
return HttpResponse(json.dumps({"Tampering": "bad signature"}))
shared_decks = Deck.objects.filter(user_id=user,
share_flag=1,
deleted_flag=0)
deck_list = []
for deck in shared_decks:
deck_list.append({
"orig_deck_id": signer.sign(deck.deck_id),
"deck_name": deck.deck_name,
"share": deck.share_flag,
})
form = NewDeck(initial={'user': request.user.id})
getname = User.objects.filter(id=user)
for user_obj in getname:
user_name = user_obj.username
context = {
"shared_user_id": user,
"shared_user_name": user_name,
"shared_decks": deck_list,
"clone_form": form,
"sign": signer.sign(request.user.id)
}
return render(request, 'flash_cards/shared_profile.html', context)
def Study(request):
signer = Signer(request.user.id)
deck_id_signed = request.GET.get('deck_id')
deck_id = None
deckname = ""
card_list = []
current_user_id = request.user.id
try:
deck_id = signer.unsign(deck_id_signed)
except signing.BadSignature:
print "Tampering Detected! Study"
return HttpResponseRedirect('/')
deck = Deck.objects.filter(deck_id = deck_id, deleted_flag = 0)
try:
deckname = deck[0].deck_name
deck_creator_id = deck[0].user_id
except IndexError:
deckname = ""
cards = Card.objects.filter(deck_id = deck_id, deleted_flag = 0).order_by('-date_created')
for card in cards:
card_list.append({
"card_id" : card.card_id,
"front" : card.front,
"back" : card.back,
})
context = {
"deckname" : deckname,
"card_list" : card_list,
"deck_id_signed" : deck_id_signed,
"deck_creator_id" : deck_creator_id,
"current_user_id" : current_user_id,
}
return render(request, 'flash_cards/study.html', context)
def Shared_Decks(request):
u_id = request.GET.get('u_id')
user = None
user_name = None
signer = Signer(request.user.id)
try:
user = signer.unsign(u_id)
except signing.BadSignature:
return HttpResponse(json.dumps({"Tampering": "bad signature"}))
shared_decks = Deck.objects.filter(user_id = user, share_flag = 1, deleted_flag = 0)
deck_list = []
for deck in shared_decks:
deck_list.append({
"orig_deck_id" : signer.sign(deck.deck_id),
"deck_name" : deck.deck_name,
"share" : deck.share_flag,
})
form = NewDeck(initial={'user' : request.user.id})
getname = User.objects.filter(id = user)
for user_obj in getname:
user_name = user_obj.username
context = {
"shared_user_id" : user,
"shared_user_name" : user_name,
"shared_decks" : deck_list,
"clone_form" : form,
"sign" : signer.sign(request.user.id)
}
return render(request, 'flash_cards/shared_profile.html', context)
def Edit_Deck(request):
if request.method == 'POST':
deck_id_signed = request.POST.get('deck_id')
deck_id = None
signer = Signer(request.user.id)
try:
deck_id = signer.unsign(deck_id_signed)
except signing.BadSignature:
print("Tampering detected!!")
return HttpResponseRedirect('/')
deck_name = request.POST.get('deck_name')
user = request.POST.get('user')
share_flag = request.POST.get('share_flag')
if share_flag == 'false':
share_flag = 0
else:
share_flag = 1
data = {'user' : user, 'deck_name' : deck_name, "share_flag" : share_flag}
deck = get_object_or_404(Deck, deck_id=deck_id)
if deck.deck_name == deck_name:
deck.share_flag = share_flag
deck.save()
else:
form = NewDeck(data)
if form.is_valid():
#deck = get_object_or_404(Deck, deck_id=deck_id)
deck.deck_name = deck_name
deck.share_flag = share_flag
deck.save()
else:
errors = form.errors
return HttpResponse(json.dumps(errors))
return HttpResponse(json.dumps({"success": "success"}))
def _paperDelete(requestData, user):
# 检查是否提供了id
keys = requestData.keys()
if 'id' not in keys:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.NO_ID)
idSigned = requestData['id']
# 对id进行数字签名的检查
try:
signer = Signer()
id = signer.unsign(idSigned)
except BadSignature:
# 篡改发现处理
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.BAD_SAGNATURE)
# 检查对象是否还存在,并将对象锁定
paperList = Paper.objects.filter(id=id).select_for_update()
if len(paperList) == 0:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.OBJECT_NOT_EXIST)
paper = paperList[0]
# 检查当前用户是否有权限修改
if paper.createBy.id != user.id:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.NO_PRIVILEGE)
# 执行删除
paper.delete()
# 返回成功
return packageResult(RESULT_CODE.SUCCESS, RESULT_MESSAGE.SUCCESS)
def clean(self):
cleaned_data = super(ExternalURLForm, self).clean()
signer = Signer()
if self.errors:
# if it's not a valid URL, no reason to do further validation
return
url = cleaned_data['ext_url']
matched_whitelist = any(
(regex.match(url) for regex in EXTERNAL_URL_WHITELIST))
if matched_whitelist:
cleaned_data['validated_url'] = url
elif 'signature' in cleaned_data:
signed_url = "{ext_url}:{signature}".format(**cleaned_data)
try:
cleaned_data['validated_url'] = signer.unsign(signed_url)
except BadSignature:
raise ValidationError(_('Signature validation failed'),
code='invalid')
else:
raise ValidationError(_('URL must either be allowed by '
'settings.EXTERNAL_URL_WHITELIST '
'or have a valid signature'),
code='invalid')
def api_check_magnet2(request):
if request.method == 'POST' and request.FILES['file']:
lancuch = request.FILES['file'].read()
lancuch = lancuch.decode(
"utf-8") # konwersja kodowania z bytes na string utf-8
print(lancuch)
# --
print(string_sha256(lancuch.encode('utf-8')))
# --
# sprawdzenie podpisu
signer = Signer() # salt='jakas_sol'
try:
signed_hash = signer.unsign(lancuch)
except BadSignature:
return JsonResponse({"magnet": {"status": "bad sign"}})
doc = Documents.objects.filter(
hash=signed_hash).first() # szukam pliku do ktorego kieruje magnet
if doc and os.path.isfile("media/" + doc.file.name):
data = {
"id": str(doc.id),
"nazwa": str(doc.file).split("/")[1],
"timestamp": str(doc.timestamp),
"autor": str(doc.owner.username)
}
return JsonResponse(data)
else:
return JsonResponse({"magnet": {"status": "file not exists"}})
def get(self, request, pk, format=None):
try:
signer = Signer()
sign_in_link_id = signer.unsign(pk)
sign_in_link = SignInLink.objects.get(id=sign_in_link_id)
if not sign_in_link.is_valid_link:
if sign_in_link.used:
return HttpResponseRedirect(reverse('login') + '?error=already_used')
return HttpResponseRedirect(reverse('login') + '?error=expired')
user = User.objects.get(email=sign_in_link.email)
if user.is_active:
password = User.objects.make_random_password()
user.set_password(password)
user.save()
user = authenticate_and_login(email=sign_in_link.email, password=password, request=request)
sign_in_link.used = True
sign_in_link.active = False
sign_in_link.save()
return HttpResponseRedirect(reverse('index'))
else:
return HttpResponseRedirect(reverse('login') + '?error=user_is_deactivated')
except:
return HttpResponseRedirect(reverse('login') + '?error=invalid_link')
def _custListItemDelete(requestData, user):
'''
问卷删除的具体处理函数
'''
# 检查是否提供了id
keys = requestData.keys()
if 'id' not in keys:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.NO_ID)
idSigned = requestData['id']
# 对id进行数字签名的检查
try:
signer = Signer()
id = signer.unsign(idSigned)
except BadSignature:
# 篡改发现处理
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.BAD_SAGNATURE)
# 检查对象是否还存在,并将对象锁定
custListListItem = CustListItem.objects.filter(id=id).select_for_update()
if len(custListListItem) == 0:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.OBJECT_NOT_EXIST)
custListItem = custListListItem[0]
# 检查当前用户是否有权限修改
if custListItem.createBy.id != user.id:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.NO_PRIVILEGE)
# 执行删除
custListItem.delete()
# 返回成功
return packageResult(RESULT_CODE.SUCCESS, RESULT_MESSAGE.SUCCESS)
def Study(request):
signer = Signer(request.user.id)
deck_id_signed = request.GET.get('deck_id')
deck_id = None
deckname = ""
card_list = []
current_user_id = request.user.id
try:
deck_id = signer.unsign(deck_id_signed)
except signing.BadSignature:
print "Tampering Detected! Study"
return HttpResponseRedirect('/')
deck = Deck.objects.filter(deck_id=deck_id, deleted_flag=0)
try:
deckname = deck[0].deck_name
deck_creator_id = deck[0].user_id
except IndexError:
deckname = ""
cards = Card.objects.filter(deck_id=deck_id,
deleted_flag=0).order_by('-date_created')
for card in cards:
card_list.append({
"card_id": card.card_id,
"front": card.front,
"back": card.back,
})
context = {
"deckname": deckname,
"card_list": card_list,
"deck_id_signed": deck_id_signed,
"deck_creator_id": deck_creator_id,
"current_user_id": current_user_id,
}
return render(request, 'flash_cards/study.html', context)
def Edit_Deck(request):
if request.method == 'POST':
deck_id_signed = request.POST.get('deck_id')
deck_id = None
signer = Signer(request.user.id)
try:
deck_id = signer.unsign(deck_id_signed)
except signing.BadSignature:
print("Tampering detected!!")
return HttpResponseRedirect('/')
deck_name = request.POST.get('deck_name')
user = request.POST.get('user')
share_flag = request.POST.get('share_flag')
if share_flag == 'false':
share_flag = 0
else:
share_flag = 1
data = {'user': user, 'deck_name': deck_name, "share_flag": share_flag}
deck = get_object_or_404(Deck, deck_id=deck_id)
if deck.deck_name == deck_name:
deck.share_flag = share_flag
deck.save()
else:
form = NewDeck(data)
if form.is_valid():
#deck = get_object_or_404(Deck, deck_id=deck_id)
deck.deck_name = deck_name
deck.share_flag = share_flag
deck.save()
else:
errors = form.errors
return HttpResponse(json.dumps(errors))
return HttpResponse(json.dumps({"success": "success"}))
def View_Deck(request):
deck_id_signed = request.GET.get('deck_id')
deck_id = None
card_list = []
signer = Signer(request.user.id)
try:
deck_id = signer.unsign(deck_id_signed)
except signing.BadSignature:
print("Tampering detected! View deck")
return HttpResponseRedirect('/')
form = NewCard(initial={'deck': request.GET.get('deck_id')})
cards = Card.objects.filter(deck_id=deck_id,
deleted_flag=0).order_by('-date_created')
deck = Deck.objects.filter(deck_id=deck_id, deleted_flag=0)
print "here"
deck_name = ""
try:
deck_name = deck[0].deck_name
except IndexError:
deck_name = ""
for card in cards:
card_list.append({
"card_id": card.card_id,
"front": card.front,
"back": card.back,
})
upload_form = UploadFile(initial={"deck_id": signer.sign(deck_id)})
context = {
"upload_form": upload_form,
"form": form,
"card_list": card_list,
"deck_id": deck_id_signed,
"deck_name": deck_name,
}
return render(request, 'flash_cards/view_deck.html', context)
def has_permission(self, request, view):
signature = request.META.get('HTTP_X_GMTOOLS_SIGNATURE', '')
signer = Signer(sep='/', salt=self.NAMESPACE)
try:
return signer.unsign(signature) == self.RAW_VALUE
except BadSignature:
return False
def get(self, request, link):
signer = Signer()
global email
email = signer.unsign(script_email)
audit = signer.sign(email).split(':')[1]
if link != audit:
message = 'Паге нот фаунд'
form = EmailForm()
return render(request,
'Performer/Forgot_password.html',
context={
'form': form,
'message': message
})
form = ChangePasswordForm()
return render(request,
'Performer/Change_password_page.html',
context={'form': form})
def View_Deck(request):
deck_id_signed = request.GET.get('deck_id')
deck_id = None
card_list =[]
signer = Signer(request.user.id)
try:
deck_id = signer.unsign(deck_id_signed)
except signing.BadSignature:
print("Tampering detected! View deck")
return HttpResponseRedirect('/')
form = NewCard(initial={'deck' : request.GET.get('deck_id')})
cards = Card.objects.filter(deck_id=deck_id, deleted_flag = 0).order_by('-date_created')
deck = Deck.objects.filter(deck_id=deck_id, deleted_flag = 0)
print "here"
deck_name = ""
try:
deck_name = deck[0].deck_name
except IndexError:
deck_name = ""
for card in cards:
card_list.append({
"card_id" : card.card_id,
"front" : card.front,
"back" : card.back,
})
upload_form = UploadFile(initial={"deck_id" : signer.sign(deck_id)})
context = {
"upload_form" : upload_form,
"form" : form,
"card_list" : card_list,
"deck_id" : deck_id_signed,
"deck_name" : deck_name,
}
return render(request, 'flash_cards/view_deck.html', context)
def message_view(request, message_id):
message = get_object_or_404(Message, pk=message_id)
try:
signer = Signer()
original = signer.unsign(message.text)
messages.success(
request,
'Tudo certo! Nós garantimos a autenticidade dessa mensagem.')
message.read_status = True
message.save()
return render(request,
'custom_mail/message_view.html',
context={
'message': message,
'message_text': original
})
except signing.BadSignature:
messages.warning(
request,
'Ops! Houve um problema, a mensagem pode ter sido corrompida.')
return redirect('inbox')
print("Tampering detected!")
def changeResestPassword(request):
token = request.POST['token']
if token:
signer = Signer()
try:
original = signer.unsign(token)
except BadSignature:
print("Tampering detected!")
return JsonResponse({'error' : 'token expired'})
user = User.objects.filter(username=original).get()
newPass = request.POST['password']
user.password = make_password(newPass)
user.save()
user = authenticate(username=original, password=newPass)
login(request, user)
request.session['member_id'] = user.id
request.session['username'] = user.username
return JsonResponse({'success' : 'password changed for ' + user.username})
else:
if request.user.is_authenticated():
me = request.user
if check_password(request.POST['password0'], me.password):
newPass = request.POST['password']
me.password = make_password(newPass)
me.save()
me = authenticate(username=me.username, password=newPass)
login(request, me)
return JsonResponse({'success' : 'password changed for ' + me.username})
else:
return JsonResponse({'error' : 'current password doesn\'t match'})
return JsonResponse({'error' : 'password not changed'})
def token(self):
signer = Signer()
try:
original = signer.unsign(self.__input)
except Exception as e:
return False
return True if original != "" else False
def verifyemail(request):
signer = Signer()
userid = request.GET.get('id')
useridclear = signer.unsign(userid)
userprofile = Userprofile.objects.get(user__id=useridclear)
userprofile.emailverified = True
userprofile.save()
return render(request, 'account/email-verified.html', {})
def dispatch(self, request, *args, **kwargs):
signed_email = kwargs['signed_email']
signer = Signer(salt=SUBSCRIPTION_SIGNING_SALT)
try:
self.email = signer.unsign(signed_email)
except BadSignature as e:
raise SuspiciousOperation(e)
return super().dispatch(request, *args, **kwargs)
def verify_signature(self, signature):
"""
Checks if the signature has been tampered with.
:arg str signature: The signature to check, as generated by
:func:`make_signature`.
:returns: ``True`` if the signature has not been tampered with,
``False`` otherwise.
:rtype: bool
"""
signer = Signer()
value = "%s:%s" % (self.new_email, signature)
try:
signer.unsign(value)
except BadSignature:
return False
return True
def dispatch(self, request, *args, **kwargs):
# Get and unsign the key if we have one
key = kwargs.get('key', None)
if key:
signer = Signer(sep='_', salt='manifesto')
key = signer.unsign(key)
self.key = key
return super(ManifestView, self).dispatch(request, *args, **kwargs)
def verify_signature(self, signature):
"""
Checks if the signature has been tampered with.
:arg str signature: The signature to check, as generated by
:func:`make_signature`.
:returns: ``True`` if the signature has not been tampered with,
``False`` otherwise.
:rtype: bool
"""
signer = Signer()
value = "%s:%s" % (self.new_email, signature)
try:
signer.unsign(value)
except BadSignature:
return False
return True
def check_object(obj, signature):
signer = Signer()
value = get_value_to_sign(obj)
try:
return signer.unsign(f"{value}:{signature}") == value
except BadSignature:
return False
def validate_token(self, token):
signer = Signer()
try:
original = signer.unsign(token)
except Exception:
return False
return True if original != "" else False
def confirm_email(request): username = request.GET['username'] signature = request.GET['signature'] signer = Signer() try: received_token = str(signer.unsign(signature)) except Exception, e: response = "Invalid URL"
def getReachableQuestionListForSelect(request):
# 检查用户是否登录,并读取session中的用户信息
if USER_SESSION_NAME not in request.session.keys():
return packageResponse(RESULT_CODE.ERROR, RESULT_MESSAGE.NO_LOGIN)
user = request.session[USER_SESSION_NAME]
# 检查是否提供了branchId
if 'branchId' not in request.REQUEST.keys():
return packageResponse(RESULT_CODE.ERROR, RESULT_MESSAGE.NO_ID)
branchIdSigned = request.REQUEST['branchId']
# 对id进行数字签名的检查
try:
signer = Signer()
branchId = signer.unsign(branchIdSigned)
except BadSignature:
# 篡改发现处理
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.BAD_SAGNATURE)
# 检查对象是否还存在
branchList = Branch.objects.filter(id=branchId).select_for_update()
if len(branchList) == 0:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.OBJECT_NOT_EXIST)
branch = branchList[0]
# 检查当前用户是否有权限修改
if branch.createBy.id != user.id:
return packageResult(RESULT_CODE.ERROR, RESULT_MESSAGE.NO_PRIVILEGE)
# 将数据打包
questionList = []
# 导入问卷内的所有可选问题
for question in branch.getReachableQuestionList():
questionList.append({
'num': question.getNum(),
'id': question.getIdSigned(),
'selected': question == branch.nextQuestion,
'type': question.type
})
# 导入系统预定义
for question in branch.getSystemPredefined():
questionList.append({
'num': question.getNum(),
'id': question.getIdSigned(),
'selected': branch.nextQuestion == question,
'type': question.type
})
# 导入为空是系统预定义的下一题
questionList.append({
'num': '下一题',
'id': None,
'selected': branch.nextQuestion is None,
'type': None
})
return packageResponse(RESULT_CODE.SUCCESS, RESULT_MESSAGE.SUCCESS, {'questionList': questionList})
def get(self, request, *args, **kwargs):
signer = Signer()
pk = signer.unsign(self.kwargs['signature'])
map_inst = get_object_or_404(Map, pk=pk)
url = map_inst.get_absolute_url()
response = HttpResponseRedirect(url)
key, value = map_inst.signed_cookie_elements
response.set_signed_cookie(key, value)
return response
def multi_get_files(request, fieldname, noajax=False):
"""
View to retrieve MultiuploaderFiles based on a list of ids.
"""
if request.method == 'GET':
log.info('received GET to get files view')
if not u'form_type' in request.GET:
response_data = [{"error": _("Error when detecting form type, form_type is missing")}]
return HttpResponse(simplejson.dumps(response_data))
signer = Signer()
try:
form_type = signer.unsign(request.GET.get(u"form_type"))
except BadSignature:
response_data = [{"error": _("Tampering detected!")}]
return HttpResponse(simplejson.dumps(response_data))
#log.info('Got file: "%s"' % filename)
result = []
for p in request.GET.getlist(fieldname):
fl = MultiuploaderFile.objects.get(id=p)
thumb_url = ""
try:
thumb_url = get_thumbnail(fl.file, "80x80", quality=50)
except Exception as e:
log.error(e)
#generating json response array
result.append({"id": fl.id,
"name": fl.filename,
"size": fl.file.size,
"url": reverse('multiuploader_file_link', args=[fl.pk]),
"thumbnail_url": thumb_url,
"delete_url": reverse('multiuploader_delete', args=[fl.pk]),
"delete_type": "POST", })
response_data = simplejson.dumps(result)
#checking for json data type
#big thanks to Guy Shapiro
if noajax:
if request.META['HTTP_REFERER']:
redirect(request.META['HTTP_REFERER'])
if "application/json" in request.META['HTTP_ACCEPT_ENCODING']:
mimetype = 'application/json'
else:
mimetype = 'text/plain'
return HttpResponse(response_data, mimetype=mimetype)
else: # POST
return HttpResponse('Only GET accepted')
def get(self, request, *args, **kwargs):
signed_pk = kwargs['signed_pk']
signer = Signer(salt=MIRROR_SIGNING_SALT)
try:
pk = signer.unsign(signed_pk)
except BadSignature as e:
raise SuspiciousOperation(e)
mail = get_object_or_404(Mail, pk=pk)
return HttpResponse(mail.html_body)
def Delete_Deck(request):
deck_id_signed = request.POST.get('deck')
deck_id = None
signer = Signer(request.user.id)
try:
deck_id = signer.unsign(deck_id_signed)
except signing.BadSignature:
print("Tampering detected! Delete deck")
return HttpResponse(json.dumps(errors))
deck = get_object_or_404(Deck, deck_id=deck_id)
deck.deleted_flag = 1
deck.save()
return HttpResponse(json.dumps({"success": "success"}))
def validate_hash(data):
signer = Signer()
sign_code = ''
try:
sign_code = signer.unsign(data['code'])
except:
pass
if data and data['name'] and data['code'] and data['name'] == sign_code:
return True
return False
def get(self, request, *args, **kwargs):
signer = Signer()
try:
pk = signer.unsign(self.kwargs['signature'])
except BadSignature:
return HttpResponseForbidden('Bad Signature')
else:
map_inst = get_object_or_404(Map, pk=pk)
url = map_inst.get_absolute_url()
response = HttpResponseRedirect(url)
if not map_inst.owner:
key, value = map_inst.signed_cookie_elements
response.set_signed_cookie(key, value)
return response
def from_signature(cls, signature):
signer = Signer()
value = signer.unsign(signature)
try:
value = base64.urlsafe_b64decode(value).decode('utf-8')
except binascii.Error:
# Typically, this would indicate a non-base64-encoded value
return None
email, timestamp = value.rsplit(':', 1)
timestamp = float(timestamp)
elapsed = datetime.utcnow() - datetime.utcfromtimestamp(timestamp)
if elapsed > timedelta(days=1):
return None
return cls.objects.get(email=email)
def payment_made_paypal(request, artist_id):
artist = get_object_or_404(Artist.objects.viewable_by(request.user), pk=artist_id)
payment = None
if request.method == "POST":
ipn_received.send(None, query=request.body)
try:
signer = Signer()
item_number = request.POST['item_number']
payment_id = signer.unsign(item_number)
payment = Payment.objects.get(id=payment_id)
except (KeyError, BadSignature, Payment.DoesNotExist):
pass
return render(request, "artshow/payment_made_paypal.html",
{"artist": artist, "payment": payment, "pr_pk": settings.ARTSHOW_PAYMENT_RECEIVED_PK})
def Delete_Card(request):
card_id = request.POST.get('card')
deck_id_signed = request.POST.get('deck')
deck_id = None
signer = Signer(request.user.id)
try:
deck = signer.unsign(deck_id_signed)
except signing.BadSignature:
print("Tampering detected! Delete card")
return HttpResponse(json.dumps(errors))
card = get_object_or_404(Card, card_id=card_id)
card.deleted_flag = 1
card.save()
return HttpResponse(json.dumps({"success": "success"}))
def check_signed_url(signed_url):
tokens = signed_url.rsplit('&checksum=', 1)
# use a maximum of 1 split to make sure that it's separated at rightmost ':'
if len(tokens) == 1:
return 'not verified'
# join the callback url and checksum with ':'
# this is the format requirement to be fed into signer
signed_url = ':'.join(tokens)
try:
signer = Signer()
original = signer.unsign(signed_url)
return 'verified'
except BadSignature:
return 'not verified'
