Esempio n. 1
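    def transformIterable(self, result, encoding):
        """Run the CSRF transform on ``result`` when it applies.

        Every early exit returns ``None`` and leaves the response body as it
        is; the only other outcome is the value of
        ``self.transform(result, encoding)``.  As a side effect the method
        records ``self.site`` (when ``portal_url`` can be acquired) and
        ``self.key_manager`` for the transform to use.

        :param result: the response body iterable handed in by the publisher.
        :param encoding: the response encoding, passed through to
            ``self.transform``.
        """
        if CSRF_DISABLED:
            return

        # Only authenticated users are auto-protected: anonymous requests
        # get neither token injection nor a check from this transform.
        if isAnonymousUser(getSecurityManager().getUser()):
            return

        # On the confirmation view nothing is checked or transformed here.
        # (The comment this replaced spoke of aborting and transforming;
        # this version simply returns -- compare the later revisions that
        # call transaction.abort() and transform.)
        if IConfirmView.providedBy(self.request.get('PUBLISHED')):
            return

        # A resource not attached to a ZODB object has no context to derive
        # keys from; leave it alone.
        context = self.getContext()
        if not context:
            return

        tool = getToolByName(context, 'portal_url', None)
        if tool:
            self.site = tool.getPortalObject()
        # NOTE(review): ``self.site`` is only assigned when portal_url is
        # found; the ``is None`` test below relies on a default set elsewhere
        # (class attribute or __init__) -- confirm it exists.

        try:
            self.key_manager = getUtility(IKeyManager)
        except ComponentLookupError:
            # No site-local key manager registered: use the Zope root keyring.
            root = getRoot(context)
            self.key_manager = getRootKeyManager(root)

        # Indentation normalised: the original over-indented this body,
        # which is legal Python but reads as a stray nesting level.
        if self.site is None and self.key_manager is None:
            # Neither a portal nor a key manager: nothing to sign tokens
            # with, so the key manager is evidently not installed here.
            return

        return self.transform(result, encoding)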
Esempio n. 2
    def transformIterable(self, result, encoding):
        """Decide whether the CSRF transform applies and, if so, run it.

        Each guard below returns ``None`` (body left untouched); the single
        positive outcome is ``self.transform(result, encoding)``.  Along the
        way ``self.site`` (when ``portal_url`` is acquirable) and
        ``self.key_manager`` are stored on the instance for the transform.

        :param result: response body iterable from the publisher.
        :param encoding: response encoding, forwarded to ``self.transform``.
        """
        if CSRF_DISABLED:
            return None

        # Anonymous traffic is not auto-protected by this transform.
        current_user = getSecurityManager().getUser()
        if isAnonymousUser(current_user):
            return None

        # Nothing to do on the confirmation view itself.  (Despite the
        # original comment, this revision exits without transforming.)
        published = self.request.get('PUBLISHED')
        if IConfirmView.providedBy(published):
            return None

        # Static resources have no ZODB context to derive keys from.
        ctx = self.getContext()
        if not ctx:
            return None

        portal_url = getToolByName(ctx, 'portal_url', None)
        if portal_url:
            self.site = portal_url.getPortalObject()

        def locate_key_manager():
            # Prefer the registered utility, else the Zope root keyring.
            try:
                return getUtility(IKeyManager)
            except ComponentLookupError:
                return getRootKeyManager(getRoot(ctx))

        self.key_manager = locate_key_manager()

        no_site = self.site is None
        no_keys = self.key_manager is None
        if no_site and no_keys:
            # Neither a portal nor a key manager: leave the response alone.
            return None

        return self.transform(result, encoding)
Esempio n. 3
    def transformIterable(self, result, encoding):
        """Apply clickjacking and CSRF protection to the outgoing response.

        The ``X-Frame-Options`` header is handled first, even when CSRF
        protection is switched off.  After that a chain of guards decides
        between three outcomes: return ``None`` (body left untouched),
        transform without checking (confirmation view, after rolling back
        the transaction), or run ``self.check()`` and, when it passes,
        ``self.transform``.  ``self.site`` and ``self.key_manager`` are set
        on the way for the transform to use.

        :param result: response body iterable from the publisher.
        :param encoding: response encoding, forwarded to ``self.transform``.
        """
        request = self.request
        response = request.response

        # Clickjacking: only fill in X-Frame-Options when nothing upstream
        # has set it, so an explicit per-view header is respected.
        if X_FRAME_OPTIONS:
            if not response.getHeader('X-Frame-Options'):
                response.setHeader('X-Frame-Options', X_FRAME_OPTIONS)

        if CSRF_DISABLED:
            return None

        # Only authenticated sessions are auto-protected.
        if isAnonymousUser(getSecurityManager().getUser()):
            return None

        # The confirmation view: discard whatever the request wrote and
        # render it without re-running the check.
        if IConfirmView.providedBy(request.get('PUBLISHED')):
            transaction.abort()
            return self.transform(result, encoding)

        ctx = self.getContext()
        if not ctx:
            # Not attached to a ZODB object -- nothing to derive keys from.
            return None

        try:
            portal_tool = getToolByName(ctx, 'portal_url', None)
            if portal_tool:
                self.site = portal_tool.getPortalObject()
        except TypeError:
            # ctx cannot be used for tool lookup; use the component site.
            self.site = getSite()

        try:
            self.key_manager = getUtility(IKeyManager)
        except ComponentLookupError:
            # No site-local key manager: fall back to the Zope root keyring.
            self.key_manager = getRootKeyManager(getRoot(ctx))

        nothing_to_sign_with = (
            self.site is None and self.key_manager is None
        )
        if nothing_to_sign_with:
            return None

        # A failed check redirects (to the confirmation view); the body is
        # not needed in that case.
        if not self.check():
            return None

        return self.transform(result, encoding)
Esempio n. 4
    def transformIterable(self, result, encoding):
        """Apply the transform if required.

        Order of operations, which the caller relies on: (1) fill in a
        missing ``X-Frame-Options`` header regardless of the CSRF settings;
        (2) return ``None`` when protection is disabled, the user is
        anonymous, there is no ZODB context, neither a site nor a key
        manager can be found, or ``self.check()`` fails (a redirect is
        already on its way); (3) on the confirmation view abort the
        transaction and transform without checking; (4) otherwise transform.

        :param result: response body iterable from the publisher.
        :param encoding: response encoding, forwarded to ``self.transform``.
        """
        response = self.request.response
        if X_FRAME_OPTIONS:
            existing = response.getHeader('X-Frame-Options')
            if not existing:
                # Respect a header set explicitly upstream.
                response.setHeader('X-Frame-Options', X_FRAME_OPTIONS)

        protected = not CSRF_DISABLED
        if not protected:
            return

        if isAnonymousUser(getSecurityManager().getUser()):
            # Anonymous requests are not auto-protected.
            return

        published = self.request.get('PUBLISHED')
        if IConfirmView.providedBy(published):
            # Already on the confirmation view: roll back, show it, no check.
            transaction.abort()
            return self.transform(result, encoding)

        context = self.getContext()
        if not context:
            # Resource without a ZODB object behind it.
            return

        def resolve_site():
            # portal_url lookup; a TypeError means the context cannot be
            # used for tool acquisition, so use the component site instead.
            try:
                tool = getToolByName(context, 'portal_url', None)
                if tool:
                    self.site = tool.getPortalObject()
            except TypeError:
                self.site = getSite()

        def resolve_key_manager():
            # Registered utility first, Zope root keyring as fallback.
            try:
                self.key_manager = getUtility(IKeyManager)
            except ComponentLookupError:
                self.key_manager = getRootKeyManager(getRoot(context))

        resolve_site()
        resolve_key_manager()

        if self.site is None and self.key_manager is None:
            # Key manager not installed and no portal: nothing to do.
            return

        if not self.check():
            # Redirecting; the document body is not needed.
            return

        return self.transform(result, encoding)
Esempio n. 5
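def render_ajax_form(context, request, name):
    """Render ajax form on context by view name.

    By default contents of div with id ``content`` gets replaced. If fiddle
    mode or selector needs to get customized, ``bda.plone.ajax.form.mode``
    and ``bda.plone.ajax.form.selector`` must be given as request parameters.

    :param context: content object the view ``name`` is traversed on.
    :param request: the current request; read for the selector, mode and
        continuation parameters.
    :param name: view name resolved via ``restrictedTraverse``, so Zope
        security applies to the lookup.
    :returns: ``ajax_form_template`` filled in with the rendered form (or an
        error placeholder), a fresh CSRF token, selector, mode and the
        continuation payload.  Never raises for a failing form: any
        exception from rendering is turned into the error placeholder.
    """
    import logging

    try:
        key_manager = getUtility(IKeyManager)
    except ComponentLookupError:
        # No site-local key manager registered: use the Zope root keyring.
        key_manager = getRootKeyManager(getRoot(context))
    token = createToken(manager=key_manager)

    # Both outcomes below use the same selector/mode, so read them once.
    # NOTE(review): these values come straight from the request and are
    # interpolated into ``ajax_form_template``; that is only safe if the
    # template (not visible here) escapes them -- confirm.
    selector = request.get('bda.plone.ajax.form.selector', '#content')
    mode = request.get('bda.plone.ajax.form.mode', 'inner')

    try:
        form = context.restrictedTraverse(name)()
        continuation = request.get('bda.plone.ajax.continuation')
        next_ = AjaxFormContinue(continuation).next
    except Exception:
        # Keep a server-side record of what went wrong; previously the
        # traceback was only ever sent to the browser.
        logging.getLogger(__name__).exception(
            'error rendering ajax form %r', name)
        form = '<div>Form rendering error</div>'
        # NOTE(review): the full traceback is returned to the client as the
        # error message.  Handy in development, but it discloses file paths
        # and code to any user who can call the view; consider a generic
        # message unless a debug flag is set.
        tb = format_traceback()
        next_ = AjaxFormContinue([AjaxMessage(tb, 'error', None)]).next

    return ajax_form_template % {
        'form': form,
        'token': token,
        'selector': selector,
        'mode': mode,
        'next': next_,
    }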
Esempio n. 6
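def onUserLogsIn(event):
    """Login-event subscriber: piggy-back key rotation on the login write.

    A login already writes to the database, so this is a cheap moment to
    let the site key manager -- and the Zope root keyring, when one exists --
    rotate their keys if due.

    :param event: the login event; not inspected, it only triggers the call.

    Side effect: the current request is marked with
    ``IDisableCSRFProtection``, which exempts the *whole* login request from
    the automatic CSRF check (presumably because the login form carries no
    token).  Anything else written during that request is unprotected too.
    """
    req = getRequest()
    # getRequest() can return None outside a publishing cycle (tests,
    # scripts).  alsoProvides(None, ...) would raise, while the except
    # branch below already allows for a missing request -- guard it here.
    if req is not None:
        alsoProvides(req, IDisableCSRFProtection)

    try:
        _rotate(getUtility(IKeyManager))
        # The root keyring is optional: getRootKeyManager may return None.
        root_manager = getRootKeyManager(getRoot(getSite()))
        if root_manager:
            _rotate(root_manager)
    except ComponentLookupError:
        url = req.URL if req else ''
        # Logger.warn is a deprecated alias of warning(); lazy %-args.
        LOGGER.warning('cannot find key manager for url %s', url)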
Esempio n. 7
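def onUserLogsIn(event):
    """Check for key rotation when a user logs in.

    The login already writes to the database, so rotating the CSRF signing
    keys here (site key manager first, then the Zope root keyring if there
    is one) costs no extra write.

    :param event: the login event; unused beyond dispatching this handler.

    Side effect: marks the current request with ``IDisableCSRFProtection``.
    That switches the automatic CSRF check off for the entire login request,
    not just for the login form itself -- keep that in mind when adding
    other writes to the login flow.
    """
    req = getRequest()
    if req is not None:
        # Guarded: getRequest() yields None outside a request, and
        # alsoProvides() cannot mark None.  The original only guarded the
        # later URL lookup, not this call.
        alsoProvides(req, IDisableCSRFProtection)

    try:
        manager = getUtility(IKeyManager)
        _rotate(manager)
        # also check rotation of zope root keyring (optional, may be None)
        root = getRoot(getSite())
        manager = getRootKeyManager(root)
        if manager:
            _rotate(manager)
    except ComponentLookupError:
        if req:
            url = req.URL
        else:
            url = ''
        # warning() instead of the deprecated warn(); lazy %-style args.
        LOGGER.warning('cannot find key manager for url %s', url)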