def login(self, request, user_obj, **kw): username = kw.get('username') password = kw.get('password') # simply continue if something else already logged in successfully if user_obj and user_obj.valid: return ContinueLogin(user_obj) if not username and not password: return ContinueLogin(user_obj) _ = request.getText logging.debug("%s: performing login action" % self.name) if username and not password: return ContinueLogin(user_obj, _('Missing password. Please enter user name and password.')) if not username and password: return ContinueLogin(user_obj, _('Missing user name. Please enter user name and password.')) check_surge_protect(request, action='auth-ip') check_surge_protect(request, action='auth-name', username=username) u = user.User(request, name=username, password=password, auth_method=self.name) if u.valid: logging.debug("%s: successfully authenticated user %r (valid)" % (self.name, u.name)) log_attempt("auth/login (moin)", True, request, username) return ContinueLogin(u) else: logging.debug("%s: could not authenticate user %r (not valid)" % (self.name, username)) log_attempt("auth/login (moin)", False, request, username) return ContinueLogin(user_obj, _("Invalid username or password."))
def is_allowed(self): # this is not strictly necessary because the underlying storage code checks # as well _ = self._ may = self.request.user.may allowed = may.write(self.pagename) and may.revert(self.pagename) if not allowed: log_attempt('revert/immutable or no permissions', False, self.request, pagename=self.pagename) return allowed, _('You are not allowed to revert this page!')
def checkPermissions(self): """ Check write permission in form, return error msg @rtype: unicode @return: error message """ _ = self.request.getText page = Page(self.request, self.pagename) if not (page.isWritable() and self.request.user.may.read(self.pagename)): # Same error as the edit page for localization reasons log_attempt('newpage/immutable or no permissions', False, self.request, pagename=self.pagename) return _('You are not allowed to edit this page.') return ''
def setup_setuid(request, userobj): """ Check for setuid conditions in the session and setup an user object accordingly. Returns a tuple of the new user objects. @param request: a moin request object @param userobj: a moin user object @rtype: boolean @return: (new_user, user) or (user, None) """ old_user = None if 'setuid' in request.session and userobj and userobj.isSuperUser(): old_user = userobj uid = request.session['setuid'] userobj = user.User(request, uid, auth_method='setuid') userobj.valid = True log_attempt("auth/login (setuid from %r)" % old_user.name, True, request, userobj.name) logging.debug("setup_suid returns %r, %r" % (userobj, old_user)) return (userobj, old_user)
def request(self, request, user_obj, **kw): u = None _ = request.getText # always revalidate auth if user_obj and user_obj.auth_method == self.name: user_obj = None # something else authenticated before us if user_obj: logging.debug("already authenticated, doing nothing") return user_obj, True if self.user_name is not None: auth_username = self.user_name elif self.env_var is None: auth_username = request.remote_user else: auth_username = request.environ.get(self.env_var) logging.debug("auth_username = %r" % auth_username) if auth_username: auth_username = self.decode_username(auth_username) auth_username = self.transform_username(auth_username) logging.debug("auth_username (after decode/transform) = %r" % auth_username) u = user.User(request, auth_username=auth_username, auth_method=self.name, auth_attribs=('name', 'password')) logging.debug("u: %r" % u) if u and self.autocreate: logging.debug("autocreating user") u.create_or_update() if u and u.valid: logging.debug("returning valid user %r" % u) log_attempt("auth/request (given)", True, request, auth_username) return u, True # True to get other methods called, too else: logging.debug("returning %r" % user_obj) if u and not u.valid: log_attempt("auth/request (given)", False, request, auth_username) return user_obj, True
def handle_action(context, pagename, action_name='show'): """ Actual dispatcher function for non-XMLRPC actions. Also sets up the Page object for this request, normalizes and redirects to canonical pagenames and checks for non-allowed actions. """ _ = context.getText cfg = context.cfg # pagename could be empty after normalization e.g. '///' -> '' # Use localized FrontPage if pagename is empty if not pagename: context.page = wikiutil.getFrontPage(context) else: context.page = Page(context, pagename) if '_' in pagename and not context.page.exists(): pagename = pagename.replace('_', ' ') page = Page(context, pagename) if page.exists(): url = page.url(context) return context.http_redirect(url) msg = None # Complain about unknown actions if not action_name in get_names(cfg): msg = _("Unknown action %(action_name)s.") % { 'action_name': wikiutil.escape(action_name), } # Disallow non available actions elif action_name[0].isupper() and not action_name in \ get_available_actions(cfg, context.page, context.user): msg = _("You are not allowed to do %(action_name)s on this page.") % { 'action_name': wikiutil.escape(action_name), } if context.user.valid: log_attempt(action_name + '/action unavailable', False, context.request, context.user.name, pagename=pagename) else: log_attempt(action_name + '/action unavailable', False, context.request, pagename=pagename) # Suggest non valid user to login msg += " " + _("Login and try again.") if msg: context.theme.add_msg(msg, "error") context.page.send_page() # Try action else: from MoinMoin import action handler = action.getHandler(context, action_name) if handler is None: msg = _( "You are not allowed to do %(action_name)s on this page.") % { 'action_name': wikiutil.escape(action_name), } if context.user.valid: log_attempt(action_name + '/no handler', False, context.request, context.user.name, pagename=pagename) else: log_attempt(action_name + '/no handler', False, context.request, pagename=pagename) # Suggest non valid user to login msg += " " + _("Login and try again.") context.theme.add_msg(msg, "error") context.page.send_page() else: handler(context.page.page_name, context) return context
def __init__(self, request, user): log_attempt('account/created', True, request, user.name) Event.__init__(self, request) self.user = user
def execute(pagename, request): """ edit a page """ _ = request.getText if 'button_preview' in request.form and 'button_spellcheck' in request.form: # multiple buttons pressed at once? must be some spammer/bot check_surge_protect(request, kick=True) # get rid of him return if not request.user.may.write(pagename): log_attempt('edit/no permissions', False, request, pagename=pagename) page = wikiutil.getLocalizedPage(request, 'PermissionDeniedPage') page.body = _('You are not allowed to edit this page.') page.page_name = pagename page.send_page(send_special=True) return valideditors = ['text', 'gui', ] editor = '' if request.user.valid: editor = request.user.editor_default if editor not in valideditors: editor = request.cfg.editor_default editorparam = request.values.get('editor', editor) if editorparam == "guipossible": lasteditor = editor elif editorparam == "textonly": editor = lasteditor = 'text' else: editor = lasteditor = editorparam if request.cfg.editor_force: editor = request.cfg.editor_default # if it is still nothing valid, we just use the text editor if editor not in valideditors: editor = 'text' rev = request.rev or 0 savetext = request.form.get('savetext') comment = request.form.get('comment', u'') category = request.form.get('category') rstrip = int(request.form.get('rstrip', '0')) trivial = int(request.form.get('trivial', '0')) if 'button_switch' in request.form: if editor == 'text': editor = 'gui' else: # 'gui' editor = 'text' # load right editor class if editor == 'gui': from MoinMoin.PageGraphicalEditor import PageGraphicalEditor pg = PageGraphicalEditor(request, pagename) else: # 'text' from MoinMoin.PageEditor import PageEditor pg = PageEditor(request, pagename) # is invoked without savetext start editing if savetext is None or 'button_load_draft' in request.form: pg.sendEditor() return # did user hit cancel button? cancelled = 'button_cancel' in request.form from MoinMoin.error import ConvertError try: if lasteditor == 'gui': # convert input from Graphical editor format = request.form.get('format', 'wiki') if format == 'wiki': converter_name = 'text_html_text_moin_wiki' else: converter_name = 'undefined' # XXX we don't have other converters yet convert = wikiutil.importPlugin(request.cfg, "converter", converter_name, 'convert') savetext = convert(request, pagename, savetext) # IMPORTANT: normalize text from the form. This should be done in # one place before we manipulate the text. savetext = pg.normalizeText(savetext, stripspaces=rstrip) except ConvertError: # we don't want to throw an exception if user cancelled anyway if not cancelled: raise if cancelled: pg.sendCancel(savetext or "", rev) pagedir = pg.getPagePath(check_create=0) import os if not os.listdir(pagedir): os.removedirs(pagedir) return comment = wikiutil.clean_input(comment) # Add category # TODO: this code does not work with extended links, and is doing # things behind your back, and in general not needed. Either we have # a full interface for categories (add, delete) or just add them by # markup. if category and category != _('<No addition>'): # opera 8.5 needs this # strip trailing whitespace savetext = savetext.rstrip() # Add category separator if last non-empty line contains # non-categories. lines = [line for line in savetext.splitlines() if line] if lines: #TODO: this code is broken, will not work for extended links #categories, e.g ["category hebrew"] categories = lines[-1].split() if categories: confirmed = wikiutil.filterCategoryPages(request, categories) if len(confirmed) < len(categories): # This was not a categories line, add separator savetext += u'\n----\n' # Add new category if savetext and savetext[-1] != u'\n': savetext += ' ' savetext += category + u'\n' # Should end with newline! if (request.cfg.edit_ticketing and not wikiutil.checkTicket(request, request.form.get('ticket', ''))): request.theme.add_msg(_('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'edit' }, "error") pg.sendEditor(preview=savetext, comment=comment, staytop=1) # Preview, spellcheck or spellcheck add new words elif ('button_preview' in request.form or 'button_spellcheck' in request.form or 'button_newwords' in request.form): pg.sendEditor(preview=savetext, comment=comment) # Preview with mode switch elif 'button_switch' in request.form: pg.sendEditor(preview=savetext, comment=comment, staytop=1) # Save new text else: try: from MoinMoin.security.textcha import TextCha if not TextCha(request).check_answer_from_form(): raise pg.SaveError(_('TextCha: Wrong answer! Try again below...')) if request.cfg.comment_required and not comment: raise pg.SaveError(_('Supplying a comment is mandatory. Write a comment below and try again...')) savemsg = pg.saveText(savetext, rev, trivial=trivial, comment=comment) except pg.EditConflict, e: msg = e.message # Handle conflict and send editor pg.set_raw_body(savetext, modified=1) pg.mergeEditConflict(rev) # We don't send preview when we do merge conflict pg.sendEditor(msg=msg, comment=comment) return except pg.SaveError, msg: # Show the error message request.theme.add_msg(unicode(msg), "error") # And show the editor again pg.sendEditor(preview=savetext, comment=comment, staytop=1) return
def handle_action(context, pagename, action_name="show"): """ Actual dispatcher function for non-XMLRPC actions. Also sets up the Page object for this request, normalizes and redirects to canonical pagenames and checks for non-allowed actions. """ _ = context.getText cfg = context.cfg # pagename could be empty after normalization e.g. '///' -> '' # Use localized FrontPage if pagename is empty if not pagename: context.page = wikiutil.getFrontPage(context) else: context.page = Page(context, pagename) if "_" in pagename and not context.page.exists(): pagename = pagename.replace("_", " ") page = Page(context, pagename) if page.exists(): url = page.url(context) return context.http_redirect(url) msg = None # Complain about unknown actions if not action_name in get_names(cfg): msg = _("Unknown action %(action_name)s.") % {"action_name": wikiutil.escape(action_name)} # Disallow non available actions elif action_name[0].isupper() and not action_name in get_available_actions(cfg, context.page, context.user): msg = _("You are not allowed to do %(action_name)s on this page.") % { "action_name": wikiutil.escape(action_name) } if context.user.valid: log_attempt( action_name + "/action unavailable", False, context.request, context.user.name, pagename=pagename ) else: log_attempt(action_name + "/action unavailable", False, context.request, pagename=pagename) # Suggest non valid user to login msg += " " + _("Login and try again.") if msg: context.theme.add_msg(msg, "error") context.page.send_page() # Try action else: from MoinMoin import action handler = action.getHandler(context, action_name) if handler is None: msg = _("You are not allowed to do %(action_name)s on this page.") % { "action_name": wikiutil.escape(action_name) } if context.user.valid: log_attempt(action_name + "/no handler", False, context.request, context.user.name, pagename=pagename) else: log_attempt(action_name + "/no handler", False, context.request, pagename=pagename) # Suggest non valid user to login msg += " " + _("Login and try again.") context.theme.add_msg(msg, "error") context.page.send_page() else: handler(context.page.page_name, context) return context