def page_internal_edit_post(request):
    """Create or update the internal page named in the URL from the posted form.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    page_query_svc = request.find_service(IPageQueryService)
    page_slug = request.matchdict["page"]
    try:
        page = page_query_svc.internal_page_from_slug(page_slug)
    except ValueError:
        # A slug the query service rejects outright is reported as not found.
        raise HTTPNotFound()
    except NoResultFound:
        # No such page yet: the form is validated without an object and the
        # page is created instead of updated.
        page = None

    form = (
        AdminPageForm(request.POST, obj=page, request=request)
        if page
        else AdminPageForm(request.POST, request=request)
    )
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"page_slug": page_slug, "page": page, "form": form}

    body = form.body.data
    if page:
        page = request.find_service(IPageUpdateService).update_internal(page.slug, body=body)
    else:
        page = request.find_service(IPageCreateService).create_internal(page_slug, body=body)
    location = request.route_path(route_name="admin_page_internal", page=page.slug)
    return HTTPFound(location=location)
def page_internal_delete_post(request):
    """Delete the internal page named in the URL and redirect to the page list.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    slug = request.matchdict["page"]
    delete_svc = request.find_service(IPageDeleteService)
    delete_svc.delete_internal(slug)
    return HTTPFound(location=request.route_path(route_name="admin_pages"))
def board_topic_new_post(request):
    """Create a topic on a board on behalf of the logged-in admin user.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board_query_svc = request.find_service(IBoardQueryService)
    board = board_query_svc.board_from_slug(request.matchdict["board"])
    user_login_svc = request.find_service(IUserLoginService)
    ip_address = request.client_addr
    user = user_login_svc.user_from_token(request.authenticated_userid, ip_address)

    form = TopicForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "user": user, "form": form}

    topic_create_svc = request.find_service(ITopicCreateService)
    topic = topic_create_svc.create_with_user(
        board.slug, user.id, form.title.data, form.body.data, ip_address
    )
    # Flush so the new topic has an id before it is used in the redirect.
    request.find_service(name="db").flush()
    location = request.route_path(
        route_name="admin_board_topic", board=board.slug, topic=topic.id
    )
    return HTTPFound(location=location)
def board_topic_posts_delete_post(request):
    """Delete the posts selected by the optional ``query`` from a topic.

    The opening post (number 1) is never deleted through this view: a
    selection that starts with it, or matches nothing, is a 404.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board = request.find_service(IBoardQueryService).board_from_slug(
        request.matchdict["board"]
    )
    topic_id = request.matchdict["topic"]
    topic = request.find_service(ITopicQueryService).topic_from_id(topic_id)
    if topic.board_id != board.id:
        # The topic exists but belongs to another board: hide it.
        raise HTTPNotFound(request.path)

    query = request.matchdict.get("query")
    posts = request.find_service(IPostQueryService).list_from_topic_id(topic_id, query)
    if not posts or posts[0].number == 1:
        raise HTTPNotFound(request.path)

    delete_svc = request.find_service(IPostDeleteService)
    for post in posts:
        delete_svc.delete_from_topic_id(post.topic_id, post.number)
    location = request.route_path(
        route_name="admin_board_topic_posts",
        board=board.slug,
        topic=topic.id,
        query="recent",
    )
    return HTTPFound(location=location)
def board_topic_edit_post(request):
    """Update a topic's status from the admin form.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board = request.find_service(IBoardQueryService).board_from_slug(
        request.matchdict["board"]
    )
    topic = request.find_service(ITopicQueryService).topic_from_id(
        request.matchdict["topic"]
    )
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    form = AdminTopicForm(request.POST, obj=topic, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "topic": topic, "form": form}

    request.find_service(ITopicUpdateService).update(topic.id, status=form.status.data)
    location = request.route_path(
        route_name="admin_board_topic_posts",
        board=board.slug,
        topic=topic.id,
        query="recent",
    )
    return HTTPFound(location=location)
def board_topic_new_post(request):
    """Create a topic on a board, attributed to the currently logged-in user.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board_slug = request.matchdict["board"]
    board = request.find_service(IBoardQueryService).board_from_slug(board_slug)
    login_svc = request.find_service(IUserLoginService)
    client_ip = request.client_addr
    user = login_svc.user_from_token(request.authenticated_userid, client_ip)

    form = TopicForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "user": user, "form": form}

    create_svc = request.find_service(ITopicCreateService)
    topic = create_svc.create_with_user(
        board.slug,
        user.id,
        form.title.data,
        form.body.data,
        client_ip,
    )
    # Flush so topic.id is assigned before building the redirect.
    dbsession = request.find_service(name="db")
    dbsession.flush()
    return HTTPFound(
        location=request.route_path(
            route_name="admin_board_topic", board=board.slug, topic=topic.id
        )
    )
def board_topic_edit_post(request):
    """Apply the admin topic form (status only) to a topic and redirect to its posts.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board_query_svc = request.find_service(IBoardQueryService)
    topic_query_svc = request.find_service(ITopicQueryService)
    board = board_query_svc.board_from_slug(request.matchdict["board"])
    topic = topic_query_svc.topic_from_id(request.matchdict["topic"])
    if topic.board_id != board.id:
        # Topic/board mismatch in the URL is treated as a missing resource.
        raise HTTPNotFound(request.path)

    form = AdminTopicForm(request.POST, obj=topic, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "topic": topic, "form": form}

    update_svc = request.find_service(ITopicUpdateService)
    update_svc.update(topic.id, status=form.status.data)
    return HTTPFound(
        location=request.route_path(
            route_name="admin_board_topic_posts",
            board=board.slug,
            topic=topic.id,
            query="recent",
        )
    )
def board_topic_post(request):
    """Add a post to a topic on behalf of the logged-in admin user.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board = request.find_service(IBoardQueryService).board_from_slug(
        request.matchdict["board"]
    )
    topic = request.find_service(ITopicQueryService).topic_from_id(
        request.matchdict["topic"]
    )
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    client_ip = request.client_addr
    user = request.find_service(IUserLoginService).user_from_token(
        request.authenticated_userid, client_ip
    )
    form = PostForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "topic": topic, "user": user, "form": form}

    request.find_service(IPostCreateService).create_with_user(
        topic.id, user.id, form.body.data, form.bumped.data, client_ip
    )
    location = request.route_path(
        route_name="admin_board_topic_posts",
        board=board.slug,
        topic=topic.id,
        query="recent",
    )
    return HTTPFound(location=location)
def board_topic_posts_delete_post(request):
    """Delete a range of posts from a topic, never including the opening post.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board_query_svc = request.find_service(IBoardQueryService)
    topic_query_svc = request.find_service(ITopicQueryService)
    board = board_query_svc.board_from_slug(request.matchdict["board"])
    topic_id = request.matchdict["topic"]
    topic = topic_query_svc.topic_from_id(topic_id)
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    query = request.matchdict["query"] if "query" in request.matchdict else None
    post_query_svc = request.find_service(IPostQueryService)
    posts = post_query_svc.list_from_topic_id(topic_id, query)
    # An empty selection, or one that starts at post 1, is refused.
    if not posts or posts[0].number == 1:
        raise HTTPNotFound(request.path)

    post_delete_svc = request.find_service(IPostDeleteService)
    for post in posts:
        post_delete_svc.delete_from_topic_id(post.topic_id, post.number)
    return HTTPFound(
        location=request.route_path(
            route_name="admin_board_topic_posts",
            board=board.slug,
            topic=topic.id,
            query="recent",
        )
    )
def csrf_view(context, request):
    """Wrap ``view`` with CSRF origin and token checks on unsafe HTTP methods.

    ``safe_methods``, ``callback``, ``token``, ``header`` and ``view`` are
    taken from the enclosing scope. When ``callback`` is given it can opt a
    request out of the check by returning a falsy value.
    """
    needs_check = request.method not in safe_methods
    if needs_check and callback is not None:
        needs_check = bool(callback(request))
    if needs_check:
        check_csrf_origin(request, raises=True)
        check_csrf_token(request, token, header, raises=True)
    return view(context, request)
def page_internal_edit_post(request):
    """Save the admin form as the internal page for the URL's slug, creating it if absent.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    slug = request.matchdict["page"]
    query_svc = request.find_service(IPageQueryService)
    try:
        existing = query_svc.internal_page_from_slug(slug)
    except ValueError:
        raise HTTPNotFound()
    except NoResultFound:
        existing = None

    form_kwargs = {"request": request}
    if existing:
        form_kwargs["obj"] = existing
    form = AdminPageForm(request.POST, **form_kwargs)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"page_slug": slug, "page": existing, "form": form}

    if existing:
        update_svc = request.find_service(IPageUpdateService)
        saved = update_svc.update_internal(existing.slug, body=form.body.data)
    else:
        create_svc = request.find_service(IPageCreateService)
        saved = create_svc.create_internal(slug, body=form.body.data)
    return HTTPFound(
        location=request.route_path(route_name="admin_page_internal", page=saved.slug)
    )
def board_topic_post(request):
    """Create a reply in a topic, attributed to the logged-in admin user.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board_query_svc = request.find_service(IBoardQueryService)
    topic_query_svc = request.find_service(ITopicQueryService)
    board = board_query_svc.board_from_slug(request.matchdict["board"])
    topic = topic_query_svc.topic_from_id(request.matchdict["topic"])
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    login_svc = request.find_service(IUserLoginService)
    ip_address = request.client_addr
    user = login_svc.user_from_token(request.authenticated_userid, ip_address)

    form = PostForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "topic": topic, "user": user, "form": form}

    create_svc = request.find_service(IPostCreateService)
    create_svc.create_with_user(
        topic.id,
        user.id,
        form.body.data,
        form.bumped.data,
        ip_address,
    )
    return HTTPFound(
        location=request.route_path(
            route_name="admin_board_topic_posts",
            board=board.slug,
            topic=topic.id,
            query="recent",
        )
    )
def csrf_view(context, request):
    """Run CSRF origin and token checks for unsafe methods, then delegate to ``view``.

    ``safe_methods``, ``callback``, ``token``, ``header`` and ``view`` come
    from the enclosing scope; both checks raise on failure.
    """
    is_unsafe = request.method not in safe_methods
    opted_in = callback is None or callback(request)
    if is_unsafe and opted_in:
        check_csrf_origin(request, raises=True)
        check_csrf_token(request, token, header, raises=True)
    return view(context, request)
def page_new_post(request):
    """Create a public page from the admin form and redirect to it.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    form = AdminPublicPageNewForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    create_svc = request.find_service(IPageCreateService)
    page = create_svc.create(
        form.slug.data,
        title=form.title.data,
        body=form.body.data,
    )
    location = request.route_path(route_name="admin_page", page=page.slug)
    return HTTPFound(location=location)
def validator(node, cstruct):
    """Colander validator that rejects the node unless the request carries a valid CSRF token.

    ``request`` is taken from the enclosing scope and the token is read from
    the field named like the node. check_csrf_token also honours the
    X-CSRF-Token request header. Whether this belongs here at all is an open
    question, since pyramid can run CSRF validation on unsafe methods itself.
    """
    token_ok = check_csrf_token(request, node.name, raises=False)
    if token_ok:
        return
    raise colander.Invalid(node, "Invalid CSRF Token!")
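def delete_banner_view(self):
    """Delete the banner named by the ``id`` URL match, unlink its image, and redirect.

    :raises HTTPBadRequest: the CSRF token check failed.
    :raises HTTPNotFound: ``id`` is not an integer or no banner has that id.
    :raises HTTPInternalServerError: the database lookup or delete failed.
    :return: HTTPFound to the ``admin_view`` route.
    """
    if not check_csrf_token(self.request):
        raise HTTPBadRequest
    # int() raises on a non-numeric id rather than returning None, so the
    # old ``if bid is None`` test could never fire; catch the error instead.
    try:
        bid = int(self.request.matchdict['id'])
    except (TypeError, ValueError):
        raise HTTPNotFound
    try:
        banner = DBSession.query(Banner).filter(Banner.id == bid).first()
    except Exception as e:
        log.debug(e)
        raise HTTPInternalServerError
    # Checked outside the try: inside it the broad ``except Exception``
    # turned this 404 into a 500.
    if banner is None:
        raise HTTPNotFound
    try:
        # image_path is read back from the database; resolve it and confine
        # the unlink to the server/ tree so a stored path cannot name a file
        # outside it.
        base = os.path.realpath("server")
        image = os.path.realpath(f"server/{banner.image_path}")
        if os.path.commonpath([base, image]) == base and os.path.exists(image):
            os.remove(image)
        DBSession.delete(banner)
    except Exception as e:
        log.debug(e)
        raise HTTPInternalServerError
    url = self.request.route_url('admin_view')
    return HTTPFound(url)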
def page_edit_post(request):
    """Update a public page's title and body from the admin form.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    query_svc = request.find_service(IPageQueryService)
    page = query_svc.public_page_from_slug(request.matchdict["page"])

    form = AdminPublicPageForm(request.POST, obj=page, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"page": page, "form": form}

    update_svc = request.find_service(IPageUpdateService)
    page = update_svc.update(
        page.slug,
        title=form.title.data,
        body=form.body.data,
    )
    location = request.route_path(route_name="admin_page", page=page.slug)
    return HTTPFound(location=location)
def page_new_post(request):
    """Create a public page with the slug, title and body posted in the admin form.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    form = AdminPublicPageNewForm(request.POST, request=request)
    if form.validate():
        page_create_svc = request.find_service(IPageCreateService)
        page = page_create_svc.create(
            form.slug.data, title=form.title.data, body=form.body.data
        )
        return HTTPFound(
            location=request.route_path(route_name="admin_page", page=page.slug)
        )
    request.response.status = "400 Bad Request"
    return {"form": form}
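def __init__(self, request):
    """Validate an incoming RPC request before any method is dispatched.

    Checks run in order: session, CSRF token, client version. A
    ``wechat.jssdk.config`` call from a weixin client is exempted from all
    three by the early return below; keep that exemption narrow.

    :param request: The pyramid request. ``request.body`` is expected to be
        a JSON object carrying a ``method`` key.
    :raises HTTPForbidden: no established session (non-bot clients only) or
        an invalid CSRF token.
    :raises RPCClientVersionError: the X-Client-Version header is present and
        differs from ``siteConfig.version``.
    """
    # common class variables
    self.request = request
    self.sess = DBSession()

    body = request.body.decode('utf8')
    payload = json.loads(body)
    # .get() rather than [] so a body without "method" (or a non-object
    # body) cannot raise before the session and CSRF checks below have run.
    method = payload.get('method') if isinstance(payload, dict) else None

    if request.is_weixin and method == 'wechat.jssdk.config':
        return

    # Step 1: check for valid session
    #
    # For any rpc request from a client which does not declare itself
    # as bot, a proper session must be present. Otherwise we block it
    if not request.is_bot and (not request.session or request.session.new):
        # request.log(action='REJECT_RPC', title='RPC no valid session',
        #             payload=body[:300])
        raise HTTPForbidden()

    # Step 2: check for valid csrf
    #
    # We are not using the csrf checking mechanism of view predicate
    # provided by pyramid since it does not allow us to block the
    # malicious IP and log the event.
    if not check_csrf_token(request, raises=False):
        # request.log(action='REJECT_RPC', title='RPC bad csrf token',
        #             payload=body[:300])
        raise HTTPForbidden()

    # Step 3: reject clients built against a different release.
    version = request.headers.get('X-Client-Version')
    if version and version != siteConfig.version:
        raise RPCClientVersionError()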
def board_topic_delete_post(request):
    """Delete a topic after confirming it belongs to the board in the URL.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board = request.find_service(IBoardQueryService).board_from_slug(
        request.matchdict["board"]
    )
    topic_id = request.matchdict["topic"]
    topic = request.find_service(ITopicQueryService).topic_from_id(topic_id)
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    request.find_service(ITopicDeleteService).delete(topic_id)
    location = request.route_path(route_name="admin_board_topics", board=board.slug)
    return HTTPFound(location=location)
def page_edit_post(request):
    """Apply the admin form to an existing public page and redirect to it.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    page_query_svc = request.find_service(IPageQueryService)
    page_slug = request.matchdict["page"]
    page = page_query_svc.public_page_from_slug(page_slug)

    form = AdminPublicPageForm(request.POST, obj=page, request=request)
    if form.validate():
        page_update_svc = request.find_service(IPageUpdateService)
        page = page_update_svc.update(
            page.slug, title=form.title.data, body=form.body.data
        )
        return HTTPFound(
            location=request.route_path(route_name="admin_page", page=page.slug)
        )
    request.response.status = "400 Bad Request"
    return {"page": page, "form": form}
def board_topic_delete_post(request):
    """Delete the topic in the URL; a topic on a different board is a 404.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board_query_svc = request.find_service(IBoardQueryService)
    topic_query_svc = request.find_service(ITopicQueryService)
    board = board_query_svc.board_from_slug(request.matchdict["board"])
    topic_id = request.matchdict["topic"]
    topic = topic_query_svc.topic_from_id(topic_id)
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    delete_svc = request.find_service(ITopicDeleteService)
    delete_svc.delete(topic_id)
    return HTTPFound(
        location=request.route_path(route_name="admin_board_topics", board=board.slug)
    )
def setup_post(request):
    """Finish first-run setup: record the setup version and create the first admin user.

    Only reachable while ``_setup_required`` still reports pending setup;
    afterwards the route answers 404 so the admin account cannot be re-created.

    :param request: A :class:`pyramid.request.Request` object.
    """
    if not _setup_required(None, request):
        raise HTTPNotFound()
    check_csrf_token(request)

    form = AdminSetupForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    request.find_service(ISettingUpdateService).update("setup.version", __VERSION__)
    request.find_service(IUserCreateService).create(
        None,
        form.username.data,
        form.password.data,
        form.name.data,
        ["admin"],
    )
    return HTTPFound(location=request.route_path(route_name="admin_root"))
def setup_post(request):
    """Handle the first-run setup form: mark setup done and create the admin user.

    :param request: A :class:`pyramid.request.Request` object.
    """
    # Setup is a one-shot route: once done it is indistinguishable from a 404.
    if not _setup_required(None, request):
        raise HTTPNotFound()
    check_csrf_token(request)

    form = AdminSetupForm(request.POST, request=request)
    if form.validate():
        setting_update_svc = request.find_service(ISettingUpdateService)
        setting_update_svc.update("setup.version", __VERSION__)
        user_create_svc = request.find_service(IUserCreateService)
        user_create_svc.create(
            None, form.username.data, form.password.data, form.name.data, ["admin"]
        )
        return HTTPFound(location=request.route_path(route_name="admin_root"))
    request.response.status = "400 Bad Request"
    return {"form": form}
def setting_post(request):
    """Update one setting from the admin form; an unknown key is a 404.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    key = request.matchdict["setting"]
    query_svc = request.find_service(ISettingQueryService)
    try:
        # Existence probe only; safe_keys=True presumably limits the lookup
        # to keys the admin UI may edit — confirm against the service.
        query_svc.value_from_key(key, use_cache=False, safe_keys=True)
    except KeyError:
        raise HTTPNotFound()

    form = AdminSettingForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"key": key, "form": form}

    # The posted value is JSON text; a decode failure here is not turned
    # into a form error, so the form is presumably validating it already.
    value = json.loads(form.value.data)
    request.find_service(ISettingUpdateService).update(key, value)
    return HTTPFound(location=request.route_path(route_name="admin_settings"))
def banword_new_post(request):
    """Create a banword from the admin form and redirect to its detail page.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    form = AdminBanwordForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    create_svc = request.find_service(IBanwordCreateService)
    banword = create_svc.create(
        form.expr.data,
        description=form.description.data,
        active=form.active.data,
    )
    # Explicitly flush so that ID is available.
    request.find_service(name="db").flush()
    location = request.route_path(route_name="admin_banword", banword=banword.id)
    return HTTPFound(location=location)
def banword_edit_post(request):
    """Update an existing banword from the admin form.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    query_svc = request.find_service(IBanwordQueryService)
    banword = query_svc.banword_from_id(request.matchdict["banword"])

    form = AdminBanwordForm(request.POST, obj=banword, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"banword": banword, "form": form}

    update_svc = request.find_service(IBanwordUpdateService)
    banword = update_svc.update(
        banword.id,
        expr=form.expr.data,
        description=form.description.data,
        active=form.active.data,
    )
    location = request.route_path(route_name="admin_banword", banword=banword.id)
    return HTTPFound(location=location)
def board_new_post(request):
    """Create a board from the admin form and redirect to it.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    form = AdminBoardNewForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    # ``settings`` is posted as JSON text; decoding happens here, so a bad
    # document raises rather than re-rendering the form.
    settings = json.loads(form.settings.data)
    create_svc = request.find_service(IBoardCreateService)
    board = create_svc.create(
        form.slug.data,
        title=form.title.data,
        description=form.description.data,
        status=form.status.data,
        agreements=form.agreements.data,
        settings=settings,
    )
    location = request.route_path(route_name="admin_board", board=board.slug)
    return HTTPFound(location=location)
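def process_interstitial(request: Request, choices: t.List[Choice], *args, **kwargs):
    """Dispatch to the callback of whichever interstitial button the user pressed.

    For an example use case see :py:class:`websauna.system.crud.views.Delete`.

    :param request: The current request; must be a POST.
    :param choices: Candidate choices; the first whose ``id`` appears in
        ``request.POST`` wins.
    :param args: Passed to choice callback
    :param kwargs: Passed to choice callback
    :return: HTTP response given by a choice callback
    :raise HTTPBadRequest: the request is not a POST, or no known choice was
        submitted.
    """
    # An explicit check rather than ``assert``: asserts are stripped under
    # ``python -O`` and this one gates the CSRF check below.
    if request.method != "POST":
        raise HTTPBadRequest("Interstitial choices must be submitted with POST")

    # Force CSRF check always
    check_csrf_token(request)

    posted = request.POST
    for choice in choices:
        if choice.id in posted:
            return choice.callback(*args, **kwargs)

    raise HTTPBadRequest("Unknown choice made")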
def ban_edit_post(request):
    """Update an IP ban from the admin form and redirect to its detail page.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    query_svc = request.find_service(IBanQueryService)
    ban = query_svc.ban_from_id(request.matchdict["ban"])

    form = AdminBanForm(request.POST, obj=ban, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"ban": ban, "form": form}

    update_svc = request.find_service(IBanUpdateService)
    ban = update_svc.update(
        ban.id,
        ip_address=form.ip_address.data,
        description=form.description.data,
        duration=form.duration.data,
        scope=form.scope.data,
        active=form.active.data,
    )
    location = request.route_path(route_name="admin_ban", ban=ban.id)
    return HTTPFound(location=location)
def ban_new_post(request):
    """Create an IP ban from the admin form and redirect to its detail page.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    form = AdminBanForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    create_svc = request.find_service(IBanCreateService)
    ban = create_svc.create(
        form.ip_address.data,
        description=form.description.data,
        duration=form.duration.data,
        scope=form.scope.data,
        active=form.active.data,
    )
    # Explicitly flush so that ID is available.
    request.find_service(name="db").flush()
    location = request.route_path(route_name="admin_ban", ban=ban.id)
    return HTTPFound(location=location)
def ban_edit_post(request):
    """Apply the admin ban form to an existing ban.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    ban_query_svc = request.find_service(IBanQueryService)
    ban_id = request.matchdict["ban"]
    ban = ban_query_svc.ban_from_id(ban_id)

    form = AdminBanForm(request.POST, obj=ban, request=request)
    if form.validate():
        ban_update_svc = request.find_service(IBanUpdateService)
        ban = ban_update_svc.update(
            ban.id,
            ip_address=form.ip_address.data,
            description=form.description.data,
            duration=form.duration.data,
            scope=form.scope.data,
            active=form.active.data,
        )
        return HTTPFound(
            location=request.route_path(route_name="admin_ban", ban=ban.id)
        )
    request.response.status = "400 Bad Request"
    return {"ban": ban, "form": form}
def banword_edit_post(request):
    """Apply the admin banword form (expression, description, scope, active flag) to a banword.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    banword_query_svc = request.find_service(IBanwordQueryService)
    banword_id = request.matchdict["banword"]
    banword = banword_query_svc.banword_from_id(banword_id)

    form = AdminBanwordForm(request.POST, obj=banword, request=request)
    if form.validate():
        banword_update_svc = request.find_service(IBanwordUpdateService)
        banword = banword_update_svc.update(
            banword.id,
            expr=form.expr.data,
            description=form.description.data,
            scope=form.scope.data,
            active=form.active.data,
        )
        return HTTPFound(
            location=request.route_path(route_name="admin_banword", banword=banword.id)
        )
    request.response.status = "400 Bad Request"
    return {"banword": banword, "form": form}
def login_post(request):
    """Perform user login.

    Already-authenticated requests are refused with 403. A failed
    ``authenticate()`` re-renders the form with the default status and no
    field error — presumably the template shows a generic message; confirm.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    if authenticated_userid(request):
        raise HTTPForbidden

    form = AdminLoginForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    login_svc = request.find_service(IUserLoginService)
    username = form.username.data
    if not login_svc.authenticate(username, form.password.data):
        return {"form": form}

    # The session token is bound to the client address it was issued for.
    token = login_svc.token_for(username, request.client_addr)
    headers = remember(request, token)
    location = request.route_path(route_name="admin_dashboard")
    return HTTPFound(headers=headers, location=location)
def login_post(request):
    """Perform user login.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    # Logging in on top of an existing session is refused rather than replaced.
    if authenticated_userid(request):
        raise HTTPForbidden

    form = AdminLoginForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    user_login_svc = request.find_service(IUserLoginService)
    credentials_ok = user_login_svc.authenticate(
        form.username.data, form.password.data
    )
    if not credentials_ok:
        # NOTE(review): the form is re-rendered without an error or a 4xx
        # status on bad credentials — confirm the template handles this.
        return {"form": form}

    token = user_login_svc.token_for(form.username.data, request.client_addr)
    return HTTPFound(
        headers=remember(request, token),
        location=request.route_path(route_name="admin_dashboard"),
    )
def board_edit_post(request):
    """Update a board from the admin form and redirect to it.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    query_svc = request.find_service(IBoardQueryService)
    board = query_svc.board_from_slug(request.matchdict["board"])

    form = AdminBoardForm(request.POST, obj=board, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "form": form}

    # ``settings`` arrives as JSON text and is decoded here.
    settings = json.loads(form.settings.data)
    update_svc = request.find_service(IBoardUpdateService)
    board = update_svc.update(
        board.slug,
        title=form.title.data,
        description=form.description.data,
        status=form.status.data,
        agreements=form.agreements.data,
        settings=settings,
    )
    location = request.route_path(route_name="admin_board", board=board.slug)
    return HTTPFound(location=location)
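def board_new_post(request):
    """Create a board from the admin form, layering the posted settings over the defaults.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    form = AdminBoardNewForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    board_create_svc = request.find_service(IBoardCreateService)
    db_settings = json.loads(form.settings.data)
    # Build a fresh dict. The previous ``DEFAULT_BOARD_CONFIG.update(...)``
    # returned None (so every board was created with settings=None) and
    # mutated the shared module-level defaults for all later requests.
    settings = {**DEFAULT_BOARD_CONFIG, **db_settings}
    board = board_create_svc.create(
        form.slug.data,
        title=form.title.data,
        description=form.description.data,
        status=form.status.data,
        agreements=form.agreements.data,
        settings=settings,
    )
    return HTTPFound(
        location=request.route_path(route_name="admin_board", board=board.slug)
    )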
def board_edit_post(request):
    """Apply the admin board form to an existing board.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board_query_svc = request.find_service(IBoardQueryService)
    board_slug = request.matchdict["board"]
    board = board_query_svc.board_from_slug(board_slug)

    form = AdminBoardForm(request.POST, obj=board, request=request)
    if form.validate():
        board_update_svc = request.find_service(IBoardUpdateService)
        board = board_update_svc.update(
            board.slug,
            title=form.title.data,
            description=form.description.data,
            status=form.status.data,
            agreements=form.agreements.data,
            settings=json.loads(form.settings.data),
        )
        return HTTPFound(
            location=request.route_path(route_name="admin_board", board=board.slug)
        )
    request.response.status = "400 Bad Request"
    return {"board": board, "form": form}
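def decrease_banner_position_view(self):
    """Move the banner named by the ``id`` URL match one slot down in the ordering.

    The banner swaps ``position`` with its successor in ``(position, id)``
    order and both get a fresh ``updated_at``; the last banner is left as is.

    :raises HTTPBadRequest: the CSRF token check failed.
    :raises HTTPNotFound: ``id`` is not an integer or no banner has that id.
    :raises HTTPInternalServerError: a database query failed.
    :return: HTTPFound to the ``admin_view`` route.
    """
    if not check_csrf_token(self.request):
        raise HTTPBadRequest
    # int() raises on a non-numeric id instead of returning None, so the old
    # ``if bid is None`` test was dead; map the parse error to a 404.
    try:
        bid = int(self.request.matchdict['id'])
    except (TypeError, ValueError):
        raise HTTPNotFound
    try:
        cursor_banner = DBSession.query(Banner).filter(Banner.id == bid).first()
    except Exception as e:
        log.debug(e)
        raise HTTPInternalServerError
    # Raised outside the try: inside it the broad ``except Exception``
    # downgraded this 404 to a 500.
    if cursor_banner is None:
        raise HTTPNotFound
    try:
        banners = DBSession.query(Banner).order_by(Banner.position, Banner.id).all()
    except Exception as e:
        log.debug(e)
        raise HTTPInternalServerError

    bindex = banners.index(cursor_banner)
    if bindex + 1 < len(banners):
        current, below = banners[bindex], banners[bindex + 1]
        # Naive UTC, as the rest of the model presumably expects — confirm
        # before switching to an aware timestamp.
        now = datetime.datetime.utcnow()
        current.position, below.position = below.position, current.position
        current.updated_at = now
        below.updated_at = now
    url = self.request.route_url('admin_view')
    return HTTPFound(url)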
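def receive_file(request):
    """Store the upload from the ``files[]`` field and return its id.

    For an authenticated user both CSRF checks (origin and token) must pass
    before the file is saved. Anonymous uploads skip them — presumably because
    there is no session to forge; confirm that is intended.

    :param request: A :class:`pyramid.request.Request` object.
    :return: ``{'upload_id': <id of the saved Upload>}``
    """
    if request.authenticated_userid:
        # Two statements rather than ``a(request) and b(request)``: the
        # short-circuit form skipped the token check whenever the origin
        # check returned False instead of raising.
        check_csrf_origin(request)
        check_csrf_token(request)
    upload = Upload.save_from(request, 'files[]')
    return {'upload_id': upload.id}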
def validator(self, node, _value):  # pylint: disable=no-self-use
    """Raise via check_csrf_token unless the request bound to *node* carries a valid CSRF token.

    :param node: The schema node; ``node.bindings["request"]`` supplies the request.
    :param _value: The deserialized value; not used.
    """
    check_csrf_token(node.bindings["request"])
def validator(self, form, value):
    """Raise via check_csrf_token unless the request bound to *form* carries a valid CSRF token.

    :param form: The schema node/form; ``form.bindings["request"]`` supplies the request.
    :param value: The deserialized value; not used.
    """
    bound_request = form.bindings["request"]
    check_csrf_token(bound_request)
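def _topic_show_error(request, board, topic, name, status, **extra):
    """Render ``topics/show_error.mako`` for error *name* with the given HTTP status line."""
    context = {"board": board, "topic": topic, "name": name}
    context.update(extra)
    response = render_to_response("topics/show_error.mako", context, request=request)
    response.status = status
    return response


def topic_show_post(request):
    """Handle form posting for replying to a topic.

    Checks run in order: CSRF token, board/topic match, form validation,
    IP ban, banword, rate limit. Only then is the post enqueued.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    board_query_svc = request.find_service(IBoardQueryService)
    topic_query_svc = request.find_service(ITopicQueryService)
    board_slug = request.matchdict["board"]
    topic_id = request.matchdict["topic"]
    board = board_query_svc.board_from_slug(board_slug)
    topic = topic_query_svc.topic_from_id(topic_id)
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    form = PostForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "topic": topic, "form": form}

    ban_scope = {"board": board.slug, "topic": topic.title}
    ban_query_svc = request.find_service(IBanQueryService)
    if ban_query_svc.is_banned(request.client_addr, scopes=ban_scope):
        return _topic_show_error(request, board, topic, "ban_rejected", "403 Forbidden")

    banword_query_svc = request.find_service(IBanwordQueryService)
    if banword_query_svc.is_banned(form.body.data, scopes=ban_scope):
        return _topic_show_error(
            request, board, topic, "banword_rejected", "403 Forbidden"
        )

    rate_limiter_svc = request.find_service(IRateLimiterService)
    if rate_limiter_svc:
        payload = {"ip_address": request.client_addr, "board": board.slug}
        if rate_limiter_svc.is_limited(**payload):
            return _topic_show_error(
                request,
                board,
                topic,
                "rate_limited",
                "429 Too Many Requests",
                time_left=rate_limiter_svc.time_left(**payload),
            )
        # Record the per-board delay for this address before the work is queued.
        rate_limiter_svc.limit_for(board.settings["post_delay"], **payload)

    # Looked up once, here; the earlier duplicate lookup before validation was unused.
    post_create_svc = request.find_service(IPostCreateService)
    task = post_create_svc.enqueue(
        topic.id,
        form.body.data,
        form.bumped.data,
        request.client_addr,
        payload={
            "application_url": request.application_url,
            "referrer": request.referrer,
            "url": request.url,
            "user_agent": request.user_agent,
        },
    )
    return HTTPFound(
        location=request.route_path(
            route_name="topic",
            board=topic.board.slug,
            topic=topic.id,
            _query={"task": task.id},
        )
    )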
def _callFUT(self, *args, **kwargs):
    """Invoke the function under test, ``pyramid.csrf.check_csrf_token``, with the given arguments."""
    from pyramid.csrf import check_csrf_token as fut

    return fut(*args, **kwargs)
def validator(self, node, _value):
    """Colander validator: raise via check_csrf_token unless the bound request has a valid CSRF token.

    :param node: The schema node; ``node.bindings["request"]`` supplies the request.
    :param _value: The deserialized value; not used.
    """
    bound_request = node.bindings["request"]
    check_csrf_token(bound_request)