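def outbound(response):
    """Refresh or clear the ``session`` cookie on the way out.

    Reads the ``user`` that the inbound hook (or a simplate) placed in
    ``response.request.context``:

    * authenticated user -- the session cookie is re-issued with the
      participant's current token and a fresh expiry (``TIMEOUT`` seconds
      from now), the expiry is persisted server-side via
      ``keep_signed_in_until``, and ``Expires`` is set to the epoch so no
      cache can replay this personalised response to another client;
    * anonymous user that still carries a ``session`` cookie -- the cookie
      is overwritten with an empty value dated at the epoch so the browser
      drops it;
    * anonymous user without a cookie -- nothing is set.

    Raises a 500 ``Response`` when a simplate stored something that is not
    a ``User`` under ``context['user']``: that is a server-side
    misconfiguration, not a client error, so 400 was the wrong status.
    """
    context = response.request.context
    if 'user' in context:
        user = context['user']
        if not isinstance(user, User):
            raise Response(500, "If you define 'user' in a simplate it has to "
                                "be a User instance.")
    else:
        user = User()

    if user.ANON:
        if 'session' not in response.request.headers.cookie:
            # No session cookie came in, so don't hand one out.
            return
        # The request carried a cookie that no longer maps to a live
        # session: clear it so the stale token stops being sent to us.
        response.headers.cookie['session'] = ''
        expires = 0
    else:
        response.headers['Expires'] = BEGINNING_OF_EPOCH  # don't cache
        response.headers.cookie['session'] = user.participant.session_token
        expires = time.time() + TIMEOUT
        # Extend the server-side session to match the cookie lifetime.
        user.keep_signed_in_until(expires)

    cookie = response.headers.cookie['session']
    # No explicit domain on purpose: the default is the host of the
    # requested object, and an explicit domain would widen the cookie to
    # every subdomain.
    cookie['path'] = '/'
    cookie['expires'] = rfc822.formatdate(expires)
    # HttpOnly keeps the session token out of reach of page script.
    cookie['httponly'] = "Yes, please."
    # NOTE(review): no 'secure' attribute is set, so if the site is also
    # reachable over plain HTTP the session token travels in the clear;
    # set cookie['secure'] when the site is served over https.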
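def inbound(request):
    """Authenticate from a cookie or an API key in basic auth.

    Resolution order: an ``Authorization: Basic`` header wins, then the
    ``session`` cookie.  Anything else -- including a malformed header, a
    credential with no colon, or an unknown key -- yields an anonymous
    ``User``.  The result is stored in ``request.context['user']`` for the
    simplates and the outbound hook.

    A request that authenticated with a *valid* API key is exempted from
    CSRF checking: a matching ``csrf_token`` cookie/header pair is
    synthesised and a same-origin ``Referer`` is filled in when absent.
    The exemption is granted only once the key has resolved to a signed-in
    user; a garbled or invalid header must not relax CSRF for what is then
    an anonymous request.
    """
    import binascii

    user = None
    if 'Authorization' in request.headers:
        header = request.headers['authorization']
        if header.startswith('Basic '):
            try:
                creds = header[len('Basic '):].decode('base64')
            except binascii.Error:
                # Not base64 at all: treat as "no credentials" rather than
                # letting the decode error surface as a 500.
                creds = ''
            # The key is everything before the first colon.  The password
            # part (ignored here) may itself contain colons, and a header
            # with no colon at all must not crash the request.
            token, sep, ignored = creds.partition(':')
            if sep:
                user = User.from_api_key(token)

            if user is not None and not user.ANON:
                # We don't require CSRF if they basically authenticated.
                csrf_token = csrf._get_new_csrf_key()
                request.headers.cookie['csrf_token'] = csrf_token
                request.headers['X-CSRF-TOKEN'] = csrf_token
                if 'Referer' not in request.headers:
                    request.headers['Referer'] = (
                        'https://%s/' % csrf._get_host(request))
    elif 'session' in request.headers.cookie:
        token = request.headers.cookie['session'].value
        user = User.from_session_token(token)

    if user is None:
        user = User()
    request.context['user'] = user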
def outbound(request, response):
    """Outbound hook: disable caching and extend a signed-in session.

    Requests under ``/assets/`` are passed through untouched.  Every other
    response gets ``Expires`` set to the epoch so no cache can serve a
    personalised page to another client.  If the request arrived with the
    ``SESSION`` cookie and the context user is signed in, that user
    refreshes its cookie on the outgoing response via ``keep_signed_in``;
    an absent cookie or an anonymous user leaves the response alone.
    """
    is_asset = request.line.uri.startswith('/assets/')
    if is_asset:
        return

    response.headers['Expires'] = BEGINNING_OF_EPOCH  # never cache

    if SESSION not in request.headers.cookie:
        return

    current = request.context.get('user') or User()
    if current.ANON:
        return
    current.keep_signed_in(response.headers.cookie)
def outbound(request, response):
    """Outbound hook: disable caching and re-issue the session cookie.

    Responses for ``/assets/`` are left unchanged.  Everything else gets
    ``Expires`` at the epoch.  A signed-in ``User`` then has its ``session``
    cookie rewritten with the participant's current token and a fresh
    expiry (``TIMEOUT`` seconds from now), which is also persisted
    server-side through ``keep_signed_in_until``.  The cookie is scoped to
    ``/``, flagged HttpOnly (unreadable by page script) and flagged Secure
    when the canonical scheme is https (never sent over plain HTTP).

    Raises a 500 ``Response`` if a simplate stored something other than a
    ``User`` under ``request.context['user']``.
    """
    if request.line.uri.startswith('/assets/'):
        return

    response.headers['Expires'] = BEGINNING_OF_EPOCH  # don't cache

    current = request.context.get('user') or User()
    if not isinstance(current, User):
        raise Response(500, "If you define 'user' in a simplate it has to "
                            "be a User instance.")
    if current.ANON:
        return

    jar = response.headers.cookie
    jar['session'] = current.participant.session_token
    deadline = time.time() + TIMEOUT
    current.keep_signed_in_until(deadline)

    session_cookie = jar['session']
    session_cookie['path'] = '/'
    session_cookie['expires'] = rfc822.formatdate(deadline)
    session_cookie['httponly'] = 'Yes, please.'
    if gittip.canonical_scheme == 'https':
        session_cookie['secure'] = 'Yes, please.'
def test_anonymous_user_is_anonymous(self):
    """A freshly constructed User (no session, no API key) is anonymous."""
    anon = User()
    assert anon.ANON
def test_anonymous_user_is_not_admin(self):
    """The anonymous User must never carry the admin privilege."""
    anon = User()
    assert anon.ADMIN is False or not anon.ADMIN
def test_dont_show_plural_no_members_as_team_to_anon(self):
    """A plural participant with no members is not presented as a team
    to an anonymous viewer."""
    plural = self.make_participant('Group', number='plural')
    shown = plural.show_as_team(User())
    assert not shown
def test_dont_show_individuals_as_team(self):
    """A singular participant is never presented as a team."""
    individual = self.make_participant('alice', number='singular')
    shown = individual.show_as_team(User())
    assert not shown
def test_show_as_team_to_anon(self):
    """A team that has at least one member is shown as a team even to an
    anonymous viewer."""
    self.make_participant('alice')
    member = self.make_participant('bob')
    self.team.add_member(member)
    shown = self.team.show_as_team(User())
    assert shown