def unsecured(fn):
    """Mark a SecuredController controller method as unsecured.

    The wrapper built here forwards every call straight to ``fn``; it
    performs no session or credential check of its own.  The wrapper is
    handed to ``tools.decorated`` together with ``secured=False``.
    """
    # NOTE(review): presumably the controller machinery reads the
    # ``secured`` flag to decide whether a login is required; confirm
    # against tools.decorated and SecuredController.
    def wrapper(*args, **kw):
        # Plain pass-through: arguments and return value are untouched.
        result = fn(*args, **kw)
        return result

    exposed = tools.decorated(wrapper, fn, secured=False)
    return exposed
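def secured(fn):
    """A decorator to make a SecuredController controller method secured.

    The returned wrapper calls ``fn`` only when ``rpc.session`` already
    reports a logged-in session, or when a login attempt made with the
    db/user/password found in the request succeeds.  Otherwise it either
    renders the login form (explicit ``login_action == 'login'``) or
    answers with a redirect to ``/openerp/login``.
    """

    def clear_login_fields(kw):
        """Remove credentials and ``login_*`` keys from ``kw`` in place.

        Nothing is removed unless ``login_action`` is set, so a request
        that carries ``db``/``user``/``password`` without ``login_action``
        keeps those keys.
        """
        if not kw.get('login_action'):
            return

        for k in ('db', 'user', 'password'):
            kw.pop(k, None)
        # Iterate over a snapshot of the keys: deleting entries while
        # walking the live key view raises RuntimeError on Python 3.
        for k in list(kw.keys()):
            if k.startswith('login_'):
                del kw[k]

    def get_orig_args(kw):
        """Return the request arguments without the login fields.

        ``kw`` itself is returned when ``login_action`` is not set;
        otherwise a cleaned copy is returned and ``kw`` is left intact.
        """
        if not kw.get('login_action'):
            return kw

        new_kw = kw.copy()
        clear_login_fields(new_kw)
        return new_kw

    def wrapper(*args, **kw):
        """The wrapper function to secure exposed methods."""
        if rpc.session.is_logged() and kw.get('login_action') != 'login':
            # User is logged in; allow access.  Login fields are stripped
            # so the wrapped method does not receive the credentials.
            clear_login_fields(kw)
            return fn(*args, **kw)

        action = kw.get('login_action', '')

        # Get some settings from cookies.  Only a missing cookie is
        # treated as "no stored value"; other errors are not swallowed.
        try:
            db = cherrypy.request.cookie['terp_db'].value
            user = cherrypy.request.cookie['terp_user'].value
        except KeyError:
            db = ''
            user = ''

        # Request parameters take precedence over the cookie values.
        db = kw.get('db', db)
        user = ustr(kw.get('user', user))
        password = kw.get('password', '')

        # See if the user just tried to log in.  This call is made for
        # every request without a session, including requests that carry
        # no credentials at all (password defaults to '').
        if rpc.session.login(db, user, password) <= 0:
            # Bad login attempt
            if action == 'login':
                message = _("Bad username or password")
                return login(cherrypy.request.path_info, message=message,
                             db=db, user=user, action=action,
                             origArgs=get_orig_args(kw))

            # Past this point no message is ever set, so the redirect
            # only carries the action (if any) and the return target.
            kwargs = {}
            if action:
                kwargs['action'] = action

            base = cherrypy.request.path_info
            if cherrypy.request.headers.get('X-Requested-With') == 'XMLHttpRequest':
                cherrypy.response.status = 401
                next_key = 'next'
            else:
                cherrypy.response.status = 303
                # login?location is the redirection destination w/o next
                next_key = 'location'

            # The return target is built from this request's own path and
            # query string, and only for GET requests.
            if base and base != '/' and cherrypy.request.method == 'GET':
                kwargs[next_key] = "%s?%s" % (base, cherrypy.request.query_string)

            login_url = openobject.tools.url(
                '/openerp/login', db=db, user=user, **kwargs
            )
            cherrypy.response.headers['Location'] = login_url
            # NOTE(review): login_url is placed inside a double-quoted
            # JavaScript string with no JS-specific escaping.  db, user
            # and the return target are request-derived, so this relies
            # on openobject.tools.url() percent-encoding them; confirm.
            return """
                <html>
                    <head>
                        <script type="text/javascript">
                            window.location.href="%s"
                        </script>
                    </head>
                    <body>
                    </body>
                </html>
            """ % (login_url)

        # Authorized. Set db, user name in cookies
        # NOTE(review): only max-age and path are set here; no Secure or
        # HttpOnly attribute is applied.  The cookies hold the database
        # name and login, not the password.
        cookie = cherrypy.response.cookie
        cookie['terp_db'] = db
        cookie['terp_user'] = user.encode('utf-8')
        cookie['terp_db']['max-age'] = 3600
        cookie['terp_user']['max-age'] = 3600
        cookie['terp_db']['path'] = '/'
        cookie['terp_user']['path'] = '/'

        # User is now logged in, so show the content.
        # NOTE(review): when login_action is absent, db/user/password
        # stay in kw and are passed on to fn; confirm that is intended.
        clear_login_fields(kw)
        return fn(*args, **kw)

    return tools.decorated(wrapper, fn, secured=True)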
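def secured(fn):
    """A decorator to make a SecuredController controller method secured.

    The returned wrapper calls ``fn`` only when ``rpc.session`` already
    reports a logged-in session, or when a login attempt made with the
    db/user/password found in the request succeeds.  Otherwise it either
    renders the login form (explicit ``login_action == 'login'``) or
    answers with a redirect to ``/openerp/login``.
    """

    def clear_login_fields(kw):
        """Remove credentials and ``login_*`` keys from ``kw`` in place.

        Nothing is removed unless ``login_action`` is set, so a request
        that carries ``db``/``user``/``password`` without ``login_action``
        keeps those keys.
        """
        if not kw.get('login_action'):
            return

        for k in ('db', 'user', 'password'):
            kw.pop(k, None)
        # Iterate over a snapshot of the keys: deleting entries while
        # walking the live key view raises RuntimeError on Python 3.
        for k in list(kw.keys()):
            if k.startswith('login_'):
                del kw[k]

    def get_orig_args(kw):
        """Return the request arguments without the login fields.

        ``kw`` itself is returned when ``login_action`` is not set;
        otherwise a cleaned copy is returned and ``kw`` is left intact.
        """
        if not kw.get('login_action'):
            return kw

        new_kw = kw.copy()
        clear_login_fields(new_kw)
        return new_kw

    def wrapper(*args, **kw):
        """The wrapper function to secure exposed methods."""
        if rpc.session.is_logged() and kw.get('login_action') != 'login':
            # User is logged in; allow access.  Login fields are stripped
            # so the wrapped method does not receive the credentials.
            clear_login_fields(kw)
            return fn(*args, **kw)

        action = kw.get('login_action', '')

        # Get some settings from cookies.  Only a missing cookie is
        # treated as "no stored value"; other errors are not swallowed.
        try:
            db = cherrypy.request.cookie['terp_db'].value
            user = cherrypy.request.cookie['terp_user'].value
        except KeyError:
            db = ''
            user = ''

        # Request parameters take precedence over the cookie values.
        db = kw.get('db', db)
        user = ustr(kw.get('user', user))
        password = kw.get('password', '')

        # See if the user just tried to log in.  This call is made for
        # every request without a session, including requests that carry
        # no credentials at all (password defaults to '').
        if rpc.session.login(db, user, password) <= 0:
            # Bad login attempt
            if action == 'login':
                message = _("Bad username or password")
                return login(cherrypy.request.path_info, message=message,
                             db=db, user=user, action=action,
                             origArgs=get_orig_args(kw))

            # Past this point no message is ever set, so the redirect
            # only carries the action (if any) and the return target.
            kwargs = {}
            if action:
                kwargs['action'] = action

            base = cherrypy.request.path_info
            if cherrypy.request.headers.get(
                    'X-Requested-With') == 'XMLHttpRequest':
                cherrypy.response.status = 401
                next_key = 'next'
            else:
                cherrypy.response.status = 303
                # login?location is the redirection destination w/o next
                next_key = 'location'

            # The return target is built from this request's own path and
            # query string, and only for GET requests.
            if base and base != '/' and cherrypy.request.method == 'GET':
                kwargs[next_key] = "%s?%s" % (
                    base, cherrypy.request.query_string)

            login_url = openobject.tools.url('/openerp/login',
                                             db=db, user=user, **kwargs)
            cherrypy.response.headers['Location'] = login_url
            # NOTE(review): login_url is placed inside a double-quoted
            # JavaScript string with no JS-specific escaping.  db, user
            # and the return target are request-derived, so this relies
            # on openobject.tools.url() percent-encoding them; confirm.
            return """
                <html>
                    <head>
                        <script type="text/javascript">
                            window.location.href="%s"
                        </script>
                    </head>
                    <body>
                    </body>
                </html>
            """ % (login_url)

        # Authorized. Set db, user name in cookies
        # NOTE(review): only max-age and path are set here; no Secure or
        # HttpOnly attribute is applied.  The cookies hold the database
        # name and login, not the password.
        cookie = cherrypy.response.cookie
        cookie['terp_db'] = db
        cookie['terp_user'] = user.encode('utf-8')
        cookie['terp_db']['max-age'] = 3600
        cookie['terp_user']['max-age'] = 3600
        cookie['terp_db']['path'] = '/'
        cookie['terp_user']['path'] = '/'

        # User is now logged in, so show the content.
        # NOTE(review): when login_action is absent, db/user/password
        # stay in kw and are passed on to fn; confirm that is intended.
        clear_login_fields(kw)
        return fn(*args, **kw)

    return tools.decorated(wrapper, fn, secured=True)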