def transformIterable(self, result, encoding):
    """Run the CSRF transform for authenticated, context-bound requests.

    Leaves the response untouched (returns ``None``) when protection is
    disabled, the current user is anonymous, the published object is a
    confirm view, no ZODB context can be resolved, or neither a site nor
    a key manager is available. Otherwise ``self.site`` and
    ``self.key_manager`` are populated and ``self.transform`` runs.
    """
    if CSRF_DISABLED:
        return
    # anonymous users are never auto-protected
    user = getSecurityManager().getUser()
    if isAnonymousUser(user):
        return
    # the confirm view itself is exempt from a second csrf round-trip
    published = self.request.get('PUBLISHED')
    if IConfirmView.providedBy(published):
        return
    # resources not bound to a ZODB object have no context to check against
    context = self.getContext()
    if not context:
        return
    portal_url = getToolByName(context, 'portal_url', None)
    if portal_url:
        self.site = portal_url.getPortalObject()
    try:
        self.key_manager = getUtility(IKeyManager)
    except ComponentLookupError:
        # no local utility registered: fall back to the keyring on the Zope root
        self.key_manager = getRootKeyManager(getRoot(context))
    if self.site is None and self.key_manager is None:
        # no site object and no key manager anywhere -- nothing to protect with
        return
    return self.transform(result, encoding)
def transformIterable(self, result, encoding):
    """Apply the transform if required.

    Sets the clickjacking header first, then decides whether the CSRF
    transform applies. It is skipped when protection is disabled, for
    anonymous users, when no ZODB context is available, when neither a
    site nor a key manager can be found, or when ``self.check()`` reports
    that a redirect is underway. On the confirm view the transaction is
    aborted and the transform runs without a further check.
    """
    # clickjacking protection comes first, independent of the csrf outcome;
    # an explicitly set header wins over the configured default
    if X_FRAME_OPTIONS:
        response = self.request.response
        if not response.getHeader('X-Frame-Options'):
            response.setHeader('X-Frame-Options', X_FRAME_OPTIONS)
    if CSRF_DISABLED:
        return
    # anonymous users are never auto-protected
    if isAnonymousUser(getSecurityManager().getUser()):
        return
    published = self.request.get('PUBLISHED')
    if IConfirmView.providedBy(published):
        # discard the pending write; the confirmation page is shown instead
        transaction.abort()
        return self.transform(result, encoding)
    # resources not bound to a ZODB object have no context to check against
    context = self.getContext()
    if not context:
        return
    try:
        portal_url = getToolByName(context, 'portal_url', None)
        if portal_url:
            self.site = portal_url.getPortalObject()
    except TypeError:
        self.site = getSite()
    try:
        self.key_manager = getUtility(IKeyManager)
    except ComponentLookupError:
        # no local utility registered: fall back to the keyring on the Zope root
        self.key_manager = getRootKeyManager(getRoot(context))
    if self.site is None and self.key_manager is None:
        # no site object and no key manager anywhere -- nothing to protect with
        return
    if not self.check():
        # a redirect is already on its way; the document is not transformed
        return
    return self.transform(result, encoding)
def transformIterable(self, result, encoding):
    """Apply the transform if required.

    Order of decisions: set ``X-Frame-Options`` when configured and not
    already present; bail out if CSRF protection is disabled or the user
    is anonymous; on the confirm view abort the transaction and transform
    straight away; bail out without a ZODB context; resolve ``self.site``
    and ``self.key_manager``; bail out if both are missing or if
    ``self.check()`` signals a redirect; otherwise run the transform.
    """
    # clickjacking protection is applied regardless of the csrf outcome
    if X_FRAME_OPTIONS:
        resp = self.request.response
        if not resp.getHeader('X-Frame-Options'):
            resp.setHeader('X-Frame-Options', X_FRAME_OPTIONS)
    if CSRF_DISABLED:
        return
    current_user = getSecurityManager().getUser()
    if isAnonymousUser(current_user):
        # anonymous users are never auto-protected
        return
    if IConfirmView.providedBy(self.request.get('PUBLISHED')):
        # the confirmation page replaces the pending write; no second check
        transaction.abort()
        return self.transform(result, encoding)
    context = self.getContext()
    if not context:
        # not connected to a ZODB object (e.g. a plain resource)
        return
    try:
        url_tool = getToolByName(context, 'portal_url', None)
        if url_tool:
            self.site = url_tool.getPortalObject()
    except TypeError:
        self.site = getSite()
    try:
        self.key_manager = getUtility(IKeyManager)
    except ComponentLookupError:
        zope_root = getRoot(context)
        self.key_manager = getRootKeyManager(zope_root)
    if self.site is None and self.key_manager is None:
        # neither a site nor a key manager is available; nothing to protect with
        return
    if not self.check():
        # redirected elsewhere; the document is not transformed
        return
    return self.transform(result, encoding)
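def render_ajax_form(context, request, name):
    """Render ajax form on context by view name.

    By default contents of div with id ``content`` gets replaced. If
    fiddle mode or selector needs to get customized,
    ``bda.plone.ajax.form.mode`` and ``bda.plone.ajax.form.selector``
    must be given as request parameters.

    Args:
        context: object the form view is traversed on.
        request: current request; supplies the selector/mode/continuation
            parameters.
        name: view name passed to ``context.restrictedTraverse``.

    Returns:
        ``ajax_form_template`` filled with the rendered form and a fresh
        CSRF token. If rendering raises, a generic error div is returned
        instead and the formatted traceback is shipped as an error
        ``AjaxMessage`` in the continuation.
    """
    try:
        key_manager = getUtility(IKeyManager)
    except ComponentLookupError:
        # no local utility registered: use the keyring on the Zope root
        key_manager = getRootKeyManager(getRoot(context))
    token = createToken(manager=key_manager)

    def _fill_template(form, form_continue):
        # selector/mode are read from the request here so the success and
        # error paths are guaranteed to use the same values
        return ajax_form_template % {
            'form': form,
            'token': token,
            'selector': request.get('bda.plone.ajax.form.selector', '#content'),
            'mode': request.get('bda.plone.ajax.form.mode', 'inner'),
            'next': form_continue.next,
        }

    try:
        result = context.restrictedTraverse(name)()
        continuation = request.get('bda.plone.ajax.continuation')
        return _fill_template(result, AjaxFormContinue(continuation))
    except Exception:
        # format_traceback() must run while the exception is still active
        tb = format_traceback()
        # NOTE(review): the traceback text is embedded in the response the
        # browser receives; it can reveal file paths and internal state.
        # Consider logging it server-side and sending a generic message.
        error_message = AjaxMessage(tb, 'error', None)
        return _fill_template(
            '<div>Form rendering error</div>',
            AjaxFormContinue([error_message]),
        )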
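def onUserLogsIn(event):
    """Check CSRF keyring rotation when a user logs in.

    A login already writes to the database, so it is a cheap moment to
    run ``_rotate`` on the local key manager and, when one exists, on the
    keyring kept on the Zope root.

    The current request is marked with ``IDisableCSRFProtection`` so the
    write this handler triggers is not itself subject to the CSRF check.

    Args:
        event: the login event; not inspected here.
    """
    req = getRequest()
    # getRequest() may return None outside a request (the original
    # ``if req`` below relies on that); marking None would raise before
    # any rotation happened, so only mark a real request
    if req is not None:
        alsoProvides(req, IDisableCSRFProtection)
    try:
        _rotate(getUtility(IKeyManager))
        # the zope root keeps its own keyring; rotate it too when present
        root_manager = getRootKeyManager(getRoot(getSite()))
        if root_manager:
            _rotate(root_manager)
    except ComponentLookupError:
        url = req.URL if req else ''
        # lazy %-args: the message is only formatted if the record is emitted
        LOGGER.warning('cannot find key manager for url %s', url)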