def lang(request):
# Set language
code = request.matchdict['code']
# TODO redirect where we came_from
response = HTTPFound(location='/')
response.set_cookie('lang', value=code, max_age=31536000) # max_age = year
return response
def postLoginPage(self):
user = {'email': self.request.params['email'], 'password': self.request.params['password']}
credentials_db = {}
credentials_db = DBSession.query(User).filter(User.mail == user['email']).first()
error = {"email_required": False, "password_required": False, "incorrect_credentials": False}
if credentials_db is None:
if len(user['email']) == 0:
error['email_required'] = True
else:
error['incorrect_credentials'] = True
return render_to_response('templates/login.jinja2', error, request = self.request)
if not sha256_crypt.verify(user['password'],credentials_db.as_dict()['parola']):
if len(user['password']) == 0:
error['password_required'] = True
if (len(user['email']) > 0) and (len(user['password']) > 0):
error['incorrect_credentials'] = True
return render_to_response('templates/login.jinja2', error, request = self.request)
credentials=credentials_db.as_dict()
self.request.session['email'] = user['email']
self.request.session['tip'] = credentials['tip']
self.request.session['nume'] = credentials['nume']
self.request.session['prenume'] = credentials['prenume']
self.request.session['id_user'] = credentials['id_user']
token = sha256_crypt.encrypt(self.request.session.get_csrf_token())
response = HTTPFound(location = self.request.route_url('home'))
response.set_cookie('XSRF-TOKEN', value=token)
return response
def fbauth(request):
code = request.params['code']
fb_user = User.fb_user(code)
user_id = str(fb_user.id)
response = HTTPFound(location="/")
response.set_cookie('user_id', value=user_id, max_age=31536000)
return response
def account_verify_email(request):
login_store = request.find_service(name="redis_login")
try:
user_id = int(request.GET["user_id"].strip())
email_address = request.GET["email_address"].strip()
token = request.GET["token"].strip()
except (KeyError, ValueError):
raise HTTPNotFound
stored_token = login_store.get("verify_email:%s:%s" % (user_id, email_address))
if not user_id or not email_address or not token or not stored_token:
raise HTTPNotFound
stored_token = stored_token.decode("utf-8")
if not stored_token == token:
raise HTTPNotFound
try:
db = request.find_service(name="db")
user = db.query(User).filter(User.id == user_id).one()
except NoResultFound:
raise HTTPNotFound
user.email = email_address
response = HTTPFound(request.route_path("account", _query={"saved": "email_address"}))
if not request.user or request.user.id != user.id:
new_session_id = str(uuid4())
login_store.set("session:" + new_session_id, user.id)
response.set_cookie("cherubplay", new_session_id, 31536000)
return response
def skip_persona_selection(self):
# set cookie and redirect
response = HTTPFound(location=get_redirect_url(self.request))
response.set_cookie(
PERSONA_COOKIE_NAME, value=PERSONA_SKIP_COOKIE_VALUE,
max_age=ONE_YEAR)
return response
def log_in(request):
# Disable logging in in read-only mode.
if "cherubplay.read_only" in request.registry.settings:
raise HTTPForbidden
try:
user = Session.query(User).filter(
User.username == request.POST["username"].lower()).one()
except NoResultFound:
return {"log_in_error": "Username and/or password not recognised."}
if hashpw(request.POST["password"].encode(),
user.password.encode()) != user.password:
return {"log_in_error": "Username and/or password not recognised."}
# Generate session ID and add it to the login store.
new_session_id = str(uuid.uuid4())
try:
request.login_store.set("session:" + new_session_id, user.id)
except ConnectionError:
return {
"log_in_error":
"We can't log you in because we're having problems with the login server. Please try again later."
}
# Set cookie for session ID.
response = HTTPFound(request.route_path("home"))
response.set_cookie("cherubplay", new_session_id, 31536000)
return response
def oauth(request):
oaserver = request.env.auth.oauth
oauth_url = request.route_url('auth.oauth')
oauth_path = request.route_path('auth.oauth')
def cookie_name(state):
return 'ngw-oastate-' + state
if 'error' in request.params:
raise AuthorizationException()
elif 'code' in request.params and 'state' in request.params:
# Extract data from state named cookie
state = request.params['state']
try:
data = json.loads(request.cookies[cookie_name(state)])
except ValueError:
raise AuthorizationException("State cookie parse error")
tresp = oaserver.grant_type_authorization_code(
request.params['code'], oauth_url)
if data['merge'] == '1' and request.user.keyname != 'guest':
user = oaserver.access_token_to_user(tresp.access_token, merge_user=request.user)
else:
user = oaserver.access_token_to_user(tresp.access_token)
if user is None:
raise InvalidTokenException()
DBSession.flush()
headers = remember(request, (user.id, tresp))
event = OnUserLogin(user, request, data['next_url'])
zope.event.notify(event)
response = HTTPFound(location=event.next_url, headers=headers)
response.delete_cookie(cookie_name(state), path=oauth_path)
return response
else:
data = dict(
next_url=request.params.get('next', request.application_url),
merge=request.params.get('merge', '0')
)
alphabet = string.ascii_letters + string.digits
state = ''.join(secrets.choice(alphabet) for i in range(16))
ac_url = oaserver.authorization_code_url(oauth_url, state=state)
response = HTTPFound(location=ac_url)
# Store data in state named cookie
response.set_cookie(
cookie_name(state), value=json.dumps(data),
path=oauth_path, max_age=600, httponly=True)
return response
def logout(request):
next = request.params.get('next') or request.route_url('index')
if not authenticated_userid(request):
return HTTPFound(location=request.route_url('login'))
headers = forget(request)
response = HTTPFound(location=next, headers=headers)
response.set_cookie('csrf_token', value=None)
return response
def sign_up(request):
# Disable signing up in read-only mode.
if "cherubplay.read_only" in request.registry.settings:
raise HTTPForbidden
# Make sure this IP address hasn't created an account recently.
# Also don't explode if Redis is down.
ip_check_key = "ip:" + request.environ["REMOTE_ADDR"]
try:
ip_check = request.login_store.get(ip_check_key)
except ConnectionError:
return {
"sign_up_error":
"We can't create your account because we're having problems with the login server. Please try again later."
}
if ip_check is not None:
return {
"sign_up_error":
"An account has already been created from your IP address. Please try again in a few hours."
}
# Validate password.
if request.POST["password"] == "":
return {"sign_up_error": "Please don't use a blank password."}
if request.POST["password"] != request.POST["password_again"]:
return {"sign_up_error": "The two passwords didn't match."}
# Make sure username hasn't been taken.
username = request.POST["username"].lower()[:100]
if username_validator.match(username) is None:
return {
"sign_up_error":
"Usernames can only contain letters, numbers, hyphens and underscores."
}
existing_username = Session.query(
User.id).filter(User.username == username).count()
if existing_username == 1 or username in reserved_usernames:
return {
"sign_up_error":
"The username \"%s\" has already been taken." % username
}
# Create the user.
new_user = User(
username=username,
password=hashpw(request.POST["password"].encode(), gensalt()),
last_ip=request.environ["REMOTE_ADDR"],
)
Session.add(new_user)
Session.flush()
# Generate session ID and add it to the login store.
new_session_id = str(uuid.uuid4())
request.login_store.set("session:" + new_session_id, new_user.id)
# Remember their IP address for 12 hours.
ip_check = request.login_store.set(ip_check_key, "1")
ip_check = request.login_store.expire(ip_check_key, 43200)
# Set cookie for session ID.
response = HTTPFound(request.route_path("home"))
response.set_cookie("cherubplay", new_session_id, 31536000)
return response
def login(request):
username = request.params.get('username', None)
password = request.params.get('password', None)
session = DBSession()
user = session.query(User).filter(User.username==username).first()
if user is not None and user.password == password:
response = HTTPFound('/')
# totally insecure, TODO in workshop: use auth token or something
response.set_cookie('user_id', str(user.id), max_age=timedelta(30))
return response
return {'username': username}
def auth(self):
self.twitter = Twython(APP_KEY, APP_SECRET)
auth = self.twitter.get_authentication_tokens(callback_url=CALLBACK_URL)
OAUTH_TOKEN = auth['oauth_token']
OAUTH_TOKEN_SECRET = auth['oauth_token_secret']
auth_url = auth['auth_url']
# set cookies and redirect
response = HTTPFound(location=auth_url)
response.set_cookie('oauth_token', OAUTH_TOKEN, max_age=86400)
response.set_cookie('oauth_token_secret', OAUTH_TOKEN_SECRET, max_age=86400)
return response
def change_profile(request, profile):
"""
Sets a cookie for the given profile and deletes any location set in the
cookies.
Returns a response which directs to the map view.
"""
response = HTTPFound(location=request.route_url('map_view'))
response.set_cookie('_PROFILE_', profile, timedelta(days=90))
if '_LOCATION_' in request.cookies:
response.delete_cookie('_LOCATION_')
return response
def change_profile(request, profile):
"""
Sets a cookie for the given profile and deletes any location set in the
cookies.
Returns a response which directs to the map view.
"""
response = HTTPFound(location=request.route_url('map_view'))
response.set_cookie('_PROFILE_', profile, timedelta(days=90))
if '_LOCATION_' in request.cookies:
response.delete_cookie('_LOCATION_')
return response
def login(request):
"""
Login view.
request - Reads AJAX request to get user data and checks permissions on database.
"""
try:
login_url = route_url('login', request)
referrer = request.url
if referrer == login_url:
referrer = '/'
came_from = request.params.get('came_from', referrer)
message = ''
email = ''
password = ''
if 'form.submitted' in request.params:
login = request.params['login']
password = request.params['password']
permissions = groupfinder(login, password, request)
if permissions is None:
message = 'BŁĘDNE HASŁO.'
elif permissions is []:
message = 'UŻYTKOWNIK %s NIE JEST ZAREJESTROWANY.' % email
elif 'permission:' in permissions:
headers = remember(request, permissions)
response = HTTPFound(location=came_from, headers=headers)
#Add user cookie
response.set_cookie('user', value=login, max_age=31536000)
return response
return dict(
message=message,
url=request.application_url + '/login',
came_from=came_from,
login=email,
password=password, )
except DBAPIError, ex:
print ex
return Response(conn_err_msg, content_type='text/plain', status_int=500)
def sudo_candidate(self):
candidate_id = self.request.matchdict['id']
candidate = DBSession.query(Candidate).get(candidate_id)
if not candidate:
raise HTTPNotFound('Unknown candidate id')
else:
self.request.session['candidate_id'] = candidate.id
location = self.request.params.get('furl')
if not location:
location = 'http://%s/candidate' % self.request.frontend_domain
response = HTTPFound(location=location)
response.set_cookie('__admin__', value='true') # max_age = year
return response
def sudo_employer(self):
employer_id = self.request.matchdict['id']
employer = DBSession.query(Employer).get(employer_id)
if not employer:
raise HTTPNotFound('Unknown employer id')
else:
self.request.session['employer_id'] = employer.id
location = self.request.params.get('furl')
if not location:
location = 'http://%s/employer' % self.request.frontend_domain
response = HTTPFound(location=location)
response.set_cookie('__admin__', value='true') # max_age = year
return response
def order(request):
server = Settings.Session.query(Server).filter(Server.id == request.matchdict['server']).scalar()
item = Settings.Session.query(Item).filter(Item.id == request.matchdict['product']).scalar()
path = [{"href": request.route_url('home'), "name": "Home", "active": False},
{"href": '{href}?sid={sid}'.format(href=request.route_url('home'), sid=server.id), "name": server.name, "active": False},
{"href": request.route_url('order', server=server.id, product=item.id), "name": item.name, "active": True}]
errors = []
if not server or not item or not item in [servitem.item for servitem in server.items]:
return HTTPFound(location=request.route_url('home'))
price = item.price
for promotion in [promo.promotion for promo in item.promotions if promo.promotion.type == 1 and '%' not in promo.promotion.value and time.time() < promo.promotion.expires]:
try:
price = price - float(promotion.value)
except:
continue
for promotion in [promo.promotion for promo in item.promotions if promo.promotion.type == 1 and '%' in promo.promotion.value and time.time() < promo.promotion.expires]:
try:
price = price - (price * (float(promotion.value.replace('%', '')) / 100))
except:
continue;
if price < 0:
price = 0
if 'form.submitted' in request.params:
try:
steamid = SteamIDToCommunityID(request.params['input.steamid'])
except SteamFormatException:
errors.append('steamid')
if not re.match(r'[^@]+@[^@]+\.[^@]+', request.params['input.email']):
errors.append('email')
if request.params['input.code'].strip():
print "Code: %s" % request.params['input.code']
code = None
for promotion in [promo.promotion for promo in item.promotions if promo.promotion.type == 2 and time.time() < promo.promotion.expires]:
if promotion.code == request.params['input.code']:
code = promotion
break
if not code:
errors.append('promo')
if not errors:
order = {'steamid': request.params['input.steamid'], 'email': request.params['input.email'],
'promocode': request.params['input.code'], 'server': server.id, 'item': item.id}
response = HTTPFound(location=request.route_url('confirm'))
response.set_cookie('order', value=json.dumps(order), max_age=300)
return response
path = [{"href": request.route_url('home'), "name": "Home", "active": False},
{"href": '{href}?sid={sid}'.format(href=request.route_url('home'), sid=server.id), "name": server.name, "active": False},
{"href": request.route_url('order', server=server.id, product=item.id), "name": item.name, "active": True}]
return {'community': Settings.Community, 'item': item, 'server': server, 'path': path, 'errors': errors, 'price': round(price,2), 'path': path}
def login(request):
next_url = request.params.get('next', request.application_url)
if request.method == 'POST':
if 'sid' in request.POST:
sid = request.POST['sid']
expires = request.POST['expires']
try:
store = SessionStore.filter_by(
session_id=sid, key='auth.policy.current').one()
except NoResultFound:
raise InvalidCredentialsException(
message=_("Session not found."))
value = json.loads(store.value)
exp = datetime.fromtimestamp(value[2])
if datetime.fromisoformat(expires) != exp:
raise InvalidCredentialsException(
message=_("Invalid 'expires' parameter."))
now = datetime.utcnow()
if exp <= now:
raise InvalidCredentialsException(
message=_("Session expired."))
cookie_settings = WebSession.cookie_settings(request)
cookie_settings['max_age'] = int((exp - now).total_seconds())
cookie_name = request.env.pyramid.options['session.cookie.name']
response = HTTPFound(location=next_url)
response.set_cookie(cookie_name, value=sid, **cookie_settings)
return response
else:
try:
user, headers = request.env.auth.authenticate(
request, request.POST['login'].strip(),
request.POST['password'])
except (InvalidCredentialsException, UserDisabledException) as exc:
return dict(error=exc.title, next_url=next_url)
event = OnUserLogin(user, request, next_url)
zope.event.notify(event)
return HTTPFound(location=event.next_url, headers=headers)
return dict(next_url=next_url)
def select_persona(self):
slug = self.request.matchdict['slug'].upper()
if slug not in PERSONAE:
raise HTTPNotFound
# set cookie and redirect
response = HTTPFound(location=get_redirect_url(self.request))
response.set_cookie(PERSONA_COOKIE_NAME, value=slug, max_age=ONE_YEAR)
# set persona dimension value on GA
# NOTE: the persona dimension has to be configured with scope 'user'
persona_dimension_id = self.settings.get('ga.persona_dimension_id')
if persona_dimension_id:
self.request.google_analytics[persona_dimension_id] = slug
return response
def sign_up(request):
# Disable signing up in read-only mode.
if "cherubplay.read_only" in request.registry.settings:
raise HTTPForbidden
# Make sure this IP address hasn't created an account recently.
# Also don't explode if Redis is down.
ip_check_key = "ip:" + request.environ["REMOTE_ADDR"]
try:
ip_check = request.login_store.get(ip_check_key)
except ConnectionError:
return {
"sign_up_error": "We can't create your account because we're having problems with the login server. Please try again later."
}
if ip_check is not None:
return {
"sign_up_error": "An account has already been created from your IP address. Please try again in a few hours."
}
# Validate password.
if request.POST["password"] == "":
return {"sign_up_error": "Please don't use a blank password."}
if request.POST["password"] != request.POST["password_again"]:
return {"sign_up_error": "The two passwords didn't match."}
# Make sure username hasn't been taken.
username = request.POST["username"].lower()[:100]
if username_validator.match(username) is None:
return {"sign_up_error": "Usernames can only contain letters, numbers, hyphens and underscores."}
existing_username = Session.query(User.id).filter(User.username == username).count()
if existing_username == 1 or username in reserved_usernames:
return {"sign_up_error": 'The username "%s" has already been taken.' % username}
# Create the user.
new_user = User(
username=username,
password=hashpw(request.POST["password"].encode(), gensalt()),
last_ip=request.environ["REMOTE_ADDR"],
)
Session.add(new_user)
Session.flush()
# Generate session ID and add it to the login store.
new_session_id = str(uuid.uuid4())
request.login_store.set("session:" + new_session_id, new_user.id)
# Remember their IP address for 12 hours.
ip_check = request.login_store.set(ip_check_key, "1")
ip_check = request.login_store.expire(ip_check_key, 43200)
# Set cookie for session ID.
response = HTTPFound(request.route_path("home"))
response.set_cookie("cherubplay", new_session_id, 31536000)
return response
def login(self, request):
if request.method == 'POST':
login = request.POST.get('login')
password = request.POST.get('password')
if login and password:
user = dbs.query(StaffModel).filter_by(name=login).first()
if user and user.password == sha256(
password + user.salt).hexdigest():
now = datetime.datetime.utcnow()
csrf = sha256(str(now)).hexdigest()
val = signed_serialize({'time': now, 'csrf': csrf}, SECRET)
response = HTTPFound(request.route_url('admin.index'))
response.set_cookie('signed', val)
return response
return dict(
error='Something went wrong. Try "admin" and "111111"')
return {}
def post(self):
form = self.form()
request = self.request
if form.validate():
login = form.data.get('login')
password = form.data.get('password')
user = User.by_login(login)
if User.check_password(login, password):
url = request.route_url('user_list') + '?login=%s' % (login)
response = HTTPFound(location=url,
headers=remember(request, login))
response.set_cookie('user_id', value=str(user.id), max_age=31536000)
return response
else:
request.session.flash('Authentication Failed!', 'error')
return self.get()
def switch_ui(request):
using_ux2 = request.cookies.get('ux2') == 'true'
if request.method == 'POST':
response = HTTPFound(request.application_url)
if using_ux2:
response.set_cookie('ux2', 'false')
else:
response.set_cookie('ux2', 'true')
return response
if using_ux2:
button_text = 'Switch to Classic UI'
else:
button_text = 'Switch to New and Improved UI'
return Response(
'<html><head><title>Karl: Change UI</title></head>'
'<body><form method="POST"><input type="submit" value="%s"/></form>'
'</body></html>' % button_text, content_type='text/html')
def callback(self):
oauth_verifier = self.request.GET['oauth_verifier']
OAUTH_TOKEN = self.request.cookies['oauth_token']
OAUTH_TOKEN_SECRET = self.request.cookies['oauth_token_secret']
twitter = Twython(APP_KEY, APP_SECRET,
OAUTH_TOKEN,
OAUTH_TOKEN_SECRET)
final_step = twitter.get_authorized_tokens(oauth_verifier)
OAUTH_TOKEN = final_step['oauth_token']
OAUTH_TOKEN_SECRET = final_step['oauth_token_secret']
# set cookies and redirect
response = HTTPFound(location='https://twittpane-dev.freegate.co')
response.set_cookie('oauth_token', OAUTH_TOKEN, max_age=86400)
response.set_cookie('oauth_token_secret', OAUTH_TOKEN_SECRET, max_age=86400)
return response
def create(request):
"""Receives data to register a user."""
# TODO workshop: validation
# TODO workshop: encrypt password
username = request.params['username']
password = request.params['password']
name = request.params['name']
email = request.params['email']
location = request.params['location']
user = User(username, password, name, email, location)
session = DBSession()
session.add(user)
session.flush()
# TODO workshop: test email by mocking
send_welcome_email(request.registry.settings, name, email)
response = HTTPFound(route_url('user_single', request, user_id=user.id))
# totally insecure, TODO in workshop: use auth token or something
response.set_cookie('user_id', str(user.id), max_age=timedelta(30))
return response
def set_lang(request):
"""Set current language
"""
lang = request.matchdict['lang'].lower()
langs = dict(request.registry.settings['available_langs'])
if lang not in langs:
raise HTTPBadRequest('Not supported language %r' % lang)
referrer = request.referer
my_url = request.route_url('front.set_lang', lang=lang)
if referrer == my_url or not referrer:
# never use the set_lang itself as came_from
# which could lead to a infinite loop
referrer = '/'
came_from = request.params.get('came_from', referrer)
response = HTTPFound(location=came_from)
response.set_cookie('_LOCALE_', normalize_locale_name(lang))
return response
def password_login_view(request):
if request.method == 'GET':
return {}
main_view = '/'
if hasattr(request.session, 'redirect_to'):
came_from = request.session.redirect_to
else:
came_from = request.params.get('came_from', main_view)
post_data = request.POST
ref_path = request.referer.split('/')[-1] if request.referer else ''
if 'submit' in post_data:
login = post_data.get('login', '').lower()
password = post_data.pop('password')
request.session['login_data'] = post_data
if User.check_password(login, password):
user = User.get_by_login(login)
assert user.activated, 'User is inactive, please contact ' \
'[email protected] for any requests.'
headers = remember(request, user.id)
if not user.has_logged_in:
came_from = '/%s/%s' % (user.type.split(',')[-1], user.id)
request.session.flash(u'<b>Welcome!</b> The Alchemist Portal is a repository of various Alchemist '
u'resources. To get started, please enter all profile details for you and your '
u'company in Founders Directory 2.0, especially general and specific tags for '
u'your Areas of Expertise and your company\'s Industry Keywords. Also upload your'
u' profile picture and your company\'s logo.')
user.has_logged_in = True
redirect_home = HTTPFound(location=came_from, headers=headers)
redirect_home.set_cookie('AIW_USER', '1')
return redirect_home
request.session.flash(u'Incorrect password. Please try again or reset your password.', 'error')
elif request.referer and request.application_url in request.referer and ref_path not in \
['about', '']:
request.session.flash(u'You were logged out, please log in again!')
return HTTPFound(location='/')
def switch_ui(request):
using_ux2 = request.cookies.get("ux2_kachoo") == "true"
if request.method == "POST":
response = HTTPFound(request.application_url)
if using_ux2:
response.set_cookie("ux2_kachoo", "false")
else:
response.set_cookie("ux2_kachoo", "true")
return response
if using_ux2:
button_text = "Switch to Classic UI"
else:
button_text = "Switch to New and Improved UI"
return Response(
"<html><head><title>Karl: Change UI</title></head>"
'<body><form method="POST"><input type="submit" value="%s"/></form>'
"</body></html>" % button_text,
content_type="text/html",
)
def set_language(context, request):
import re
settings = request.registry.settings
lang = sanitize_get(request, 'lang', 'en')
if lang not in settings['available_languages']:
return HTTPNotFound()
url = request.environ.get('HTTP_REFERER', None)
host = request.environ.get('HTTP_HOST', None)
dashboard_hostname = settings.get('dashboard_hostname')
dashboard_baseurl = settings.get('dashboard_baseurl')
# To avoid malicious redirects, using header injection, we only
# allow the client to be redirected to an URL that is within the
# predefined scope of the application.
allowed_url = re.compile('^(http|https)://' + dashboard_hostname + '[:]{0,1}\d{0,5}($|/)')
allowed_host = re.compile('^' + dashboard_hostname + '[:]{0,1}\d{0,5}$')
if url is None or not allowed_url.match(url):
url = dashboard_baseurl
elif host is None or not allowed_host.match(host):
url = dashboard_baseurl
response = HTTPFound(location=url)
cookie_domain = settings.get('lang_cookie_domain', None)
cookie_name = settings.get('lang_cookie_name')
extra_options = {}
if cookie_domain is not None:
extra_options['domain'] = cookie_domain
extra_options['httponly'] = asbool(settings.get('session.httponly'))
extra_options['secure'] = asbool(settings.get('session.secure'))
response.set_cookie(cookie_name, value=lang, **extra_options)
request.stats.count('set_language_cookie')
return response
def account_reset_password_post(request):
login_store = request.find_service(name="redis_login")
user = _validate_reset_token(request)
if not request.POST.get("password"):
return {"error": "no_password"}
if request.POST["password"] != request.POST["password_again"]:
return {"error": "passwords_didnt_match"}
user.set_password(request.POST["password"])
login_store.delete("reset_password:%s:%s" % (user.id, request.GET["email_address"].strip()))
response = HTTPFound(request.route_path("home"))
new_session_id = str(uuid4())
login_store.set("session:"+new_session_id, user.id)
response.set_cookie("cherubplay", new_session_id, 31536000)
return response
def login_view(request):
"""
The login view
"""
form = Form(get_auth_schema(),
buttons=(Button(name="submit",
title="Connexion",
type='submit'),))
nextpage = request.params.get('nextpage') or request.route_url('index')
# avoid redirection looping
if nextpage == request.route_url('login'):
nextpage = request.route_url('index')
app_struct = {'nextpage': nextpage}
myform = form.render(app_struct)
fail_message = None
if 'submit' in request.params:
controls = request.params.items()
log.info(u"Authenticating : '{0}'".format(request.params.get('login')))
try:
datas = form.validate(controls)
except ValidationFailure, err:
log.exception(u" - Authentication error")
myform = err.render()
fail_message = u"Erreur d'authentification"
return {'title': "Authentification",
'html_form': myform,
'message': fail_message
}
else:
login = datas['login']
log.info(u" + '{0}' has been authenticated".format(login))
# Storing the datas in the request object
remember(request, login)
remember_me = datas.get('remember_me', False)
response = HTTPFound(location=nextpage)
if remember_me:
log.debug(" * The user wants to be remembered")
longtimeout = get_longtimeout()
response.set_cookie('remember_me', "ok", max_age=longtimeout)
return response
def set_locale_cookie(self):
"""
This view will set a language cookie
"""
settings = get_current_registry().settings
default_lang = settings.get('pyramid.default_locale_name')
available_languages = settings.get('available_languages', default_lang).split()
[x.lower() for x in available_languages]
language = self.request.GET.get('language', default_lang).lower()
if language not in available_languages:
language = default_lang
referer = self.request.referer
if referer is not None:
response = HTTPFound(location=referer)
else:
response = HTTPFound(location=self.request.route_url('home'))
response.set_cookie('_LOCALE_',
value=language,
max_age=31536000) # max_age = year
return response
def set_locale_cookie(self):
"""
This view will set a language cookie
"""
settings = get_current_registry().settings
default_lang = settings.get('pyramid.default_locale_name')
available_languages = settings.get('available_languages',
default_lang).split()
[x.lower() for x in available_languages]
language = self.request.GET.get('language', default_lang).lower()
if language not in available_languages:
language = default_lang
referer = self.request.referer
if referer is not None:
response = HTTPFound(location=referer)
else:
response = HTTPFound(location=self.request.route_url('home'))
response.set_cookie('_LOCALE_', value=language,
max_age=31536000) # max_age = year
return response
def session_invite(request):
next_url = request.params.get('next', request.application_url)
if request.method == 'GET':
if any(k not in request.GET for k in ('sid', 'expires')):
raise HTTPNotFound()
return dict(session_id=request.GET['sid'],
expires=request.GET['expires'],
next_url=next_url)
elif request.method == 'POST':
sid = request.POST['sid']
expires = request.POST['expires']
try:
store = SessionStore.filter_by(session_id=sid,
key='auth.policy.current').one()
except NoResultFound:
raise InvalidCredentialsException(message=_("Session not found."))
value = json.loads(store.value)
exp = datetime.fromtimestamp(value[2])
if datetime.fromisoformat(expires) != exp:
raise InvalidCredentialsException(
message=_("Invalid 'expires' parameter."))
now = datetime.utcnow()
if exp <= now:
raise InvalidCredentialsException(message=_("Session expired."))
cookie_settings = WebSession.cookie_settings(request)
cookie_settings['max_age'] = int((exp - now).total_seconds())
cookie_name = request.env.pyramid.options['session.cookie.name']
response = HTTPFound(location=next_url)
response.set_cookie(cookie_name, value=sid, **cookie_settings)
return response
def log_in(request):
# Disable logging in in read-only mode.
if "cherubplay.read_only" in request.registry.settings:
raise HTTPForbidden
try:
user = Session.query(User).filter(User.username == request.POST["username"].lower()).one()
except NoResultFound:
return {"log_in_error": "Username and/or password not recognised."}
if hashpw(request.POST["password"].encode(), user.password.encode()) != user.password:
return {"log_in_error": "Username and/or password not recognised."}
# Generate session ID and add it to the login store.
new_session_id = str(uuid.uuid4())
try:
request.login_store.set("session:" + new_session_id, user.id)
except ConnectionError:
return {
"log_in_error": "We can't log you in because we're having problems with the login server. Please try again later."
}
# Set cookie for session ID.
response = HTTPFound(request.route_path("home"))
response.set_cookie("cherubplay", new_session_id, 31536000)
return response
def login_view(self):
message = ''
if 'form.submitted' in self.request.params:
username = self.request.params['login'].lower()
password = self.request.params['password']
try:
r = select_from('user_info', 'username', username)
if r[2] == encrypt(username, password) and username == r[1]:
temp = generate_random()
self.request.session['username'] = username
self.request.session['enpass'] = encrypt(password, temp)
res = HTTPFound(location='/school')
res.set_cookie('r', temp)
return res
else:
message = 'Failed Login'
except:
message = 'Failed Login'
message = 'Failed Login'
re = {'page_title': LINKS['login']['title'], 'url' : self.request.application_url + '/login', 'message' : message }
re.update(self.get_header())
return re
def set_language(context, request):
settings = request.registry.settings
lang = request.GET.get("lang", "en")
if lang not in settings["available_languages"]:
return HTTPNotFound()
url = request.environ.get("HTTP_REFERER", None)
if url is None:
url = request.route_path("home")
response = HTTPFound(location=url)
cookie_domain = settings.get("lang_cookie_domain", None)
cookie_name = settings.get("lang_cookie_name")
extra_options = {}
if cookie_domain is not None:
extra_options["domain"] = cookie_domain
extra_options["httponly"] = asbool(settings.get("session.httponly"))
extra_options["secure"] = asbool(settings.get("session.secure"))
response.set_cookie(cookie_name, value=lang, **extra_options)
return response
def student_login(self):
request = self.request
student_login = self.request.cookies.get('student_login')
student = DBSession.query(Student).filter_by(
login=student_login).first()
if student:
return HTTPFound(self.request.route_url('student_profile'))
login_url = request.route_url('student_login')
referrer = request.url
if referrer == login_url:
referrer = '/' # never use login form itself as came_from
came_from = request.route_url('home')
message = ''
login = ''
password = ''
if 'form.submitted' in request.params:
login = request.params['login']
password = request.params['password']
# if check_password(password, USERS.get(login)):
student = DBSession.query(Student).filter_by(login=login).first()
if not student:
message = 'Failed login'
elif password == student.password:
response = HTTPFound(location=came_from)
response.set_cookie('student_login',
value=login,
max_age=31536000) # max_age = year
return response
message = 'Failed login'
return dict(
name='Login',
message=message,
url=login_url,
came_from=came_from,
login=login,
password=password,
)
def password_login_view(request):
if request.method == 'GET':
return {}
main_view = '/'
if hasattr(request.session, 'redirect_to'):
came_from = request.session.redirect_to
else:
came_from = request.params.get('came_from', main_view)
post_data = request.POST
ref_path = request.referer.split('/')[-1] if request.referer else ''
if 'submit' in post_data:
login = post_data.get('login', '').lower()
password = post_data.pop('password')
request.session['login_data'] = post_data
if User.check_password(login, password):
user = User.get_by_login(login)
assert user.activated, 'User is inactive, please contact ' \
'[email protected] for any requests.'
headers = remember(request, user.id)
if not user.has_logged_in:
came_from = '/%s/%s' % (user.primary_type, user.id)
user.has_logged_in = True
redirect_home = HTTPFound(location=came_from, headers=headers)
redirect_home.set_cookie('AIW_USER', '1')
return redirect_home
request.session.flash(u'Incorrect password. Please try again or reset your password.', 'error')
elif request.referer and request.application_url in request.referer and ref_path not in \
['about', '']:
request.session.flash(u'You were logged out, please log in again!')
return HTTPFound(location='/')
def lang(request):
lang_name = request.matchdict['name']
response = HTTPFound(location=request.environ['HTTP_REFERER'])
response.set_cookie('_LOCALE_', value=lang_name,
max_age=31536000) # max_age = year
return response
