Пример #1
0
    def process_response(self, request, response):
        """Alters HTML responses containing <form> tags to embed the XSRF token."""

        content_type = response.get('Content-Type', None)
        if content_type and content_type.split(';')[0] in _HTML_TYPES:
            xsrf_token = xsrfutil.getGeneratedTokenForCurrentUser(
                _GetSecretKey(request))

            # there may be multiple forms per page, but we only id= one of them
            idattributes = itertools.chain(("id='xsrftoken'", ),
                                           itertools.repeat(''))

            # invoked on every matching <form> tag
            def add_xsrf_field(match):
                """Returns the matched <form> tag plus the added <input> element"""
                return mark_safe(match.group() + (
                    "<div style='display:none;'>" + "<input type='hidden' " +
                    idattributes.next() + " name='xsrf_token' value='" +
                    xsrf_token + "' /></div>"))

            response.content, n = _POST_FORM_RE.subn(add_xsrf_field,
                                                     response.content)
            if n > 0:
                # content has changed, so ETag would be invalid
                del response['ETag']

        return response
Пример #2
0
  def process_response(self, request, response):
    """Alters HTML responses containing <form> tags to embed the XSRF token."""

    content_type = response.get('Content-Type', None)
    if content_type and content_type.split(';')[0] in _HTML_TYPES:
      xsrf_token = \
        xsrfutil.getGeneratedTokenForCurrentUser(self._getSecretKey(request))

      # there may be multiple forms per page, but we only id= one of them
      idattributes = itertools.chain(("id='xsrftoken'",), itertools.repeat(''))

      # invoked on every matching <form> tag
      def add_xsrf_field(match):
        """Returns the matched <form> tag plus the added <input> element"""
        return mark_safe(match.group() + ("<div style='display:none;'>" +
            "<input type='hidden' " + idattributes.next() +
            " name='xsrf_token' value='" + xsrf_token +
            "' /></div>"))

      response.content, n = _POST_FORM_RE.subn(add_xsrf_field, response.content)
      if n > 0:
        # content has changed, so ETag would be invalid
        del response['ETag']

    return response
Пример #3
0
  def render(self, context):
    """Renders the page using the specified context.

    The page is rendered using the template specified in self.templatePath()
    and is written to the response object.

    The context object is extended with the following values:
      app_version: the current version of the application, used e.g. in URL
                   patterns to avoid JS caching issues.
      is_local: Whether the application is running locally.
      posted: Whether render is called after a POST is request.
      xsrf_token: The xsrf token for the current user.

    Args:
      context: the context that should be used
    """

    context['app_version'] = os.environ.get('CURRENT_VERSION_ID', '').split('.')[0]
    context['is_local'] = system.isLocal()
    context['posted'] = self.posted
    xsrf_secret_key = site.getXsrfSecretKey(self.data.site)
    context['xsrf_token'] = xsrfutil.getGeneratedTokenForCurrentUser(xsrf_secret_key)
    context['ga_tracking_num'] = self.data.site.ga_tracking_num
    if system.isSecondaryHostname(self.request):
      context['google_api_key'] = self.data.site.secondary_google_api_key
    else:
      context['google_api_key'] = self.data.site.google_api_key

    rendered = loader.render_to_string(self.templatePath(), dictionary=context)
    self.response.write(rendered)
Пример #4
0
def default(data):
  """Returns a context dictionary with default values set.

  The following values are available:
      app_version: the current version string of the application
      is_local: whether we are running locally
      posted: if this was a post/redirect-after-post request
      xsrf_token: the xstrf_token for this request
      google_api_key: the google api key for this website
      ga_tracking_num: the google tracking number for this website
      ds_write_disabled: if datastore writes are disabled
      css_path: part of the path to the css files to distinguish modules  
  """
  posted = data.request.POST or 'validated' in data.request.GET

  xsrf_secret_key = site.xsrfSecretKey(data.site)
  xsrf_token = xsrfutil.getGeneratedTokenForCurrentUser(xsrf_secret_key)

  if system.isSecondaryHostname(data):
    google_api_key = data.site.secondary_google_api_key
  else:
    google_api_key = data.site.google_api_key

  if data.user and oauth_helper.getAccessToken(data.user):
    gdata_is_logged_in = 'true'
  else:
    gdata_is_logged_in = 'false'

  css_path = '/'.join([
      'soc', 'content', system.getMelangeVersion(), 'css', 'v2',
      data.css_path])

  return {
      'app_version': system.getMelangeVersion(),
      'is_local': system.isLocal(),
      'posted': posted,
      'xsrf_token': xsrf_token,
      'google_api_key': google_api_key,
      'ga_tracking_num': data.site.ga_tracking_num,
      'ds_write_disabled': data.ds_write_disabled,
      'gdata_is_logged_in': gdata_is_logged_in,
      'css_path': css_path
  }
Пример #5
0
def default(data):
    """Returns a context dictionary with default values set.

  The following values are available:
      app_version: the current version string of the application
      is_local: whether we are running locally
      posted: if this was a post/redirect-after-post request
      xsrf_token: the xstrf_token for this request
      google_api_key: the google api key for this website
      ga_tracking_num: the google tracking number for this website
      ds_write_disabled: if datastore writes are disabled
      css_path: part of the path to the css files to distinguish modules
  """
    app_version = system.getMelangeVersion()

    posted = data.request.POST or 'validated' in data.request.GET

    xsrf_secret_key = site.xsrfSecretKey(data.site)
    xsrf_token = xsrfutil.getGeneratedTokenForCurrentUser(xsrf_secret_key)

    if site.isSecondaryHostname(data):
        google_api_key = data.site.secondary_google_api_key
    else:
        google_api_key = data.site.google_api_key

    css_path = '/'.join(['soc', 'content', app_version, 'css', data.css_path])

    return {
        'app_version': app_version,
        'is_local': system.isLocal(),
        'posted': posted,
        'xsrf_token': xsrf_token,
        'google_api_key': google_api_key,
        'ga_tracking_num': data.site.ga_tracking_num,
        'ds_write_disabled': data.ds_write_disabled,
        'css_path': css_path,
        'site_description': data.site.description,
    }
Пример #6
0
def getUniversalContext(request):
    """Constructs a template context dict will many common variables defined.

  Args:
    request: the Django HTTP request object

  Returns:
    a new context dict containing:

    {
      'request': the Django HTTP request object passed in by the caller
      'account': the logged-in Google Account if there is one
      'user': the User entity corresponding to the Google Account in
        context['account']
      'is_admin': True if users.is_current_user_admin() is True
      'is_debug': True if system.isDebug() is True
      'sign_in': a Google Account login URL
      'sign_out': a Google Account logout URL
      'sidebar_menu_html': an HTML string that renders the sidebar menu
    }
  """

    core = callback.getCore()

    context = core.getRequestValue('context', {})

    if context:
        return context

    account = accounts.getCurrentAccount()
    user = None
    is_admin = False

    context['request'] = request

    if account:
        user = user_logic.getForAccount(account)
        is_admin = user_logic.isDeveloper(account=account, user=user)

    context['account'] = account
    context['user'] = user
    context['is_admin'] = is_admin

    context['is_local'] = system.isLocal()
    context['is_debug'] = system.isDebug()
    context['sign_in'] = users.create_login_url(request.path)
    context['sign_out'] = users.create_logout_url(request.path)

    context['sidebar_menu_items'] = core.getSidebar(account, user)

    context['gae_version'] = system.getAppVersion()
    context['soc_release'] = system.getMelangeVersion()

    settings = site.logic.getSingleton()

    context['ga_tracking_num'] = settings.ga_tracking_num
    context['gmaps_api_key'] = settings.gmaps_api_key
    context['site_name'] = settings.site_name
    context['site_notice'] = settings.site_notice
    context['tos_link'] = redirects.getToSRedirect(settings)
    context['in_maintenance'] = timeline.isActivePeriod(
        settings, 'maintenance')

    # Only one xsrf_token is generated per request.
    xsrf_secret_key = site.logic.getXsrfSecretKey(settings)
    context['xsrf_token'] = xsrfutil.getGeneratedTokenForCurrentUser(
        xsrf_secret_key)

    core.setRequestValue('context', context)

    return context