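def _check(self):
    """Decide whether the pending write-on-read may proceed.

    Returns True when the transaction may go on: nothing is registered for
    writing, the request provides IDisableCSRFProtection, ``check`` accepts
    the request, or we are at the Zope root and the KeyManager is not
    installed yet.  Returns False after aborting the transaction for a GET
    request whose registered writes are not considered safe; in that case,
    when a site is available and the response is a 301/302 or text/html,
    the response is redirected to @@confirm-action carrying the submitted
    form plus ``original_url`` in the query string.

    Raises:
        Forbidden: re-raised for any non-GET request that ``check`` rejects.
        ComponentLookupError: re-raised when ``check`` cannot find its
            components anywhere but the Zope root.

    Fix: ``resp.headers.get('content-type')`` is None when the header is
    unset, so ``'text/html' in ct`` raised TypeError; the value is now
    defaulted to ''.
    """
    registered = self._registered_objects()
    if len(registered) > 0 and \
            not IDisableCSRFProtection.providedBy(self.request):
        # Something is registered for writing, so the request has to pass
        # the CSRF check.
        try:
            check(self.request)
            return True
        except ComponentLookupError:
            # At the Zope root the KeyManager may not be installed yet;
            # only there is the check skipped, everywhere else it is an
            # error.
            if IApplication.providedBy(self.getContext()):
                LOGGER.info('skipping csrf protection on zope root until '
                            'keymanager gets installed')
                return True
            raise
        except Forbidden:
            if self.request.REQUEST_METHOD != 'GET':
                # Only GET requests get the confirm-form treatment; any
                # other method without a valid check is rejected outright.
                raise
            # XXX Site creation registers portlet assignments as writes on
            # read, so those are tolerated, as is any object carrying a
            # truthy ``_v_safe_write`` attribute.  Every other registered
            # object makes the whole transaction unsafe.  ``_v_safe_write``
            # opts that object out of the check, so it should only be set
            # deliberately.
            safe = all(
                IPortletAssignment.providedBy(obj)
                or getattr(obj, '_v_safe_write', False)
                for obj in registered
            )
            if not safe:
                LOGGER.info('aborting transaction due to no CSRF '
                            'protection on url %s', self.request.URL)
                transaction.abort()
                # The confirm form is offered only when it can be shown:
                # a site is available (it may be None, e.g. at the Zope
                # root) and the response is a 301/302 or text/html.
                # Otherwise the abort plus the log entry is all that can
                # be done gracefully for a check-less write on read.
                resp = self.request.response
                # The header may be absent; default to '' so the substring
                # test below cannot raise TypeError.
                ct = resp.headers.get('content-type') or ''
                if self.site and (
                        resp.status in (301, 302) or 'text/html' in ct):
                    # The submitted form values end up in the query string
                    # of the redirect, together with the original URL.
                    data = self.request.form.copy()
                    data['original_url'] = self.request.URL
                    resp.redirect('%s/@@confirm-action?%s' % (
                        self.site.absolute_url(),
                        urlencode(data)
                    ))
                return False
    return True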
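def _check(self):
    """Decide whether the pending write-on-read may proceed.

    Returns True when the transaction may go on: nothing is registered for
    writing, the request provides IDisableCSRFProtection, ``check`` accepts
    the request, or we are at the Zope root and the KeyManager is not
    installed yet.  Returns False after aborting the transaction for a GET
    request whose registered writes are not considered safe; when a site is
    available and the response is a 301/302 or text/html, the response is
    additionally redirected to @@confirm-action with the submitted form and
    ``original_url`` in the query string.

    Raises:
        Forbidden: re-raised for any non-GET request that ``check`` rejects.
        ComponentLookupError: re-raised when ``check`` cannot find its
            components anywhere but the Zope root.

    Fix: ``resp.headers.get('content-type')`` is None when the header is
    unset, which made ``'text/html' in ct`` raise TypeError; the value is
    now defaulted to ''.
    """
    registered = self._registered_objects()
    if len(registered) == 0 or IDisableCSRFProtection.providedBy(self.request):
        return True

    def is_safe_write(obj):
        # Portlet assignments are tolerated (XXX: site creation registers
        # them as writes on read), as is any object flagged with a truthy
        # ``_v_safe_write`` attribute.  The flag opts that object out of the
        # check, so it should only be set deliberately.
        return (IPortletAssignment.providedBy(obj)
                or getattr(obj, '_v_safe_write', False))

    # Something is registered for writing, so the request has to pass the
    # CSRF check.
    try:
        check(self.request)
        return True
    except ComponentLookupError:
        # At the Zope root the KeyManager may not be installed yet; only
        # there is the check skipped.
        if IApplication.providedBy(self.getContext()):
            LOGGER.info('skipping csrf protection on zope root until '
                        'keymanager gets installed')
            return True
        raise
    except Forbidden:
        if self.request.REQUEST_METHOD != 'GET':
            # Only GET requests get the confirm-form treatment.
            raise
        if all(is_safe_write(obj) for obj in registered):
            return True
        LOGGER.info('aborting transaction due to no CSRF '
                    'protection on url %s', self.request.URL)
        transaction.abort()
        # Conditions for offering the confirm form: a site is available
        # (it may be None, e.g. at the Zope root) and the response is a
        # 301/302 or text/html.  Otherwise the abort plus the log entry is
        # all that can be done gracefully.
        resp = self.request.response
        # Default to '' so a missing header cannot make the substring test
        # raise TypeError.
        ct = resp.headers.get('content-type') or ''
        if self.site and (resp.status in (301, 302) or 'text/html' in ct):
            # The submitted form values end up in the query string of the
            # redirect, together with the original URL.
            data = self.request.form.copy()
            data['original_url'] = self.request.URL
            resp.redirect(
                '%s/@@confirm-action?%s' % (self.site.absolute_url(),
                                            urlencode(data)))
        return False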
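def _check(self):
    """Decide whether the pending write-on-read may proceed.

    Returns True when the transaction may go on: nothing is registered for
    writing, the request provides IDisableCSRFProtection, ``check`` accepts
    the request against ``self.key_manager``, or every registered object is
    a portlet assignment or has its ``_p_oid`` listed under SAFE_WRITE_KEY
    in the request environ.  Returns False after aborting the transaction
    for a GET request with unsafe writes; when a site is available and the
    response is a 301/302 or text/html, the response is also redirected to
    @@confirm-action carrying the submitted form and ``original_url``.

    Raises:
        Forbidden: re-raised for any non-GET request with unsafe writes.
        ComponentLookupError: re-raised (after logging) when the key
            manager cannot be found.

    Fix: the log entry interpolated ``traceback.print_stack()``, which
    writes to stderr and returns None, so the message read "None";
    ``traceback.format_stack()`` is used instead so the stack is logged.
    """
    registered = self._registered_objects()
    if len(registered) > 0 and \
            not IDisableCSRFProtection.providedBy(self.request):
        # Something is registered for writing, so the request has to pass
        # the CSRF check.
        try:
            check(self.request, manager=self.key_manager)
            return True
        except ComponentLookupError:
            LOGGER.info('Can not find key manager for CSRF protection. '
                        'This should not happen.')
            raise
        except Forbidden:
            # XXX Site creation registers portlet assignments as writes on
            # read, so those are tolerated.  So is any object whose
            # ``_p_oid`` is listed in the request environ under
            # SAFE_WRITE_KEY (a container of oids); that entry opts those
            # objects out of the check and should only be populated
            # deliberately.  Everything else makes the transaction unsafe.
            environ = getattr(self.request, 'environ', {})
            if SAFE_WRITE_KEY in environ:
                safe_oids = environ[SAFE_WRITE_KEY]
            else:
                safe_oids = []
            safe = all(
                IPortletAssignment.providedBy(obj)
                or getattr(obj, '_p_oid', False) in safe_oids
                for obj in registered
            )
            if not safe:
                if self.request.REQUEST_METHOD != 'GET':
                    # Only GET requests get the confirm-form treatment.
                    raise
                # format_stack() returns the frames as strings; print_stack()
                # would write them to stderr and yield None.
                LOGGER.info('%s\naborting transaction due to no CSRF '
                            'protection on url %s',
                            ''.join(traceback.format_stack()),
                            self.request.URL)
                transaction.abort()
                # The confirm form is offered only when it can be shown:
                # a site is available (it may be None, e.g. at the Zope
                # root) and the response is a 301/302 or text/html.
                # Otherwise the abort plus the log entry is all that can
                # be done gracefully for a token-less write on read.
                resp = self.request.response
                ct = resp.getHeader('Content-Type', '') or ''
                if self.site and (
                        resp.status in (301, 302) or 'text/html' in ct):
                    # The submitted form values end up in the query string
                    # of the redirect, together with the original URL.
                    data = self.request.form.copy()
                    data['original_url'] = self.request.URL
                    resp.redirect('%s/@@confirm-action?%s' % (
                        self.site.absolute_url(),
                        urlencode(data)
                    ))
                return False
    return True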
def _check(self):
    """Decide whether the pending write-on-read may proceed.

    Returns True when the transaction may go on: nothing is registered for
    writing, the request provides IDisableCSRFProtection, ``check`` accepts
    the request against ``self.key_manager``, or every registered object is
    a portlet assignment or has its ``_p_oid`` listed under SAFE_WRITE_KEY
    in the request environ.  Returns False after aborting the transaction
    for a GET request with unsafe writes; when a site is available and the
    response is a 301/302 or text/html, the response is also redirected to
    @@confirm-action carrying the submitted form and ``original_url``.

    Raises:
        Forbidden: re-raised for any non-GET request with unsafe writes.
        ComponentLookupError: re-raised (after logging) when the key
            manager cannot be found.
    """
    registered = self._registered_objects()
    if len(registered) == 0 or IDisableCSRFProtection.providedBy(self.request):
        return True

    # Something is registered for writing, so the request has to pass the
    # CSRF check.
    try:
        check(self.request, manager=self.key_manager)
        return True
    except ComponentLookupError:
        LOGGER.info('Can not find key manager for CSRF protection. '
                    'This should not happen.')
        raise
    except Forbidden:
        # XXX Site creation registers portlet assignments as writes on read,
        # so those are tolerated.  So is any object whose ``_p_oid`` is
        # listed in the request environ under SAFE_WRITE_KEY (a container
        # of oids); that entry opts those objects out of the check and
        # should only be populated deliberately.
        environ = getattr(self.request, 'environ', {})
        safe_oids = environ[SAFE_WRITE_KEY] if SAFE_WRITE_KEY in environ else []

        def is_unsafe_write(obj):
            return (not IPortletAssignment.providedBy(obj)
                    and getattr(obj, '_p_oid', False) not in safe_oids)

        if not any(is_unsafe_write(obj) for obj in registered):
            return True
        if self.request.REQUEST_METHOD != 'GET':
            # Only GET requests get the confirm-form treatment.
            raise
        LOGGER.info('aborting transaction due to no CSRF '
                    'protection on url %s' % self.request.URL)
        transaction.abort()
        # Conditions for offering the confirm form: a site is available (it
        # may be None, e.g. at the Zope root) and the response is a 301/302
        # or text/html.  Otherwise the abort plus the log entry is all that
        # can be done gracefully.
        resp = self.request.response
        content_type = resp.getHeader('Content-Type', '') or ''
        show_confirm = self.site and (
            resp.status in (301, 302) or 'text/html' in content_type)
        if show_confirm:
            # The submitted form values end up in the query string of the
            # redirect, together with the original URL.
            params = self.request.form.copy()
            params['original_url'] = self.request.URL
            resp.redirect(
                '%s/@@confirm-action?%s' % (self.site.absolute_url(),
                                            urlencode(params)))
        return False
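def save(self):
    """Fetch the image named in the request form and store it.

    The image is stored on the context when it provides IATImage, and on
    the parent (passing the context's id as the third ``at_store``
    argument) when the parent provides IATContentType.

    Raises:
        ValueError: when the form has no ``image`` field.
        RuntimeError: when ``fetch`` returns no data.
        Whatever ``check`` raises when the request does not pass it.

    Fix: dropped the unused ``context``/``request`` locals, replaced the
    ``not x in y`` form, and raised specific Exception subclasses with the
    original messages.
    """
    form = self.request.form
    # This view writes, so the request must pass the check first
    # (presumably plone.protect's CSRF ``check`` — it is not defined here).
    check(self.request)
    if "image" not in form:
        raise ValueError("invalid request")
    # NOTE(review): the value handed to ``fetch`` is client-supplied and
    # ``fetch`` is not shown; confirm it constrains which sources it will
    # retrieve before trusting this path with a server-side fetch.
    data = self.fetch(form["image"])
    if not data:
        raise RuntimeError("image download fails")
    if IATImage.providedBy(self.context):
        self.at_store(self.context, data)
    # NOTE(review): indentation was lost in the source; the parent branch
    # is read as a sibling of the IATImage branch, not nested in it —
    # confirm against the original file.
    parent = aq_parent(self.context)
    if IATContentType.providedBy(parent):
        self.at_store(parent, data, self.context.id())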