def logout(self):
    """Forget the current principal and redirect the browser.

    The redirect follows the Referer only when ``same_origin`` confirms it
    belongs to this site, so an off-site Referer cannot turn the logout
    into an open redirect; in every other case the 'home' route is used.

    Returns:
        HTTPFound carrying the ``forget`` headers.
    """
    redirect = HTTPFound(headers=forget(self.request))
    referrer = self.request.referrer
    # Short-circuit: same_origin/current_route_url are only consulted when
    # a Referer was actually sent.
    target = (
        referrer
        if referrer and same_origin(referrer, self.request.current_route_url())
        else self.request.route_url(route_name='home')
    )
    redirect.location = target
    return redirect
def logout(self):
    """Log the user out and send them back where they came from.

    Only a Referer on our own origin is trusted as the redirect target
    (checked with ``same_origin``); otherwise the 'home' route is used.

    Returns:
        HTTPFound whose headers come from ``forget``.
    """
    referrer = self.request.referrer
    if not referrer:
        back_to = self.request.route_url(route_name='home')
    elif same_origin(referrer, self.request.current_route_url()):
        back_to = referrer
    else:
        back_to = self.request.route_url(route_name='home')
    response = HTTPFound(headers=forget(self.request))
    response.location = back_to
    return response
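def login(self):
    """Redeem a hub ``ticket`` (if present) and redirect to ``url``.

    Both values are read from the query string. A ticket the hub accepts
    puts the hub's user data into the session and adds the ``remember``
    headers to the redirect. A ticket the hub rejects is logged and the
    visitor is still redirected, just without a session. ``url`` is
    followed only when ``same_origin`` says it is ours; otherwise the
    'home' route is used, which keeps this from being an open redirect.

    Returns:
        HTTPFound pointing at the chosen target.
    """
    import logging

    hubclient = self.request.registry.hubclient
    response = HTTPFound()
    # redeem ticket to get user data
    ticket = self.request.GET.get('ticket', None)
    if ticket and hubclient:
        try:
            user = hubclient.get_user(
                ticket, self.request.route_url('redirect_to_login'))
            self.request.session[USER_DATA_SESSION_KEY] = user.data
            user_id = user.get('uuid')
            headers = remember(self.request, user_id)
            response.headerlist.extend(headers)
        except HubClientException:
            # Best effort: a bad or expired ticket means "not logged in",
            # not an error page. Record the rejection so it is visible in
            # the logs; the ticket value itself is deliberately not logged.
            logging.getLogger(__name__).warning(
                'login: hub rejected the presented ticket')
    redirect_url = self.request.GET.get('url', None)
    if not (redirect_url and same_origin(
            redirect_url, self.request.current_route_url())):
        redirect_url = self.request.route_url(route_name='home')
    response.location = redirect_url
    return response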
def login(self):
    """Complete a hub login and redirect.

    When a ``ticket`` query parameter is present and a hub client is
    registered, the ticket is exchanged for user data, which is stored in
    the session under ``USER_DATA_SESSION_KEY``; the ``remember`` headers
    for the user's ``uuid`` are appended to the response. A
    ``HubClientException`` is swallowed (TODO in the original: decide what
    an invalid ticket should do). The ``url`` parameter is honoured only
    when it is same-origin; otherwise the redirect goes to 'home'.

    Returns:
        HTTPFound for the redirect.
    """
    request = self.request
    hub = request.registry.hubclient
    response = HTTPFound()
    ticket = request.GET.get('ticket', None)
    if ticket and hub:
        try:
            hub_user = hub.get_user(
                ticket, request.route_url('redirect_to_login'))
            request.session[USER_DATA_SESSION_KEY] = hub_user.data
            response.headerlist.extend(
                remember(request, hub_user.get('uuid')))
        except HubClientException:
            # TODO: what to do when ticket is invalid?
            pass
    wanted = request.GET.get('url', None)
    is_local = bool(wanted) and same_origin(
        wanted, request.current_route_url())
    response.location = (
        wanted if is_local else request.route_url(route_name='home'))
    return response
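def record_edit(self):
    """Show or submit the edit form for ``recordname`` in ``zonename``.

    Protected names are read-only: a POST is refused with HTTPForbidden and
    a GET returns the record with ``protected`` set. For other names a GET
    renders the form; a POST is validated with the ``Record`` schema and,
    on success, written with ``zone.add_record`` followed by a redirect to
    the 'record' route. The submitted ``name`` is checked against the
    protected list as well, matching ``record_add``, so the edit form
    cannot write a protected name.

    Returns:
        A template dict, an HTTPFound redirect, or HTTPForbidden.
    """
    zonename = self.request.matchdict['zonename']
    recordname = self.request.matchdict['recordname']
    zonefile = settings.zones[zonename]
    zone = Zone(zonename, zonefile)
    protected = name_is_protected(zonename, recordname)
    response = {"zonename": zonename, "recordname": recordname}
    if protected:
        if self.request.POST:
            return HTTPForbidden("You can not modify this domain name")
        response['protected'] = protected
        response['record'] = zone.get_record(recordname)
        return response
    schema = Record(validator=record_validator)
    form = deform.Form(schema, buttons=('submit',))
    if not self.request.POST:
        # Same shape as record_add's GET path so the template has a form.
        # TODO(review): pre-populate from zone.get_record(recordname) if
        # the template expects the current values in the form.
        response['form'] = form.render()
        return response
    controls = self.request.POST.items()
    try:
        data = form.validate(controls)
    except deform.ValidationFailure as e:
        response['form'] = e.render()
        return response
    # The URL's recordname was checked above, but the form may carry a
    # different name; refuse it with the same check record_add uses.
    if name_is_protected(zonename, data['name']):
        return HTTPForbidden("You can not modify this domain name")
    zone.add_record(**data)
    redirect = HTTPFound()
    redirect.location = self.request.route_url(
        'record', zonename=zonename, recordname=data['name'])
    return redirect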
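def record_add(self):
    """Render or process the "add record" form for ``zonename``.

    Without a ``submit`` control the empty form is rendered. On submit the
    controls are validated against ``Record``; a failure re-renders the
    form with its errors, a protected name is refused with HTTPForbidden,
    and a valid record is added with ``zone.add_record`` followed by a
    redirect to the 'record' route for the new name. The plain-GET path
    now returns the template dict explicitly instead of falling off the
    end of the function.

    Returns:
        A template dict (``zonename``, ``recordname``, ``form``), an
        HTTPFound redirect, or HTTPForbidden.
    """
    zonename = self.request.matchdict['zonename']
    zonefile = settings.zones[zonename]
    zone = Zone(zonename, zonefile)
    schema = Record(validator=record_validator)
    form = deform.Form(schema, buttons=('submit',))
    response = {"zonename": zonename, "recordname": "new"}
    if 'submit' not in self.request.POST:
        response["form"] = form.render()
        return response
    controls = self.request.POST.items()
    try:
        data = form.validate(controls)
    except deform.ValidationFailure as e:
        response['form'] = e.render()
        return response
    # Check the submitted name, not the URL, before touching the zone.
    if name_is_protected(zonename, data['name']):
        return HTTPForbidden()
    zone.add_record(**data)
    redirect = HTTPFound()
    redirect.location = self.request.route_url(
        'record', zonename=zonename, recordname=data['name'])
    return redirect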
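def record_add(self):
    """Render or process the "add record" form for ``zonename``.

    A request without a ``submit`` control gets the rendered empty form
    (returned explicitly; the previous version fell off the end of the
    function on this path). A submitted form is validated against
    ``Record``; failures re-render the form with errors, a protected name
    is refused with HTTPForbidden, and a valid record is added and the
    browser redirected to the 'record' route for it.

    Returns:
        A template dict (``zonename``, ``form``), an HTTPFound redirect,
        or HTTPForbidden.
    """
    zonename = self.request.matchdict['zonename']
    zonefile = settings.zones[zonename]
    zone = Zone(zonename, zonefile)
    schema = Record()
    form = deform.Form(schema, buttons=('submit', ))
    response = {"zonename": zonename}
    if 'submit' not in self.request.POST:
        response["form"] = form.render()
        return response
    controls = self.request.POST.items()
    try:
        data = form.validate(controls)
    except ValidationFailure as e:
        response['form'] = e.render()
        return response
    # The protected-name check applies to the submitted name.
    if name_is_protected(zonename, data['name']):
        return HTTPForbidden()
    zone.add_record(**data)
    redirect = HTTPFound()
    redirect.location = self.request.route_url(
        'record', zonename=zonename, recordname=data['name'])
    return redirect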
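def record_edit(self):
    """Show or submit the edit form for ``recordname`` in ``zonename``.

    Protected names are read-only: a POST is refused with HTTPForbidden, a
    GET returns the record with ``protected`` set. Otherwise a GET renders
    the form and a POST is validated with ``Record``; on success the data
    is written with ``zone.add_record`` and the browser is redirected to
    the 'record' route. Two fixes over the previous version: the submitted
    ``name`` is checked against the protected list (as ``record_add``
    does), and every path returns a response instead of falling off the
    end of the function.

    Returns:
        A template dict, an HTTPFound redirect, or HTTPForbidden.
    """
    zonename = self.request.matchdict['zonename']
    recordname = self.request.matchdict['recordname']
    zonefile = settings.zones[zonename]
    zone = Zone(zonename, zonefile)
    protected = name_is_protected(zonename, recordname)
    response = {"zonename": zonename}
    if protected:
        if self.request.POST:
            return HTTPForbidden("You can not modify this domain name")
        response['protected'] = protected
        response['record'] = zone.get_record(recordname)
        return response
    schema = Record()
    form = deform.Form(schema, buttons=('submit', ))
    if not self.request.POST:
        # TODO(review): pre-populate from zone.get_record(recordname) if
        # the template expects the current values in the form.
        response['form'] = form.render()
        return response
    controls = self.request.POST.items()
    try:
        data = form.validate(controls)
    except ValidationFailure as e:
        response['form'] = e.render()
        return response
    # The form's name may differ from the URL's recordname; apply the
    # same protection check record_add uses before writing.
    if name_is_protected(zonename, data['name']):
        return HTTPForbidden("You can not modify this domain name")
    zone.add_record(**data)
    redirect = HTTPFound()
    redirect.location = self.request.route_url(
        'record', zonename=zonename, recordname=data['name'])
    return redirect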
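def item_add(self):
    """Add an item to ``groupname`` through the backend's add-schema form.

    Unless the POST carries a ``submit`` control equal to ``'submit'``,
    the empty form is rendered and returned (explicitly; the previous
    version returned nothing on this path). A submitted form is validated;
    failures re-render it with errors, a name listed in
    ``self.protected_names[groupname]`` is refused with HTTPForbidden, and
    a valid item is added via ``group.add_item`` followed by a redirect to
    the 'item' route.

    Returns:
        A template dict (``groupname``, ``itemname``, ``form``), an
        HTTPFound redirect, or HTTPForbidden.
    """
    groupname = self.request.matchdict['groupname']
    groupfile = self.files[groupname]
    group = self.backend(groupname, groupfile)
    schema = group.get_add_schema()
    form = deform.Form(schema, buttons=('submit',))
    response = {"groupname": groupname, "itemname": "new"}
    post = self.request.POST
    submitted = 'submit' in post and post['submit'] == 'submit'
    if not submitted:
        response["form"] = form.render()
        return response
    try:
        data = form.validate(post.items())
    except deform.ValidationFailure as e:
        response['form'] = e.render()
        return response
    # Same protection rule as item_delete, applied to the submitted name.
    if data['name'] in self.protected_names[groupname]:
        return HTTPForbidden()
    group.add_item(data)
    redirect = HTTPFound()
    redirect.location = self.request.route_url(
        'item', groupname=groupname, itemname=data['name'])
    return redirect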
def record_delete(self):
    """Delete ``recordname`` from ``zonename`` and redirect to the zone view.

    Raises:
        HTTPForbidden: when ``name_is_protected`` says the name is
            protected; nothing is deleted in that case.

    Returns:
        HTTPFound to the 'zoneview' route.
    """
    matchdict = self.request.matchdict
    zonename, recordname = matchdict['zonename'], matchdict['recordname']
    # The zone is opened before the protection check, as in the original.
    zone = Zone(zonename, settings.zones[zonename])
    if name_is_protected(zonename, recordname):
        raise HTTPForbidden("You can not modify this domain name")
    zone.del_record(recordname)
    redirect = HTTPFound()
    redirect.location = self.request.route_url('zoneview', zonename=zonename)
    return redirect
def record_delete(self):
    """Remove a record from a zone, refusing protected names.

    Reads ``zonename`` and ``recordname`` from the route match, opens the
    zone file from ``settings.zones``, raises HTTPForbidden for a protected
    name, otherwise deletes the record and redirects to 'zoneview'.

    Returns:
        HTTPFound pointing at the zone view.
    """
    zonename = self.request.matchdict['zonename']
    recordname = self.request.matchdict['recordname']
    zone = Zone(zonename, settings.zones[zonename])
    if name_is_protected(zonename, recordname):
        raise HTTPForbidden("You can not modify this domain name")
    zone.del_record(recordname)
    location = self.request.route_url('zoneview', zonename=zonename)
    redirect = HTTPFound()
    redirect.location = location
    return redirect
def item_delete(self):
    """Delete ``itemname`` from ``groupname`` and redirect to the group view.

    The backend is instantiated with the group's file from ``self.files``.
    Names listed in ``self.protected_names[groupname]`` are refused with
    HTTPForbidden before anything is deleted.

    Returns:
        HTTPFound to the 'groupview' route.
    """
    matchdict = self.request.matchdict
    groupname = matchdict['groupname']
    itemname = matchdict['itemname']
    group = self.backend(groupname, self.files[groupname])
    if itemname in self.protected_names[groupname]:
        raise HTTPForbidden("You can not modify this domain name")
    group.del_item(itemname)
    redirect = HTTPFound()
    redirect.location = self.request.route_url(
        'groupview', groupname=groupname)
    return redirect
def __call__(self):
    """Login view callable.

    Renders the login form, or performs the login when ``form.submitted``
    is in the request params (or ``forcelogin`` is requested with a
    ``cis_login_credentials`` cookie present). On a successful login an
    HTTPFound with the ``remember`` headers is returned and the browser is
    sent to ``came_from``; every other path returns the template dict
    (``message``, ``url``, ``came_from``, ``password``, ``user``,
    ``headers``, ``errors``, ``logged_in``, ``remember``).
    """
    # convenient method to set Cache-Control and Expires headers
    self.request.response.cache_expires = 0
    dbsession = DBSession()
    params = self.request.params
    login_url = route_url('login', self.request)
    message = ''
    # playerid, password from cookie
    playerid = ''
    password = ''
    passwordFromCookie = False
    lc = self.request.cookies.get('cis_login_credentials', '')
    if lc:
        lc = lc.split('|')
        # NOTE(review): the cookie is written below as '%s|%s' (two
        # fields) but three are expected here, so a cookie set by this
        # view never populates playerid/password on this path — confirm
        # which format is intended.
        if len(lc) == 3:
            passwordFromCookie = True
            playerid = lc[0]
            # What the cookie carries is the stored password digest (see
            # the md5 below), i.e. exactly the value compared against
            # user.password, so the cookie is a reusable credential.
            password = lc[1]
    activeUser = User()
    activeUser.playerid = playerid
    activeUser.password = password
    user = None
    errors = {}
    passwordOk = False
    referrer = self.request.url
    if referrer == login_url:
        referrer = '/'
    # NOTE(review): came_from is taken from the request unchecked and
    # becomes the redirect target on success; restricting it to
    # same-site paths would rule out an open redirect.
    came_from = self.request.params.get('came_from', referrer)
    url = came_from
    logged_in = authenticated_userid(self.request)
    headers = ''
    initial_login = not logged_in  # computed but not used below
    storeplayeridPwd = params.get('remember', '')
    # if already logged in and requesting this page, redirect to forbidden
    if logged_in:
        message = 'You do not have the required permissions to see this page.'
        return dict(
            message=message, url=url, came_from=came_from,
            password=password, user=activeUser, headers=headers,
            errors=errors, logged_in=logged_in, remember=storeplayeridPwd
        )
    # check whether we are asked to do an autologin (from pwdreset.py)
    # Pinned to 0: the session-flash variant is disabled as a 'SECURITY RISK'
    # (was: self.request.session.pop_flash(queue='autologin')).
    autologin = 0
    # forcelogin only means anything when the cookie supplied credentials.
    forcelogin = lc and self.request.params.get('forcelogin', '')
    if forcelogin or autologin or 'form.submitted' in params:
        if autologin:
            # unreachable while autologin is pinned to 0 above
            autologin = autologin[0].split('|')
            playerid = autologin[0]
            password = autologin[1]  # encrypted
        elif forcelogin:
            # playerid/password were already taken from the cookie
            pass
        else:
            playerid = params['playerid']
            # when we get a password from a cookie, we already receive it
            # encrypted. If not, encrypt it here
            password = (passwordFromCookie and password) or params['password']
            if not password:
                errors['password'] = "******"
            else:
                # if autologin, we already receive it encrypted. If not,
                # encrypt it here
                # NOTE(review): forcelogin and autologin are both falsy in
                # this branch, so the form password is always reduced to an
                # unsalted md5 digest and compared verbatim with
                # user.password. md5 is not a password hash; moving stored
                # passwords to a slow, salted KDF is the usual fix (not done
                # here because every user.password would need re-hashing).
                password = ((forcelogin or autologin) and password) or hashlib.md5(params['password']).hexdigest()
        if not playerid:
            errors['playerid'] = "Enter your player id"
        if playerid and password:
            user = dbsession.query(User).filter_by(playerid=playerid).first()
            if user:
                # NOTE(review): plain == on digests; hmac.compare_digest
                # would make this comparison constant-time.
                passwordOk = (user.password == password)
            if not user:
                message = 'You do not have a CIS account'
            elif user.banned:
                message = 'Your account has been banned.'
            elif not user.activated:
                message = 'Your account has not yet been activated'
            elif not passwordOk:
                message = 'Your account/password do not match'
            else:
                # READY TO LOGIN, SOME FINAL CHECKS
                now = datetime.now()
                headers = remember(self.request, user.playerid)
                last_login = now.strftime('%Y-%m-%d %H:%M:%S')
                user.last_web = last_login
                response = HTTPFound()
                user.last_login = last_login
                # NOTE(review): this replaces the response's header
                # collection with remember()'s list rather than extending
                # it — confirm that is intended.
                response.headers = headers
                response.content_type = 'text/html'
                response.charset = 'UTF-8'
                if storeplayeridPwd:
                    # NOTE(review): "remember me" persists the player id and
                    # the password digest client-side for a year; a
                    # server-side remember-me token that can be revoked
                    # would avoid storing a login credential in the cookie.
                    cookie_val = '%s|%s' % (playerid, password)
                    response.set_cookie('cis_login_credentials', cookie_val, max_age=timedelta(days=365), path='/')
                response.location = came_from
                if (not forcelogin) and (not storeplayeridPwd):
                    response.delete_cookie('cis_login_credentials')
                response.cache_control = 'no-cache'
                return response
    activeUser.playerid = playerid
    # remember checkbox reflects whether the credentials cookie exists
    storeplayeridPwd = self.request.cookies.get('cis_login_credentials') and '1' or ''
    # NOTE(review): the password digest is handed to the template under
    # 'password' — confirm it is not rendered into the page.
    return dict(
        message=message, url=url, came_from=came_from,
        password=password, user=activeUser, headers=headers,
        errors=errors, logged_in=logged_in, remember=storeplayeridPwd
    )