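def pwd_expired_change(self, **kw):
    """Change the password of a user who was stopped by the password-expiry flow.

    Form fields ``oldpw``/``pw`` are validated by ``F.password_change_form``;
    ``return_to`` is an optional URL to land on afterwards. The account acted
    on is the one the expiry flow parked in ``session['expired-username']``,
    falling back to ``c.user`` when that key is absent. An incorrect old
    password sends the user back to ``/auth/pwd_expired``; on success the
    session becomes a normal login for that account and an audit-log entry
    is written before redirecting.
    """
    require_authenticated()
    return_to = kw.get('return_to')
    kw = F.password_change_form.to_python(kw, None)
    ap = plugin.AuthenticationProvider.get(request)
    expired_username = session.get('expired-username')
    expired_user = M.User.query.get(username=expired_username) if expired_username else None
    # Resolve the account once. Dereferencing ``expired_user`` directly raised
    # AttributeError (HTTP 500) whenever 'expired-username' was not in the
    # session, even though set_password had already succeeded on c.user.
    target_user = expired_user or c.user
    try:
        ap.set_password(target_user, kw['oldpw'], kw['pw'])
        # Keep this session valid across the change and clear any outstanding
        # password-reset token for the account.
        target_user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
        target_user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
    except wexc.HTTPUnauthorized:
        flash('Incorrect password', 'error')
        redirect(tg.url('/auth/pwd_expired', dict(return_to=return_to)))
    flash('Password changed')
    session.pop('pwd-expired', None)
    # Promote the session to a normal login for the account just changed
    # (previously copied 'expired-username', i.e. None on the fallback path).
    session['username'] = target_user.username
    session.pop('expired-username', None)
    session.save()
    h.auditlog_user('Password reset (via expiration process)')
    if return_to and return_to != request.url:
        redirect(return_to)
    else:
        redirect('/')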
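def _basic_security_checks():
    """Perform basic security/sanity checks before processing the request.

    Rejects unsupported HTTP methods and the legacy ``_method`` override,
    invalidates a CSRF token that appears in the query string, and refuses
    non-POST/PUT requests that somehow carry payload parameters. Raises
    ``HTTPMethodNotAllowed`` or ``HTTPBadRequest`` on failure; returns None
    when the request passes.
    """
    # Only allow the following HTTP request methods.
    if request.method not in ['GET', 'HEAD', 'POST']:
        raise webob.exc.HTTPMethodNotAllowed()

    # The _method override is no longer allowed; its mere presence is an error.
    if request.params.get('_method') is not None:
        raise webob.exc.HTTPMethodNotAllowed()

    # Make sure CSRF token never appears in the URL (URLs end up in logs and
    # Referer headers). If it does, invalidate it so it cannot be replayed.
    if secure_form.token_key in request.GET:
        log.error('CSRF key leak detected')
        session.pop(secure_form.token_key, None)
        session.save()
        from kallithea.lib import helpers as h
        h.flash(_('CSRF token leak has been detected - all form tokens have been expired'),
                category='error')

    # WebOb already ignores request payload parameters for anything other
    # than POST/PUT, but double-check since other Kallithea code relies on
    # this assumption. (PUT cannot reach this point given the method check
    # above; it is kept so the condition reads as WebOb's own rule.)
    if request.method not in ['POST', 'PUT'] and request.POST:
        log.error('%r request with payload parameters; WebOb should have stopped this', request.method)
        raise webob.exc.HTTPBadRequest()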
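def pwd_expired_change(self, **kw):
    """Change the password of a user who was stopped by the password-expiry flow.

    Form fields ``oldpw``/``pw`` are validated by ``F.password_change_form``;
    ``return_to`` is an optional URL to land on afterwards. The account acted
    on is the one the expiry flow parked in ``session['expired-username']``,
    falling back to ``c.user`` when that key is absent. An incorrect old
    password sends the user back to ``/auth/pwd_expired``; on success the
    session becomes a normal login for that account and an audit-log entry
    is written before redirecting.
    """
    require_authenticated()
    return_to = kw.get('return_to')
    kw = F.password_change_form.to_python(kw, None)
    ap = plugin.AuthenticationProvider.get(request)
    expired_username = session.get('expired-username')
    expired_user = M.User.query.get(username=expired_username) if expired_username else None
    # Resolve the account once. Dereferencing ``expired_user`` directly raised
    # AttributeError (HTTP 500) whenever 'expired-username' was not in the
    # session, even though set_password had already succeeded on c.user.
    target_user = expired_user or c.user
    try:
        ap.set_password(target_user, kw['oldpw'], kw['pw'])
        # Keep this session valid across the change and clear any outstanding
        # password-reset token for the account.
        target_user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
        target_user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
    except wexc.HTTPUnauthorized:
        flash('Incorrect password', 'error')
        redirect(tg.url('/auth/pwd_expired', dict(return_to=return_to)))
    flash('Password changed')
    session.pop('pwd-expired', None)
    # Promote the session to a normal login for the account just changed
    # (previously copied 'expired-username', i.e. None on the fallback path).
    session['username'] = target_user.username
    session.pop('expired-username', None)
    session.save()
    h.auditlog_user('Password reset (via expiration process)')
    if return_to and return_to != request.url:
        redirect(return_to)
    else:
        redirect('/')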
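def pwd_expired_change(self, **kw):
    """Change the password of a user who was stopped by the password-expiry flow.

    Form fields ``oldpw``/``pw`` are validated by ``F.password_change_form``;
    ``return_to`` is an optional URL to land on afterwards. The account acted
    on is the one the expiry flow parked in ``session["expired-username"]``,
    falling back to ``c.user`` when that key is absent. An incorrect old
    password sends the user back to ``/auth/pwd_expired``; on success the
    session becomes a normal login for that account and an audit-log entry
    is written before redirecting.
    """
    require_authenticated()
    return_to = kw.get("return_to")
    kw = F.password_change_form.to_python(kw, None)
    ap = plugin.AuthenticationProvider.get(request)
    expired_username = session.get("expired-username")
    expired_user = M.User.query.get(username=expired_username) if expired_username else None
    # Resolve the account once. Dereferencing ``expired_user`` directly raised
    # AttributeError (HTTP 500) whenever "expired-username" was not in the
    # session, even though set_password had already succeeded on c.user.
    target_user = expired_user or c.user
    try:
        ap.set_password(target_user, kw["oldpw"], kw["pw"])
        # Keep this session valid across the change and clear any outstanding
        # password-reset token for the account.
        target_user.set_tool_data("allura", pwd_reset_preserve_session=session.id)
        target_user.set_tool_data("AuthPasswordReset", hash="", hash_expiry="")
    except wexc.HTTPUnauthorized:
        flash("Incorrect password", "error")
        redirect(tg.url("/auth/pwd_expired", dict(return_to=return_to)))
    flash("Password changed")
    session.pop("pwd-expired", None)
    # Promote the session to a normal login for the account just changed
    # (previously copied "expired-username", i.e. None on the fallback path).
    session["username"] = target_user.username
    session.pop("expired-username", None)
    session.save()
    h.auditlog_user("Password reset (via expiration process)")
    if return_to and return_to != request.url:
        redirect(return_to)
    else:
        redirect("/")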
def _session_flash_messages(append=None, clear=False):
    """Return the flash message queue kept in ``tg.session``.

    ``append`` (when not None) is added to the queue unless an equal message
    is already queued; ``clear=True`` removes the queue from the session after
    it has been read. The session is saved whenever it may have been touched.
    """
    from tg import session
    key = 'flash'
    try:
        queue = session[key]
    except KeyError:
        if append is None:
            # Nothing queued and nothing to add: skip the session write.
            return []
        queue = []
        session[key] = queue
    if append is not None and append not in queue:
        queue.append(append)
    if clear:
        session.pop(key, None)
    session.save()
    return queue
def pop_messages(self):
    """Remove every queued message from the session and return them.

    Messages are read from ``session[self.session_key]``, the key is deleted,
    the session is saved, and each stored tuple is unpacked into a ``Message``
    object. An empty list is returned when nothing was queued.
    """
    from tg import session
    stored = session.pop(self.session_key, [])
    session.save()
    return [_Message(*fields) for fields in stored]
def clear(self):
    """Drop the ``settings``, ``skip`` and ``lang`` session keys, then redirect to the menu base."""
    for key in ('settings', 'skip', 'lang'):
        session.pop(key, None)
    session.save()
    logging.debug('clear all settings: session: %s', session)
    flash(_('All settings cleared'))
    redirect(self.menu.base)
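def im_save(self, **kw):
    """Persist the fee figures staged in ``session['expense_data']`` by the import step.

    ``expense_data`` is expected to hold ``company_id``, ``year``, ``month`` and
    ``data``: rows of ``(team_id, item_id, value)`` triples. Active
    ``FeeContent`` records for that company/period are updated in place unless
    their ``actual_status`` is already confirmed; missing combinations are
    created. A falsy value is stored as 0. Any failure dooms the transaction
    and is reported to the user via flash. Always redirects back to ``/fee/im``.
    """
    if 'expense_data' not in session:
        flash('Error ,no data imported!')
        return redirect('/fee/im')

    # Remove the staged payload from the session before processing it.
    data = session.pop('expense_data')
    try:
        records = DBSession.query(FeeContent).filter(and_(
            FeeContent.active == 0,
            FeeContent.company_id == data['company_id'],
            FeeContent.year == data['year'],
            FeeContent.month == data['month'],
        ))
        # Index the period's current records by team/item so every imported
        # cell is resolved with one dict lookup instead of a query.
        existing = {'%s_%s' % (r.logicteam_id, r.feeitem_id): r for r in records}

        for row in data['data']:
            for team_id, item_id, val in row:
                key = '%s_%s' % (team_id, item_id)
                obj = existing.get(key)
                if obj is None:
                    DBSession.add(FeeContent(
                        company_id=data['company_id'],
                        logicteam_id=team_id,
                        year=data['year'],
                        month=data['month'],
                        feeitem_id=item_id,
                        actual_value=val or 0,
                    ))
                elif obj.actual_status < STATUS_CONFIRMED:
                    # Confirmed figures are frozen; only pending ones take the import.
                    obj.actual_value = val or 0
        flash('Successfully importing the data!')
    except Exception:
        # A bare ``except:`` also swallowed SystemExit/KeyboardInterrupt;
        # application errors are all that should doom the transaction.
        transaction.doom()
        traceback.print_exc()
        flash('Error when importing the data!')
    return redirect('/fee/im')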