diff options
| author | Simo Sorce <simo@redhat.com> | 2014-04-20 21:41:24 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2014-04-20 22:02:19 -0400 |
| commit | 37ef4b972ea240f085e7d29923aba70787ac1668 (patch) | |
| tree | ee8a749a79206b7f4320ff1a4938be365cfad711 | |
| parent | e130459dce32d7d7543089d931b1fb3a15b3ba83 (diff) | |
| download | ipsilon-37ef4b972ea240f085e7d29923aba70787ac1668.tar.gz ipsilon-37ef4b972ea240f085e7d29923aba70787ac1668.tar.xz ipsilon-37ef4b972ea240f085e7d29923aba70787ac1668.zip | |
Add New form helper to Page object
This removes the need to define a root funciton only to redirect to
a GET/POST one.
Also adds basic CSRF protection if the page is declared a form.
Signed-off-by: Simo Sorce <simo@redhat.com>
| -rwxr-xr-x | ipsilon/util/page.py | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py index 7727dda..3a01811 100755 --- a/ipsilon/util/page.py +++ b/ipsilon/util/page.py @@ -37,12 +37,13 @@ def protect(): class Page(object): - def __init__(self, site): + def __init__(self, site, form=False): if not 'template_env' in site: raise ValueError('Missing template environment') self._site = site self.basepath = cherrypy.config.get('base.mount', "") self.user = None + self.form = form def __call__(self, *args, **kwargs): # pylint: disable=star-args @@ -53,9 +54,23 @@ class Page(object): if callable(op) and getattr(self, args[0]+'.exposed', None): return op(*args[1:], **kwargs) else: - op = getattr(self, 'root', None) - if callable(op): - return op(*args, **kwargs) + if self.form: + self._debug("method: %s" % cherrypy.request.method) + op = getattr(self, cherrypy.request.method, None) + if callable(op): + # Basic CSRF protection + if cherrypy.request.method != 'GET': + if 'referer' not in cherrypy.request.headers: + return cherrypy.HTTPError(403) + referer = cherrypy.request.headers['referer'] + url = cherrypy.url(relative=False) + if referer != url: + return cherrypy.HTTPError(403) + return op(*args, **kwargs) + else: + op = getattr(self, 'root', None) + if callable(op): + return op(*args, **kwargs) return self.default(*args, **kwargs) |