summaryrefslogtreecommitdiffstats
path: root/ipsilon/util/page.py
blob: d2ccb510bed70b0cd17988bc49f27def20c11278 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# Copyright (C) 2013  Simo Sorce <simo@redhat.com>
#
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import cherrypy
from ipsilon.util.log import Log
from ipsilon.util.user import UserSession
from ipsilon.util.trans import Transaction
from urllib import unquote
try:
    from urlparse import urlparse
    from urlparse import parse_qs
except ImportError:
    # pylint: disable=no-name-in-module, import-error
    from urllib.parse import urlparse
    from urllib.parse import parse_qs


def admin_protect(fn):

    def check(*args, **kwargs):
        if UserSession().get_user().is_admin:
            return fn(*args, **kwargs)

        raise cherrypy.HTTPError(403)

    return check


class Page(Log):
    def __init__(self, site, form=False):
        if 'template_env' not in site:
            raise ValueError('Missing template environment')
        self._site = site
        self.basepath = cherrypy.config.get('base.mount', "")
        self.user = None
        self._is_form_page = form
        self.default_headers = dict()
        self.auth_protect = False

    def get_url(self):
        return cherrypy.url(relative=False)

    def instance_base_url(self):
        url = self.get_url()
        s = urlparse(unquote(url))
        return '%s://%s%s' % (s.scheme, s.netloc, self.basepath)

    def _check_referer(self, referer, url):
        r = urlparse(unquote(referer))
        u = urlparse(unquote(url))
        if r.scheme != u.scheme:
            return False
        if r.netloc != u.netloc:
            return False
        if r.path.startswith(self.basepath):
            return True
        return False

    def __call__(self, *args, **kwargs):
        # pylint: disable=star-args
        cherrypy.response.headers.update(self.default_headers)

        self.user = UserSession().get_user()

        if self.auth_protect and self.user.is_anonymous:
            raise cherrypy.HTTPError(401)

        if len(args) > 0:
            op = getattr(self, args[0], None)
            if callable(op) and getattr(op, 'public_function', None):
                return op(*args[1:], **kwargs)
        else:
            if self._is_form_page:
                self._debug("method: %s" % cherrypy.request.method)
                op = getattr(self, cherrypy.request.method, None)
                if callable(op):
                    # Basic CSRF protection
                    if cherrypy.request.method != 'GET':
                        url = self.get_url()
                        if 'referer' not in cherrypy.request.headers:
                            self._debug("Missing referer in %s request to %s"
                                        % (cherrypy.request.method, url))
                            raise cherrypy.HTTPError(403)
                        referer = cherrypy.request.headers['referer']
                        if not self._check_referer(referer, url):
                            self._debug("Wrong referer %s in request to %s"
                                        % (referer, url))
                            raise cherrypy.HTTPError(403)
                    return op(*args, **kwargs)
            else:
                op = getattr(self, 'root', None)
                if callable(op):
                    return op(*args, **kwargs)

        return self.default(*args, **kwargs)

    def _template_model(self):
        model = dict()
        model['basepath'] = self.basepath
        model['title'] = 'IPSILON'
        model['user'] = self.user
        return model

    def _template(self, *args, **kwargs):
        # pylint: disable=star-args
        t = self._site['template_env'].get_template(args[0])
        m = self._template_model()
        m.update(kwargs)
        return t.render(**m)

    def default(self, *args, **kwargs):
        raise cherrypy.NotFound()

    def add_subtree(self, name, page):
        self.__dict__[name] = page

    def del_subtree(self, name):
        del self.__dict__[name]

    def get_valid_transaction(self, provider, **kwargs):
        try:
            t = Transaction(provider)
            # Try with kwargs first
            tid = t.find_tid(kwargs)
            if not tid:
                # If no TID yet See if we have it in a referer
                if 'referer' in cherrypy.request.headers:
                    r = urlparse(unquote(cherrypy.request.headers['referer']))
                    if r.query:
                        tid = t.find_tid(parse_qs(r.query))
                if not tid:
                    t.create_tid()
            return t
        except ValueError:
            msg = 'Transaction expired, or cookies not available'
            raise cherrypy.HTTPError(401, msg)

    exposed = True