##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
login: Moved method out of login view.
johbo -
r57:a49c279c default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -76,6 +76,26 b' def _store_user_in_session(session, user'
76 return headers
76 return headers
77
77
78
78
79 def get_came_from(request):
80 came_from = safe_str(request.GET.get('came_from', ''))
81 parsed = urlparse.urlparse(came_from)
82 allowed_schemes = ['http', 'https']
83 if parsed.scheme and parsed.scheme not in allowed_schemes:
84 log.error('Suspicious URL scheme detected %s for url %s' %
85 (parsed.scheme, parsed))
86 came_from = url('home')
87 elif parsed.netloc and request.host != parsed.netloc:
88 log.error('Suspicious NETLOC detected %s for url %s server url '
89 'is: %s' % (parsed.netloc, parsed, request.host))
90 came_from = url('home')
91 elif any(bad_str in parsed.path for bad_str in ('\r', '\n')):
92 log.error('Header injection detected `%s` for url %s server url ' %
93 (parsed.path, parsed))
94 came_from = url('home')
95
96 return came_from
97
98
79 class LoginView(object):
99 class LoginView(object):
80
100
81 def __init__(self, context, request):
101 def __init__(self, context, request):
@@ -84,35 +104,9 b' class LoginView(object):'
84 self.session = request.session
104 self.session = request.session
85 self._rhodecode_user = request.user
105 self._rhodecode_user = request.user
86
106
87 def _validate_came_from(self, came_from):
88 if not came_from:
89 return came_from
90
91 parsed = urlparse.urlparse(came_from)
92 allowed_schemes = ['http', 'https']
93 if parsed.scheme and parsed.scheme not in allowed_schemes:
94 log.error('Suspicious URL scheme detected %s for url %s' %
95 (parsed.scheme, parsed))
96 came_from = url('home')
97 elif parsed.netloc and self.request.host != parsed.netloc:
98 log.error('Suspicious NETLOC detected %s for url %s server url '
99 'is: %s' % (parsed.netloc, parsed, self.request.host))
100 came_from = url('home')
101 if any(bad_str in parsed.path for bad_str in ('\r', '\n')):
102 log.error('Header injection detected `%s` for url %s server url ' %
103 (parsed.path, parsed))
104 came_from = url('home')
105 return came_from
106
107 def _get_came_from(self):
108 _default_came_from = url('home')
109 came_from = self._validate_came_from(
110 safe_str(self.request.GET.get('came_from', '')))
111 return came_from or _default_came_from
112
113 def _get_template_context(self):
107 def _get_template_context(self):
114 return {
108 return {
115 'came_from': self._get_came_from(),
109 'came_from': get_came_from(self.request),
116 'defaults': {},
110 'defaults': {},
117 'errors': {},
111 'errors': {},
118 }
112 }
@@ -125,7 +119,7 b' class LoginView(object):'
125
119
126 # redirect if already logged in
120 # redirect if already logged in
127 if user.is_authenticated and not user.is_default and user.ip_allowed:
121 if user.is_authenticated and not user.is_default and user.ip_allowed:
128 raise HTTPFound(self._get_came_from())
122 raise HTTPFound(get_came_from(self.request))
129
123
130 return self._get_template_context()
124 return self._get_template_context()
131
125
@@ -133,7 +127,7 b' class LoginView(object):'
133 route_name='login', request_method='POST',
127 route_name='login', request_method='POST',
134 renderer='rhodecode:templates/login.html')
128 renderer='rhodecode:templates/login.html')
135 def login_post(self):
129 def login_post(self):
136 came_from = self._get_came_from()
130 came_from = get_came_from(self.request)
137 session = self.request.session
131 session = self.request.session
138 login_form = LoginForm()()
132 login_form = LoginForm()()
139
133
General Comments 0
You need to be logged in to leave comments. Login now