controllers: remove old auth_token checks - it was only partial CSRF protection
Mads Kiilerich -
r4990:959a9fa7 default
@@ -41,7 +41,6 b' from kallithea.lib.auth import LoginRequ'
41 HasRepoGroupPermissionAny, HasRepoPermissionAnyDecorator
41 HasRepoGroupPermissionAny, HasRepoPermissionAnyDecorator
42 from kallithea.lib.base import BaseRepoController, render
42 from kallithea.lib.base import BaseRepoController, render
43 from kallithea.lib.utils import action_logger, repo_name_slug, jsonify
43 from kallithea.lib.utils import action_logger, repo_name_slug, jsonify
44 from kallithea.lib.helpers import get_token
45 from kallithea.lib.vcs import RepositoryError
44 from kallithea.lib.vcs import RepositoryError
46 from kallithea.model.meta import Session
45 from kallithea.model.meta import Session
47 from kallithea.model.db import User, Repository, UserFollowing, RepoGroup,\
46 from kallithea.model.db import User, Repository, UserFollowing, RepoGroup,\
@@ -516,23 +515,17 b' class ReposController(BaseRepoController'
516 :param repo_name:
515 :param repo_name:
517 """
516 """
518
517
519 cur_token = request.POST.get('auth_token')
518 try:
520 token = get_token()
519 repo_id = Repository.get_by_repo_name(repo_name).repo_id
521 if cur_token == token:
520 user_id = User.get_default_user().user_id
522 try:
521 self.scm_model.toggle_following_repo(repo_id, user_id)
523 repo_id = Repository.get_by_repo_name(repo_name).repo_id
522 h.flash(_('Updated repository visibility in public journal'),
524 user_id = User.get_default_user().user_id
523 category='success')
525 self.scm_model.toggle_following_repo(repo_id, user_id)
524 Session().commit()
526 h.flash(_('Updated repository visibility in public journal'),
525 except Exception:
527 category='success')
526 h.flash(_('An error occurred during setting this'
528 Session().commit()
527 ' repository in public journal'),
529 except Exception:
528 category='error')
530 h.flash(_('An error occurred during setting this'
531 ' repository in public journal'),
532 category='error')
533
534 else:
535 h.flash(_('Token mismatch'), category='error')
536 return redirect(url('edit_repo_advanced', repo_name=repo_name))
529 return redirect(url('edit_repo_advanced', repo_name=repo_name))
537
530
538
531
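Review bot: After this hunk the journal-visibility handler runs `toggle_following_repo` and `Session().commit()` on any request that reaches it, with nothing left to tie the request to the page that submitted it — the old `auth_token` comparison was incomplete, but dropping it without a replacement leaves this PUT form, `JournalController.toggle_following` in the journal hunk, and the `$.post` calls in base.js without any cross-site request forgery defence. Removing the partial check is only safe if a request-wide one follows, for example in `BaseController` (its `__before__` hook, if that is where request setup lives) rejecting every non-GET request whose session-bound token is absent or mismatched, with `h.form` and the JS helpers emitting the token so individual actions need no per-action code. If that is the plan, a one-line marker here would keep the interim state visible, e.g. `# NOTE: no per-action CSRF check; a request-wide check is expected in BaseController`. When the token is reintroduced, generate it with `os.urandom` rather than the `random.getrandbits` the removed `get_token` relied on. The enclosing method starts outside the hunk, so its decorators are not visible here.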
@@ -304,33 +304,28 b' class JournalController(BaseController):'
304 @LoginRequired()
304 @LoginRequired()
305 @NotAnonymous()
305 @NotAnonymous()
306 def toggle_following(self):
306 def toggle_following(self):
307 cur_token = request.POST.get('auth_token')
307 user_id = request.POST.get('follows_user_id')
308 token = h.get_token()
308 if user_id:
309 if cur_token == token:
309 try:
310 self.scm_model.toggle_following_user(user_id,
311 self.authuser.user_id)
312 Session.commit()
313 return 'ok'
314 except Exception:
315 log.error(traceback.format_exc())
316 raise HTTPBadRequest()
310
317
311 user_id = request.POST.get('follows_user_id')
318 repo_id = request.POST.get('follows_repo_id')
312 if user_id:
319 if repo_id:
313 try:
320 try:
314 self.scm_model.toggle_following_user(user_id,
321 self.scm_model.toggle_following_repo(repo_id,
315 self.authuser.user_id)
322 self.authuser.user_id)
316 Session.commit()
323 Session.commit()
317 return 'ok'
324 return 'ok'
318 except Exception:
325 except Exception:
319 log.error(traceback.format_exc())
326 log.error(traceback.format_exc())
320 raise HTTPBadRequest()
327 raise HTTPBadRequest()
321
328
322 repo_id = request.POST.get('follows_repo_id')
323 if repo_id:
324 try:
325 self.scm_model.toggle_following_repo(repo_id,
326 self.authuser.user_id)
327 Session.commit()
328 return 'ok'
329 except Exception:
330 log.error(traceback.format_exc())
331 raise HTTPBadRequest()
332
333 log.debug('token mismatch %s vs %s' % (cur_token, token))
334 raise HTTPBadRequest()
329 raise HTTPBadRequest()
335
330
336 @LoginRequired()
331 @LoginRequired()
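Review bot: With the token gate gone, `follows_user_id` and `follows_repo_id` go from `request.POST` straight into the model calls inside `except Exception`, so a malformed id and a genuine database failure now produce the same `log.error` traceback and the same `HTTPBadRequest`. A narrow conversion before the model call — `int(user_id)` inside a `try`/`except ValueError: raise HTTPBadRequest()` (or `safe_int` from kallithea.lib.utils2, if that helper is in use here) — keeps the error log reserved for real failures. The dropped `log.debug('token mismatch ...')` also removed the only trace of a request that matched neither branch; a `log.debug('toggle_following: neither follows_user_id nor follows_repo_id given')` before the final `raise HTTPBadRequest()` restores that signal.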
@@ -134,23 +134,6 b' def FID(raw_id, path):'
134 return 'C-%s-%s' % (short_id(raw_id), md5(safe_str(path)).hexdigest()[:12])
134 return 'C-%s-%s' % (short_id(raw_id), md5(safe_str(path)).hexdigest()[:12])
135
135
136
136
137 def get_token():
138 """Return the current authentication token, creating one if one doesn't
139 already exist.
140 """
141 token_key = "_authentication_token"
142 from pylons import session
143 if not token_key in session:
144 try:
145 token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
146 except AttributeError: # Python < 2.4
147 token = hashlib.sha1(str(random.randrange(2 ** 128))).hexdigest()
148 session[token_key] = token
149 if hasattr(session, 'save'):
150 session.save()
151 return session[token_key]
152
153
154 class _GetError(object):
137 class _GetError(object):
155 """Get error from form_errors, and represent it as span wrapped error
138 """Get error from form_errors, and represent it as span wrapped error
156 message
139 message
@@ -458,20 +458,16 b' var _onSuccessFollow = function(target){'
458 }
458 }
459 }
459 }
460
460
461 var toggleFollowingRepo = function(target, follows_repo_id, token, user_id){
461 var toggleFollowingRepo = function(target, follows_repo_id){
462 var args = 'follows_repo_id=' + follows_repo_id;
462 var args = 'follows_repo_id=' + follows_repo_id;
463 args += '&amp;auth_token=' + token;
464 if(user_id != undefined){
465 args +="&amp;user_id=" + user_id;
466 }
467 $.post(TOGGLE_FOLLOW_URL, args, function(data){
463 $.post(TOGGLE_FOLLOW_URL, args, function(data){
468 _onSuccessFollow(target);
464 _onSuccessFollow(target);
469 });
465 });
470 return false;
466 return false;
471 };
467 };
472
468
473 var showRepoSize = function(target, repo_name, token){
469 var showRepoSize = function(target, repo_name){
474 var args = 'auth_token=' + token;
470 var args = '';
475
471
476 if(!$("#" + target).hasClass('loaded')){
472 if(!$("#" + target).hasClass('loaded')){
477 $("#" + target).html(_TM['Loading ...']);
473 $("#" + target).html(_TM['Loading ...']);
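Review bot: `var args = '';` in showRepoSize now seeds an empty request body; if the lines outside the hunk append nothing to it, the variable and the string building can go, and in toggleFollowingRepo passing an object, `$.post(TOGGLE_FOLLOW_URL, {follows_repo_id: follows_repo_id}, ...)`, lets jQuery do the encoding instead of manual concatenation. These two `$.post` calls are also where a session-bound token would have to be attached once a request-wide CSRF check replaces the removed one; a header configured once through `$.ajaxSetup` would cover both without further per-call arguments. showRepoSize's body continues past the hunk.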
@@ -22,7 +22,6 b''
22 <h3>${_('Public Journal Visibility')}</h3>
22 <h3>${_('Public Journal Visibility')}</h3>
23 ${h.form(url('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='put')}
23 ${h.form(url('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='put')}
24 <div class="form">
24 <div class="form">
25 ${h.hidden('auth_token',str(h.get_token()))}
26 <div class="field">
25 <div class="field">
27 %if c.in_public_journal:
26 %if c.in_public_journal:
28 <button class="btn btn-small" type="submit">
27 <button class="btn btn-small" type="submit">
@@ -176,7 +176,7 b''
176 ## also it feels like a job for the controller
176 ## also it feels like a job for the controller
177 %if c.authuser.username != 'default':
177 %if c.authuser.username != 'default':
178 <li>
178 <li>
179 <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id},'${str(h.get_token())}');">
179 <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id});">
180 <span class="show-follow"><i class="icon-heart-empty"></i> ${_('Follow')}</span>
180 <span class="show-follow"><i class="icon-heart-empty"></i> ${_('Follow')}</span>
181 <span class="show-following"><i class="icon-heart"></i> ${_('Unfollow')}</span>
181 <span class="show-following"><i class="icon-heart"></i> ${_('Unfollow')}</span>
182 </a>
182 </a>
@@ -212,6 +212,6 b''
212
212
213 <%def name="toggle_follow(repo_id)">
213 <%def name="toggle_follow(repo_id)">
214 <span id="follow_toggle_${repo_id}" class="following" title="${_('Stop following this repository')}"
214 <span id="follow_toggle_${repo_id}" class="following" title="${_('Stop following this repository')}"
215 onclick="javascript:toggleFollowingRepo(this, ${repo_id},'${str(h.get_token())}')">
215 onclick="javascript:toggleFollowingRepo(this, ${repo_id})">
216 </span>
216 </span>
217 </%def>
217 </%def>
@@ -157,7 +157,7 b" summary = lambda n:{False:'summary-short"
157
157
158 %if c.authuser.username != 'default':
158 %if c.authuser.username != 'default':
159 <li class="repo_size">
159 <li class="repo_size">
160 <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}','${str(h.get_token())}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
160 <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
161 <span class="stats-bullet" id="repo_size_2"></span>
161 <span class="stats-bullet" id="repo_size_2"></span>
162 </li>
162 </li>
163 %endif
163 %endif
@@ -23,8 +23,7 b' class TestJournalController(TestControll'
23 #
23 #
24 # response = self.app.post(url(controller='journal',
24 # response = self.app.post(url(controller='journal',
25 # action='toggle_following'),
25 # action='toggle_following'),
26 # {'auth_token':get_token(session),
26 # {'follows_repo_id':repo.repo_id})
27 # 'follows_repo_id':repo.repo_id})
28
27
29 def test_start_following_repository(self):
28 def test_start_following_repository(self):
30 self.log_user()
29 self.log_user()
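Review bot: The updated call in the commented-out block stays disabled, so the rewritten `toggle_following` has no coverage in this commit even though its request shape changed. The comment now matches the new call, `{'follows_repo_id': repo.repo_id}`, and could be turned into a live test that posts it and asserts the following state before and after. `test_start_following_repository` continues outside the hunk.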