upstream/kallithea Commit - r4990:959a9fa7

controllers: remove old auth_token checks - it was only partial CSRF protection

Mads Kiilerich -

r4990:959a9fa7 default

parent child

kallithea/controllers/admin/repos.py

0 0 -7

                  HasRepoGroupPermissionAny, HasRepoPermissionAnyDecorator
              from kallithea.lib.base import BaseRepoController, render
              from kallithea.lib.utils import action_logger, repo_name_slug, jsonify
-             from kallithea.lib.helpers import get_token
              from kallithea.lib.vcs import RepositoryError
              from kallithea.model.meta import Session
              from kallithea.model.db import User, Repository, UserFollowing, RepoGroup,\
                      :param repo_name:
                      """
-                     cur_token = request.POST.get('auth_token')
-                     token = get_token()
-                     if cur_token == token:
-                         try:
-                             repo_id = Repository.get_by_repo_name(repo_name).repo_id
-                             user_id = User.get_default_user().user_id
-                             h.flash(_('An error occurred during setting this'
-                                       ' repository in public journal'),
-                                     category='error')
-                     else:
-                         h.flash(_('Token mismatch'), category='error')
                      return redirect(url('edit_repo_advanced', repo_name=repo_name))

kallithea/controllers/journal.py

0 0 -5

                  @LoginRequired()
                  @NotAnonymous()
                  def toggle_following(self):
-                     cur_token = request.POST.get('auth_token')
-                     token = h.get_token()
-                     if cur_token == token:
-                         user_id = request.POST.get('follows_user_id')
-                         if user_id:
-                             try:
-                                 log.error(traceback.format_exc())
-                                 raise HTTPBadRequest()
-                     log.debug('token mismatch %s vs %s' % (cur_token, token))
                      raise HTTPBadRequest()
                  @LoginRequired()

kallithea/lib/helpers.py

0 0 -17

                  return 'C-%s-%s' % (short_id(raw_id), md5(safe_str(path)).hexdigest()[:12])
-             def get_token():
-                 """Return the current authentication token, creating one if one doesn't
-                 already exist.
-                 """
-                 token_key = "_authentication_token"
-                 from pylons import session
-                 if not token_key in session:
-                     try:
-                         token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
-                     except AttributeError:  # Python < 2.4
-                         token = hashlib.sha1(str(random.randrange(2 ** 128))).hexdigest()
-                     session[token_key] = token
-                     if hasattr(session, 'save'):
-                         session.save()
-                 return session[token_key]
              class _GetError(object):
                  """Get error from form_errors, and represent it as span wrapped error
                  message

kallithea/public/js/base.js

0 +3 -7

                  }
              }
-             var toggleFollowingRepo = function(target, follows_repo_id, token, user_id){
+             var toggleFollowingRepo = function(target, follows_repo_id){
                  var args = 'follows_repo_id=' + follows_repo_id;
-                 args += '&amp;auth_token=' + token;
-                 if(user_id != undefined){
-                     args +="&amp;user_id=" + user_id;
+                 }
                  $.post(TOGGLE_FOLLOW_URL, args, function(data){
                          _onSuccessFollow(target);
                      });
                  return false;
              };
-             var showRepoSize = function(target, repo_name, token){
-                 var args = 'auth_token=' + token;
+             var showRepoSize = function(target, repo_name){
+                 var args = '';
                  if(!$("#" + target).hasClass('loaded')){
                      $("#" + target).html(_TM['Loading ...']);

kallithea/templates/admin/repos/repo_edit_advanced.html

0 0 -1

              <h3>${_('Public Journal Visibility')}</h3>
              ${h.form(url('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='put')}
              <div class="form">
-               ${h.hidden('auth_token',str(h.get_token()))}
                <div class="field">
                %if c.in_public_journal:
                  <button class="btn btn-small" type="submit">

kallithea/templates/base/base.html

0 +1 -1

                            ## also it feels like a job for the controller
                            %if c.authuser.username != 'default':
                                <li>
-                                <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id},'${str(h.get_token())}');">
+                                <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id});">
                                  <span class="show-follow"><i class="icon-heart-empty"></i> ${_('Follow')}</span>
                                  <span class="show-following"><i class="icon-heart"></i> ${_('Unfollow')}</span>
                                </a>

kallithea/templates/data_table/_dt_elements.html

0 +1 -1

              <%def name="toggle_follow(repo_id)">
                <span id="follow_toggle_${repo_id}" class="following" title="${_('Stop following this repository')}"
-                     onclick="javascript:toggleFollowingRepo(this, ${repo_id},'${str(h.get_token())}')">
+                     onclick="javascript:toggleFollowingRepo(this, ${repo_id})">
                </span>
              </%def>

kallithea/templates/summary/summary.html

0 +1 -1

                          %if c.authuser.username != 'default':
                          <li class="repo_size">
-                           <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}','${str(h.get_token())}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
+                           <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
                            <span  class="stats-bullet" id="repo_size_2"></span>
                          </li>
                          %endif

kallithea/tests/functional/test_journal.py

0 +1 -2

              #
              #        response = self.app.post(url(controller='journal',
              #                                     action='toggle_following'),
-             #                                     {'auth_token':get_token(session),
-             #                                      'follows_repo_id':repo.repo_id})
+             #                                     {'follows_repo_id':repo.repo_id})
                  def test_start_following_repository(self):
                      self.log_user()

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages