Changeset 1416

Timestamp:
02/16/08 13:24:37 (2 years ago)
Author:
JensDiemer
Message:

Patch for 148 - Disabling PermitViewPublic does not prevent anonymous viewing of the page
Thanks to rantaaho

Location:
trunk
Files:
9 modified

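--- a/trunk/AUTHORS
+++ b/trunk/AUTHORS
@@ -12,5 +12,6 @@
 
 CONTRIBUTORS:
-    IbOn <ibonso@gmail.com>
+    rantaaho <rantaaho@gmail.com>
+    IbOn <ibonso@gmail.com>
     Guido Leisker <http://www.guido-leisker.de>
     Alen Hopek <http://www.mactricks.de>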
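--- a/trunk/pylucid/PyLucid/index.py
+++ b/trunk/pylucid/PyLucid/index.py
@@ -20,5 +20,5 @@
 import datetime, md5
 
-from django.http import HttpResponse, HttpResponsePermanentRedirect
+from django.http import HttpResponse, HttpResponsePermanentRedirect, HttpResponseRedirect
 from django.template import RequestContext
 from django.core.cache import cache
@@ -32,5 +32,5 @@
 from PyLucid.system import plugin_manager
 from PyLucid.system.response import SimpleStringIO
-from PyLucid.system.exceptions import AccessDeny
+from PyLucid.system.exceptions import AccessDenied
 from PyLucid.system.page_msg import PageMessages
 from PyLucid.system.detect_page import get_current_page_obj, \
@@ -210,7 +210,16 @@
 
     # Get the response for the requested cms page:
-    current_page_obj = get_current_page_obj(request, url)
-    context = _get_context(request, current_page_obj)
-    response = _render_cms_page(context)
+    try:
+        current_page_obj = get_current_page_obj(request, url)
+        context = _get_context(request, current_page_obj)
+        response = _render_cms_page(context)
+    except AccessDenied:
+        # FIXME: We should build the command url in a better way
+        #     Don't insert a hardcoded ID! Use the default ID.
+        next = '?next=%s' % request.path
+        path = '/'.join(
+            ('',settings.COMMAND_URL_PREFIX,'1','auth','login',next)
+        )
+        return HttpResponseRedirect(path)
 
     if use_cache:
@@ -268,6 +277,6 @@
             context, local_response, module_name, method_name, url_args
         )
-    except AccessDeny:
-        page_content = "[Permission Deny!]"
+    except AccessDenied:
+        page_content = "[Permission Denied!]"
     else:
         if output == None: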
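Review bot: In the new `except AccessDenied` branch (new lines 219-222), `request.path` is interpolated into the `?next=` query string without URL-encoding, so a path containing `&`, `#` or `%` is truncated or misparsed when the login view reads `next` back out of GET. Quote it with the standard library, `next = '?next=%s' % urllib.quote(request.path)` (adding `import urllib` beside the other imports), and consider renaming the local `next`, which shadows the builtin. The enclosing view function starts and ends outside the hunk.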
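--- a/trunk/pylucid/PyLucid/plugins_internal/auth/auth.py
+++ b/trunk/pylucid/PyLucid/plugins_internal/auth/auth.py
@@ -1,4 +1,4 @@
 #!/usr/bin/python
-# -*- coding: UTF-8 -*-
+# -*- coding: utf-8 -*-
 
 """
@@ -27,4 +27,5 @@
 import datetime
 
+from django.http import HttpResponseRedirect
 from django.core import mail
 from django import newforms as forms
@@ -149,4 +150,6 @@
 
         UsernameForm = forms.form_for_model(User, fields=("username",))
+        
+        next_url = self.request.GET.get('next',self.URLs['scriptRoot'])
 
         def get_data(form):
@@ -192,8 +195,10 @@
                     self.page_msg.red("Wrong POST data.")
 
+        if DEBUG: self.page_msg("Next URL: %s" % next_url)
 
         context = {
             "fallback_url": self.URLs.adminLink(""),
             "form": username_form,
+            "next_url": next_url,
         }
         self._render_template("input_username", context)#, debug=True)
@@ -209,4 +214,6 @@
 
         PasswordForm = forms.form_for_model(User, fields=("password",))
+
+        next_url = self.request.POST.get('next_url',self.URLs['scriptRoot'])
 
         # Change the default TextInput to a PasswordInput
@@ -216,4 +223,5 @@
             "username": user.username,
             "logout_url": self.URLs.methodLink("logout"),
+            "next_url": next_url,
         }
 
@@ -232,5 +240,5 @@
                 else:
                     # Login ok
-                    return
+                    return HttpResponseRedirect(next_url)
 
         context["form"] = password_form
@@ -260,4 +268,9 @@
         # rebuild the login/logout link:
         add_dynamic_context(self.request, self.context)
+
+        next_url = self.request.POST.get('next_url',self.URLs['scriptRoot'])
+
+        # Redirect to next URL
+        HttpResponseRedirect(next_url)
 
 
@@ -276,5 +289,5 @@
             self.pass_reset(user.username, msg) # Display the pass reset form
             return
-
+        next_url = self.request.POST.get('next_url',self.URLs['scriptRoot'])
         salt = js_login_data.salt
         context = {
@@ -282,4 +295,5 @@
             "fallback_url": self.URLs.adminLink(""),
             "salt": salt,
+            "next_url": next_url,
             "PyLucid_media_url": settings.PYLUCID_MEDIA_URL,
         }
@@ -327,5 +341,5 @@
                     if user:
                         self._login_user(user)
-                        return
+                        return HttpResponseRedirect(next_url)
                 self._insert_reset_link(context)
                 self.page_msg.red(msg)
@@ -350,5 +364,5 @@
                 self.page_msg("password:", password)
                 self.page_msg("SHA-1 - Not implemented completly, yet :(")
-                return
+                return HttpResponseRedirect(next_url)
         else:
             password_form = PasswordForm()
@@ -373,4 +387,5 @@
 
         self.page_msg.green("You logged out.")
+        return HttpResponseRedirect(self.URLs['scriptRoot'])
 
     #__________________________________________________________________________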
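Review bot: `next_url` is read from GET/POST (new lines 153, 217, 271, 291) and handed straight to `HttpResponseRedirect` on new lines 242, 343 and 366 with no check that it is a site-local path, so after a successful login the browser is sent wherever the `next` parameter pointed, including a different host. Constrain it before use, for example `if not next_url.startswith('/') or next_url.startswith('//'): next_url = self.URLs['scriptRoot']`, ideally in one small helper called at all four read sites instead of repeating the `.get('next_url', ...)` line. Separately, new line 274 builds `HttpResponseRedirect(next_url)` but discards the result, so as written those lines have no effect; either `return` it or drop them. The methods these hunks touch all begin outside their hunks.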
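--- a/trunk/pylucid/PyLucid/plugins_internal/auth/internal_pages/input_password.html
+++ b/trunk/pylucid/PyLucid/plugins_internal/auth/internal_pages/input_password.html
@@ -6,4 +6,5 @@
   <input type="hidden" name="username" value="{{ username }}" />
   <input type="hidden" name="sha_login" value="little secure sha login" />
+  <input type="hidden" name="next_url" value="{{ next_url }}" />
 
   <label for="plaintext_pass">{% trans 'Password' %}:</label>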
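Review bot: `{{ next_url }}` is rendered into a quoted attribute value on the added line, and it originates from the `next` query parameter that index.py builds and auth.py reads back from GET. If template autoescaping is not active here (this tree still uses `django.newforms`, so it may predate default autoescaping — confirm), a crafted `next` value can break out of the attribute. Render it as `value="{{ next_url|escape }}"` here and on the same added line in input_username.html and plaintext_login.html.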
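--- a/trunk/pylucid/PyLucid/plugins_internal/auth/internal_pages/input_username.html
+++ b/trunk/pylucid/PyLucid/plugins_internal/auth/internal_pages/input_username.html
@@ -12,4 +12,5 @@
   <input type="submit" id="sha_button" name="sha_login" value="SHA-1 login" />
   <input type="submit" id="plaintext_button" name="plaintext_login" value="unsecure plaintext login" onclick="return confirm('Do you realy want to send your password in plaintext?')"/>
+  <input type="hidden" name="next_url" value="{{ next_url }}" />
 </form>
 </fieldset>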
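--- a/trunk/pylucid/PyLucid/plugins_internal/auth/internal_pages/plaintext_login.html
+++ b/trunk/pylucid/PyLucid/plugins_internal/auth/internal_pages/plaintext_login.html
@@ -4,4 +4,5 @@
   <input type="hidden" name="username" value="{{ username }}" />
   <input type="hidden" name="plaintext_login" value="unsecure plaintext login" />
+  <input type="hidden" name="next_url" value="{{ next_url }}" />
   {{ form }}
   <input type="submit" value="{% trans 'Log in' %}" />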
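--- a/trunk/pylucid/PyLucid/system/detect_page.py
+++ b/trunk/pylucid/PyLucid/system/detect_page.py
@@ -18,4 +18,5 @@
 
 from PyLucid.models import Page, Preference, Template
+from PyLucid.system.exceptions import AccessDenied
 
 from django.utils.translation import ugettext as _
@@ -84,7 +85,13 @@
     shortcuts.reverse()
     wrong_shutcuts = []
+    # FIXME: We need no for loop here, isn't it?
     for shortcut in shortcuts:
         try:
-            return Page.objects.get(shortcut__exact=shortcut)
+            page = Page.objects.get(shortcut__exact=shortcut)
         except Page.DoesNotExist:
             raise Http404(_("Page '%s' doesn't exists.") % shortcut)
+
+        if request.user.is_anonymous() and not page.permitViewPublic:
+            raise AccessDenied
+        else:
+            return page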
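Review bot: The new `permitViewPublic` check (new lines 94-97) only guards the return inside the shortcut loop; `get_current_page_obj` begins before the hunk, so if it has another way of producing a page (a default page when no shortcut matches, for instance) that path is not covered and is worth confirming. The `else:` on new line 96 is redundant after `raise`, so `return page` can sit directly at loop-body level. Note also that `Http404` is raised before the permission check, so an anonymous request can tell a non-existent shortcut apart from an existing private one; if that distinction matters, consider giving both cases the same response.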
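--- a/trunk/pylucid/PyLucid/system/exceptions.py
+++ b/trunk/pylucid/PyLucid/system/exceptions.py
@@ -1,4 +1,4 @@
 #!/usr/bin/python
-# -*- coding: UTF-8 -*-
+# -*- coding: utf-8 -*-
 
 """
@@ -9,5 +9,8 @@
 """
 
-class AccessDeny(Exception):
+class AccessDenied(Exception):
+    """
+    e.g. anonymous tries to view a cms page without permitViewPublic flag.
+    """
     pass
 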
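Review bot: `pass` on new line 15 is redundant once the class body holds the docstring added on lines 12-14, so `class AccessDenied(Exception):` can carry the docstring alone. While touching it, the docstring would read better as a full sentence, e.g. `Raised when an anonymous user requests a cms page whose permitViewPublic flag is not set.`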
  • trunk/pylucid/PyLucid/system/plugin_manager.py

    r1409 r1416  
    134134        request.must_login = True # For static_tags an the robot tag 
    135135 
    136         if request.user.username == "": 
     136        if request.user.is_anonymous(): 
    137137            # User is not logged in 
    138138            if method_cfg.get("no_rights_error", False) == True: 
     
    141141                return "" 
    142142            else: 
    143                 raise AccessDeny 
     143                raise AccessDenied 
    144144 
    145145    if method_cfg["must_admin"]: 
    146146        # The User must be an admin to use this method 
    147147        if not (request.user.is_superuser or request.user.is_staff): 
    148             raise AccessDeny 
     148            raise AccessDenied 
    149149 
    150150    URLs = context["URLs"]