Changeset 2572

Timestamp:

03/11/10 16:25:23 (5 months ago)

Author:

JensDiemer

Message:

reimplement JS-SHA-Login. Use jQuery. Do everything in one step. fixed: ticket:270 ticket:273

Location:

branches/0.9/pylucid_project

Files:

• apps/pylucid/models/log.py (modified) (2 diffs)
• apps/pylucid_admin/admin_site.py (modified) (2 diffs)
• media/PyLucid/pylucid_js_tools.js (modified) (2 diffs)
• media/PyLucid/shared_sha_tools.js (modified) (1 diff)
• media/PyLucid/sha_login_input_password.js (deleted)
• pylucid_plugins/auth/auth.OLD_py (deleted)
• pylucid_plugins/auth/auth_cfg.OLDpy (deleted)
• pylucid_plugins/auth/forms.py (modified) (2 diffs)
• pylucid_plugins/auth/preference_forms.py (modified) (1 diff)
• pylucid_plugins/auth/templates/auth/django_login.html (added)
• pylucid_plugins/auth/templates/auth/input_password.css (deleted)
• pylucid_plugins/auth/templates/auth/input_password.html (deleted)
• pylucid_plugins/auth/templates/auth/input_username.css (deleted)
• pylucid_plugins/auth/templates/auth/input_username.html (deleted)
• pylucid_plugins/auth/templates/auth/login_info.html (deleted)
• pylucid_plugins/auth/templates/auth/new_password_form.css (deleted)
• pylucid_plugins/auth/templates/auth/new_password_form.html (deleted)
• pylucid_plugins/auth/templates/auth/new_password_form.js (deleted)
• pylucid_plugins/auth/templates/auth/pass_reset_email.html (deleted)
• pylucid_plugins/auth/templates/auth/pass_reset_form.html (deleted)
• pylucid_plugins/auth/templates/auth/plaintext_login.html (deleted)
• pylucid_plugins/auth/templates/auth/sha_form.html (added)
• pylucid_plugins/auth/tests.py (added)
• pylucid_plugins/auth/test_settings.py (added)
• pylucid_plugins/auth/views.py (modified) (7 diffs)
• pylucid_plugins/auth/__init__.py (modified) (1 diff)
• utils/crypt.py (modified) (2 diffs)

branches/0.9/pylucid_project/apps/pylucid/models/log.py

@@ -59 +59 @@
         return queryset
 
-    def request_limit(self, request, min_pause, ban_limit, app_label):
+    def request_limit(self, request, min_pause, ban_limit, app_label, no_page_msg=False):
         """
         Monitor request min_pause and ban_limit.
@@ -84 +84 @@
         if last_actions > 0:
             msg = _("Request too fast!")
+            debug_msg = " (%s in the last %ssec. IP is blocked by %s overruns.)" % (
+                last_actions, min_pause, ban_limit
+            )
             if settings.DEBUG:
-                msg += _(" Please wait min. %ssec.") % min_pause
-            request.page_msg.error(msg)
+                msg += debug_msg
+            if no_page_msg == False:
+                request.page_msg.error(msg)
             LogEntry.objects.log_action(
-                app_label=app_label, action="request aborted", message="(%s in the last %ssec.)" % (last_actions, min_pause),
+                app_label=app_label, action="request aborted", message=debug_msg,
             )
-            raise self.model.RequestTooFast()
+            raise self.model.RequestTooFast(msg)
 
     def log_action(self, app_label, action, request=None, message=None, long_message=None, data=None):

branches/0.9/pylucid_project/apps/pylucid_admin/admin_site.py

@@ -4 +4 @@
 from django.contrib import admin
 from django.http import HttpResponseRedirect
-
-from pylucid_project.apps.pylucid.models import PageTree, UserProfile
-
 
 
@@ -17 +14 @@
             return super(PyLucidAdminSite, self).logout(request)
 
+        # Use the PyLucid own logout view, so the user it back on his cms page
         url = "/?" + settings.PYLUCID.AUTH_LOGOUT_GET_VIEW
         return HttpResponseRedirect(url)
 
-    def login(self, request):
-        """
-        Redirect to PyLucid's own login view.
-        In debug mode:
-            -user can suppress the redirect by adding any GET parameter. (e.g: domain.tld/admin/?foobar)
-            -Don't redirect if PyLucid own login view can't work.
-            
-        TODO: prevent redirect loops
-        """
-        if PageTree.on_site.all().count() == 0 or UserProfile.on_site.all().count() == 0 or \
-                                                                        (request.GET and settings.DEBUG):
-            return super(PyLucidAdminSite, self).login(request)
-
-        url = settings.PYLUCID.AUTH_NEXT_URL % {"path": "/", "next_url": request.get_full_path()}
-        return HttpResponseRedirect(url)
 
 pylucid_admin_site = PyLucidAdminSite()
 
+
 # Use all django contrib model admins in our own admin site ;)
 pylucid_admin_site._registry = admin.site._registry

branches/0.9/pylucid_project/media/PyLucid/pylucid_js_tools.js

@@ -45 +45 @@
                 
         log("redirect work-a-round: replace the complete page");
+                log(data);
         log("</body> index:" + data.indexOf("</body>"));
         replace_complete_page(data)
@@ -69 +70 @@
     if (!response_text) {
         response_text = "<h1>Ajax response error without any response text.</h1>";
+                response_text += "<p>textStatus:" + textStatus + "</p>"
+                response_text += "<p>errorThrown:" + errorThrown + "</p>"
+                replace_page_content(response_text, textStatus);
+                return
     }
     replace_complete_page(response_text);

branches/0.9/pylucid_project/media/PyLucid/shared_sha_tools.js

@@ -3 +3 @@
  */
 
-check_ok = false;
-debug_msg = false;
-
-// length of a SHA1 hexdigest string:
-HASH_LEN = 40;
-// length of the salt and challenge value string:
-SALT_LEN = 5;
-
-
-if (!document.getElementById) {
-    alert("Error: Your Browser is not supported!");
-}
-
-if (navigator.cookieEnabled) {
-    if (navigator.cookieEnabled != true) {
-        alert("You must enable Cookies in your Browser!");
-    }
-}
-
-/* ___________________________________________________________________________
- *  needfull generic functions:
- */
-
-function get_value(object_id) {
-    // get a form value
-    try {
-        return document.getElementById(object_id).value;
-    } catch (e) {
-        alert("get_value('"+object_id+"') error! " + e);
-    }
-}
-
-function set_value(object_id, value) {
-    // set a form value
-    try {
-        obj = document.getElementById(object_id).value = value;
-    } catch (e) {
-        alert("set_value('"+object_id+"', '"+value+"') error! " + e);
-    }
-}
-
-function set_focus(object_id) {
-    try {
-        debug("set focus on id:" + object_id);
-        document.getElementById(object_id).focus();
-    } catch (e) {
-        alert("set_focus('"+object_id+"') error:" + e);
-    }
-}
-
-function hide_by_id(object_id) {
-    try {
-        debug("hide_by_id: "+object_id);
-        obj = document.getElementById(object_id);
-        obj.style.display = 'none';
-    } catch (e) {
-        alert("hide_by_id('"+object_id+"') error:" + e);
-    }
-}
-function unhide_by_id(object_id) {
-    try {
-        debug("unhide_by_id: "+object_id);
-        obj = document.getElementById(object_id);
-        obj.style.display = 'block';
-    } catch (e) {
-        alert("unhide_by_id('"+object_id+"') error:" + e);
-    }
-}
-
-function change_color(object_id, color_name) {
-    try {
-        debug("change_color: "+object_id);
-        obj = document.getElementById(object_id);
-        obj.style.backgroundColor = color_name;
-    } catch (e) {
-        alert("change_color('"+object_id+"', '"+color_name+"') error:" + e);
-    }
-}
-
-/* ___________________________________________________________________________
- *  special functions:
- */
-
-function check_ascii_only(data) {
+function is_only_ascii(data) {
+    // Check if the given string contains only ASCII characters
     for (var i = 1; i <= data.length; i++) {
-       unicode_charcode = data.charCodeAt(i);
-       if (unicode_charcode > 127) {
-            alert("Only ASCII letters are allowed!");
+       if (data.charCodeAt(i) > 127) {
             return false;
        }
     }
     return true;
- }
+}
 
-function get_plaintext_pass(object_id) {
+function sha_hexdigest(txt) {
+    // build the SHA hexdigest from the given string. Return false is anything is wrong.
     try {
-        in_pass = get_value(object_id);
-        debug("in_pass:" + in_pass);
-        if (in_pass.length<8) {
-            alert("Password min len 8! - current len:" + in_pass.length);
-            set_focus(object_id)
+        log("sha_hexdigest(" + txt + "):");
+        SHA_hexdigest = hex_sha1(txt); // from: sha.js
+        len = SHA_hexdigest.length;
+        if (len != HASH_LEN) {
+            page_msg_error("sha_hexdigest() error! wrong length:" + len);
             return false;
         }
-
-        if (check_ascii_only(in_pass) == false) {
-            set_focus(object_id)
-            return false;
-        }
-        return in_pass;
+        log(SHA_hexdigest);
+        return SHA_hexdigest;
     } catch (e) {
-        alert("get_plaintext_pass() error:" + e);
+        page_msg_error("sha_hexdigest() error:" + e);
         return false;
     }
 }
 
-function make_SHA(txt) {
-    try {
-        debug("make_SHA(" + txt + "):");
-        SHA_hexdigest = hex_sha1(txt); // from: sha.js
-        len = SHA_hexdigest.length;
-        if (len != HASH_LEN) {
-            alert("make_SHA() error! wrong length:" + len);
-            return false;
-        }
-        debug(SHA_hexdigest);
-        return SHA_hexdigest;
-    } catch (e) {
-        alert("make_SHA() error:" + e);
-        return false;
-    }
+function _page_msg(msg){
+    $("#js_page_msg").html(msg).css("display", "block").slideDown();
 }
-
-
-/* ___________________________________________________________________________
- *  debugging:
- */
-
-function init_debug() {
-    /* Create a debug window, if it's not exists */
-    try {
-        if (debug_msg != true) { return; }
-        try {
-            if (debug_window) {
-                return;
-            }
-        } catch (e) {}
-        debug_window = window.open("", "Debug", "dependent=yes, resizable=yes, scrollbars=yes, width=350, height=400, top=1, left=" + window.outerWidth);
-
-        debug_win = debug_window.document;
-        debug_win.writeln("<style>* { font-size: 0.85em; }</style>");
-
-        var now = new Date();
-        now = now.toLocaleString();
-
-        debug_win.writeln("<h1>JS Debug - "+now+":</h1>");
-        debug_win.writeln("---[DEBUG START]---");
-        debug_win.writeln("cookie:" + document.cookie +"<br />");
-    } catch (e) {
-        alert("init_debug() error:" + e);
-    }
+function page_msg_error(msg) {
+    $("#js_page_msg").removeClass("page_msg_info page_msg_success").addClass("page_msg_error");
+    _page_msg(msg);
 }
-
-
-function debug(msg) {
-    try {
-        if (debug_msg != true) { return; }
-        init_debug();
-        debug_win.writeln(msg + "<br />");
-        debug_window.focus();
-        // scroll to the last lines
-        debug_window.scrollBy(0, 1000);
-    } catch (e) {
-        alert("debug('"+msg+"') error:" + e);
-    }
+function page_msg_success(msg) {
+    $("#js_page_msg").removeClass("page_msg_info page_msg_success").addClass("page_msg_success");
+    _page_msg(msg);    
 }
-
-
-function debug_confirm() {
-    try {
-       if (debug_msg != true) { return; }
-       debug_window.focus();
-       debug_win.writeln("---[DEBUG END]---");
-       alert("OK for closing the debug window.");
-       debug_window.close();
-       debug_window = false;
-    } catch (e) {
-        alert("debug_confirm() error:" + e);
-    }
+function page_msg_info(msg) {
+    $("#js_page_msg").removeClass("page_msg_success page_msg_error").addClass("page_msg_info");
+    _page_msg(msg);    
 }

branches/0.9/pylucid_project/pylucid_plugins/auth/forms.py

@@ -8 +8 @@
 
 from pylucid_project.utils import crypt
-
-
-
-def get_newforms_data(key_name, cleaned_data):
-    if not key_name in cleaned_data:
-        raise forms.ValidationError(u"No '%s' data in the form." % key_name)
-    return cleaned_data[key_name]
-
-
-def validate_sha1(key_name, cleaned_data):
-    """
-    A universal routine to validate a SHA1 hexdigest for newforms.
-    """
-    sha_value = get_newforms_data(key_name, cleaned_data)
-
-    if crypt.validate_sha_value(sha_value) == True:
-        return sha_value
-    else:
-        raise forms.ValidationError(u"Wrong '%s' data." % key_name)
-
-
-class SHA_LoginForm(forms.Form):
+from pylucid_project.apps.pylucid.models import UserProfile
+
+class WrongUserError(Exception):
+    pass
+
+class UsernameForm(forms.Form):
+    username = forms.CharField(max_length=_('30'), label=_('Username'),
+        help_text=_('Required. 30 characters or fewer. Alphanumeric characters only (letters, digits and underscores).')
+    )
+
+    def get_user(self):
+        username = self.cleaned_data["username"]
+        try:
+            user = User.objects.get(username=username)
+        except User.DoesNotExist, e:
+            raise WrongUserError("User %r doesn't exists!" % username)
+
+        if not user.is_active:
+            raise WrongUserError("User %r is not active!" % user)
+
+        return user
+
+    def get_user_profile(self, user=None):
+        if user is None:
+            user = self.get_user()
+        try:
+            return user.get_profile()
+        except UserProfile.DoesNotExist, err:
+            raise WrongUserError("Can't get user profile: %r" % err)
+
+    def get_user_and_profile(self):
+        user = self.get_user()
+        user_profile = self.get_user_profile(user)
+        return user, user_profile
+
+
+class ShaLoginForm(UsernameForm):
     """
     Form for the SHA1-JavaScript-Login.
     """
-    sha_a2 = forms.CharField(
-        min_length=crypt.HASH_LEN, max_length=crypt.HASH_LEN
-    )
-    sha_b = forms.CharField(
-        min_length=crypt.HASH_LEN / 2, max_length=crypt.HASH_LEN / 2
-    )
-
-    #__________________________________________________________________________
-    # Validate the SHA1 hexdigest values:
+    sha_a2 = forms.CharField(min_length=crypt.HASH_LEN, max_length=crypt.HASH_LEN)
+    sha_b = forms.CharField(min_length=crypt.HASH_LEN / 2, max_length=crypt.HASH_LEN / 2)
 
     def clean_sha_a2(self):
-        return validate_sha1("sha_a2", self.cleaned_data)
+        sha_a2 = self.cleaned_data["sha_a2"]
+        if crypt.validate_sha_value(sha_a2) != True:
+            raise forms.ValidationError(u"sha_a2 is not valid SHA value.")
+
+        return sha_a2
 
     def clean_sha_b(self):
@@ -51 +63 @@
         some characers to use the rypt.validate_sha_value() method.
         """
-        sha_value = get_newforms_data("sha_b", self.cleaned_data)
+        sha_b = self.cleaned_data["sha_b"]
 
         # Fill with null, to match the full SHA1 hexdigest length.
         fill_len = crypt.HASH_LEN - (crypt.HASH_LEN / 2)
-        temp_value = ("0" * fill_len) + sha_value
-
-        if crypt.validate_sha_value(temp_value) == True:
-            return sha_value
-        else:
-            raise forms.ValidationError(u"Wrong sha_b data.")
-
-
-class NewPasswordForm(forms.Form):
-    username = forms.CharField(
-        help_text="(required)", min_length=3, max_length=30
-    )
-
-    # Should normaly never be send back!
-    raw_password = forms.CharField(
-        help_text="(required)", required=False, widget=forms.PasswordInput()
-    )
-
-    sha_1 = forms.CharField(
-        label="SHA1 for django",
-        help_text="(automatic generated with JavaScript.)",
-        widget=forms.TextInput(attrs={"readonly":"readonly", "size":"40"}),
-        min_length=crypt.HASH_LEN, max_length=crypt.HASH_LEN
-    )
-    sha_2 = forms.CharField(
-        label="SHA1 for PyLucid",
-        help_text="(automatic generated with JavaScript.)",
-        widget=forms.TextInput(attrs={"readonly":"readonly", "size":"40"}),
-        min_length=crypt.HASH_LEN, max_length=crypt.HASH_LEN
-    )
-
-    #__________________________________________________________________________
-    # Validate the SHA1 hexdigest values:
-
-    def clean_sha_1(self):
-        return validate_sha1("sha_1", self.cleaned_data)
-
-    def clean_sha_2(self):
-        return validate_sha1("sha_2", self.cleaned_data)
-
-
-#______________________________________________________________________________
-# FORMS
-
-#class BaseModelForm(forms.ModelForm):
-#    """
-#    A model form witch don't validate unique fields.
-#
-#    This ModelForm is only for generating the forms and not for create/update
-#    any database data. So a field unique Test would like generate Errors like:
-#        User with this Username already exists.
-#
-#    see also:
-#    http://www.jensdiemer.de/_command/118/blog/detail/30/ (de)
-#    http://www.python-forum.de/topic-16000.html (de)
-#    """
-#    def __init__(self, *args, **kwargs):
-#        """ Change field meta in a DRY way """
-#        super(BaseModelForm, self).__init__(*args, **kwargs)
-#
-#        self.model.full_validate = self._skip
-#
-#    def _skip(self, *args, **kwargs):
-#        pass
-#
-#    def validate_unique(self):
-#        pass
-
-class UsernameForm(forms.Form):
-    """
-    form for input the username, used in auth.login()
-    
-    FIXME: This is not DRY.
-    """
-    username = forms.CharField(max_length=_('30'), label=_('Username'),
-        help_text=_('Required. 30 characters or fewer. Alphanumeric characters only (letters, digits and underscores).')
-    )
-
-    def is_valid(self):
-        """ do a secont validation: try to get the user from database and
-        check if he is active """
-        is_valid = super(UsernameForm, self).is_valid()
-        if not is_valid:
-            return False
-
-        username = self.cleaned_data["username"]
-        try:
-            self.user = User.objects.get(username=username)
-        except User.DoesNotExist, e:
-            self._errors["username"] = ("User doesn't exist!",)
-            return False
-
-        return True
-
-#    class Meta:
-#        model = User
-#        fields = ("username",)
-
-
-class PasswordForm(forms.Form):
-    """
-    form for input the username, used in auth._sha_login()
-    
-    FIXME: This is not DRY.
-    """
-    password = forms.CharField(max_length=_('128'), label=_('Password'), widget=forms.PasswordInput()
-    )
-
-#    def __init__(self, *args, **kwargs):
-#        """ Change field meta in a DRY way """
-#        super(PasswordForm, self).__init__(*args, **kwargs)
-#
-#        self.fields['password'].widget = forms.PasswordInput()
-#        self.fields['password'].help_text = ""
-
-    def is_valid(self, username):
-        is_valid = super(PasswordForm, self).is_valid()
-        if not is_valid:
-            return False
-
-        password = self.cleaned_data["password"]
-        self.user = auth.authenticate(username=username, password=password)
-        if not self.user:
-            self._errors["password"] = ("Wrong password!",)
-            return False
-
-        return True
-
-#    class Meta:
-#        model = User
-#        fields = ("password",)
-
-
-class ResetForm(forms.Form):
-    """
-    from for input username and email, used in auth.pass_reset()
-    """
-    username = forms.CharField(max_length=_('30'), label=_('Username'),
-        help_text=_('Required. 30 characters or fewer. Alphanumeric characters only (letters, digits and underscores).')
-    )
-    email = forms.EmailField(max_length=_('75'), label=_('E-mail address'))
-
-#    def __init__(self, *args, **kwargs):
-#        super(ResetForm, self).__init__(*args, **kwargs)
-#        # User.email is normaly a not required field, here it's required!
-#        self.fields['email'].required = True
-
-#    class Meta:
-#        model = User
-#        fields = ("username", "email")
+        temp_value = ("0" * fill_len) + sha_b
+
+        if crypt.validate_sha_value(temp_value) != True:
+            raise forms.ValidationError(u"sha_b is not a valid SHA value.")
+
+        return sha_b
+
+#
+#class NewPasswordForm(forms.Form):
+#    username = forms.CharField(
+#        help_text="(required)", min_length=3, max_length=30
+#    )
+#
+#    # Should normaly never be send back!
+#    raw_password = forms.CharField(
+#        help_text="(required)", required=False, widget=forms.PasswordInput()
+#    )
+#
+#    sha_1 = forms.CharField(
+#        label="SHA1 for django",
+#        help_text="(automatic generated with JavaScript.)",
+#        widget=forms.TextInput(attrs={"readonly":"readonly", "size":"40"}),
+#        min_length=crypt.HASH_LEN, max_length=crypt.HASH_LEN
+#    )
+#    sha_2 = forms.CharField(
+#        label="SHA1 for PyLucid",
+#        help_text="(automatic generated with JavaScript.)",
+#        widget=forms.TextInput(attrs={"readonly":"readonly", "size":"40"}),
+#        min_length=crypt.HASH_LEN, max_length=crypt.HASH_LEN
+#    )
+#
+#    #__________________________________________________________________________
+#    # Validate the SHA1 hexdigest values:
+#
+#    def clean_sha_1(self):
+#        return validate_sha1("sha_1", self.cleaned_data)
+#
+#    def clean_sha_2(self):
+#        return validate_sha1("sha_2", self.cleaned_data)
+#
+#
+##______________________________________________________________________________
+## FORMS
+#
+##class BaseModelForm(forms.ModelForm):
+##    """
+##    A model form witch don't validate unique fields.
+##
+##    This ModelForm is only for generating the forms and not for create/update
+##    any database data. So a field unique Test would like generate Errors like:
+##        User with this Username already exists.
+##
+##    see also:
+##    http://www.jensdiemer.de/_command/118/blog/detail/30/ (de)
+##    http://www.python-forum.de/topic-16000.html (de)
+##    """
+##    def __init__(self, *args, **kwargs):
+##        """ Change field meta in a DRY way """
+##        super(BaseModelForm, self).__init__(*args, **kwargs)
+##
+##        self.model.full_validate = self._skip
+##
+##    def _skip(self, *args, **kwargs):
+##        pass
+##
+##    def validate_unique(self):
+##        pass
+#
+#class UsernameForm(forms.Form):
+#    """
+#    form for input the username, used in auth.login()
+#    
+#    FIXME: This is not DRY.
+#    """
+#
+#
+##    class Meta:
+##        model = User
+##        fields = ("username",)
+#
+#
+#class PasswordForm(forms.Form):
+#    """
+#    form for input the username, used in auth._sha_login()
+#    
+#    FIXME: This is not DRY.
+#    """
+#    password = forms.CharField(max_length=_('128'), label=_('Password'), widget=forms.PasswordInput()
+#    )
+#
+##    def __init__(self, *args, **kwargs):
+##        """ Change field meta in a DRY way """
+##        super(PasswordForm, self).__init__(*args, **kwargs)
+##
+##        self.fields['password'].widget = forms.PasswordInput()
+##        self.fields['password'].help_text = ""
+#
+#    def is_valid(self, username):
+#        is_valid = super(PasswordForm, self).is_valid()
+#        if not is_valid:
+#            return False
+#
+#        password = self.cleaned_data["password"]
+#        self.user = auth.authenticate(username=username, password=password)
+#        if not self.user:
+#            self._errors["password"] = ("Wrong password!",)
+#            return False
+#
+#        return True
+#
+##    class Meta:
+##        model = User
+##        fields = ("password",)
+#
+#
+#class ResetForm(forms.Form):
+#    """
+#    from for input username and email, used in auth.pass_reset()
+#    """
+#    username = forms.CharField(max_length=_('30'), label=_('Username'),
+#        help_text=_('Required. 30 characters or fewer. Alphanumeric characters only (letters, digits and underscores).')
+#    )
+#    email = forms.EmailField(max_length=_('75'), label=_('E-mail address'))
+#
+##    def __init__(self, *args, **kwargs):
+##        super(ResetForm, self).__init__(*args, **kwargs)
+##        # User.email is normaly a not required field, here it's required!
+##        self.fields['email'].required = True
+#
+##    class Meta:
+##        model = User
+##        fields = ("username", "email")

branches/0.9/pylucid_project/pylucid_plugins/auth/preference_forms.py

@@ -10 +10 @@
     ban_limit = forms.IntegerField(
         help_text=_("Numbers login log messages after IP would be banned."),
-        initial=5, min_value=1, max_value=20
+        initial=6, min_value=1, max_value=20
     )
     min_pause = forms.IntegerField(
         help_text=_("Minimum pause in seconds between two login log messages from the same user. (Used 'REMOTE_ADDR')"),
-        initial=30, min_value=1, max_value=600
+        initial=15, min_value=1, max_value=600
     )
 

branches/0.9/pylucid_project/pylucid_plugins/auth/views.py

@@ -21 +21 @@
 from django.template import RequestContext
 from django.contrib.sites.models import Site
-from django.http import HttpResponseRedirect
+from django.http import HttpResponse, HttpResponseRedirect, HttpResponseBadRequest
 from django.utils.translation import ugettext as _
 from django.template.loader import render_to_string
@@ -27 +27 @@
 
 
-from pylucid.shortcuts import render_pylucid_response
-from pylucid.models import LogEntry, BanEntry, UserProfile
+from pylucid_project.apps.pylucid.shortcuts import render_pylucid_response
+from pylucid_project.apps.pylucid.models import LogEntry, BanEntry, UserProfile
 
 from pylucid_project.utils import crypt
 
-from pylucid_plugins.auth.forms import UsernameForm, PasswordForm, SHA_LoginForm
+from pylucid_project.pylucid_plugins.auth.forms import WrongUserError, UsernameForm, ShaLoginForm
 from pylucid_plugins.auth.preference_forms import AuthPreferencesForm
 
@@ -47 +47 @@
 
 
-# For the tag list from page_admin plugin:
-LUCIDTAG_EXAMPLE = """{% lucidTag admin_menu %}"""
+def _get_challenge(request):
+    """ create a new challenge, add it to session and return it"""
+    # Create a new random salt value for the password challenge:
+    challenge = crypt.get_new_salt()
+
+    # For later comparing with form data
+    request.session["challenge"] = challenge
+
+    return challenge
+
+
+def _bad_request(debug_msg):
+    """
+    Create a new LogEntry and return a HttpResponseBadRequest
+    """
+    LogEntry.objects.log_action(
+        app_label="pylucid_plugin.auth", action="login error", message=debug_msg,
+    )
+    if settings.DEBUG:
+        msg = debug_msg
+    else:
+        msg = ""
+    return HttpResponseBadRequest(msg)
+
+
+def _is_post_ajax_request(request):
+    if not request.is_ajax():
+        debug_msg = "request is not a ajax request"
+        return _bad_request(debug_msg)
+
+    if request.method != 'POST':
+        debug_msg = "request method %r wrong, only POST allowed" % request.method
+        return _bad_request(debug_msg)
 
 
@@ -57 +88 @@
     """
     if request.user.is_authenticated():
-        # admin_logout reverse is still broken in django, see:
-        # http://code.djangoproject.com/ticket/11080
-        # http://code.djangoproject.com/attachment/ticket/10061
-        #url = reverse("admin:logout")
-        #url = reverse("admin:index") + "logout/" # TODO: Update this if django is bugfixed
         template_name = "auth/logout_link.html"
-        url = "?auth=logout"
+        if hasattr(request.PYLUCID, "pagetree"):
+            # We are on a normal cms page -> Dont's change the url
+            url = ""
+        else:
+            # We are in the django admin panel -> Go to root page
+            url = "/"
+        url += "?auth=logout"
     else:
         template_name = "auth/login_link.html"
@@ -71 +103 @@
 
 
+def _wrong_login(request, debug_msg, user=None):
+    """ username or password is wrong. """
+    if settings.DEBUG:
+        error_msg = debug_msg
+    else:
+        error_msg = _("Wrong username/password.")
+
+    # Protection against DOS attacks.
+    pref_form = AuthPreferencesForm()
+    preferences = pref_form.get_preferences()
+    min_pause = preferences["min_pause"]
+    ban_limit = preferences["ban_limit"]
+    try:
+        LogEntry.objects.request_limit(
+            request, min_pause, ban_limit, app_label="pylucid_plugin.auth", no_page_msg=True
+        )
+    except LogEntry.RequestTooFast, err:
+        # min_pause is not observed
+        error_msg = err
+
+    # Log this error (Important: must be logged after LogEntry.objects.request_limit() stuff!
+    if user is not None:
+        data = {"user_username": user.username}
+    else:
+        data = None
+    LogEntry.objects.log_action(
+        app_label="pylucid_plugin.auth", action="login", message=debug_msg, data=data
+    )
+
+    # create a new challenge and add it to session
+    challenge = _get_challenge(request)
+
+    response = "%s;%s" % (challenge, error_msg)
+    return HttpResponse(response, content_type="text/plain")
+
+
+def _sha_auth(request):
+    """
+    login the user with username and sha values.
+    """
+    response = _is_post_ajax_request(request)
+    if response is not None: # It's not a Ajax POST request
+        return response # Return HttpResponseBadRequest
+
+    form = ShaLoginForm(request.POST)
+    if not form.is_valid():
+        debug_msg = "ShaLoginForm is not valid: %r" % form.errors
+        return _bad_request(debug_msg)
+
+    try:
+        challenge = request.session.pop("challenge")
+    except KeyError, err:
+        debug_msg = "Can't get 'challenge' from session: %s" % err
+        return _bad_request(debug_msg)
+
+    try:
+        user1, user_profile = form.get_user_and_profile()
+    except WrongUserError, err:
+        debug_msg = "Can't get user and user profile: %s" % err
+        return _wrong_login(request, debug_msg)
+
+    sha_checksum = user_profile.sha_login_checksum
+    sha_a2 = form.cleaned_data["sha_a2"]
+    sha_b = form.cleaned_data["sha_b"]
+
+    # authenticate with:
+    # pylucid.system.auth_backends.SiteSHALoginAuthBackend
+    user2 = auth.authenticate(
+        user=user1, challenge=challenge,
+        sha_a2=sha_a2, sha_b=sha_b,
+        sha_checksum=sha_checksum
+    )
+    if user2 is None:
+        debug_msg = "auth.authenticate() failed. (must be a wrong password)"
+        return _wrong_login(request, debug_msg, user1)
+    else:
+        # everything is ok -> log the user in and display "last login" page message
+        last_login = user2.last_login
+        auth.login(request, user2)
+        message = render_to_string('auth/login_info.html', {"last_login":last_login})
+        request.page_msg.successful(message)
+        return HttpResponse("OK", content_type="text/plain")
+
+
+def _get_salt(request):
+    """
+    return the user password salt.
+    If the user doesn't exist or is not active, return a pseudo salt.
+    """
+    response = _is_post_ajax_request(request)
+    if response is not None: # It's not a Ajax POST request
+        return response # Return HttpResponseBadRequest
+
+    user_profile = None
+    form = UsernameForm(request.POST)
+    if form.is_valid():
+        try:
+            user_profile = form.get_user_profile()
+        except WrongUserError, err:
+            if settings.DEBUG:
+                request.page_msg.error(err)
+
+    if user_profile is None: # Wrong user?
+        username = request.POST["username"]
+        if settings.DEBUG:
+            request.page_msg.error("Wrong user %r !" % username)
+        salt = crypt.get_pseudo_salt(username)
+    else:
+        salt = user_profile.sha_login_salt
+
+    return HttpResponse(salt, content_type="text/plain")
+
+
+def _login_view(request, next_url):
+    if request.method != 'GET':
+        debug_msg = "request method %r wrong, only GET allowed" % request.method
+        return _bad_request(debug_msg) # Return HttpResponseBadRequest
+
+    if "://" in next_url: # FIXME: How to validate this better?
+        # Don't redirect to other pages.
+        debug_msg = "next url %r seems to be wrong!" % next_url
+        return _bad_request(debug_msg) # Return HttpResponseBadRequest
+
+    form = ShaLoginForm()
+
+    # create a new challenge and add it to session
+    challenge = _get_challenge(request)
+
+    context = {
+        "challenge": challenge,
+        "salt_len": crypt.SALT_LEN,
+        "hash_len": crypt.HASH_LEN,
+        "get_salt_url": request.path + "?auth=get_salt",
+        "sha_auth_url": request.path + "?auth=sha_auth",
+        "next_url": next_url,
+        "form": form,
+        "pass_reset_link": "#TODO",
+    }
+
+    # return a string for replacing the normal cms page content
+    return render_pylucid_response(request, 'auth/sha_form.html', context, context_instance=RequestContext(request))
 
 
@@ -80 +253 @@
 
 
-def _login(request, user, next_url):
-    last_login = user.last_login
-
-    auth.login(request, user)
-
-    message = render_to_string('auth/login_info.html', {"last_login":last_login})
-    request.page_msg.successful(message)
-
-    return HttpResponseRedirect(next_url)
-
-
-def _plaintext_login(request, context, username, next_url):
-    """ input the password and login if auth ok """
-    if "password" in request.POST:
-        password_form = PasswordForm(request.POST)
-        if password_form.is_valid(username):
-            user = password_form.user # User instance added in UsernameForm.is_valid()
-            return _login(request, user, next_url)
-    else:
-        password_form = PasswordForm()
-
-    context["form"] = password_form
-
-    # return a string for replacing the normal cms page content
-    return render_pylucid_response(request, 'auth/plaintext_login.html', context)
-
-
-
-def _sha_login(request, context, user, next_url):
-    """
-    Login via JS-SHA-Login.
-    Display the JS-SHA-Login form and login if password is ok.
-    """
-    try:
-        user_profile = user.get_profile()
-    except UserProfile.DoesNotExist, err:
-        try:
-            UserProfile.objects.get(user=user)#.count()
-        except UserProfile.DoesNotExist, err:
-            # User profile doesn't generally not exist for this user. e.g. Update from v0.8.x ?
-            msg = _("There exist no UserProfile for user %(user)r: %(err)s") % {"user":user, "err":err}
-        else:
-            # A UserProfile exist -> User can't access *this* site.
-            site = Site.objects.get_current()
-            msg = _("User %(user)r can't access this site: %(site)r") % {"user":user, "site": site}
-
-        LogEntry.objects.log_action(
-            app_label="pylucid_plugin.auth", action="login", message=msg
-        )
-
-        if settings.DEBUG:
-            request.page_msg.error(msg)
-        else:
-            request.page_msg.error(_("User unknown."))
-
-        return
-
-    if "sha_a2" in request.POST and "sha_b" in request.POST:
-        SHA_login_form = SHA_LoginForm(request.POST)
-        if not SHA_login_form.is_valid():
-            msg = _("Form data is not valid. Please correct.")
-            request.page_msg.error(msg)
-            LogEntry.objects.log_action(
-                app_label="pylucid_plugin.auth", action="login",
-                message="%s (%r)" % (msg, SHA_login_form.errors)
-            )
-            if DEBUG: request.page_msg(SHA_login_form.errors)
-        else:
-            sha_a2 = SHA_login_form.cleaned_data["sha_a2"]
-            sha_b = SHA_login_form.cleaned_data["sha_b"]
-            if DEBUG:
-                request.page_msg("sha_a2:", sha_a2)
-                request.page_msg("sha_b:", sha_b)
-
-            # A submited SHA1-JS-Login form
-            try:
-                challenge = request.session['challenge']
-                if DEBUG: request.page_msg("challenge:", challenge)
-            except KeyError, e:
-                msg = _("Session Error.")
-                LogEntry.objects.log_action(
-                    app_label="pylucid_plugin.auth", action="login", message=msg,
-                    data={"user_username": user.username}
-                )
-                if DEBUG: msg = "%s (%s)" % (msg, e)
-                request.page_msg.error(msg)
-                return
-
-            sha_checksum = user_profile.sha_login_checksum
-            if DEBUG: request.page_msg("sha_checksum:", sha_checksum)
-
-            # authenticate with:
-            # pylucid.system.auth_backends.SiteSHALoginAuthBackend
-            user2 = auth.authenticate(
-                user=user, challenge=challenge,
-                sha_a2=sha_a2, sha_b=sha_b,
-                sha_checksum=sha_checksum
-            )
-            if user2:
-                return _login(request, user2, next_url)
-
-            msg = _("Wrong password.")
-            LogEntry.objects.log_action(
-                app_label="pylucid_plugin.auth", action="login", message=msg,
-                data={"user_username": user.username}
-            )
-            request.page_msg.error(msg)
-    else:
-        SHA_login_form = UsernameForm()
-
-
-    context["salt"] = user_profile.sha_login_salt
-    if DEBUG:
-        challenge = "debug" # Use same challenge in debug mode
-        context["debug"] = "true" # For JavaScript debug
-    else:
-        # Create a new random salt value for the password challenge:
-        challenge = crypt.get_new_salt()
-        context["debug"] = "false"
-
-    # For later comparing with form data
-    request.session['challenge'] = challenge
-    context["challenge"] = challenge
-
-    context["form"] = SHA_login_form
-
-    # return a string for replacing the normal cms page content
-    return render_pylucid_response(request, 'auth/input_password.html', context,
-        context_instance=RequestContext(request)
-    )
-
-
-def _login_view(request, form_url, next_url):
-    if DEBUG:
-        request.page_msg(
-            "Warning: DEBUG is ON! Should realy only use for debugging!"
-        )
-
-    pref_form = AuthPreferencesForm()
-    preferences = pref_form.get_preferences()
-    min_pause = preferences["min_pause"]
-    ban_limit = preferences["ban_limit"]
-
-    try:
-        LogEntry.objects.request_limit(request, min_pause, ban_limit, app_label="pylucid_plugin.auth")
-    except LogEntry.RequestTooFast:
-        # min_pause is not observed, page_msg has been created -> display the normal cms page.
-        return
-
-    context = request.PYLUCID.context
-    context["form_url"] = form_url
-
-    if request.method == 'POST':
-        username_form = UsernameForm(request.POST)
-        if username_form.is_valid():
-            user = username_form.user # User instance added in UsernameForm.is_valid()
-            if not user.is_active:
-                msg = _("Error: Your account is disabled!")
-                LogEntry.objects.log_action(
-                    app_label="pylucid_plugin.auth", action="login", message=msg,
-                    data={"user_username": user.username}
-                )
-                request.page_msg.error(msg)
-                return
-
-            context["username"] = user.username
-
-            if "plaintext_login" in request.POST:
-                return _plaintext_login(request, context, user.username, next_url)
-            else:
-                return _sha_login(request, context, user, next_url)
-    else:
-        username_form = UsernameForm()
-
-    context["form"] = username_form
-
-    # return a string for replacing the normal cms page content
-    return render_pylucid_response(request, 'auth/input_username.html', context)
-
-
 def http_get_view(request):
     """
@@ -265 +258 @@
     """
     action = request.GET["auth"]
+
+
+
+
+
     if action == "login":
-        next_url = request.GET.get("next_url", None)
-        if next_url:
-            form_url = settings.PYLUCID.AUTH_NEXT_URL % {"path": request.path, "next_url": next_url}
-        else:
-            next_url = request.path
-            form_url = "%s?%s" % (request.path, settings.PYLUCID.AUTH_GET_VIEW)
-
-        return _login_view(request, form_url, next_url)
+#        next_url = request.GET.get("next_url", None)
+#        if next_url:
+#            form_url = settings.PYLUCID.AUTH_NEXT_URL % {"path": request.path, "next_url": next_url}
+#        else:
+#            next_url = request.path
+#            form_url = "%s?%s" % (request.path, settings.PYLUCID.AUTH_GET_VIEW)
+
+        next_url = request.GET.get("next_url", request.path)
+        return _login_view(request, next_url)
+    elif action == "get_salt":
+        return _get_salt(request)
+    elif action == "sha_auth":
+        return _sha_auth(request)
     elif action == "logout":
         next_url = request.path
         return _logout_view(request, next_url)
-
-    msg = _("Wrong get view parameter!")
-    LogEntry.objects.log_action(app_label="pylucid_plugin.auth", action="login", message=msg)
-    if settings.DEBUG:
-        request.page_msg.error(msg)
-
-
-def authenticate(request):
-    """
-    Login+Logout view via PluginPage
-    """
-    if request.user.is_authenticated():
-        return _logout_view(request)
-    else:
-        next_url = request.GET.get("next_url", None)
-        form_url = request.path
-        if next_url == None:
-            next_url = "/"
-        else:
-            form_url += "?next_url=" + next_url
-
-        return _login_view(request, form_url, next_url)
-
+    else:
+        debug_msg = "Wrong get view parameter!"
+        return _bad_request(debug_msg) # Return HttpResponseBadRequest
+
+
+#def authenticate(request):
+#    """
+#    Login+Logout view via PluginPage
+#    """
+#    if request.user.is_authenticated():
+#        return _logout_view(request)
+#    else:
+#        next_url = request.GET.get("next_url", None)
+#        form_url = request.path
+#        if next_url == None:
+#            next_url = "/"
+#        else:
+#            form_url += "?next_url=" + next_url
+#
+#        return _login_view(request, form_url, next_url)

branches/0.9/pylucid_project/pylucid_plugins/auth/__init__.py

@@ -1 +1 @@
 # -*- coding: utf-8 -*-
+
+from django.contrib.admin import AdminSite
+
+# Change the template for django's normal login.
+# So we can insert a link to JS-SHA-Login.
+AdminSite.login_template = "auth/django_login.html"

branches/0.9/pylucid_project/utils/crypt.py

@@ -135 +135 @@
     return seed[:SALT_LEN]
 
+def get_pseudo_salt(*args):
+    """
+    generate a pseudo salt (used, if user is wrong)
+    """
+    temp = "".join([repr(arg) for arg in args])
+    return sha_constructor(temp).hexdigest()[:SALT_LEN]
+
 
 def make_hash(txt, salt):
@@ -148 +155 @@
     hash = sha_constructor(salt + smart_str(txt)).hexdigest()
     return hash
+
 
 def get_salt_and_hash(txt):