Changeset - 959a9fa7d1a1
Parent rev.
Child rev.
[Not reviewed]
default
0 9 0
Mads Kiilerich - 11 years ago 2015-03-27 16:25:27
madski@unity3d.com
controllers: remove old auth_token checks - it was only partial CSRF protection
9 files changed with 38 insertions and 73 deletions:
kallithea/controllers/admin/repos.py
11
18
kallithea/controllers/journal.py
20
25
kallithea/lib/helpers.py
17
kallithea/public/js/base.js
3
7
kallithea/templates/admin/repos/repo_edit_advanced.html
1
kallithea/templates/base/base.html
1
1
kallithea/templates/data_table/_dt_elements.html
1
1
kallithea/templates/summary/summary.html
1
1
kallithea/tests/functional/test_journal.py
1
2
0 comments (0 inline, 0 general)
kallithea/controllers/admin/repos.py
Show inline comments
 
@@ -41,7 +41,6 @@ from kallithea.lib.auth import LoginRequ
 
    HasRepoGroupPermissionAny, HasRepoPermissionAnyDecorator
 
from kallithea.lib.base import BaseRepoController, render
 
from kallithea.lib.utils import action_logger, repo_name_slug, jsonify
 
from kallithea.lib.helpers import get_token
 
from kallithea.lib.vcs import RepositoryError
 
from kallithea.model.meta import Session
 
from kallithea.model.db import User, Repository, UserFollowing, RepoGroup,\
 
@@ -516,23 +515,17 @@ class ReposController(BaseRepoController
 
        :param repo_name:
 
        """
 

			




	
	
	
		
 
        cur_token = request.POST.get('auth_token')

			




	
	
	
		
 
        token = get_token()

			




	
	
	
		
 
        if cur_token == token:

			




	
	
	
		
 
            try:

			




	
	
	
		
 
                repo_id = Repository.get_by_repo_name(repo_name).repo_id

			




	
	
	
		
 
                user_id = User.get_default_user().user_id

			




	
	
	
		
 
                self.scm_model.toggle_following_repo(repo_id, user_id)

			




	
	
	
		
 
                h.flash(_('Updated repository visibility in public journal'),

			




	
	
	
		
 
                        category='success')

			




	
	
	
		
 
                Session().commit()

			




	
	
	
		
 
            except Exception:

			




	
	
	
		
 
                h.flash(_('An error occurred during setting this'

			




	
	
	
		
 
                          ' repository in public journal'),

			




	
	
	
		
 
                        category='error')

			




	
	
	
		
 

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            h.flash(_('Token mismatch'), category='error')

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            repo_id = Repository.get_by_repo_name(repo_name).repo_id

			




	
	
	
		
 
            user_id = User.get_default_user().user_id

			




	
	
	
		
 
            self.scm_model.toggle_following_repo(repo_id, user_id)

			




	
	
	
		
 
            h.flash(_('Updated repository visibility in public journal'),

			




	
	
	
		
 
                    category='success')

			




	
	
	
		
 
            Session().commit()

			




	
	
	
		
 
        except Exception:

			




	
	
	
		
 
            h.flash(_('An error occurred during setting this'

			




	
	
	
		
 
                      ' repository in public journal'),

			




	
	
	
		
 
                    category='error')

			




	
	
	
		
 
        return redirect(url('edit_repo_advanced', repo_name=repo_name))

			




	
	
	
		
 

			




	
	
	
		
 

			




        

    


    
    

    

        

                

                    kallithea/controllers/journal.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -304,33 +304,28 @@ class JournalController(BaseController):

			




	
	
	
		
 
    @LoginRequired()

			




	
	
	
		
 
    @NotAnonymous()

			




	
	
	
		
 
    def toggle_following(self):

			




	
	
	
		
 
        cur_token = request.POST.get('auth_token')

			




	
	
	
		
 
        token = h.get_token()

			




	
	
	
		
 
        if cur_token == token:

			




	
	
	
		
 
        user_id = request.POST.get('follows_user_id')

			




	
	
	
		
 
        if user_id:

			




	
	
	
		
 
            try:

			




	
	
	
		
 
                self.scm_model.toggle_following_user(user_id,

			




	
	
	
		
 
                                            self.authuser.user_id)

			




	
	
	
		
 
                Session.commit()

			




	
	
	
		
 
                return 'ok'

			




	
	
	
		
 
            except Exception:

			




	
	
	
		
 
                log.error(traceback.format_exc())

			




	
	
	
		
 
                raise HTTPBadRequest()

			




	
	
	
		
 

			




	
	
	
		
 
            user_id = request.POST.get('follows_user_id')

			




	
	
	
		
 
            if user_id:

			




	
	
	
		
 
                try:

			




	
	
	
		
 
                    self.scm_model.toggle_following_user(user_id,

			




	
	
	
		
 
                                                self.authuser.user_id)

			




	
	
	
		
 
                    Session.commit()

			




	
	
	
		
 
                    return 'ok'

			




	
	
	
		
 
                except Exception:

			




	
	
	
		
 
                    log.error(traceback.format_exc())

			




	
	
	
		
 
                    raise HTTPBadRequest()

			




	
	
	
		
 
        repo_id = request.POST.get('follows_repo_id')

			




	
	
	
		
 
        if repo_id:

			




	
	
	
		
 
            try:

			




	
	
	
		
 
                self.scm_model.toggle_following_repo(repo_id,

			




	
	
	
		
 
                                            self.authuser.user_id)

			




	
	
	
		
 
                Session.commit()

			




	
	
	
		
 
                return 'ok'

			




	
	
	
		
 
            except Exception:

			




	
	
	
		
 
                log.error(traceback.format_exc())

			




	
	
	
		
 
                raise HTTPBadRequest()

			




	
	
	
		
 

			




	
	
	
		
 
            repo_id = request.POST.get('follows_repo_id')

			




	
	
	
		
 
            if repo_id:

			




	
	
	
		
 
                try:

			




	
	
	
		
 
                    self.scm_model.toggle_following_repo(repo_id,

			




	
	
	
		
 
                                                self.authuser.user_id)

			




	
	
	
		
 
                    Session.commit()

			




	
	
	
		
 
                    return 'ok'

			




	
	
	
		
 
                except Exception:

			




	
	
	
		
 
                    log.error(traceback.format_exc())

			




	
	
	
		
 
                    raise HTTPBadRequest()

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('token mismatch %s vs %s' % (cur_token, token))

			




	
	
	
		
 
        raise HTTPBadRequest()

			




	
	
	
		
 

			




	
	
	
		
 
    @LoginRequired()

			




        

    


    
    

    

        

                

                    kallithea/lib/helpers.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -134,23 +134,6 @@ def FID(raw_id, path):

			




	
	
	
		
 
    return 'C-%s-%s' % (short_id(raw_id), md5(safe_str(path)).hexdigest()[:12])

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def get_token():

			




	
	
	
		
 
    """Return the current authentication token, creating one if one doesn't

			




	
	
	
		
 
    already exist.

			




	
	
	
		
 
    """

			




	
	
	
		
 
    token_key = "_authentication_token"

			




	
	
	
		
 
    from pylons import session

			




	
	
	
		
 
    if not token_key in session:

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()

			




	
	
	
		
 
        except AttributeError:  # Python < 2.4

			




	
	
	
		
 
            token = hashlib.sha1(str(random.randrange(2 ** 128))).hexdigest()

			




	
	
	
		
 
        session[token_key] = token

			




	
	
	
		
 
        if hasattr(session, 'save'):

			




	
	
	
		
 
            session.save()

			




	
	
	
		
 
    return session[token_key]

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class _GetError(object):

			




	
	
	
		
 
    """Get error from form_errors, and represent it as span wrapped error

			




	
	
	
		
 
    message

			




        

    


    
    

    

        

                

                    kallithea/public/js/base.js
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -458,20 +458,16 @@ var _onSuccessFollow = function(target){

			




	
	
	
		
 
    }

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
var toggleFollowingRepo = function(target, follows_repo_id, token, user_id){

			




	
	
	
		
 
var toggleFollowingRepo = function(target, follows_repo_id){

			




	
	
	
		
 
    var args = 'follows_repo_id=' + follows_repo_id;

			




	
	
	
		
 
    args += '&amp;auth_token=' + token;

			




	
	
	
		
 
    if(user_id != undefined){

			




	
	
	
		
 
        args +="&amp;user_id=" + user_id;

			




	
	
	
		
 
    }

			




	
	
	
		
 
    $.post(TOGGLE_FOLLOW_URL, args, function(data){

			




	
	
	
		
 
            _onSuccessFollow(target);

			




	
	
	
		
 
        });

			




	
	
	
		
 
    return false;

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
var showRepoSize = function(target, repo_name, token){

			




	
	
	
		
 
    var args = 'auth_token=' + token;

			




	
	
	
		
 
var showRepoSize = function(target, repo_name){

			




	
	
	
		
 
    var args = '';

			




	
	
	
		
 

			




	
	
	
		
 
    if(!$("#" + target).hasClass('loaded')){

			




	
	
	
		
 
        $("#" + target).html(_TM['Loading ...']);

			




        

    


    
    

    

        

                

                    kallithea/templates/admin/repos/repo_edit_advanced.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -22,7 +22,6 @@ ${h.end_form()}

			




	
	
	
		
 
<h3>${_('Public Journal Visibility')}</h3>

			




	
	
	
		
 
${h.form(url('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='put')}

			




	
	
	
		
 
<div class="form">

			




	
	
	
		
 
  ${h.hidden('auth_token',str(h.get_token()))}

			




	
	
	
		
 
  <div class="field">

			




	
	
	
		
 
  %if c.in_public_journal:

			




	
	
	
		
 
    <button class="btn btn-small" type="submit">

			




        

    


    
    

    

        

                

                    kallithea/templates/base/base.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -176,7 +176,7 @@

			




	
	
	
		
 
              ## also it feels like a job for the controller

			




	
	
	
		
 
              %if c.authuser.username != 'default':

			




	
	
	
		
 
                  <li>

			




	
	
	
		
 
                   <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id},'${str(h.get_token())}');">

			




	
	
	
		
 
                   <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id});">

			




	
	
	
		
 
                    <span class="show-follow"><i class="icon-heart-empty"></i> ${_('Follow')}</span>

			




	
	
	
		
 
                    <span class="show-following"><i class="icon-heart"></i> ${_('Unfollow')}</span>

			




	
	
	
		
 
                  </a>

			




        

    


    
    

    

        

                

                    kallithea/templates/data_table/_dt_elements.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -212,6 +212,6 @@

			




	
	
	
		
 

			




	
	
	
		
 
<%def name="toggle_follow(repo_id)">

			




	
	
	
		
 
  <span id="follow_toggle_${repo_id}" class="following" title="${_('Stop following this repository')}"

			




	
	
	
		
 
        onclick="javascript:toggleFollowingRepo(this, ${repo_id},'${str(h.get_token())}')">

			




	
	
	
		
 
        onclick="javascript:toggleFollowingRepo(this, ${repo_id})">

			




	
	
	
		
 
  </span>

			




	
	
	
		
 
</%def>

			




        

    


    
    

    

        

                

                    kallithea/templates/summary/summary.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -157,7 +157,7 @@ summary = lambda n:{False:'summary-short

			




	
	
	
		
 

			




	
	
	
		
 
            %if c.authuser.username != 'default':

			




	
	
	
		
 
            <li class="repo_size">

			




	
	
	
		
 
              <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}','${str(h.get_token())}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>

			




	
	
	
		
 
              <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>

			




	
	
	
		
 
              <span  class="stats-bullet" id="repo_size_2"></span>

			




	
	
	
		
 
            </li>

			




	
	
	
		
 
            %endif

			




        

    


    
    

    

        

                

                    kallithea/tests/functional/test_journal.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -23,8 +23,7 @@ class TestJournalController(TestControll

			




	
	
	
		
 
#

			




	
	
	
		
 
#        response = self.app.post(url(controller='journal',

			




	
	
	
		
 
#                                     action='toggle_following'),

			




	
	
	
		
 
#                                     {'auth_token':get_token(session),

			




	
	
	
		
 
#                                      'follows_repo_id':repo.repo_id})

			




	
	
	
		
 
#                                     {'follows_repo_id':repo.repo_id})

			




	
	
	
		
 

			




	
	
	
		
 
    def test_start_following_repository(self):

			




	
	
	
		
 
        self.log_user()

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        Server instance: clio-26453
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.
            – Support