kallithea Changeset - 959a9fa7d1a1

Changeset - 959a9fa7d1a1

Parent rev.

Child rev.

[Not reviewed]

default

0 9 0

Mads Kiilerich - 11 years ago 2015-03-27 16:25:27
madski@unity3d.com

controllers: remove old auth_token checks - it was only partial CSRF protection

9 files changed with 38 insertions and 73 deletions:

kallithea/controllers/admin/repos.py

kallithea/controllers/journal.py

kallithea/lib/helpers.py

kallithea/public/js/base.js

kallithea/templates/admin/repos/repo_edit_advanced.html

kallithea/templates/base/base.html

kallithea/templates/data_table/_dt_elements.html

kallithea/templates/summary/summary.html

kallithea/tests/functional/test_journal.py

0 comments (0 inline, 0 general)

kallithea/controllers/admin/repos.py

➞

Show inline comments

@@ @@ -32,25 +32,24 @@ from formencode import htmlfill @@
 from webob.exc import HTTPInternalServerError, HTTPForbidden, HTTPNotFound
 from pylons import request, tmpl_context as c, url
 from pylons.controllers.util import redirect
 from pylons.i18n.translation import _
 from sqlalchemy.sql.expression import func
 from kallithea.lib import helpers as h
 from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator, \
     HasRepoPermissionAllDecorator, NotAnonymous,HasPermissionAny, \
     HasRepoGroupPermissionAny, HasRepoPermissionAnyDecorator
 from kallithea.lib.base import BaseRepoController, render
 from kallithea.lib.utils import action_logger, repo_name_slug, jsonify
 from kallithea.lib.helpers import get_token
 from kallithea.lib.vcs import RepositoryError
 from kallithea.model.meta import Session
 from kallithea.model.db import User, Repository, UserFollowing, RepoGroup,\
     Setting, RepositoryField
 from kallithea.model.forms import RepoForm, RepoFieldForm, RepoPermsForm
 from kallithea.model.scm import ScmModel, RepoGroupList, RepoList
 from kallithea.model.repo import RepoModel
 from kallithea.lib.compat import json
 from kallithea.lib.exceptions import AttachedForksError
 from kallithea.lib.utils2 import safe_int
 log = logging.getLogger(__name__)
@@ @@ -507,41 +506,35 @@ class ReposController(BaseRepoController @@
             encoding="UTF-8",
             force_defaults=False)
     @HasRepoPermissionAllDecorator('repository.admin')
     def edit_advanced_journal(self, repo_name):
         """
         Sets this repository to be visible in public journal,
         in other words asking default user to follow this repo
         :param repo_name:
         """
         cur_token = request.POST.get('auth_token')
         token = get_token()
         if cur_token == token:
             try:
                 repo_id = Repository.get_by_repo_name(repo_name).repo_id
                 user_id = User.get_default_user().user_id
                 self.scm_model.toggle_following_repo(repo_id, user_id)
                 h.flash(_('Updated repository visibility in public journal'),
                         category='success')
                 Session().commit()
             except Exception:
                 h.flash(_('An error occurred during setting this'
                           ' repository in public journal'),
                         category='error')
         else:
             h.flash(_('Token mismatch'), category='error')
         try:
             repo_id = Repository.get_by_repo_name(repo_name).repo_id
             user_id = User.get_default_user().user_id
             self.scm_model.toggle_following_repo(repo_id, user_id)
             h.flash(_('Updated repository visibility in public journal'),
                     category='success')
             Session().commit()
         except Exception:
             h.flash(_('An error occurred during setting this'
                       ' repository in public journal'),
                     category='error')
         return redirect(url('edit_repo_advanced', repo_name=repo_name))
     @HasRepoPermissionAllDecorator('repository.admin')
     def edit_advanced_fork(self, repo_name):
         """
         Mark given repository as a fork of another
         :param repo_name:
         """
         try:
             fork_id = request.POST.get('id_fork_of')

kallithea/controllers/journal.py

➞

Show inline comments

@@ @@ -295,51 +295,46 @@ class JournalController(BaseController): @@
         """
         Produce an rss feed via feedgenerator module
         """
         following = self.sa.query(UserFollowing)\
             .filter(UserFollowing.user_id == self.authuser.user_id)\
             .options(joinedload(UserFollowing.follows_repository))\
             .all()
         return self._rss_feed(following, public=False)
     @LoginRequired()
     @NotAnonymous()
     def toggle_following(self):
         cur_token = request.POST.get('auth_token')
         token = h.get_token()
         if cur_token == token:
         user_id = request.POST.get('follows_user_id')
         if user_id:
             try:
                 self.scm_model.toggle_following_user(user_id,
                                             self.authuser.user_id)
                 Session.commit()
                 return 'ok'
             except Exception:
                 log.error(traceback.format_exc())
                 raise HTTPBadRequest()
             user_id = request.POST.get('follows_user_id')
             if user_id:
                 try:
                     self.scm_model.toggle_following_user(user_id,
                                                 self.authuser.user_id)
                     Session.commit()
                     return 'ok'
                 except Exception:
                     log.error(traceback.format_exc())
                     raise HTTPBadRequest()
         repo_id = request.POST.get('follows_repo_id')
         if repo_id:
             try:
                 self.scm_model.toggle_following_repo(repo_id,
                                             self.authuser.user_id)
                 Session.commit()
                 return 'ok'
             except Exception:
                 log.error(traceback.format_exc())
                 raise HTTPBadRequest()
             repo_id = request.POST.get('follows_repo_id')
             if repo_id:
                 try:
                     self.scm_model.toggle_following_repo(repo_id,
                                                 self.authuser.user_id)
                     Session.commit()
                     return 'ok'
                 except Exception:
                     log.error(traceback.format_exc())
                     raise HTTPBadRequest()
         log.debug('token mismatch %s vs %s' % (cur_token, token))
         raise HTTPBadRequest()
     @LoginRequired()
     def public_journal(self):
         # Return a rendered template
         p = safe_int(request.GET.get('page', 1), 1)
         c.following = self.sa.query(UserFollowing)\
             .filter(UserFollowing.user_id == self.authuser.user_id)\
             .options(joinedload(UserFollowing.follows_repository))\
             .all()

kallithea/lib/helpers.py

➞

Show inline comments

@@ @@ -125,41 +125,24 @@ safeid = _make_safe_id_component @@
 def FID(raw_id, path):
     """
     Creates a unique ID for filenode based on it's hash of path and revision
     it's safe to use in urls
     :param raw_id:
     :param path:
     """
     return 'C-%s-%s' % (short_id(raw_id), md5(safe_str(path)).hexdigest()[:12])
 def get_token():
     """Return the current authentication token, creating one if one doesn't
     already exist.
     """
     token_key = "_authentication_token"
     from pylons import session
     if not token_key in session:
         try:
             token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
         except AttributeError:  # Python < 2.4
             token = hashlib.sha1(str(random.randrange(2 ** 128))).hexdigest()
         session[token_key] = token
         if hasattr(session, 'save'):
             session.save()
     return session[token_key]
 class _GetError(object):
     """Get error from form_errors, and represent it as span wrapped error
     message
     :param field_name: field to fetch errors for
     :param form_errors: form errors dict
     """
     def __call__(self, field_name, form_errors):
         tmpl = """<span class="error_msg">%s</span>"""
         if form_errors and field_name in form_errors:
             return literal(tmpl % form_errors.get(field_name))

kallithea/public/js/base.js

➞

Show inline comments

@@ @@ -449,38 +449,34 @@ var _onSuccessFollow = function(target){ @@
+        }
+    }
     else{
         $target.attr('class', 'follow');
         $target.attr('title', _TM['Start following this repository']);
         if($f_cnt.html()){
             var cnt = Number($f_cnt.html())-1;
             $f_cnt.html(cnt);
+        }
+    }
+}
-var toggleFollowingRepo = function(target, follows_repo_id, token, user_id){
 var toggleFollowingRepo = function(target, follows_repo_id){
     var args = 'follows_repo_id=' + follows_repo_id;
     args += '&amp;auth_token=' + token;
     if(user_id != undefined){
         args +="&amp;user_id=" + user_id;
+    }
     $.post(TOGGLE_FOLLOW_URL, args, function(data){
             _onSuccessFollow(target);
         });
     return false;
 };
 var showRepoSize = function(target, repo_name, token){
     var args = 'auth_token=' + token;
 var showRepoSize = function(target, repo_name){
     var args = '';
     if(!$("#" + target).hasClass('loaded')){
         $("#" + target).html(_TM['Loading ...']);
         var url = pyroutes.url('repo_size', {"repo_name":repo_name});
         $.post(url, args, function(data) {
             $("#" + target).html(data);
             $("#" + target).addClass('loaded');
         });
+    }
     return false;
 };

kallithea/templates/admin/repos/repo_edit_advanced.html

➞

Show inline comments

@@ @@ -13,25 +13,24 @@ ${h.end_form()} @@
 <script>
     $(document).ready(function(){
         $("#id_fork_of").select2({
             'dropdownAutoWidth': true
         });
     })
 </script>
 <h3>${_('Public Journal Visibility')}</h3>
 ${h.form(url('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='put')}
 <div class="form">
   ${h.hidden('auth_token',str(h.get_token()))}
   <div class="field">
   %if c.in_public_journal:
     <button class="btn btn-small" type="submit">
         <i class="icon-minus"></i>
         ${_('Remove from public journal')}
     </button>
   %else:
     <button class="btn btn-small" type="submit">
         <i class="icon-plus"></i>
         ${_('Add to Public Journal')}
     </button>
   %endif

kallithea/templates/base/base.html

➞

Show inline comments

@@ @@ -167,25 +167,25 @@ @@
               %if h.HasRepoPermissionAny('repository.write','repository.admin')(c.repo_name) and c.db_repo.enable_locking:
                 %if c.db_repo.locked[0]:
                   <li><a href="${h.url('toggle_locking', repo_name=c.repo_name)}"><i class="icon-lock"></i> ${_('Unlock')}</a></li>
                 %else:
                   <li><a href="${h.url('toggle_locking', repo_name=c.repo_name)}"><i class="icon-lock-open-alt"></i> ${_('Lock')}</li>
                 %endif
               %endif
               ## TODO: this check feels wrong, it would be better to have a check for permissions
               ## also it feels like a job for the controller
               %if c.authuser.username != 'default':
                   <li>
-                   <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id},'${str(h.get_token())}');">
                    <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id});">
                     <span class="show-follow"><i class="icon-heart-empty"></i> ${_('Follow')}</span>
                     <span class="show-following"><i class="icon-heart"></i> ${_('Unfollow')}</span>
                   </a>
                   </li>
                   <li><a href="${h.url('repo_fork_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i> ${_('Fork')}</a></li>
                   <li><a href="${h.url('pullrequest_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i> ${_('Create Pull Request')}</a></li>
               %endif
              </ul>
         </li>
         <li ${is_current('showpullrequest')}>
           <a href="${h.url('pullrequest_show_all',repo_name=c.repo_name)}" title="${_('Show Pull Requests for %s') % c.repo_name}"> <i class="icon-git-pull-request"></i> ${_('Pull Requests')}
             %if c.repository_pull_requests:

kallithea/templates/data_table/_dt_elements.html

➞

Show inline comments

@@ @@ -203,15 +203,15 @@ @@
   </div>
 </%def>
 <%def name="user_group_name(user_group_id, user_group_name)">
   <div style="white-space: nowrap">
   <a href="${h.url('edit_users_group', id=user_group_id)}">
     <i class="icon-users" title="${_('User group')}"></i> ${user_group_name}</a>
   </div>
 </%def>
 <%def name="toggle_follow(repo_id)">
   <span id="follow_toggle_${repo_id}" class="following" title="${_('Stop following this repository')}"
-        onclick="javascript:toggleFollowingRepo(this, ${repo_id},'${str(h.get_token())}')">
         onclick="javascript:toggleFollowingRepo(this, ${repo_id})">
   </span>
 </%def>

kallithea/templates/summary/summary.html

➞

Show inline comments

@@ @@ -148,25 +148,25 @@ summary = lambda n:{False:'summary-short @@
                 <span class="stats-bullet" id="current_followers_count">${c.repository_followers}</span>
               </a>
             </li>
             <li>
               <a title="${_('Forks')}" href="${h.url('repo_forks_home',repo_name=c.repo_name)}">
                 <i class="icon-fork"></i> ${_('Forks')}
                 <span class="stats-bullet">${c.repository_forks}</span>
               </a>
             </li>
             %if c.authuser.username != 'default':
             <li class="repo_size">
-              <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}','${str(h.get_token())}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
               <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
               <span  class="stats-bullet" id="repo_size_2"></span>
             </li>
             %endif
             <li>
             %if c.authuser.username != 'default':
               <a href="${h.url('atom_feed_home',repo_name=c.db_repo.repo_name,api_key=c.authuser.api_key)}"><i class="icon-rss-squared"></i> ${_('Feed')}</a>
             %else:
               <a href="${h.url('atom_feed_home',repo_name=c.db_repo.repo_name)}"><i class="icon-rss-squared"></i> ${_('Feed')}</a>
             %endif
             </li>

kallithea/tests/functional/test_journal.py

➞

Show inline comments

@@ @@ -14,26 +14,25 @@ class TestJournalController(TestControll @@
         session = self.log_user()
 #        usr = Session().query(User).filter(User.username == 'test_admin').one()
 #        repo = Session().query(Repository).filter(Repository.repo_name == HG_REPO).one()
+#
 #        followings = Session().query(UserFollowing)\
 #            .filter(UserFollowing.user == usr)\
 #            .filter(UserFollowing.follows_repository == repo).all()
+#
 #        assert len(followings) == 1, 'Not following any repository'
+#
 #        response = self.app.post(url(controller='journal',
 #                                     action='toggle_following'),
 #                                     {'auth_token':get_token(session),
 #                                      'follows_repo_id':repo.repo_id})
 #                                     {'follows_repo_id':repo.repo_id})
     def test_start_following_repository(self):
         self.log_user()
         response = self.app.get(url(controller='journal', action='index'),)
     def test_public_journal_atom(self):
         self.log_user()
         response = self.app.get(url(controller='journal', action='public_journal_atom'),)
     def test_public_journal_rss(self):
         self.log_user()
         response = self.app.get(url(controller='journal', action='public_journal_rss'),)

0 comments (0 inline, 0 general)