changeset 4990:959a9fa7d1a1
controllers: remove old auth_token checks - it was only partial CSRF protection
author | Mads Kiilerich <madski@unity3d.com> |
date | Fri, 27 Mar 2015 16:25:27 +0100 |
parents | 8927a1ac8d41 |
children | aef21d16a262 |
files | kallithea/controllers/admin/repos.py kallithea/controllers/journal.py kallithea/lib/helpers.py kallithea/public/js/base.js kallithea/templates/admin/repos/repo_edit_advanced.html kallithea/templates/base/base.html kallithea/templates/data_table/_dt_elements.html kallithea/templates/summary/summary.html kallithea/tests/functional/test_journal.py |
diffstat | 9 files changed, 38 insertions(+), 73 deletions(-) [+] |
--- a/kallithea/controllers/admin/repos.py Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/controllers/admin/repos.py Fri Mar 27 16:25:27 2015 +0100
@@ -41,7 +41,6 @@ HasRepoGroupPermissionAny, HasRepoPermissionAnyDecorator from kallithea.lib.base import BaseRepoController, render from kallithea.lib.utils import action_logger, repo_name_slug, jsonify -from kallithea.lib.helpers import get_token from kallithea.lib.vcs import RepositoryError from kallithea.model.meta import Session from kallithea.model.db import User, Repository, UserFollowing, RepoGroup,\
@@ -516,23 +515,17 @@ :param repo_name: """ - cur_token = request.POST.get('auth_token') - token = get_token() - if cur_token == token: - try: - repo_id = Repository.get_by_repo_name(repo_name).repo_id - user_id = User.get_default_user().user_id - self.scm_model.toggle_following_repo(repo_id, user_id) - h.flash(_('Updated repository visibility in public journal'), - category='success') - Session().commit() - except Exception: - h.flash(_('An error occurred during setting this' - ' repository in public journal'), - category='error') - - else: - h.flash(_('Token mismatch'), category='error') + try: + repo_id = Repository.get_by_repo_name(repo_name).repo_id + user_id = User.get_default_user().user_id + self.scm_model.toggle_following_repo(repo_id, user_id) + h.flash(_('Updated repository visibility in public journal'), + category='success') + Session().commit() + except Exception: + h.flash(_('An error occurred during setting this' + ' repository in public journal'), + category='error') return redirect(url('edit_repo_advanced', repo_name=repo_name))
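Review bot: After the second hunk, edit_advanced_journal accepts its state-changing PUT with no anti-forgery check at all: the commit message calls the old auth_token compare only partial CSRF protection, but nothing replaces it, so a follow-up should bind a session-scoped secret to the `h.form(...)` in repo_edit_advanced.html and verify it here. The same gap applies to toggle_following in journal.py and to the toggleFollowingRepo/showRepoSize callers in base.js and the templates. Until that lands, a comment on the method keeps it visible: `# NOTE: no CSRF check -- the auth_token compare was removed as insufficient; a session-bound form token still needs to be added.` The method's decorators and signature are outside the hunk.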
--- a/kallithea/controllers/journal.py Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/controllers/journal.py Fri Mar 27 16:25:27 2015 +0100
@@ -304,33 +304,28 @@ @LoginRequired() @NotAnonymous() def toggle_following(self): - cur_token = request.POST.get('auth_token') - token = h.get_token() - if cur_token == token: + user_id = request.POST.get('follows_user_id') + if user_id: + try: + self.scm_model.toggle_following_user(user_id, + self.authuser.user_id) + Session.commit() + return 'ok' + except Exception: + log.error(traceback.format_exc()) + raise HTTPBadRequest() - user_id = request.POST.get('follows_user_id') - if user_id: - try: - self.scm_model.toggle_following_user(user_id, - self.authuser.user_id) - Session.commit() - return 'ok' - except Exception: - log.error(traceback.format_exc()) - raise HTTPBadRequest() + repo_id = request.POST.get('follows_repo_id') + if repo_id: + try: + self.scm_model.toggle_following_repo(repo_id, + self.authuser.user_id) + Session.commit() + return 'ok' + except Exception: + log.error(traceback.format_exc()) + raise HTTPBadRequest() - repo_id = request.POST.get('follows_repo_id') - if repo_id: - try: - self.scm_model.toggle_following_repo(repo_id, - self.authuser.user_id) - Session.commit() - return 'ok' - except Exception: - log.error(traceback.format_exc()) - raise HTTPBadRequest() - - log.debug('token mismatch %s vs %s' % (cur_token, token)) raise HTTPBadRequest() @LoginRequired()
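Review bot: The two added branches of toggle_following are the same try/except twice, differing only in the POST key and the model method; iterating a small (key, toggle) table keeps one copy of the error handling and preserves the user-before-repo order. Inside it `log.exception(...)` records the traceback the same way as `log.error(traceback.format_exc())` and drops the manual traceback call. The final `raise HTTPBadRequest()` for a request carrying neither key is unchanged.
```python
    @LoginRequired()
    @NotAnonymous()
    def toggle_following(self):
        for key, toggle in (('follows_user_id', self.scm_model.toggle_following_user),
                            ('follows_repo_id', self.scm_model.toggle_following_repo)):
            target_id = request.POST.get(key)
            if target_id:
                try:
                    toggle(target_id, self.authuser.user_id)
                    Session.commit()
                    return 'ok'
                except Exception:
                    log.exception('toggle_following failed for %s=%r', key, target_id)
                    raise HTTPBadRequest()
        raise HTTPBadRequest()
```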
--- a/kallithea/lib/helpers.py Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/lib/helpers.py Fri Mar 27 16:25:27 2015 +0100
@@ -134,23 +134,6 @@ return 'C-%s-%s' % (short_id(raw_id), md5(safe_str(path)).hexdigest()[:12]) -def get_token(): - """Return the current authentication token, creating one if one doesn't - already exist. - """ - token_key = "_authentication_token" - from pylons import session - if not token_key in session: - try: - token = hashlib.sha1(str(random.getrandbits(128))).hexdigest() - except AttributeError: # Python < 2.4 - token = hashlib.sha1(str(random.randrange(2 ** 128))).hexdigest() - session[token_key] = token - if hasattr(session, 'save'): - session.save() - return session[token_key] - - class _GetError(object): """Get error from form_errors, and represent it as span wrapped error message
--- a/kallithea/public/js/base.js Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/public/js/base.js Fri Mar 27 16:25:27 2015 +0100
@@ -458,20 +458,16 @@ } } -var toggleFollowingRepo = function(target, follows_repo_id, token, user_id){ +var toggleFollowingRepo = function(target, follows_repo_id){ var args = 'follows_repo_id=' + follows_repo_id; - args += '&auth_token=' + token; - if(user_id != undefined){ - args +="&user_id=" + user_id; - } $.post(TOGGLE_FOLLOW_URL, args, function(data){ _onSuccessFollow(target); }); return false; }; -var showRepoSize = function(target, repo_name, token){ - var args = 'auth_token=' + token; +var showRepoSize = function(target, repo_name){ + var args = ''; if(!$("#" + target).hasClass('loaded')){ $("#" + target).html(_TM['Loading ...']);
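Review bot: `var args = '';` in showRepoSize is now an always-empty query string that the rest of the function, outside the hunk, presumably still hands to its request; dropping the variable there, or passing a data object, would read more clearly. toggleFollowingRepo has the same shape: `$.post(TOGGLE_FOLLOW_URL, {follows_repo_id: follows_repo_id}, function(data){` lets jQuery URL-encode the value instead of building the body by string concatenation. Both function bodies continue past the end of the hunk.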
--- a/kallithea/templates/admin/repos/repo_edit_advanced.html Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/templates/admin/repos/repo_edit_advanced.html Fri Mar 27 16:25:27 2015 +0100
@@ -22,7 +22,6 @@ <h3>${_('Public Journal Visibility')}</h3> ${h.form(url('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='put')} <div class="form"> - ${h.hidden('auth_token',str(h.get_token()))} <div class="field"> %if c.in_public_journal: <button class="btn btn-small" type="submit">
--- a/kallithea/templates/base/base.html Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/templates/base/base.html Fri Mar 27 16:25:27 2015 +0100
@@ -176,7 +176,7 @@ ## also it feels like a job for the controller %if c.authuser.username != 'default': <li> - <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id},'${str(h.get_token())}');"> + <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id});"> <span class="show-follow"><i class="icon-heart-empty"></i> ${_('Follow')}</span> <span class="show-following"><i class="icon-heart"></i> ${_('Unfollow')}</span> </a>
--- a/kallithea/templates/data_table/_dt_elements.html Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/templates/data_table/_dt_elements.html Fri Mar 27 16:25:27 2015 +0100
@@ -212,6 +212,6 @@ <%def name="toggle_follow(repo_id)"> <span id="follow_toggle_${repo_id}" class="following" title="${_('Stop following this repository')}" - onclick="javascript:toggleFollowingRepo(this, ${repo_id},'${str(h.get_token())}')"> + onclick="javascript:toggleFollowingRepo(this, ${repo_id})"> </span> </%def>
--- a/kallithea/templates/summary/summary.html Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/templates/summary/summary.html Fri Mar 27 16:25:27 2015 +0100
@@ -157,7 +157,7 @@ %if c.authuser.username != 'default': <li class="repo_size"> - <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}','${str(h.get_token())}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a> + <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a> <span class="stats-bullet" id="repo_size_2"></span> </li> %endif
--- a/kallithea/tests/functional/test_journal.py Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/tests/functional/test_journal.py Fri Mar 27 16:25:27 2015 +0100
@@ -23,8 +23,7 @@ # # response = self.app.post(url(controller='journal', # action='toggle_following'), -# {'auth_token':get_token(session), -# 'follows_repo_id':repo.repo_id}) +# {'follows_repo_id':repo.repo_id}) def test_start_following_repository(self): self.log_user()