changeset 4990:959a9fa7d1a1

controllers: remove old auth_token checks - it was only partial CSRF protection
author Mads Kiilerich <madski@unity3d.com>
date Fri, 27 Mar 2015 16:25:27 +0100
parents 8927a1ac8d41
children aef21d16a262
files kallithea/controllers/admin/repos.py kallithea/controllers/journal.py kallithea/lib/helpers.py kallithea/public/js/base.js kallithea/templates/admin/repos/repo_edit_advanced.html kallithea/templates/base/base.html kallithea/templates/data_table/_dt_elements.html kallithea/templates/summary/summary.html kallithea/tests/functional/test_journal.py
diffstat 9 files changed, 38 insertions(+), 73 deletions(-) [+]
--- a/kallithea/controllers/admin/repos.py	Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/controllers/admin/repos.py	Fri Mar 27 16:25:27 2015 +0100
@@ -41,7 +41,6 @@
     HasRepoGroupPermissionAny, HasRepoPermissionAnyDecorator
 from kallithea.lib.base import BaseRepoController, render
 from kallithea.lib.utils import action_logger, repo_name_slug, jsonify
-from kallithea.lib.helpers import get_token
 from kallithea.lib.vcs import RepositoryError
 from kallithea.model.meta import Session
 from kallithea.model.db import User, Repository, UserFollowing, RepoGroup,\
@@ -516,23 +515,17 @@
         :param repo_name:
         """
 
-        cur_token = request.POST.get('auth_token')
-        token = get_token()
-        if cur_token == token:
-            try:
-                repo_id = Repository.get_by_repo_name(repo_name).repo_id
-                user_id = User.get_default_user().user_id
-                self.scm_model.toggle_following_repo(repo_id, user_id)
-                h.flash(_('Updated repository visibility in public journal'),
-                        category='success')
-                Session().commit()
-            except Exception:
-                h.flash(_('An error occurred during setting this'
-                          ' repository in public journal'),
-                        category='error')
-
-        else:
-            h.flash(_('Token mismatch'), category='error')
+        try:
+            repo_id = Repository.get_by_repo_name(repo_name).repo_id
+            user_id = User.get_default_user().user_id
+            self.scm_model.toggle_following_repo(repo_id, user_id)
+            h.flash(_('Updated repository visibility in public journal'),
+                    category='success')
+            Session().commit()
+        except Exception:
+            h.flash(_('An error occurred during setting this'
+                      ' repository in public journal'),
+                    category='error')
         return redirect(url('edit_repo_advanced', repo_name=repo_name))
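Review bot: With the `auth_token` comparison gone, nothing in this PUT handler ties the request to a page served by this application — the removed session token was weak (one value per session, reusable across requests), but it was the only per-request check on a state-changing action, and the hidden field dropped from repo_edit_advanced.html means no replacement value is sent. The same gap applies to `toggle_following` in journal.py and to the `toggleFollowingRepo`/`showRepoSize` callers rewritten in base.js. If the plan is to rely on a framework-level CSRF check, a comment at the top of the handler stating that would stop the next reader from treating this as an oversight, e.g. `# NOTE: no per-request CSRF token here; state change relies on <mechanism> — TODO confirm`. Separately, a `Repository.get_by_repo_name(repo_name)` that returns None now surfaces only as the generic "An error occurred" flash through the broad `except Exception`; checking the lookup result for None before entering the try would report that case accurately. The enclosing method starts before this hunk.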
 
 
--- a/kallithea/controllers/journal.py	Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/controllers/journal.py	Fri Mar 27 16:25:27 2015 +0100
@@ -304,33 +304,28 @@
     @LoginRequired()
     @NotAnonymous()
     def toggle_following(self):
-        cur_token = request.POST.get('auth_token')
-        token = h.get_token()
-        if cur_token == token:
+        user_id = request.POST.get('follows_user_id')
+        if user_id:
+            try:
+                self.scm_model.toggle_following_user(user_id,
+                                            self.authuser.user_id)
+                Session.commit()
+                return 'ok'
+            except Exception:
+                log.error(traceback.format_exc())
+                raise HTTPBadRequest()
 
-            user_id = request.POST.get('follows_user_id')
-            if user_id:
-                try:
-                    self.scm_model.toggle_following_user(user_id,
-                                                self.authuser.user_id)
-                    Session.commit()
-                    return 'ok'
-                except Exception:
-                    log.error(traceback.format_exc())
-                    raise HTTPBadRequest()
+        repo_id = request.POST.get('follows_repo_id')
+        if repo_id:
+            try:
+                self.scm_model.toggle_following_repo(repo_id,
+                                            self.authuser.user_id)
+                Session.commit()
+                return 'ok'
+            except Exception:
+                log.error(traceback.format_exc())
+                raise HTTPBadRequest()
 
-            repo_id = request.POST.get('follows_repo_id')
-            if repo_id:
-                try:
-                    self.scm_model.toggle_following_repo(repo_id,
-                                                self.authuser.user_id)
-                    Session.commit()
-                    return 'ok'
-                except Exception:
-                    log.error(traceback.format_exc())
-                    raise HTTPBadRequest()
-
-        log.debug('token mismatch %s vs %s' % (cur_token, token))
         raise HTTPBadRequest()
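Review bot: Both branches of `toggle_following` still log with `log.error(traceback.format_exc())`, where `log.exception('toggle_following failed')` inside the except records the same traceback without the manual formatting; the two blocks are now identical apart from the model call, so one helper taking the callable would remove the duplication. `follows_user_id` and `follows_repo_id` are passed to the model as the raw POST strings; whether the model coerces them is not visible here, so `user_id = int(user_id)` inside the existing try (and likewise for `repo_id`) would turn a malformed id into the HTTPBadRequest this code already raises instead of depending on the catch-all. A module docstring line or comment noting that a missing or falsy id falls through to the final `raise HTTPBadRequest()` would also help, since that path is easy to miss after the reindent.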
 
     @LoginRequired()
--- a/kallithea/lib/helpers.py	Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/lib/helpers.py	Fri Mar 27 16:25:27 2015 +0100
@@ -134,23 +134,6 @@
     return 'C-%s-%s' % (short_id(raw_id), md5(safe_str(path)).hexdigest()[:12])
 
 
-def get_token():
-    """Return the current authentication token, creating one if one doesn't
-    already exist.
-    """
-    token_key = "_authentication_token"
-    from pylons import session
-    if not token_key in session:
-        try:
-            token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
-        except AttributeError:  # Python < 2.4
-            token = hashlib.sha1(str(random.randrange(2 ** 128))).hexdigest()
-        session[token_key] = token
-        if hasattr(session, 'save'):
-            session.save()
-    return session[token_key]
-
-
 class _GetError(object):
     """Get error from form_errors, and represent it as span wrapped error
     message
--- a/kallithea/public/js/base.js	Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/public/js/base.js	Fri Mar 27 16:25:27 2015 +0100
@@ -458,20 +458,16 @@
     }
 }
 
-var toggleFollowingRepo = function(target, follows_repo_id, token, user_id){
+var toggleFollowingRepo = function(target, follows_repo_id){
     var args = 'follows_repo_id=' + follows_repo_id;
-    args += '&amp;auth_token=' + token;
-    if(user_id != undefined){
-        args +="&amp;user_id=" + user_id;
-    }
     $.post(TOGGLE_FOLLOW_URL, args, function(data){
             _onSuccessFollow(target);
         });
     return false;
 };
 
-var showRepoSize = function(target, repo_name, token){
-    var args = 'auth_token=' + token;
+var showRepoSize = function(target, repo_name){
+    var args = '';
 
     if(!$("#" + target).hasClass('loaded')){
         $("#" + target).html(_TM['Loading ...']);
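Review bot: `showRepoSize` now initialises `args` to the empty string, so if the remainder of the function (outside this hunk) appends parameters with a leading `'&'`, the posted body starts with a stray ampersand; passing an object instead, `$.post(url, {repo_name: repo_name}, ...)`, lets jQuery encode the data and drops the string assembly entirely. `toggleFollowingRepo` has the same hand-built query string and would become `$.post(TOGGLE_FOLLOW_URL, {follows_repo_id: follows_repo_id}, function(data){ ... })`. The removed line appears to have been sending the HTML entity `&amp;` as a literal inside the JS string, so it is worth checking the rest of `showRepoSize` for the same pattern. The body of `showRepoSize` continues past the end of this hunk.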
--- a/kallithea/templates/admin/repos/repo_edit_advanced.html	Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/templates/admin/repos/repo_edit_advanced.html	Fri Mar 27 16:25:27 2015 +0100
@@ -22,7 +22,6 @@
 <h3>${_('Public Journal Visibility')}</h3>
 ${h.form(url('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='put')}
 <div class="form">
-  ${h.hidden('auth_token',str(h.get_token()))}
   <div class="field">
   %if c.in_public_journal:
     <button class="btn btn-small" type="submit">
--- a/kallithea/templates/base/base.html	Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/templates/base/base.html	Fri Mar 27 16:25:27 2015 +0100
@@ -176,7 +176,7 @@
               ## also it feels like a job for the controller
               %if c.authuser.username != 'default':
                   <li>
-                   <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id},'${str(h.get_token())}');">
+                   <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id});">
                     <span class="show-follow"><i class="icon-heart-empty"></i> ${_('Follow')}</span>
                     <span class="show-following"><i class="icon-heart"></i> ${_('Unfollow')}</span>
                   </a>
--- a/kallithea/templates/data_table/_dt_elements.html	Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/templates/data_table/_dt_elements.html	Fri Mar 27 16:25:27 2015 +0100
@@ -212,6 +212,6 @@
 
 <%def name="toggle_follow(repo_id)">
   <span id="follow_toggle_${repo_id}" class="following" title="${_('Stop following this repository')}"
-        onclick="javascript:toggleFollowingRepo(this, ${repo_id},'${str(h.get_token())}')">
+        onclick="javascript:toggleFollowingRepo(this, ${repo_id})">
   </span>
 </%def>
--- a/kallithea/templates/summary/summary.html	Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/templates/summary/summary.html	Fri Mar 27 16:25:27 2015 +0100
@@ -157,7 +157,7 @@
 
             %if c.authuser.username != 'default':
             <li class="repo_size">
-              <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}','${str(h.get_token())}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
+              <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
               <span  class="stats-bullet" id="repo_size_2"></span>
             </li>
             %endif
--- a/kallithea/tests/functional/test_journal.py	Tue Apr 07 02:52:02 2015 +0200
+++ b/kallithea/tests/functional/test_journal.py	Fri Mar 27 16:25:27 2015 +0100
@@ -23,8 +23,7 @@
 #
 #        response = self.app.post(url(controller='journal',
 #                                     action='toggle_following'),
-#                                     {'auth_token':get_token(session),
-#                                      'follows_repo_id':repo.repo_id})
+#                                     {'follows_repo_id':repo.repo_id})
 
     def test_start_following_repository(self):
         self.log_user()