← Back to branch summary

~azzar1/unity/add-show-desktop-key

« back to all changes in this revision

Viewing changes to ivle/dispatch/__init__.py

  • Committer: Matt Giuca
  • Date: 2009-12-15 01:33:12 UTC
  • Revision ID: matt.giuca@gmail.com-20091215013312-bqlhpwh769zg9dwx
doc/man/architecture: Added section on auth and pulldown modules.

Show diffs side-by-side

added added

removed removed

Lines of Context:
ivle/dispatch/__init__.py
30
30
import os
31
31
import os.path
32
32
import urllib
33
 
import urlparse
34
33
import cgi
35
34
import traceback
36
35
import logging
37
36
import socket
38
37
import time
39
38
 
40
 
# We want to use the Storm C extensions if at all possible.
41
 
# Since we can't use SetEnv in Apache, do this here. It *must* appear
42
 
# before storm is imported for the first time.
43
 
os.environ['STORM_CEXTENSIONS'] = '1'
44
 
 
45
39
import mod_python
46
40
 
47
41
from ivle import util
50
44
import ivle.webapp.security
51
45
from ivle.webapp.base.plugins import ViewPlugin, PublicViewPlugin
52
46
from ivle.webapp.base.xhtml import XHTMLView, XHTMLErrorView
53
 
from ivle.webapp.errors import BadRequest, HTTPError, NotFound, Unauthorized
 
47
from ivle.webapp.errors import HTTPError, Unauthorized, NotFound
54
48
from ivle.webapp.publisher import Publisher, PublishingError
55
49
from ivle.webapp import ApplicationRoot
56
50
 
71
65
    def traversed_to_object(self, obj):
72
66
        """Check that the user has any permission at all over the object."""
73
67
        if (hasattr(obj, 'get_permissions') and
74
 
            len(obj.get_permissions(self.root.user, config)) == 0):
 
68
            len(obj.get_permissions(self.root.user)) == 0):
75
69
            # Indicate the forbidden object if this is an admin.
76
70
            if self.root.user and self.root.user.admin:
77
71
                raise Unauthorized('Unauthorized: %s' % obj)
131
125
    # Make the request object into an IVLE request which can be given to views
132
126
    req = Request(apachereq, config)
133
127
 
 
128
    # Hack? Try and get the user login early just in case we throw an error
 
129
    # (most likely 404) to stop us seeing not logged in even when we are.
 
130
    if not req.publicmode:
 
131
        user = ivle.webapp.security.get_user_details(req)
 
132
 
 
133
        # Don't set the user if it is disabled or hasn't accepted the ToS.
 
134
        if user and user.valid:
 
135
            req.user = user
 
136
 
134
137
    req.publisher = generate_publisher(
135
 
        config.plugin_index[ViewPlugin], ApplicationRoot(req),
 
138
        config.plugin_index[ViewPlugin],
 
139
        ApplicationRoot(req.config, req.store, req.user),
136
140
        publicmode=req.publicmode)
137
141
 
138
142
    try:
153
157
                    raise Unauthorized('Unauthorized: %s' % view)
154
158
                else:
155
159
                    raise Unauthorized()
156
 
 
157
 
            # Non-GET requests from other sites leave us vulnerable to
158
 
            # CSRFs. Block them.
159
 
            referer = req.headers_in.get('Referer')
160
 
            if (referer is None or
161
 
                urlparse.urlparse(req.headers_in.get('Referer')).netloc !=
162
 
                    req.hostname):
163
 
                if req.method != 'GET' and not view.offsite_posts_allowed:
164
 
                    raise BadRequest(
165
 
                        "Non-GET requests from external sites are forbidden "
166
 
                        "for security reasons.")
167
 
 
168
160
            # Render the output
169
161
            view.render(req)
170
162
        except HTTPError, e:
196
188
            handle_unknown_exception(req, *sys.exc_info())
197
189
            return req.OK
198
190
        else:
199
 
            # Commit the transaction if we have a store open.
200
 
            req.commit()
 
191
            req.store.commit()
201
192
            return req.OK
202
193
    except Unauthorized, e:
203
194
        # Resolution failed due to a permission check. Display a pretty
214
205
            XHTMLErrorView(req, NotFound(), e[0]).render(req)
215
206
 
216
207
        return req.OK
217
 
    finally:
218
 
        # Make sure we close the store.
219
 
        req.cleanup()
220
208
 
221
209
def handle_unknown_exception(req, exc_type, exc_value, exc_traceback):
222
210
    """