1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
|
# IVLE
# Copyright (C) 2007-2009 The University of Melbourne
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
# Author: Will Grant, Nick Chadwick
import urllib
import datetime
try:
import mod_python.Cookie
except ImportError:
# This needs to be importable from outside Apache.
pass
import ivle.util
import ivle.pulldown_subj
import ivle.webapp.security
from ivle.auth import authenticate, AuthError
from ivle.webapp.base.xhtml import XHTMLView
from ivle.webapp.base.plugins import CookiePlugin
class LoginView(XHTMLView):
'''A view to allow a user to log in.'''
template = 'login.html'
allow_overlays = False
def authorize(self, req):
return True
def populate(self, req, ctx):
fields = req.get_fieldstorage()
nexturl = fields.getfirst('url')
if nexturl is None:
nexturl = '/'
# We are already logged in. If it is a POST, they might be trying to
# clobber their session with some new credentials. That's their own
# business, so we let them do it. Otherwise, we don't bother prompting
# and just redirect to the destination.
# Note that req.user is None even if we are 'logged in', if the user is
# invalid (state != enabled, or expired).
if req.method != "POST" and req.user is not None:
req.throw_redirect(nexturl)
# Don't give any URL if we want /.
if nexturl == '/':
query_string = ''
else:
query_string = '?url=' + urllib.quote(nexturl, safe="/~")
ctx['path'] = ivle.util.make_path('+login') + query_string
# If this succeeds, the user is invalid.
user = ivle.webapp.security.get_user_details(req)
if user is not None:
if user.state == "no_agreement":
# Authenticated, but need to accept the ToS. Send them there.
# IMPORTANT NOTE FOR HACKERS: You can't simply disable this
# if you are not planning to display a ToS page - the ToS
# acceptance process actually calls usrmgt to create the user
# jails and related stuff.
req.throw_redirect(ivle.util.make_path('+tos') + query_string)
elif user.state == "pending":
# FIXME: this isn't quite the right answer, but it
# should be more robust in the short term.
session = req.get_session()
session.invalidate()
session.delete()
user.state = u'no_agreement'
req.store.commit()
req.throw_redirect(nexturl)
if req.method == "POST":
# While req.user is normally set to get_user_details, it won't set
# it if the account isn't valid. So we get it ourselves.
user = ivle.webapp.security.get_user_details(req)
badlogin = None
username = fields.getfirst('user')
password = fields.getfirst('pass')
if username is not None:
# From this point onwards, we will be showing an error message
# if unsuccessful.
# Authenticate
if password is None:
badlogin = "No password supplied."
else:
user = None
try:
user = authenticate.authenticate(req.store,
username.value, password.value)
except AuthError, msg:
badlogin = msg
if user is None:
# Must have got an error. Do not authenticate.
# The except: above will have set a message.
pass
else:
# Success - Set the session and redirect to the URL.
session = req.get_session()
session['login'] = user.login
session.save()
session.unlock()
user.last_login = datetime.datetime.now()
# Create cookies for plugins that might request them.
for plugin in req.config.plugin_index[CookiePlugin]:
for cookie in plugin.cookies:
# The function can be None if they just need to be
# deleted at logout.
if plugin.cookies[cookie] is not None:
req.add_cookie(mod_python.Cookie.Cookie(cookie,
plugin.cookies[cookie](user), path='/'))
# Add any new enrolments.
ivle.pulldown_subj.enrol_user(req.store, user)
req.store.commit()
req.throw_redirect(nexturl)
# We didn't succeed.
# Render the login form with the error message.
ctx['error'] = badlogin
class LogoutView(XHTMLView):
'''A view to log the current session out.'''
template = 'logout.html'
allow_overlays = False
def authorize(self, req):
# This can be used by any authenticated user, even if they haven't
# accepted the ToS yet.
return ivle.webapp.security.get_user_details(req) is not None
def populate(self, req, ctx):
if req.method == "POST":
req.logout()
else:
ctx['path'] = ivle.util.make_path('+logout')
|