warricksothr
/
mumble-django
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

implement proper request authorization and validation for the various forms exported over Ext.Direct

Natenom/support-murmur-13-1446181288462
Michael Ziegler 14 years ago
parent
19a9d91fe7
commit
dfecc17a80
1 changed files with 32 additions and 10 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 42
      pyweb/mumble/forms.py

42
pyweb/mumble/forms.py
View File

@ -145,12 +145,7 @@ class MumbleForm( PropertyModelForm ):
fields = ['name']
def EXT_authorize( self, request, action ):
return request.user.is_authenticated() and ( not self.instance or self.instance.isUserAdmin( request.user ) )
def EXT_validate( self, request ):
if not self.instance.isUserAdmin( request.user ):
return False
return True
return self.instance.isUserAdmin( request.user )
class MumbleAdminForm( MumbleForm ):
""" A Mumble Server admin form intended to be used by the server hoster. """
@ -205,16 +200,27 @@ class MumbleServerForm( ModelForm ):
class Meta:
model = MumbleServer
@EXT_FORMS_PROVIDER.register_form
class MumbleUserForm( ModelForm ):
""" The user registration form used to register an account. """
password = forms.CharField( widget=forms.PasswordInput, required=False )
password = forms.CharField( label=_("Password"), widget=forms.PasswordInput, required=False )
def __init__( self, *args, **kwargs ):
ModelForm.__init__( self, *args, **kwargs )
self.server = None
def EXT_authorize( self, request, action ):
if not request.user.is_authenticated():
return False
if action == "update" and settings.PROTECTED_MODE and self.instance.id is None:
# creating new user in protected mode -> need UserPasswordForm
return False
if self.instance is not None and request.user != self.instance.owner:
# editing another account
return False
return True
def EXT_validate( self, request ):
if "serverid" in request.POST:
try:
@ -253,7 +259,7 @@ class MumbleUserForm( ModelForm ):
model = MumbleUser
fields = ( 'name', 'password' )
@EXT_FORMS_PROVIDER.register_form
class MumbleUserPasswordForm( MumbleUserForm ):
""" The user registration form used to register an account on a private server in protected mode. """
@ -263,6 +269,14 @@ class MumbleUserPasswordForm( MumbleUserForm ):
widget=forms.PasswordInput(render_value=False)
)
def EXT_authorize( self, request, action ):
if not request.user.is_authenticated():
return False
if self.instance is not None and request.user != self.instance.owner:
# editing another account
return False
return True
def clean_serverpw( self ):
""" Validate the password """
serverpw = self.cleaned_data['serverpw']
@ -277,7 +291,7 @@ class MumbleUserPasswordForm( MumbleUserForm ):
del( self.cleaned_data['serverpw'] )
return self.cleaned_data
@EXT_FORMS_PROVIDER.register_form
class MumbleUserLinkForm( MumbleUserForm ):
""" Special registration form to either register or link an account. """
@ -291,6 +305,14 @@ class MumbleUserLinkForm( MumbleUserForm ):
MumbleUserForm.__init__( self, *args, **kwargs )
self.mumbleid = None
def EXT_authorize( self, request, action ):
if not request.user.is_authenticated():
return False
if self.instance is not None and request.user != self.instance.owner:
# editing another account
return False
return settings.ALLOW_ACCOUNT_LINKING
def clean_name( self ):
""" Check if the target account exists in Murmur. """
if 'linkacc' not in self.data:

Write Preview
Loading…
Cancel
Save