From dfecc17a80cb1d179402dd74459e834407cab6fb Mon Sep 17 00:00:00 2001
From: Michael Ziegler
Date: Tue, 3 Aug 2010 23:09:16 +0200
Subject: [PATCH] implement proper request authorization and validation for the various forms exported over Ext.Direct

---
 pyweb/mumble/forms.py | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/pyweb/mumble/forms.py b/pyweb/mumble/forms.py
index f06a2af..4307e79 100644
--- a/pyweb/mumble/forms.py
+++ b/pyweb/mumble/forms.py
@@ -145,12 +145,7 @@ class MumbleForm( PropertyModelForm ):
         fields = ['name']
 
     def EXT_authorize( self, request, action ):
-        return request.user.is_authenticated() and ( not self.instance or self.instance.isUserAdmin( request.user ) )
-
-    def EXT_validate( self, request ):
-        if not self.instance.isUserAdmin( request.user ):
-            return False
-        return True
+        return self.instance.isUserAdmin( request.user )
 
 class MumbleAdminForm( MumbleForm ):
     """ A Mumble Server admin form intended to be used by the server hoster. """
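Review bot: The rewritten `EXT_authorize` drops the `request.user.is_authenticated()` guard that the removed line carried, so an anonymous request now reaches `isUserAdmin( request.user )` with an `AnonymousUser`, and whether that returns False or raises is not visible in this hunk. Keeping the guard explicit costs one condition: `return request.user.is_authenticated() and self.instance.isUserAdmin( request.user )`. `EXT_validate` is removed from this class without a replacement; if the Ext.Direct provider treats a missing validate hook as "accept", that should be confirmed rather than assumed. The enclosing class MumbleForm starts before the hunk.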
@@ -205,16 +200,27 @@ class MumbleServerForm( ModelForm ):
     class Meta:
         model = MumbleServer
 
-
+@EXT_FORMS_PROVIDER.register_form
 class MumbleUserForm( ModelForm ):
     """ The user registration form used to register an account. """
-    password = forms.CharField( widget=forms.PasswordInput, required=False )
+    password = forms.CharField( label=_("Password"), widget=forms.PasswordInput, required=False )
 
     def __init__( self, *args, **kwargs ):
         ModelForm.__init__( self, *args, **kwargs )
         self.server = None
 
+    def EXT_authorize( self, request, action ):
+        if not request.user.is_authenticated():
+            return False
+        if action == "update" and settings.PROTECTED_MODE and self.instance.id is None:
+            # creating new user in protected mode -> need UserPasswordForm
+            return False
+        if self.instance is not None and request.user != self.instance.owner:
+            # editing another account
+            return False
+        return True
+
     def EXT_validate( self, request ):
         if "serverid" in request.POST:
             try:
@@ -253,7 +259,7 @@ class MumbleUserForm( ModelForm ):
         model = MumbleUser
         fields = ( 'name', 'password' )
 
-
+@EXT_FORMS_PROVIDER.register_form
 class MumbleUserPasswordForm( MumbleUserForm ):
     """ The user registration form used to register an account on a private server in protected mode. """
@@ -263,6 +269,14 @@ class MumbleUserPasswordForm( MumbleUserForm ):
         widget=forms.PasswordInput(render_value=False) )
 
+    def EXT_authorize( self, request, action ):
+        if not request.user.is_authenticated():
+            return False
+        if self.instance is not None and request.user != self.instance.owner:
+            # editing another account
+            return False
+        return True
+
     def clean_serverpw( self ):
         """ Validate the password """
         serverpw = self.cleaned_data['serverpw']
@@ -277,7 +291,7 @@ class MumbleUserPasswordForm( MumbleUserForm ):
         del( self.cleaned_data['serverpw'] )
         return self.cleaned_data
 
-
+@EXT_FORMS_PROVIDER.register_form
 class MumbleUserLinkForm( MumbleUserForm ):
     """ Special registration form to either register or link an account. """
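Review bot: The owner comparison in the added `EXT_authorize` also runs for a brand-new `MumbleUser`: when `PROTECTED_MODE` is off and `self.instance.id is None`, execution reaches `request.user != self.instance.owner` on an unsaved instance whose owner has not been assigned yet, which either raises on the related-object access or compares against None and returns False, so registration of a new account would be refused unless the provider assigns `owner` before calling this hook. A Django ModelForm always supplies an instance, so `self.instance is not None` never fails and the guard that expresses the intent is `if self.instance.id is not None and request.user != self.instance.owner:`. The same `is not None` test is repeated in `MumbleUserPasswordForm.EXT_authorize` (the @@ -263 hunk) and `MumbleUserLinkForm.EXT_authorize` (the last hunk) and would take the same change. `EXT_validate` continues past the end of the hunk.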
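Review bot: `MumbleUserPasswordForm.EXT_authorize` in the @@ -263 hunk restates the authentication and owner checks of the parent's `EXT_authorize` line for line, leaving out only the `PROTECTED_MODE` clause, and a third copy follows in `MumbleUserLinkForm`; three hand-maintained copies of an authorization predicate tend to diverge silently. A helper on `MumbleUserForm`, e.g. `def _user_owns_instance( self, request ): return request.user.is_authenticated() and ( self.instance is None or request.user == self.instance.owner )`, would let each subclass state only its own extra rule. A one-line comment on this override noting that the protected-mode refusal is intentionally omitted because this form is the one meant for protected mode would also spare the next reader a trip to the parent class. The enclosing class continues past the hunk.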
@@ -291,6 +305,14 @@ class MumbleUserLinkForm( MumbleUserForm ):
         MumbleUserForm.__init__( self, *args, **kwargs )
         self.mumbleid = None
 
+    def EXT_authorize( self, request, action ):
+        if not request.user.is_authenticated():
+            return False
+        if self.instance is not None and request.user != self.instance.owner:
+            # editing another account
+            return False
+        return settings.ALLOW_ACCOUNT_LINKING
+
     def clean_name( self ):
         """ Check if the target account exists in Murmur. """
         if 'linkacc' not in self.data:
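Review bot: The final `return settings.ALLOW_ACCOUNT_LINKING` gates every action of `MumbleUserLinkForm.EXT_authorize`, so with linking disabled the owner of an already-linked account is refused through this form as well; if that is intended, a short comment such as `# linking disabled site-wide: refuse even the owner` would make it explicit, otherwise limit the gate to new instances with `return settings.ALLOW_ACCOUNT_LINKING or self.instance.id is not None`. Returning the setting's raw value also passes whatever type is configured straight through as the authorization result; `bool( settings.ALLOW_ACCOUNT_LINKING )` pins it. `clean_name` continues past the end of the hunk.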