[Checkins] SVN: Products.PluggableAuthService/trunk/ Prevent direct publication of the '@@csrf_token' view.
Tres Seaver
cvs-admin at zope.org
Fri Nov 16 20:21:27 UTC 2012
Log message for revision 128317:
Prevent direct publication of the '@@csrf_token' view.
Templates access the token now via 'context/@@csrf_token/token'.
Changed:
_U Products.PluggableAuthService/trunk/
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/tests/test_utils.py
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/utils.py
-=-
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt 2012-11-16 18:58:49 UTC (rev 128316)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt 2012-11-16 20:21:25 UTC (rev 128317)
@@ -27,7 +27,7 @@
<form action="." method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<tr class="row-hilite"
tal:repeat="info here/listGroupInfo"
@@ -85,7 +85,7 @@
<form action="manage_addGroup" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<table
>
@@ -152,7 +152,7 @@
<form action="manage_updateGroup" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<input type="hidden" name="group_id" value="GROUP_ID"
tal:attributes="value group_id" />
<table>
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt 2012-11-16 18:58:49 UTC (rev 128316)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt 2012-11-16 20:21:25 UTC (rev 128317)
@@ -30,7 +30,7 @@
<form action="." method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<tr class="row-hilite"
tal:repeat="info here/listGroupInfo"
@@ -87,7 +87,7 @@
<form action="manage_addGroup" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<table
>
@@ -150,7 +150,7 @@
<form action="manage_updateGroup" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<input type="hidden" name="group_id" value="GROUP_ID"
tal:attributes="value group_id" />
<table>
@@ -211,7 +211,7 @@
<form action="HERE" method="POST"
tal:attributes="action string:${here/absolute_url}/manage_groups">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<input type="hidden" name="group_id"
tal:attributes="value group_id" />
<input type="hidden" name="assign" value="1" />
@@ -245,7 +245,7 @@
"
>
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<table metal:use-macro="here/manage_twoLists/macros/two_lists">
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt 2012-11-16 18:58:49 UTC (rev 128316)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt 2012-11-16 20:21:25 UTC (rev 128317)
@@ -33,7 +33,7 @@
<form action="." method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<tr class="row-hilite"
tal:repeat="info here/listRoleInfo"
@@ -90,7 +90,7 @@
<form action="manage_addRole" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<table
>
@@ -153,7 +153,7 @@
<form action="manage_updateRole" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<input type="hidden" name="role_id" value="ROLE_ID"
tal:attributes="value role_id" />
<table>
@@ -214,7 +214,7 @@
<form action="HERE" method="POST"
tal:attributes="action string:${here/absolute_url}/manage_roles">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<input type="hidden" name="role_id"
tal:attributes="value role_id" />
<input type="hidden" name="assign" value="1" />
@@ -248,7 +248,7 @@
"
>
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<table metal:use-macro="here/manage_twoLists/macros/two_lists">
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt 2012-11-16 18:58:49 UTC (rev 128316)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt 2012-11-16 20:21:25 UTC (rev 128317)
@@ -5,7 +5,7 @@
<form action="manage_updatePassword" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<table tal:define="info here/getOwnUserInfo;
user_id info/user_id;
login_name info/login_name;
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt 2012-11-16 18:58:49 UTC (rev 128316)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt 2012-11-16 20:21:25 UTC (rev 128317)
@@ -28,9 +28,7 @@
<form action="." method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
- <input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<tr class="row-hilite"
tal:repeat="info here/listUserInfo"
@@ -79,7 +77,7 @@
<form action="manage_addUser" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<table
>
@@ -120,7 +118,7 @@
<form action="manage_updateUserPassword" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<table>
<tr valign="top">
@@ -186,7 +184,7 @@
<form action="manage_updateUser" method="POST">
<input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
+ tal:attributes="value context/@@csrf_token/token" />
<table>
<tr valign="top">
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/tests/test_utils.py
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/tests/test_utils.py 2012-11-16 18:58:49 UTC (rev 128316)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/tests/test_utils.py 2012-11-16 20:21:25 UTC (rev 128317)
@@ -194,7 +194,7 @@
def test_wo_token_in_request(self):
request = _makeRequestWSession()
token = self._makeOne(request=request)
- value = token()
+ value = token.token()
self.assertTrue(isinstance(value, str))
self.assertFalse(set(value) - set('0123456789abcdef'))
@@ -202,9 +202,16 @@
request = _makeRequestWSession()
request.SESSION['_csrft_'] = 'deadbeef'
token = self._makeOne(request=request)
- self.assertEqual(token(), 'deadbeef')
+ self.assertEqual(token.token(), 'deadbeef')
+ def test___call___raises(self):
+ from ZPublisher import Forbidden
+ request = _makeRequestWSession()
+ request.SESSION['_csrft_'] = 'deadbeef'
+ token = self._makeOne(request=request)
+ self.assertRaises(Forbidden, token)
+
class Test_csrf_only(unittest.TestCase):
def _callFUT(self, *args, **kw):
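Review bot: The new `test___call___raises` method is placed directly after the `self.assertEqual(token.token(), 'deadbeef')` line with no separating blank line, while the blank line the hunk adds after the new method suggests the file otherwise keeps one blank line between methods; add a blank line before `def test___call___raises(self):`. The enclosing test class starts before this hunk, and the `_makeOne` and `_makeRequestWSession` helpers the new test relies on are also outside it, so their behaviour is assumed from the sibling tests only.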
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/utils.py
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/utils.py 2012-11-16 18:58:49 UTC (rev 128316)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/utils.py 2012-11-16 20:21:25 UTC (rev 128317)
@@ -218,19 +218,21 @@
class CSRFToken(object):
- """ View helper for rendering CSRF token in templates.
-
- E.g., in every protected form, add this::
-
- <input type="hidden" name="csrf_token"
- tal:attributes="value context/@@csrf_token" />
- """
+ # View helper for rendering CSRF token in templates.
+ #
+ # E.g., in every protected form, add this::
+ #
+ # <input type="hidden" name="csrf_token"
+ # tal:attributes="value context/@@csrf_token" />
security = ClassSecurityInfo()
security.declareObjectPublic()
def __init__(self, context, request):
self.context = context
self.request = request
def __call__(self):
+ raise Forbidden()
+ def token(self):
+ # API for template use
return getCSRFToken(self.request)
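Review bot: The usage example in the comment block at the top of `CSRFToken` (the two lines ending `tal:attributes="value context/@@csrf_token" />`) still shows the old traversal, which after this change makes `__call__` raise Forbidden; it should read `tal:attributes="value context/@@csrf_token/token" />` to match the templates updated in this commit. The bare `raise Forbidden()` in `__call__` would also benefit from a one-line why-comment, e.g. `# Refuse direct publication of the view; templates read the token via .token()`. The hunk does not show where `Forbidden` is imported in utils.py, so that import is assumed to exist outside the hunk. Turning the docstring into comments looks intended to keep the publisher from treating the class as directly publishable, but nothing in the hunk shows the publishing rules, so that reading is an inference.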