Changeset - 8ee17ef21796
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Søren Løvborg - 10 years ago 2015-09-18 13:57:49
sorenl@unity3d.com
login: use server-relative URLs in came_from correctly

Using h.url to combine came_from with query parameters caused the
SCRIPT_NAME to incorrectly be prepended to came_from, even though
it was already present. This was not a problem if the Kallithea
instance was served directly from the server root ('/') as is common,
but broke setups where Kallithea was served from a prefix.
1 file changed with 3 insertions and 4 deletions:
kallithea/controllers/login.py
3
4
0 comments (0 inline, 0 general)
kallithea/controllers/login.py
Show inline comments
 
@@ -22,136 +22,135 @@ Original author and date, and relevant c
 
:created_on: Apr 22, 2010
 
:author: marcink
 
:copyright: (c) 2013 RhodeCode GmbH, and others.
 
:license: GPLv3, see LICENSE.md for more details.
 
"""
 

			




	
	
	
		
 

			




	
	
	
		
 
import logging

			




	
	
	
		
 
import formencode

			




	
	
	
		
 
import urlparse

			




	
	
	
		
 

			




	
	
	
		
 
from formencode import htmlfill

			




	
	
	
		
 
from webob.exc import HTTPFound, HTTPBadRequest

			




	
	
	
		
 
from pylons.i18n.translation import _

			




	
	
	
		
 
from pylons.controllers.util import redirect

			




	
	
	
		
 
from pylons import request, session, tmpl_context as c, url

			




	
	
	
		
 

			




	
	
	
		
 
import kallithea.lib.helpers as h

			




	
	
	
		
 
from kallithea.lib.auth import AuthUser, HasPermissionAnyDecorator

			




	
	
	
		
 
from kallithea.lib.base import BaseController, log_in_user, render

			




	
	
	
		
 
from kallithea.lib.exceptions import UserCreationError

			




	
	
	
		
 
from kallithea.lib.utils2 import safe_str

			




	
	
	
		
 
from kallithea.model.db import User, Setting

			




	
	
	
		
 
from kallithea.model.forms import \

			




	
	
	
		
 
    LoginForm, RegisterForm, PasswordResetRequestForm, PasswordResetConfirmationForm

			




	
	
	
		
 
from kallithea.model.user import UserModel

			




	
	
	
		
 
from kallithea.model.meta import Session

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
log = logging.getLogger(__name__)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class LoginController(BaseController):

			




	
	
	
		
 

			




	
	
	
		
 
    def __before__(self):

			




	
	
	
		
 
        super(LoginController, self).__before__()

			




	
	
	
		
 

			




	
	
	
		
 
    def _validate_came_from(self, came_from):

			




	
	
	
		
 
        """Return True if came_from is valid and can and should be used"""

			




	
	
	
		
 
        url = urlparse.urlsplit(came_from)

			




	
	
	
		
 
        return not url.scheme and not url.netloc

			




	
	
	
		
 

			




	
	
	
		
 
    def index(self):

			




	
	
	
		
 
        c.came_from = safe_str(request.GET.get('came_from', ''))

			




	
	
	
		
 
        if c.came_from:

			




	
	
	
		
 
            if not self._validate_came_from(c.came_from):

			




	
	
	
		
 
                log.error('Invalid came_from (not server-relative): %r', c.came_from)

			




	
	
	
		
 
                raise HTTPBadRequest()

			




	
	
	
		
 
            came_from = url(c.came_from)

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            c.came_from = came_from = url('home')

			




	
	
	
		
 
            c.came_from = url('home')

			




	
	
	
		
 

			




	
	
	
		
 
        not_default = self.authuser.username != User.DEFAULT_USER

			




	
	
	
		
 
        ip_allowed = AuthUser.check_ip_allowed(self.authuser, self.ip_addr)

			




	
	
	
		
 

			




	
	
	
		
 
        # redirect if already logged in

			




	
	
	
		
 
        if self.authuser.is_authenticated and not_default and ip_allowed:

			




	
	
	
		
 
            raise HTTPFound(location=came_from)

			




	
	
	
		
 
            raise HTTPFound(location=c.came_from)

			




	
	
	
		
 

			




	
	
	
		
 
        if request.POST:

			




	
	
	
		
 
            # import Login Form validator class

			




	
	
	
		
 
            login_form = LoginForm()

			




	
	
	
		
 
            try:

			




	
	
	
		
 
                c.form_result = login_form.to_python(dict(request.POST))

			




	
	
	
		
 
                # form checks for username/password, now we're authenticated

			




	
	
	
		
 
                username = c.form_result['username']

			




	
	
	
		
 
                user = User.get_by_username(username, case_insensitive=True)

			




	
	
	
		
 
            except formencode.Invalid as errors:

			




	
	
	
		
 
                defaults = errors.value

			




	
	
	
		
 
                # remove password from filling in form again

			




	
	
	
		
 
                del defaults['password']

			




	
	
	
		
 
                return htmlfill.render(

			




	
	
	
		
 
                    render('/login.html'),

			




	
	
	
		
 
                    defaults=errors.value,

			




	
	
	
		
 
                    errors=errors.error_dict or {},

			




	
	
	
		
 
                    prefix_error=False,

			




	
	
	
		
 
                    encoding="UTF-8",

			




	
	
	
		
 
                    force_defaults=False)

			




	
	
	
		
 
            except UserCreationError as e:

			




	
	
	
		
 
                # container auth or other auth functions that create users on

			




	
	
	
		
 
                # the fly can throw this exception signaling that there's issue

			




	
	
	
		
 
                # with user creation, explanation should be provided in

			




	
	
	
		
 
                # Exception itself

			




	
	
	
		
 
                h.flash(e, 'error')

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                log_in_user(user, c.form_result['remember'],

			




	
	
	
		
 
                    is_external_auth=False)

			




	
	
	
		
 
                raise HTTPFound(location=came_from)

			




	
	
	
		
 
                raise HTTPFound(location=c.came_from)

			




	
	
	
		
 

			




	
	
	
		
 
        return render('/login.html')

			




	
	
	
		
 

			




	
	
	
		
 
    @HasPermissionAnyDecorator('hg.admin', 'hg.register.auto_activate',

			




	
	
	
		
 
                               'hg.register.manual_activate')

			




	
	
	
		
 
    def register(self):

			




	
	
	
		
 
        c.auto_active = 'hg.register.auto_activate' in User.get_default_user()\

			




	
	
	
		
 
            .AuthUser.permissions['global']

			




	
	
	
		
 

			




	
	
	
		
 
        settings = Setting.get_app_settings()

			




	
	
	
		
 
        captcha_private_key = settings.get('captcha_private_key')

			




	
	
	
		
 
        c.captcha_active = bool(captcha_private_key)

			




	
	
	
		
 
        c.captcha_public_key = settings.get('captcha_public_key')

			




	
	
	
		
 

			




	
	
	
		
 
        if request.POST:

			




	
	
	
		
 
            register_form = RegisterForm()()

			




	
	
	
		
 
            try:

			




	
	
	
		
 
                form_result = register_form.to_python(dict(request.POST))

			




	
	
	
		
 
                form_result['active'] = c.auto_active

			




	
	
	
		
 

			




	
	
	
		
 
                if c.captcha_active:

			




	
	
	
		
 
                    from kallithea.lib.recaptcha import submit

			




	
	
	
		
 
                    response = submit(request.POST.get('recaptcha_challenge_field'),

			




	
	
	
		
 
                                      request.POST.get('recaptcha_response_field'),

			




	
	
	
		
 
                                      private_key=captcha_private_key,

			




	
	
	
		
 
                                      remoteip=self.ip_addr)

			




	
	
	
		
 
                    if c.captcha_active and not response.is_valid:

			




	
	
	
		
 
                        _value = form_result

			




	
	
	
		
 
                        _msg = _('Bad captcha')

			




	
	
	
		
 
                        error_dict = {'recaptcha_field': _msg}

			




	
	
	
		
 
                        raise formencode.Invalid(_msg, _value, None,

			




	
	
	
		
 
                                                 error_dict=error_dict)

			




	
	
	
		
 

			




	
	
	
		
 
                UserModel().create_registration(form_result)

			




	
	
	
		
 
                h.flash(_('You have successfully registered into Kallithea'),

			




	
	
	
		
 
                        category='success')

			




	
	
	
		
 
                Session().commit()

			




	
	
	
		
 
                return redirect(url('login_home'))

			




	
	
	
		
 

			




	
	
	
		
 
            except formencode.Invalid as errors:

			




	
	
	
		
 
                return htmlfill.render(

			




	
	
	
		
 
                    render('/register.html'),

			




	
	
	
		
 
                    defaults=errors.value,

			




	
	
	
		
 
                    errors=errors.error_dict or {},

			




	
	
	
		
 
                    prefix_error=False,

			




	
	
	
		
 
                    encoding="UTF-8",

			




	
	
	
		
 
                    force_defaults=False)

			




	
	
	
		
 
            except UserCreationError as e:

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.