1 from pkg_resources import resource_filename
2
3 from pylons import config, session, tmpl_context as c
4
5 from spline.lib.plugin import PluginBase, PluginLink, Priority
6 import spline.model.meta as meta
7
8 import splinext.users.controllers.accounts
9 import splinext.users.controllers.admin
10 import splinext.users.controllers.users
11 from splinext.users import model as users_model
12
def add_routes_hook(map, *args, **kwargs):
    """Hook to inject some of our behavior into the routes configuration.

    Registers the account, profile and admin routes on the Routes ``map``
    handed in by the ``routes_mapping`` hook.  The profile-edit URL is
    connected twice: the form itself only answers GET and the commit action
    only answers POST, so a plain link can never trigger the write path.
    Any further positional or keyword arguments from the hook dispatcher
    are accepted and ignored.
    """
    get_only = {'conditions': {'method': ['GET']}}
    post_only = {'conditions': {'method': ['POST']}}

    routes = [
        # Login, logout
        ('/accounts/login', dict(controller='accounts', action='login')),
        ('/accounts/login_begin', dict(controller='accounts', action='login_begin')),
        ('/accounts/login_finish', dict(controller='accounts', action='login_finish')),
        ('/accounts/logout', dict(controller='accounts', action='logout')),

        # Self-admin: GET shows the form, POST applies it.
        # NOTE(review): the method split only separates display from
        # submission; any CSRF token check has to live in the
        # profile_edit_commit action itself, which is not visible here.
        (r'/users/{id:\d+};{name}/edit',
         dict(controller='users', action='profile_edit', **get_only)),
        (r'/users/{id:\d+};{name}/edit',
         dict(controller='users', action='profile_edit_commit', **post_only)),

        # Public user pages
        ('/users', dict(controller='users', action='list')),
        (r'/users/{id:\d+};{name}', dict(controller='users', action='profile')),
        (r'/users/{id:\d+}', dict(controller='users', action='profile')),

        # Big-boy admin
        ('/admin/users/permissions',
         dict(controller='admin_users', action='permissions')),
    ]

    # Registration order matters to Routes (first match wins), so keep the
    # list order above as the connection order.
    for path, options in routes:
        map.connect(path, **options)
35
def monkeypatch_user_hook(config, *args, **kwargs):
    """Hook to tell the `User` model who the root user is.

    Reads ``spline-users.root_user_id`` from ``config``, converts it to an
    int and stores it on ``User._root_user_id``.  When the setting is absent
    the model is left untouched.  A value that is present but not an integer
    is not handled here and still raises ``ValueError`` at setup time.
    Extra hook arguments are accepted and ignored.
    """
    try:
        root_user_id = int(config['spline-users.root_user_id'])
    except KeyError:
        # Not configured: there simply is no root user.
        return

    users_model.User._root_user_id = root_user_id
44
def check_userid_hook(action, **params):
    """Hook to see if a user is logged in and, if so, stick a user object in
    c.

    Resolves ``session['user_id']`` to a `User` row and exposes it as
    ``c.user``.  With no id in the session, or with an id that matches no
    row, ``c.user`` becomes an `AnonymousUser`; a dangling id is also removed
    from the session so it is not re-queried on every request.  ``action``
    and ``params`` are only there to satisfy the hook signature.
    """
    if 'user_id' not in session:
        c.user = users_model.AnonymousUser()
        return

    user = meta.Session.query(users_model.User).get(session['user_id'])
    if user:
        c.user = user
        return

    # The session names a user that no longer exists (or never did).
    # Drop the stale id and fall back to anonymous.
    del session['user_id']
    session.save()
    c.user = users_model.AnonymousUser()
64
65
class UsersPlugin(PluginBase):
    """Spline plugin providing user accounts.

    Contributes the account/user/admin controllers, the plugin's template
    directory, the hooks that wire routes and the current user into each
    request, and the page-header user-state widget.
    """

    def controllers(self):
        """Map Routes controller names to their controller classes."""
        controllers = splinext.users.controllers
        return {
            'accounts': controllers.accounts.AccountsController,
            'admin_users': controllers.admin.AdminController,
            'users': controllers.users.UsersController,
        }

    def template_dirs(self):
        """Return this plugin's Mako template directory at normal priority."""
        templates = resource_filename(__name__, 'templates')
        return [(templates, Priority.NORMAL)]

    def hooks(self):
        """Return (hook name, priority, callable) registrations."""
        return [
            ('routes_mapping', Priority.NORMAL, add_routes_hook),
            ('after_setup', Priority.NORMAL, monkeypatch_user_hook),
            # VERY_FIRST so c.user is set before any other before_controller
            # hook or controller code looks at it.
            ('before_controller', Priority.VERY_FIRST, check_userid_hook),
        ]

    def widgets(self):
        """Return the widgets this plugin adds to the page header."""
        return [('page_header', Priority.NORMAL, 'widgets/user_state.mako')]