CSRF protection. #361

[zzz-spline-users.git] / splinext / users / controllers / accounts.py

diff --git a/splinext/users/controllers/accounts.py b/splinext/users/controllers/accounts.py
index 9add733..55b6319 100644 (file)
--- a/splinext/users/controllers/accounts.py
+++ b/splinext/users/controllers/accounts.py
@@ -1,18 +1,19 @@
 import logging
-from openid.consumer.consumer import Consumer
+from openid.consumer.consumer import Consumer, SUCCESS, CANCEL
 from openid.extensions.sreg import SRegRequest, SRegResponse
 from openid.store.filestore import FileOpenIDStore
 from openid.yadis.discover import DiscoveryFailure
 from sqlalchemy.orm.exc import NoResultFound
 
 from pylons import config, request, response, session, tmpl_context as c, url
-from pylons.controllers.util import abort, redirect_to
+from pylons.controllers.util import abort, redirect
+from pylons.decorators.secure import authenticate_form
 from routes import request_config
 
-from spline import model
 from spline.model import meta
 from spline.lib import helpers as h
 from spline.lib.base import BaseController, render
+from splinext.users import model as users_model
 
 log = logging.getLogger(__name__)
 
@@ -59,7 +60,7 @@ class AccountsController(BaseController):
         return_url = url(host=host, controller='accounts', action='login_finish')
         new_url = auth_request.redirectURL(return_to=return_url,
                                            realm=protocol + '://' + host)
-        redirect_to(new_url)
+        redirect(new_url)
 
     def login_finish(self):
         """Step two of logging in; the OpenID provider redirects back here."""
@@ -69,13 +70,17 @@ class AccountsController(BaseController):
         return_url = url(host=host, controller='accounts', action='login_finish')
         res = cons.complete(request.params, return_url)
 
-        if res.status != 'success':
+        if res.status == CANCEL:
+            # I guess..  just..  back to the homepage?
+            h.flash(u"""Login canceled.""", icon='user-silhouette')
+            redirect(url('/'))
+        elif res.status != SUCCESS:
             return 'Error!  %s' % res.message
 
         try:
             # Grab an existing user record, if one exists
-            q = meta.Session.query(model.User) \
-                    .filter(model.User.openids.any(openid=res.identity_url))
+            q = meta.Session.query(users_model.User) \
+                    .filter(users_model.User.openids.any(openid=res.identity_url))
             user = q.one()
         except NoResultFound:
             # Try to pull a name out of the SReg response
@@ -87,10 +92,10 @@ class AccountsController(BaseController):
                 username = 'Anonymous'
 
             # Create db records
-            user = model.User(name=username)
+            user = users_model.User(name=username)
             meta.Session.add(user)
 
-            openid = model.OpenID(openid=res.identity_url)
+            openid = users_model.OpenID(openid=res.identity_url)
             user.openids.append(openid)
 
             meta.Session.commit()
@@ -102,8 +107,9 @@ class AccountsController(BaseController):
         h.flash(u"""Hello, {0}!""".format(user.name),
                 icon='user')
 
-        redirect_to('/', _code=303)
+        redirect(url('/'), code=303)
 
+    @authenticate_form
     def logout(self):
         """Logs the user out."""
 
@@ -114,4 +120,4 @@ class AccountsController(BaseController):
             h.flash(u"""Logged out.""",
                     icon='user-silhouette')
 
-        redirect_to('/', _code=303)
+        redirect(url('/'), code=303)