CSRF protection. #361
[zzz-spline-users.git] / splinext / users / controllers / accounts.py
index 9add733..55b6319 100644 (file)
@@ -1,18 +1,19 @@
 import logging
 import logging
-from openid.consumer.consumer import Consumer
+from openid.consumer.consumer import Consumer, SUCCESS, CANCEL
 from openid.extensions.sreg import SRegRequest, SRegResponse
 from openid.store.filestore import FileOpenIDStore
 from openid.yadis.discover import DiscoveryFailure
 from sqlalchemy.orm.exc import NoResultFound
 
 from pylons import config, request, response, session, tmpl_context as c, url
 from openid.extensions.sreg import SRegRequest, SRegResponse
 from openid.store.filestore import FileOpenIDStore
 from openid.yadis.discover import DiscoveryFailure
 from sqlalchemy.orm.exc import NoResultFound
 
 from pylons import config, request, response, session, tmpl_context as c, url
-from pylons.controllers.util import abort, redirect_to
+from pylons.controllers.util import abort, redirect
+from pylons.decorators.secure import authenticate_form
 from routes import request_config
 
 from routes import request_config
 
-from spline import model
 from spline.model import meta
 from spline.lib import helpers as h
 from spline.lib.base import BaseController, render
 from spline.model import meta
 from spline.lib import helpers as h
 from spline.lib.base import BaseController, render
+from splinext.users import model as users_model
 
 log = logging.getLogger(__name__)
 
 
 log = logging.getLogger(__name__)
 
@@ -59,7 +60,7 @@ class AccountsController(BaseController):
         return_url = url(host=host, controller='accounts', action='login_finish')
         new_url = auth_request.redirectURL(return_to=return_url,
                                            realm=protocol + '://' + host)
         return_url = url(host=host, controller='accounts', action='login_finish')
         new_url = auth_request.redirectURL(return_to=return_url,
                                            realm=protocol + '://' + host)
-        redirect_to(new_url)
+        redirect(new_url)
 
     def login_finish(self):
         """Step two of logging in; the OpenID provider redirects back here."""
 
     def login_finish(self):
         """Step two of logging in; the OpenID provider redirects back here."""
@@ -69,13 +70,17 @@ class AccountsController(BaseController):
         return_url = url(host=host, controller='accounts', action='login_finish')
         res = cons.complete(request.params, return_url)
 
         return_url = url(host=host, controller='accounts', action='login_finish')
         res = cons.complete(request.params, return_url)
 
-        if res.status != 'success':
+        if res.status == CANCEL:
+            # I guess..  just..  back to the homepage?
+            h.flash(u"""Login canceled.""", icon='user-silhouette')
+            redirect(url('/'))
+        elif res.status != SUCCESS:
             return 'Error!  %s' % res.message
 
         try:
             # Grab an existing user record, if one exists
             return 'Error!  %s' % res.message
 
         try:
             # Grab an existing user record, if one exists
-            q = meta.Session.query(model.User) \
-                    .filter(model.User.openids.any(openid=res.identity_url))
+            q = meta.Session.query(users_model.User) \
+                    .filter(users_model.User.openids.any(openid=res.identity_url))
             user = q.one()
         except NoResultFound:
             # Try to pull a name out of the SReg response
             user = q.one()
         except NoResultFound:
             # Try to pull a name out of the SReg response
@@ -87,10 +92,10 @@ class AccountsController(BaseController):
                 username = 'Anonymous'
 
             # Create db records
                 username = 'Anonymous'
 
             # Create db records
-            user = model.User(name=username)
+            user = users_model.User(name=username)
             meta.Session.add(user)
 
             meta.Session.add(user)
 
-            openid = model.OpenID(openid=res.identity_url)
+            openid = users_model.OpenID(openid=res.identity_url)
             user.openids.append(openid)
 
             meta.Session.commit()
             user.openids.append(openid)
 
             meta.Session.commit()
@@ -102,8 +107,9 @@ class AccountsController(BaseController):
         h.flash(u"""Hello, {0}!""".format(user.name),
                 icon='user')
 
         h.flash(u"""Hello, {0}!""".format(user.name),
                 icon='user')
 
-        redirect_to('/', _code=303)
+        redirect(url('/'), code=303)
 
 
+    @authenticate_form
     def logout(self):
         """Logs the user out."""
 
     def logout(self):
         """Logs the user out."""
 
@@ -114,4 +120,4 @@ class AccountsController(BaseController):
             h.flash(u"""Logged out.""",
                     icon='user-silhouette')
 
             h.flash(u"""Logged out.""",
                     icon='user-silhouette')
 
-        redirect_to('/', _code=303)
+        redirect(url('/'), code=303)
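Review bot: In `login_finish`, the failure branch under the new `elif res.status != SUCCESS:` still returns `'Error!  %s' % res.message` as the response body, so text produced during the OpenID exchange is echoed to the browser unescaped. If that message can carry provider- or request-supplied strings and the response is served as HTML, this is a markup-injection risk, and it also shows library diagnostics to the user. I would handle it like the new CANCEL branch: `log.warning('OpenID login failed: %s', res.message)`, then `h.flash(u"""Login failed.""", icon='user-silhouette')` and `redirect(url('/'))`. Separately, `@authenticate_form` on `logout` only protects the action if the logout control is a form that submits the token; that template is not part of this diff, so it is worth confirming. The body of `login_finish` starts and continues outside the visible hunks.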