from wtforms import Form, ValidationError, fields, validators, widgets
from pylons import config, request, response, session, tmpl_context as c, url
-from pylons.controllers.util import abort, redirect_to
+from pylons.controllers.util import abort, redirect
+from pylons.decorators.secure import authenticate_form
from routes import request_config
from sqlalchemy.orm.exc import NoResultFound
-from spline import model
from spline.model import meta
from spline.lib import helpers as h
from spline.lib.base import BaseController, render
+from splinext.users import model as users_model
log = logging.getLogger(__name__)
class UsersController(BaseController):
def list(self):
- c.users = meta.Session.query(model.User).order_by(model.User.id.asc())
+ c.users = meta.Session.query(users_model.User) \
+ .order_by(users_model.User.id.asc())
return render('/users/list.mako')
def profile(self, id, name=None):
entirely optional and ignored.
"""
- c.page_user = meta.Session.query(model.User).get(id)
+ c.page_user = meta.Session.query(users_model.User).get(id)
if not c.page_user:
abort(404)
def profile_edit(self, id, name=None):
"""Main user profile editing."""
- c.page_user = meta.Session.query(model.User).get(id)
+ c.page_user = meta.Session.query(users_model.User).get(id)
if not c.page_user:
abort(404)
name=c.page_user.name,
)
- if request.method != 'POST' or not c.form.validate():
+ return render('/users/profile_edit.mako')
+
+ @authenticate_form
+ def profile_edit_commit(self, id, name=None):
+ """Save profile changes."""
+ c.page_user = meta.Session.query(users_model.User).get(id)
+ if not c.page_user:
+ abort(404)
+
+ # XXX could use some real permissions
+ if c.page_user != c.user:
+ abort(403)
+
+ c.form = ProfileEditForm(request.params,
+ name=c.page_user.name,
+ )
+
+ if not c.form.validate():
return render('/users/profile_edit.mako')
h.flash('Saved your profile.', icon='tick')
- redirect_to(controller='users', action='profile',
- id=c.page_user.id, name=c.page_user.name,
- _code=303)
+ redirect(
+ url(controller='users', action='profile',
+ id=c.page_user.id, name=c.page_user.name),
+ code=303,
+ )
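Review bot: In `profile_edit_commit` the form is bound to `request.params`, which merges query-string and body values, whereas `@authenticate_form` checks the token in the POST body. Binding with `c.form = ProfileEditForm(request.POST,` would keep the validated fields to the same body that carried the verified token. The `c.page_user != c.user` comparison is the only authorization on this write path and is still marked XXX, so a comment such as `# anonymous requests also end up here and get a 403` would record the intent, assuming `c.user` is unset for anonymous visitors (not visible in this diff). The decorator only works if `/users/profile_edit.mako` emits the token through the secure-form helper, and that template is not part of the change, so it is worth confirming that the form was converted in the same commit. The code that applies and commits the change, between the validation check and `h.flash`, lies outside the visible lines.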