CSRF protection. #361

[zzz-spline-users.git] / splinext / users / controllers / users.py
diff --git a/splinext/users/controllers/users.py b/splinext/users/controllers/users.py

index 4afb9cd..4f46179 100644 (file)
--- a/splinext/users/controllers/users.py
+++ b/splinext/users/controllers/users.py
@@ -4,14 +4,15 @@ import unicodedata
  from wtforms import Form, ValidationError, fields, validators, widgets
  
  from pylons import config, request, response, session, tmpl_context as c, url
  from wtforms import Form, ValidationError, fields, validators, widgets
  
  from pylons import config, request, response, session, tmpl_context as c, url
-from pylons.controllers.util import abort, redirect_to
+from pylons.controllers.util import abort, redirect
+from pylons.decorators.secure import authenticate_form
  from routes import request_config
  from sqlalchemy.orm.exc import NoResultFound
  
  from routes import request_config
  from sqlalchemy.orm.exc import NoResultFound
  
-from spline import model
  from spline.model import meta
  from spline.lib import helpers as h
  from spline.lib.base import BaseController, render
  from spline.model import meta
  from spline.lib import helpers as h
  from spline.lib.base import BaseController, render
+from splinext.users import model as users_model
  
  log = logging.getLogger(__name__)
  
  
  log = logging.getLogger(__name__)
  
@@ -42,7 +43,8 @@ class ProfileEditForm(Form):
  class UsersController(BaseController):
  
      def list(self):
  class UsersController(BaseController):
  
      def list(self):
-        c.users = meta.Session.query(model.User).order_by(model.User.id.asc())
+        c.users = meta.Session.query(users_model.User) \
+            .order_by(users_model.User.id.asc())
          return render('/users/list.mako')
  
      def profile(self, id, name=None):
          return render('/users/list.mako')
  
      def profile(self, id, name=None):
@@ -52,7 +54,7 @@ class UsersController(BaseController):
          entirely optional and ignored.
          """
  
          entirely optional and ignored.
          """
  
-        c.page_user = meta.Session.query(model.User).get(id)
+        c.page_user = meta.Session.query(users_model.User).get(id)
          if not c.page_user:
              abort(404)
  
          if not c.page_user:
              abort(404)
  
@@ -60,7 +62,7 @@ class UsersController(BaseController):
  
      def profile_edit(self, id, name=None):
          """Main user profile editing."""
  
      def profile_edit(self, id, name=None):
          """Main user profile editing."""
-        c.page_user = meta.Session.query(model.User).get(id)
+        c.page_user = meta.Session.query(users_model.User).get(id)
          if not c.page_user:
              abort(404)
  
          if not c.page_user:
              abort(404)
  
@@ -72,7 +74,24 @@ class UsersController(BaseController):
              name=c.page_user.name,
          )
  
              name=c.page_user.name,
          )
  
-        if request.method != 'POST' or not c.form.validate():
+        return render('/users/profile_edit.mako')
+
+    @authenticate_form
+    def profile_edit_commit(self, id, name=None):
+        """Save profile changes."""
+        c.page_user = meta.Session.query(users_model.User).get(id)
+        if not c.page_user:
+            abort(404)
+
+        # XXX could use some real permissions
+        if c.page_user != c.user:
+            abort(403)
+
+        c.form = ProfileEditForm(request.params,
+            name=c.page_user.name,
+        )
+
+        if not c.form.validate():
              return render('/users/profile_edit.mako')
  
  
              return render('/users/profile_edit.mako')
  
  
@@ -83,6 +102,8 @@ class UsersController(BaseController):
  
          h.flash('Saved your profile.', icon='tick')
  
  
          h.flash('Saved your profile.', icon='tick')
  
-        redirect_to(controller='users', action='profile',
-                    id=c.page_user.id, name=c.page_user.name,
-                    _code=303)
+        redirect(
+            url(controller='users', action='profile',
+                id=c.page_user.id, name=c.page_user.name),
+            code=303,
+        )