Make routing reject non-numeric ids in URLs.

[zzz-spline-users.git] / splinext / users / __init__.py

diff --git a/splinext/users/__init__.py b/splinext/users/__init__.py
index 39318f0..0e6f44f 100644 (file)
--- a/splinext/users/__init__.py
+++ b/splinext/users/__init__.py
@@ -4,15 +4,21 @@ from pylons import c, session
 
 from spline.lib.plugin import PluginBase
 from spline.lib.plugin import PluginBase, PluginLink, Priority
-import spline.model as model
 import spline.model.meta as meta
 
 import splinext.users.controllers.accounts
 import splinext.users.controllers.users
-import splinext.users.model
+from splinext.users import model as users_model
 
 def add_routes_hook(map, *args, **kwargs):
     """Hook to inject some of our behavior into the routes configuration."""
+    def id_is_numeric(environ, result):
+        try:
+            int(result['id'])
+            return True
+        except (KeyError, ValueError):
+            return False
+
     # Login, logout
     map.connect('/accounts/login', controller='accounts', action='login')
     map.connect('/accounts/login_begin', controller='accounts', action='login_begin')
@@ -20,28 +26,32 @@ def add_routes_hook(map, *args, **kwargs):
     map.connect('/accounts/logout', controller='accounts', action='logout')
 
     # Self-admin
-    map.connect('/users/{id};{name}/edit', controller='users', action='profile_edit')
+    map.connect('/users/{id};{name}/edit', controller='users', action='profile_edit',
+        conditions=dict(function=id_is_numeric))
 
     # Public user pages
     map.connect('/users', controller='users', action='list')
-    map.connect('/users/{id};{name}', controller='users', action='profile')
-    map.connect('/users/{id}', controller='users', action='profile')
+    map.connect('/users/{id};{name}', controller='users', action='profile',
+        conditions=dict(function=id_is_numeric))
+    map.connect('/users/{id}', controller='users', action='profile',
+        conditions=dict(function=id_is_numeric))
 
 def check_userid_hook(action, **params):
     """Hook to see if a user is logged in and, if so, stick a user object in
     c.
     """
 
-    c.user = None
-
     if not 'user_id' in session:
+        c.user = users_model.AnonymousUser()
         return
 
-    user = meta.Session.query(model.User).get(session['user_id'])
+    user = meta.Session.query(users_model.User).get(session['user_id'])
     if not user:
         # Bogus id in the session somehow.  Clear it
         del session['user_id']
         session.save()
+
+        c.user = users_model.AnonymousUser()
         return
 
     c.user = user
@@ -54,12 +64,6 @@ class UsersPlugin(PluginBase):
             users = splinext.users.controllers.users.UsersController,
         )
 
-    def model(self):
-        return [
-            splinext.users.model.User,
-            splinext.users.model.OpenID,
-        ]
-
     def template_dirs(self):
         return [
             (resource_filename(__name__, 'templates'), Priority.NORMAL)