author | Damien Churchill <damoxc@gmail.com> | 2011-10-04 23:00:28 +0100 |
---|---|---|
committer | Damien Churchill <damoxc@gmail.com> | 2011-10-05 01:38:37 +0100 |
commit | eb9071fcb0f613eaed0e4c5f465698b3937f9e2b (patch) | |
tree | 36aaf31bb5a919947ba723d1e5926fbeb4c4929a | |
parent | 9362ec0103b19681f3a05e90401b3772e2d4d272 (diff) | |
web: add a secure decorator to the auth module
This new decorator will make it easy to secure the render method
of twisted resources as we will be adding a fair few as more of
the interface moves to use ajax requests over json-rpc.
-rw-r--r-- | deluge/ui/web/auth.py | 26 | ||||
-rw-r--r-- | deluge/ui/web/server.py | 10 |
2 files changed, 28 insertions, 8 deletions
diff --git a/deluge/ui/web/auth.py b/deluge/ui/web/auth.py
index 0675d9d9d..ab48eefeb 100644
--- a/deluge/ui/web/auth.py
+++ b/deluge/ui/web/auth.py
@@ -51,11 +51,14 @@ import time
 import random
 import hashlib
 import logging
+
 from datetime import datetime, timedelta
 from email.utils import formatdate
+from types import FunctionType
 from twisted.internet.defer import Deferred
 from twisted.internet.task import LoopingCall
+from twisted.web.http import FORBIDDEN
 from deluge import component
 from deluge.ui.web.json_api import JSONComponent, export
@@ -89,6 +92,29 @@ def make_expires(timeout):
 expires_str = formatdate(timeval=expires, localtime=False, usegmt=True)
 return expires, expires_str
+def secure(auth_level=AUTH_LEVEL_DEFAULT):
+ """
+ Decorator function to secure a Twisted resource ensuring that the
+ user is authenticated with the web interface.
+ """
+ def wrap(func, *args, **kwargs):
+ def secure_render(self, request):
+ try:
+ component.get("Auth").check_request(request,
+ level=auth_level)
+ except AuthError:
+ request.setResponseCode(FORBIDDEN)
+ return "<h1>Forbidden</h1>"
+ return func(self, request)
+ return secure_render
+
+ if type(auth_level) is FunctionType:
+ func = auth_level
+ auth_level = AUTH_LEVEL_DEFAULT
+ return wrap(func)
+ else:
+ return wrap
+
 class Auth(JSONComponent):
 """
 The component that implements authentification into the JSON interface.
diff --git a/deluge/ui/web/server.py b/deluge/ui/web/server.py
index b775d9860..51534a04d 100644
--- a/deluge/ui/web/server.py
+++ b/deluge/ui/web/server.py
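Review bot: The bare-decorator test at the end of `secure`, `if type(auth_level) is FunctionType:`, only recognises plain functions, so applying `@secure` to any other callable (a `functools.partial`, an already-wrapped render object) falls through to `return wrap`; the attribute is then bound to `wrap` itself and a request gets back the `secure_render` closure without `check_request` or the original render ever running. Assuming auth levels are never callables, `if callable(auth_level):` covers those cases and makes the `from types import FunctionType` import added in the first hunk unnecessary. `wrap(func, *args, **kwargs)` never uses its extra arguments and could be `def wrap(func):`, and the docstring should state that both `@secure` and `@secure(level)` are accepted and that a failed check answers 403 with a static body.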
@@ -53,7 +53,7 @@ from deluge import common, component, configmanager
 from deluge.core.rpcserver import check_ssl_keys
 from deluge.ui import common as uicommon
 from deluge.ui.tracker_icons import TrackerIcons
-from deluge.ui.web.auth import Auth, AuthError, AUTH_LEVEL_DEFAULT
+from deluge.ui.web.auth import Auth, secure
 from deluge.ui.web.common import Template, compress
 from deluge.ui.web.json_api import JSON, WebApi
 from deluge.ui.web.pluginmanager import PluginManager
@@ -228,14 +228,8 @@ class Peers(TorrentResource):
 "total": len(peers)
 }, request)
+ @secure
 def render(self, request):
- try:
- component.get("Auth").check_request(request,
- level=AUTH_LEVEL_DEFAULT)
- except AuthError:
- request.setResponseCode(http.FORBIDDEN)
- return '<h1>Forbidden</h1>'
-
 component.get("SessionProxy"
 ).get_torrent_status(request.torrent_id, PEERS_KEYS
 ).addCallback(self.on_got_peers, request) |
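Review bot: The import change in the first hunk drops `AuthError` and `AUTH_LEVEL_DEFAULT` from server.py, while the only conversion to `@secure` visible in this diff is `Peers.render` in the second hunk. If any other resource in the module (not visible here) still performs the inline check, it would raise NameError on its first request instead of answering 403, so both names are worth searching for in the file before merging. In the second hunk a short comment above the decorator, e.g. `# @secure with no arguments enforces AUTH_LEVEL_DEFAULT`, would keep the required level visible at the call site now that the explicit `level=` argument is gone. `Peers.render` continues past the end of the hunk.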