From eb9071fcb0f613eaed0e4c5f465698b3937f9e2b Mon Sep 17 00:00:00 2001
From: Damien Churchill <damoxc@gmail.com>
Date: Tue, 4 Oct 2011 23:00:28 +0100
Subject: web: add a secure decorator to the auth module

This new decorator will make it easy to secure the render method
of twisted resources as we will be adding a fair few as more of
the interface moves to use ajax requests over json-rpc.
---
 deluge/ui/web/auth.py   | 26 ++++++++++++++++++++++++++
 deluge/ui/web/server.py | 10 ++--------
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/deluge/ui/web/auth.py b/deluge/ui/web/auth.py
index 0675d9d9d..ab48eefeb 100644
--- a/deluge/ui/web/auth.py
+++ b/deluge/ui/web/auth.py
@@ -51,11 +51,14 @@ import time
 import random
 import hashlib
 import logging
+
 from datetime import datetime, timedelta
 from email.utils import formatdate
+from types import FunctionType
 
 from twisted.internet.defer import Deferred
 from twisted.internet.task import LoopingCall
+from twisted.web.http import FORBIDDEN
 
 from deluge import component
 from deluge.ui.web.json_api import JSONComponent, export
@@ -89,6 +92,29 @@ def make_expires(timeout):
     expires_str = formatdate(timeval=expires, localtime=False, usegmt=True)
     return expires, expires_str
 
+def secure(auth_level=AUTH_LEVEL_DEFAULT):
+    """
+    Decorator function to secure a Twisted resource ensuring that the
+    user is authenticated with the web interface.
+    """
+    def wrap(func, *args, **kwargs):
+        def secure_render(self, request):
+            try:
+                component.get("Auth").check_request(request,
+                                                    level=auth_level)
+            except AuthError:
+                request.setResponseCode(FORBIDDEN)
+                return "<h1>Forbidden</h1>"
+            return func(self, request)
+        return secure_render
+
+    if type(auth_level) is FunctionType:
+        func = auth_level
+        auth_level = AUTH_LEVEL_DEFAULT
+        return wrap(func)
+    else:
+        return wrap
+
 class Auth(JSONComponent):
     """
     The component that implements authentification into the JSON interface.
diff --git a/deluge/ui/web/server.py b/deluge/ui/web/server.py
index b775d9860..51534a04d 100644
--- a/deluge/ui/web/server.py
+++ b/deluge/ui/web/server.py
@@ -53,7 +53,7 @@ from deluge import common, component, configmanager
 from deluge.core.rpcserver import check_ssl_keys
 from deluge.ui import common as uicommon
 from deluge.ui.tracker_icons import TrackerIcons
-from deluge.ui.web.auth import Auth, AuthError, AUTH_LEVEL_DEFAULT
+from deluge.ui.web.auth import Auth, secure
 from deluge.ui.web.common import Template, compress
 from deluge.ui.web.json_api import JSON, WebApi
 from deluge.ui.web.pluginmanager import PluginManager
@@ -228,14 +228,8 @@ class Peers(TorrentResource):
             "total": len(peers)
         }, request)
 
+    @secure
     def render(self, request):
-        try:
-            component.get("Auth").check_request(request,
-                                                level=AUTH_LEVEL_DEFAULT)
-        except AuthError:
-            request.setResponseCode(http.FORBIDDEN)
-            return '<h1>Forbidden</h1>'
-
         component.get("SessionProxy"
             ).get_torrent_status(request.torrent_id, PEERS_KEYS
             ).addCallback(self.on_got_peers, request)
-- 
cgit