/usr/share/pyshared/cherrypy/filters/sessionauthenticatefilter.py is in python-cherrypy 2.3.0-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 | import cherrypy
from basefilter import BaseFilter
def default_login_screen(from_page, login = '', error_msg = ''):
return """
<html><body>
Message: %s
<form method="post" action="do_login">
Login: <input type="text" name="login" value="%s" size="10"/><br/>
Password: <input type="password" name="password" size="10"/><br/>
<input type="hidden" name="from_page" value="%s"/><br/>
<input type="submit"/>
</form>
</body></html>
""" % (error_msg, login, from_page)
def default_check_login_and_password(login, password):
# Dummy check_login_and_password function
if login != 'login' or password != 'password':
return u'Wrong login/password'
class SessionAuthenticateFilter(BaseFilter):
"""
Filter allows for simple forms based authentication and access control
"""
def before_main(self):
cherrypy.request.user = None
conf = cherrypy.config.get
if ((not conf('session_authenticate_filter.on', False))
or conf('static_filter.on', False)):
return
check_login_and_password = cherrypy.config.get('session_authenticate_filter.check_login_and_password', default_check_login_and_password)
login_screen = cherrypy.config.get('session_authenticate_filter.login_screen', default_login_screen)
not_logged_in = cherrypy.config.get('session_authenticate_filter.not_logged_in')
load_user_by_username = cherrypy.config.get('session_authenticate_filter.load_user_by_username')
session_key = cherrypy.config.get('session_authenticate_filter.session_key', 'username')
on_login = cherrypy.config.get('session_authenticate_filter.on_login', None)
on_logout = cherrypy.config.get('session_authenticate_filter.on_logout', None)
if cherrypy.request.path.endswith('login_screen'):
return
elif cherrypy.request.path.endswith('do_logout'):
login = cherrypy.session.get(session_key)
cherrypy.session[session_key] = None
cherrypy.request.user = None
if login and on_logout:
on_logout(login)
from_page = cherrypy.request.params.get('from_page', '..')
raise cherrypy.HTTPRedirect(from_page)
elif cherrypy.request.path.endswith('do_login'):
from_page = cherrypy.request.params.get('from_page', '..')
login = cherrypy.request.params['login']
password = cherrypy.request.params['password']
error_msg = check_login_and_password(login, password)
if error_msg:
cherrypy.response.body = login_screen(from_page, login = login, error_msg = error_msg)
# Delete Content-Length header so finalize() recalcs it.
cherrypy.response.headers.pop("Content-Length", None)
cherrypy.request.execute_main = False
else:
cherrypy.session[session_key] = login
if on_login:
on_login(login)
if not from_page:
from_page = '/'
raise cherrypy.HTTPRedirect(from_page)
return
# Check if user is logged in
temp_user = None
if (not cherrypy.session.get(session_key)) and not_logged_in:
# Call not_logged_in so that applications where anynymous user
# is OK can handle it
temp_user = not_logged_in()
if (not cherrypy.session.get(session_key)) and not temp_user:
cherrypy.response.body = login_screen(cherrypy.request.browser_url)
# Delete Content-Length header so finalize() recalcs it.
cherrypy.response.headers.pop("Content-Length", None)
cherrypy.request.execute_main = False
return
# Everything is OK: user is logged in
if load_user_by_username and not cherrypy.request.user:
username = temp_user or cherrypy.session[session_key]
cherrypy.request.user = load_user_by_username(username)
|