changeset 5513:0e8fa2a6d016

SyncPages action: require POST of name/password form in any case, add ticket
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 07 Feb 2010 19:34:55 +0100
parents 478dfec03a09
children 09de6f176a91
files MoinMoin/action/SyncPages.py
diffstat 1 files changed, 24 insertions(+), 12 deletions(-) [+]
line wrap: on
line diff
--- a/MoinMoin/action/SyncPages.py	Sun Feb 07 17:23:08 2010 +0100
+++ b/MoinMoin/action/SyncPages.py	Sun Feb 07 19:34:55 2010 +0100
@@ -98,8 +98,8 @@
             "pageList": None,
             "groupList": None,
             "direction": "foo", # is defaulted below
-            "user": None, # XXX should be refactored into a password agent or OpenID like solution
-            "password": None,
+            "user": "", # XXX should be refactored into a password agent or OpenID like solution
+            "password": "",
         }
 
         options.update(Dict(self.request, self.pagename))
@@ -116,10 +116,6 @@
 
     def fix_params(self, params):
         """ Does some fixup on the parameters. """
-        # Load the password
-        if "password" in self.request.form:
-            params["password"] = self.request.form["password"][0]
-
         # merge the pageList case into the pageMatch case
         if params["pageList"] is not None:
             params["pageMatch"] = u'|'.join([r'^%s$' % re.escape(name)
@@ -135,10 +131,14 @@
 
         return params
 
-    def show_password_form(self):
+    def show_password_form(self, name, password):
         _ = self.request.getText
         d = {"message": _(r"Please enter your password of your account at the remote wiki below. <<BR>> /!\ You should trust both wikis because the password could be read by the particular administrators.", wiki=True),
+             "namelabel": _("Name"),
+             "name": name,
              "passwordlabel": _("Password"),
+             "password": password,
+             "ticket": wikiutil.createTicket(self.request),
              "submit": _("Login"),
              "cancel": _("Cancel"),
         }
@@ -147,8 +147,13 @@
 <form method="post">
 <div>
 <input type="hidden" name="action" value="SyncPages">
+<input type="hidden" name="ticket" value="%(ticket)s">
+<label for="iName" style="font-weight: bold;">%(namelabel)s:</label>
+<input type="text" name="name" id="iName" size="32" value="%(name)s">
+</div>
+<div>
 <label for="iPassword" style="font-weight: bold;">%(passwordlabel)s:</label>
-<input type="password" name="password" id="iPassword" size="20">
+<input type="password" name="password" id="iPassword" size="32" value="%(password)s">
 </div>
 <div style="margin-top:1em; margin-bottom:1em;">
 <div style="float:left">
@@ -172,10 +177,20 @@
 
         params = self.fix_params(self.parse_page())
 
+        if self.request.request_method != 'POST':
+            # display the username / password dialog if we were just called by a GET request
+            return self.show_password_form(params["user"], params["password"])
+
         try:
             if "cancel" in self.request.form:
                 raise ActionStatus(_("Operation was canceled."), "error")
 
+            if not wikiutil.checkTicket(self.request, self.request.form.get('ticket', [''])[0]):
+                raise ActionStatus(_('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'SyncPages' })
+
+            name = self.request.form.get('name', [''])[0]
+            password = self.request.form.get('password', [''])[0]
+
             if params["direction"] == UP:
                 raise ActionStatus(_("The only supported directions are BOTH and DOWN."), "error")
 
@@ -187,15 +202,12 @@
 
             local = MoinLocalWiki(self.request, params["localPrefix"], params["pageList"])
             try:
-                remote = MoinRemoteWiki(self.request, params["remoteWiki"], params["remotePrefix"], params["pageList"], params["user"], params["password"], verbose=debug)
+                remote = MoinRemoteWiki(self.request, params["remoteWiki"], params["remotePrefix"], params["pageList"], name, password, verbose=debug)
             except (UnsupportedWikiException, NotAllowedException), (msg, ):
                 raise ActionStatus(msg, "error")
 
             if not remote.valid:
                 raise ActionStatus(_("The ''remoteWiki'' is unknown.", wiki=True), "error")
-            # if only the username is supplied, we ask for the password
-            if params["user"] and not params["password"]:
-                return self.show_password_form()
         except ActionStatus, e:
             self.request.theme.add_msg(*e.args)
         else: