changeset 6081:3253536f55fe
merged
author | Thomas Waldmann <tw AT waldmann-edv DOT de> |
---|---|
date | Tue, 16 Sep 2014 23:37:08 +0200 |
parents | e92d1fd9c183 (current diff) 236f7a9370c4 (diff) |
children | 2e2f7c6f39eb |
files | |
diffstat | 8 files changed, 39 insertions(+), 13 deletions(-) [+] |
--- a/MoinMoin/PageEditor.py Tue Sep 16 14:14:50 2014 +0200 +++ b/MoinMoin/PageEditor.py Tue Sep 16 23:37:08 2014 +0200 @@ -27,6 +27,7 @@ from MoinMoin.mail.sendmail import encodeSpamSafeEmail from MoinMoin.support.python_compatibility import set from MoinMoin.util import filesys, timefuncs, web +from MoinMoin.util.abuse import log_attempt from MoinMoin.events import PageDeletedEvent, PageRenamedEvent, PageCopiedEvent, PageRevertedEvent from MoinMoin.events import PagePreSaveEvent, Abort, send_event import MoinMoin.events.notification as notification @@ -168,8 +169,10 @@ # check edit permissions if not request.user.may.write(self.page_name): + log_attempt('edit/no permissions', False, request, pagename=self.page_name) msg = _('You are not allowed to edit this page.') elif not self.isWritable(): + log_attempt('edit/immutable', False, request, pagename=self.page_name) msg = _('Page is immutable!') elif self.rev: # Trying to edit an old version, this is not possible via @@ -551,6 +554,7 @@ return False, _("You can't copy to an empty pagename.") if not self.request.user.may.write(newpagename): + log_attempt('copy/no permissions', False, request, pagename=self.page_name) return False, _('You are not allowed to copy this page!') newpage = PageEditor(request, newpagename) @@ -603,6 +607,7 @@ if not (request.user.may.delete(self.page_name) and request.user.may.write(newpagename)): + log_attempt('rename/no permissions', False, request, pagename=self.page_name) msg = _('You are not allowed to rename this page!') raise self.AccessDenied(msg) @@ -710,6 +715,7 @@ success = True if not (request.user.may.write(self.page_name) and request.user.may.delete(self.page_name)): + log_attempt('delete/no permissions', False, request, pagename=self.page_name) msg = _('You are not allowed to delete this page!') raise self.AccessDenied(msg) 
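Review bot: In the copy hunk (`@@ -551,6 +554,7 @@`) the refused check is `may.write(newpagename)`, but the record is written with `pagename=self.page_name`, so the log names the source page and never the target the user was denied on. The rename hunk (`@@ -603,6 +607,7 @@`) has the same gap: its condition also tests `may.write(newpagename)` and only `self.page_name` is logged. Someone reading the log cannot tell which page the user tried to create or overwrite; passing `pagename=newpagename` in the copy case, and including both names in the rename case, would make the entries usable for investigation. The enclosing methods start and end outside these hunks.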
@@ -1074,9 +1080,11 @@ msg = "" if not request.user.may.save(self, newtext, rev, **kw): + log_attempt('save/no permissions', False, request, pagename=self.page_name) msg = _('You are not allowed to edit this page!') raise self.AccessDenied(msg) elif not self.isWritable(): + log_attempt('save/immutable', False, request, pagename=self.page_name) msg = _('Page is immutable!') raise self.Immutable(msg) elif not newtext: @@ -1120,6 +1128,7 @@ if (not request.user.may.admin(self.page_name) and parseACL(request, newtext).acl != acl.acl and action != "SAVE/REVERT"): + log_attempt('acl change/no permissions', False, request, pagename=self.page_name) msg = _("You can't change ACLs on this page since you have no admin rights on it!") raise self.NoAdmin(msg)
--- a/MoinMoin/action/edit.py Tue Sep 16 14:14:50 2014 +0200
+++ b/MoinMoin/action/edit.py Tue Sep 16 23:37:08 2014 +0200
@@ -11,6 +11,7 @@
 from MoinMoin import wikiutil
 from MoinMoin.Page import Page
 from MoinMoin.web.utils import check_surge_protect
+from MoinMoin.util.abuse import log_attempt
 def execute(pagename, request):
 """ edit a page """
@@ -22,6 +23,7 @@
 return
 if not request.user.may.write(pagename):
+ log_attempt('edit/no permissions', False, request, pagename=pagename)
 page = wikiutil.getLocalizedPage(request, 'PermissionDeniedPage')
 page.body = _('You are not allowed to edit this page.')
 page.page_name = pagename
--- a/MoinMoin/action/newpage.py Tue Sep 16 14:14:50 2014 +0200
+++ b/MoinMoin/action/newpage.py Tue Sep 16 23:37:08 2014 +0200
@@ -12,6 +12,7 @@
 import time
 from MoinMoin.Page import Page
+from MoinMoin.util.abuse import log_attempt
 class NewPage:
 """ Open editor for a new page, using template """
@@ -65,6 +66,7 @@
 page = Page(self.request, self.pagename)
 if not (page.isWritable() and self.request.user.may.read(self.pagename)):
 # Same error as the edit page for localization reasons
+ log_attempt('newpage/immutable or no permissions', False, self.request, pagename=self.pagename)
 return _('You are not allowed to edit this page.')
 return ''
--- a/MoinMoin/action/revert.py Tue Sep 16 14:14:50 2014 +0200
+++ b/MoinMoin/action/revert.py Tue Sep 16 23:37:08 2014 +0200
@@ -12,6 +12,7 @@
 from MoinMoin.Page import Page
 from MoinMoin.PageEditor import PageEditor
 from MoinMoin.action import ActionBase
+from MoinMoin.util.abuse import log_attempt
 class revert(ActionBase):
 """ revert page action
@@ -32,6 +33,8 @@
 _ = self._
 may = self.request.user.may
 allowed = may.write(self.pagename) and may.revert(self.pagename)
+ if not allowed:
+ log_attempt('revert/immutable or no permissions', False, self.request, pagename=self.pagename)
 return allowed, _('You are not allowed to revert this page!')
 def check_condition(self):
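Review bot: The label `'revert/immutable or no permissions'` mentions immutability, but the condition above it only evaluates `may.write(self.pagename) and may.revert(self.pagename)`; nothing in this hunk tests whether the page is writable. A label such as `'revert/no permissions'` would match what is actually checked and keep searches over the denial records consistent. It is also worth confirming when this method runs: if it is consulted to decide whether the action is offered, and not only when a revert is requested, each such check by an unprivileged user would be recorded as a failed attempt. The method's signature is outside the hunk.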
--- a/MoinMoin/auth/__init__.py Tue Sep 16 14:14:50 2014 +0200
+++ b/MoinMoin/auth/__init__.py Tue Sep 16 23:37:08 2014 +0200
@@ -252,11 +252,11 @@
 u = user.User(request, name=username, password=password, auth_method=self.name)
 if u.valid:
 logging.debug("%s: successfully authenticated user %r (valid)" % (self.name, u.name))
- log_attempt("auth: login (moin)", True, request, username)
+ log_attempt("auth/login (moin)", True, request, username)
 return ContinueLogin(u)
 else:
 logging.debug("%s: could not authenticate user %r (not valid)" % (self.name, username))
- log_attempt("auth: login (moin)", False, request, username)
+ log_attempt("auth/login (moin)", False, request, username)
 return ContinueLogin(user_obj, _("Invalid username or password."))
 def login_hint(self, request):
@@ -379,12 +379,12 @@
 u.create_or_update()
 if u and u.valid:
 logging.debug("returning valid user %r" % u)
- log_attempt("auth: request (given)", True, request, auth_username)
+ log_attempt("auth/request (given)", True, request, auth_username)
 return u, True # True to get other methods called, too
 else:
 logging.debug("returning %r" % user_obj)
 if u and not u.valid:
- log_attempt("auth: request (given)", False, request, auth_username)
+ log_attempt("auth/request (given)", False, request, auth_username)
 return user_obj, True
@@ -474,8 +474,7 @@
 uid = request.session['setuid']
 userobj = user.User(request, uid, auth_method='setuid')
 userobj.valid = True
- log_attempt("auth: login (setuid from %r)" % old_user.name,
- True, request, userobj.name)
+ log_attempt("auth/login (setuid from %r)" % old_user.name, True, request, userobj.name)
 logging.debug("setup_suid returns %r, %r" % (userobj, old_user))
 return (userobj, old_user)
--- a/MoinMoin/events/__init__.py Tue Sep 16 14:14:50 2014 +0200
+++ b/MoinMoin/events/__init__.py Tue Sep 16 23:37:08 2014 +0200
@@ -14,6 +14,7 @@
 from MoinMoin import wikiutil
 from MoinMoin.util import pysupport
+from MoinMoin.util.abuse import log_attempt
 from MoinMoin.wikiutil import PluginAttributeError
 # Create a list of extension actions from the package directory
@@ -186,6 +187,7 @@
 req_superuser = True
 def __init__(self, request, user):
+ log_attempt('account/created', True, request, user.name)
 Event.__init__(self, request)
 self.user = user
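Review bot: The `log_attempt('account/created', True, request, user.name)` call sits in the event's `__init__`, so the audit record is written whenever the event object is constructed rather than at the point where the account is stored. Any code path that builds this event for another reason, or that fails after constructing it, would still leave a success entry in the log. Consider logging next to the code that saves the new user, or at least document the coupling with a comment such as `# audit record is emitted on construction; only create this event after the account exists`. The class header is outside the hunk.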
--- a/MoinMoin/util/abuse.py Tue Sep 16 14:14:50 2014 +0200 +++ b/MoinMoin/util/abuse.py Tue Sep 16 23:37:08 2014 +0200 @@ -14,23 +14,24 @@ logging = log.getLogger(__name__) -def log_attempt(system, success, request=None, username=None): +def log_attempt(system, success, request=None, username=None, pagename=None): """ log attempts to use <system>, log success / failure / username / ip @param system: some string telling about the system that was used, e.g. - "auth: login" or "textcha" + "auth/login" or "textcha" @param success: whether the attempt was successful @param request: request object (optional, to determine remote's ip address) @param username: user's name (optional, if None: determined from request) + @param pagename: name of the page (optional) """ if username is None: - if request and request.user.valid: + if request and hasattr(request, 'user') and request.user.valid: username = request.user.name else: username = u'anonymous' level = (logging.WARNING, logging.INFO)[success] - msg = """%s status: %s username: "%s" ip: %s""" + msg = """: %s: status %s: username "%s": ip %s: page %s""" status = ("failure", "success")[success] ip = request and request.remote_addr or 'unknown' - logging.log(level, msg, system, status, username, ip) + logging.log(level, msg, system, status, username, ip, pagename)
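Review bot: `username` and `pagename` are written into the record with `%s`, and both can come directly from the client (the failed-login calls pass the submitted name, and the page name comes from the request). A value containing a double quote, the text `: ip `, or a line break can make one entry read as several or shift the fields seen by anything that parses this log. Formatting the untrusted fields with `%r` keeps each record on one line with quotes and control characters escaped: `msg = """: %s: status %s: username %r: ip %s: page %r"""`. The same care applies to `system` wherever a caller builds it from request data.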
--- a/MoinMoin/wsgiapp.py Tue Sep 16 14:14:50 2014 +0200
+++ b/MoinMoin/wsgiapp.py Tue Sep 16 23:37:08 2014 +0200
@@ -19,6 +19,7 @@
 from MoinMoin.Page import Page
 from MoinMoin import auth, config, i18n, user, wikiutil, xmlrpc, error
 from MoinMoin.action import get_names, get_available_actions
+from MoinMoin.util.abuse import log_attempt
 def set_umask(new_mask=0777^config.umask):
@@ -172,7 +173,11 @@
 get_available_actions(cfg, context.page, context.user):
 msg = _("You are not allowed to do %(action_name)s on this page.") % {
 'action_name': wikiutil.escape(action_name), }
- if not context.user.valid:
+ if context.user.valid:
+ log_attempt(action_name + '/action unavailable', False,
+ context.request, context.user.name, pagename=pagename)
+ else:
+ log_attempt(action_name + '/action unavailable', False, context.request, pagename=pagename)
 # Suggest non valid user to login
 msg += " " + _("Login and try again.")
@@ -186,7 +191,10 @@
 if handler is None:
 msg = _("You are not allowed to do %(action_name)s on this page.") % {
 'action_name': wikiutil.escape(action_name), }
- if not context.user.valid:
+ if context.user.valid:
+ log_attempt(action_name + '/no handler', False, context.request, context.user.name, pagename=pagename)
+ else:
+ log_attempt(action_name + '/no handler', False, context.request, pagename=pagename)
 # Suggest non valid user to login
 msg += " " + _("Login and try again.")
 context.theme.add_msg(msg, "error")
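Review bot: `action_name` is concatenated unescaped into the `system` argument (`action_name + '/action unavailable'`, and `action_name + '/no handler'` in the `@@ -186,7 +191,10 @@` hunk), although the same value is passed through `wikiutil.escape` for the page message just above, which suggests it is request-supplied. That puts client-chosen text at the start of the log record; a fixed label first with the name in escaped form, e.g. `'action unavailable (%r)' % action_name`, keeps the field stable for log filters. The two branches in each hunk also differ only in the username argument, so `username = context.user.valid and context.user.name or None` followed by one `log_attempt(...)` call ahead of the original `if not context.user.valid:` would remove the duplicated calls. The enclosing function starts outside the hunks.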