Commit 7df9163c authored by iv's avatar iv

Replace the self.authorization check performed in every method with a verification in before_request.

parent 7feb2668
from flask import Flask, request, redirect, url_for, render_template, make_response from flask import Flask, request, redirect, url_for, render_template, make_response, g
from flask.views import MethodView from flask.views import MethodView
from string import atoi from string import atoi
import shutil import shutil
...@@ -32,17 +32,43 @@ def is_authorized(cookies_list): ...@@ -32,17 +32,43 @@ def is_authorized(cookies_list):
FS_HANDLER = utils.FilesystemHandler(FS_PATH, URI_BEGINNING_PATH['webdav']) FS_HANDLER = utils.FilesystemHandler(FS_PATH, URI_BEGINNING_PATH['webdav'])
@app.before_request
def before_request():
"""
allow cross origin for webdav uri that are authorized
and filter unauthorized requests!
"""
if request.path.startswith(URI_BEGINNING_PATH['webdav']):
response = None
headers = {}
headers['Access-Control-Max-Age'] = '3600'
headers['Access-Control-Allow-Credentials'] = 'true'
content = ''
if is_authorized(request.cookies):
headers['Access-Control-Allow-Origin'] = request.headers.get('Origin', '*')
headers['Access-Control-Allow-Headers'] = 'Origin, Accept, Accept-Encoding, Content-Length, Content-Type, Authorization, Depth, If-Modified-Since, If-None-Match'
headers['Access-Control-Expose-Headers'] = 'Content-Type, Last-Modified, WWW-Authenticate'
response = make_response(content, 200)
response.headers = headers
else:
headers['WWW-Authenticate'] = 'Nayookie login_url=' + request.url_root + URI_BEGINNING_PATH['authorization'] + '{?back_url}'
response = make_response(content, 401)
response.headers = headers
# do not handle the request if not authorized
return response
g.response = response
class WebDAV(MethodView): class WebDAV(MethodView):
methods = ['GET', 'HEAD', 'PUT', 'PROPFIND', 'PROPPATCH', 'MKCOL', 'DELETE', 'COPY', 'MOVE'] methods = ['GET', 'HEAD', 'PUT', 'PROPFIND', 'PROPPATCH', 'MKCOL', 'DELETE', 'COPY', 'MOVE']
def __init__(self): def __init__(self):
self.authorization = is_authorized(request.cookies)
self.baseuri = URI_BEGINNING_PATH['webdav'] self.baseuri = URI_BEGINNING_PATH['webdav']
def before_request(self, pathname):
pass
def get_body(self): def get_body(self):
""" get the request's body """
request_data = request.data request_data = request.data
if not request_data and atoi(request.headers['Content-length']): if not request_data and atoi(request.headers['Content-length']):
try: try:
...@@ -53,37 +79,23 @@ class WebDAV(MethodView): ...@@ -53,37 +79,23 @@ class WebDAV(MethodView):
return request_data return request_data
def head(self, pathname): def head(self, pathname):
""" HEAD: returns headers only """ """
origin = request.headers.get('Origin', '*') HEAD:
returns headers only
response = None """
headers = {}
headers['Access-Control-Max-Age'] = '3600'
headers['Access-Control-Allow-Credentials'] = 'true'
content = ''
if self.authorization:
headers['Access-Control-Allow-Origin'] = origin
headers['Access-Control-Allow-Headers'] = 'Origin, Accept, Accept-Encoding, Content-Length, Content-Type, Authorization, Depth, If-Modified-Since, If-None-Match'
headers['Access-Control-Expose-Headers'] = 'Content-Type, Last-Modified, WWW-Authenticate'
response = make_response(content, 200)
else:
headers['WWW-Authenticate'] = 'Nayookie login_url=' + request.url_root + URI_BEGINNING_PATH['authorization'] + '{?back_url}'
response = make_response(content, 401)
response.headers = headers return g.response
return response
def get(self, pathname): def get(self, pathname):
""" GET: return headers + body (resource content or list of resources) """ """
GET:
return headers + body (resource content or list of resources)
"""
response = g.response
localpath = FS_HANDLER.uri2local(pathname) localpath = FS_HANDLER.uri2local(pathname)
response = self.head(pathname)
# TODO if into a collection => list of the ressources # TODO if into a collection => list of the ressources
print('localpath: ' + localpath)
data = '' data = ''
if self.authorization:
if os.path.isdir(localpath): if os.path.isdir(localpath):
data = "\n".join(FS_HANDLER.get_children(pathname)) data = "\n".join(FS_HANDLER.get_children(pathname))
elif os.path.isfile(localpath): elif os.path.isfile(localpath):
...@@ -108,9 +120,9 @@ class WebDAV(MethodView): ...@@ -108,9 +120,9 @@ class WebDAV(MethodView):
on collection: 405 Method Not Allowed, on collection: 405 Method Not Allowed,
on ressource: create if not existschange content on ressource: create if not existschange content
""" """
response = self.head(pathname)
if self.authorization: response = g.response
localpath = FS_HANDLER.uri2local(pathname) localpath = FS_HANDLER.uri2local(pathname)
request_body = self.get_body() request_body = self.get_body()
if request_body is None: if request_body is None:
...@@ -123,15 +135,17 @@ class WebDAV(MethodView): ...@@ -123,15 +135,17 @@ class WebDAV(MethodView):
return response return response
def propfind(self, pathname): def propfind(self, pathname):
response = self.head(pathname)
if self.authorization: response = g.response
# currently unsupported # currently unsupported
response.status = '423' response.status = '423'
return response return response
def proppatch(self, pathname): def proppatch(self, pathname):
response = self.head(pathname)
if self.authorization: response = g.response
# currently unsupported # currently unsupported
response.status = '423' response.status = '423'
return response return response
...@@ -142,8 +156,8 @@ class WebDAV(MethodView): ...@@ -142,8 +156,8 @@ class WebDAV(MethodView):
creates a collection (that corresponds to a directory on the file system) creates a collection (that corresponds to a directory on the file system)
""" """
response = self.head(pathname) response = g.response
if self.authorization:
response.status = str(FS_HANDLER.mkcol(pathname)) response.status = str(FS_HANDLER.mkcol(pathname))
return response return response
...@@ -153,8 +167,8 @@ class WebDAV(MethodView): ...@@ -153,8 +167,8 @@ class WebDAV(MethodView):
delete a resource or collection delete a resource or collection
""" """
response = self.head(pathname) response = g.response
if self.authorization:
localpath = FS_HANDLER.uri2local(pathname) localpath = FS_HANDLER.uri2local(pathname)
if not os.path.exists(localpath): if not os.path.exists(localpath):
response.status = '404' response.status = '404'
...@@ -178,8 +192,8 @@ class WebDAV(MethodView): ...@@ -178,8 +192,8 @@ class WebDAV(MethodView):
copy a resource or collection copy a resource or collection
""" """
response = self.head(pathname) response = g.response
if self.authorization:
localpath = FS_HANDLER.uri2local(pathname) localpath = FS_HANDLER.uri2local(pathname)
destination = request.headers['Destination'] destination = request.headers['Destination']
host = request.headers['Host'] host = request.headers['Host']
...@@ -197,7 +211,6 @@ class WebDAV(MethodView): ...@@ -197,7 +211,6 @@ class WebDAV(MethodView):
response.status = '201' response.status = '201'
if os.path.exists(destination_path): if os.path.exists(destination_path):
delete_response = self.delete(destination) delete_response = self.delete(destination)
print delete_response.status
response.status = '204' response.status = '204'
if os.path.isfile(localpath): if os.path.isfile(localpath):
...@@ -218,8 +231,8 @@ class WebDAV(MethodView): ...@@ -218,8 +231,8 @@ class WebDAV(MethodView):
move a resource or collection move a resource or collection
""" """
response = self.head(pathname) response = g.response
if self.authorization:
copy_response = self.copy(pathname) copy_response = self.copy(pathname)
response.status = copy_response.status response.status = copy_response.status
if copy_response.status == '201' or copy_response.status == '204': if copy_response.status == '201' or copy_response.status == '204':
...@@ -231,15 +244,17 @@ class WebDAV(MethodView): ...@@ -231,15 +244,17 @@ class WebDAV(MethodView):
app.add_url_rule(URI_BEGINNING_PATH['webdav'] + '<path:pathname>', view_func=WebDAV.as_view('dav')) app.add_url_rule(URI_BEGINNING_PATH['webdav'] + '<path:pathname>', view_func=WebDAV.as_view('dav'))
@app.route(URI_BEGINNING_PATH['authorization']) @app.route(URI_BEGINNING_PATH['authorization'], methods=['GET', 'POST'])
def authorize(): def authorize():
if request.method == 'POST':
response = make_response(render_template('authorization_page_cookie_set.html', headers=headers, origin=origin, back_url=back_url))
response.set_cookie('mycookie', value='', max_age=None, expires=None, path='/',
domain=None, secure=None, httponly=False)
else:
origin = request.headers.get('Origin') origin = request.headers.get('Origin')
print origin
headers = request.headers headers = request.headers
back_url = request.args.get('back_url') back_url = request.args.get('back_url')
print origin
response = make_response(render_template('authorization_page.html', headers=headers, origin=origin, back_url=back_url)) response = make_response(render_template('authorization_page.html', headers=headers, origin=origin, back_url=back_url))
response.set_cookie('mycookie', value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
return response return response
@app.route(URI_BEGINNING_PATH['editor']) @app.route(URI_BEGINNING_PATH['editor'])
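Review bot: The new `before_request` (the hunk after the `FS_HANDLER` assignment) reflects any request `Origin` into `Access-Control-Allow-Origin` while also sending `Access-Control-Allow-Credentials: true`, so any site can issue credentialed cross-origin WebDAV requests with a logged-in browser's cookies and read the responses; the old `head()` did the same, but this hunk now applies it to every method. Compare the header against an explicit allowlist instead, e.g. `origin = request.headers.get('Origin')` / `if origin in ALLOWED_ORIGINS:  # ALLOWED_ORIGINS: configured allowlist, placeholder name` / `    headers['Access-Control-Allow-Origin'] = origin`, noting that the `'*'` fallback combined with credentials is rejected by browsers anyway. Storing a single object in `g.response` also means `copy`, `delete` and `move` now mutate the same response, so `response.status = copy_response.status` in `move` is a no-op and the nested `self.delete()` call in `copy` overwrites the caller's status; the bodies of those methods run outside the visible hunks, so this is inferred. Separately, the new POST branch of `authorize()` uses `headers`, `origin` and `back_url` before they are bound (they are only assigned in the `else` branch), which raises `NameError` on every POST.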