From 692d015627ecf03fbc23cfdb4afcf398b9a09a51 Mon Sep 17 00:00:00 2001
From: RaNaN
Date: Thu, 12 Jan 2012 17:26:28 +0100
Subject: scripts for testing and syntax unit test
---
 module/web/api_app.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'module/web/api_app.py')
diff --git a/module/web/api_app.py b/module/web/api_app.py
index 1629c1677..160a984df 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
@@ -11,6 +11,7 @@ from utils import toDict, set_session
 from webinterface import PYLOAD
 from module.common.json_layer import json
+from module.utils import remove_chars
 from module.lib.SafeEval import const_eval as literal_eval
 from module.Api import BaseObject
@@ -33,7 +34,8 @@ def call_api(func, args=""):
 s = request.environ.get('beaker.session')
 if 'session' in request.POST:
- s = s.get_by_id(request.POST['session'])
+ # removes "' so it works on json strings
+ s = s.get_by_id(remove_chars(request.POST['session'], "'\""))
 if not s or not s.get("authenticated", False):
 return HTTPError(403, json.dumps("Forbidden"))
--
cgit v1.2.3
From 358286377832c774b7721efd86d9f4128436ec8c Mon Sep 17 00:00:00 2001
From: RaNaN
Date: Mon, 16 Jan 2012 19:35:43 +0100
Subject: correct utf8 conversion for urls
---
 module/web/api_app.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'module/web/api_app.py')
diff --git a/module/web/api_app.py b/module/web/api_app.py
index 160a984df..affcdb39a 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
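Review bot: `remove_chars(request.POST['session'], "'\"")` scrubs quote characters out of a session identifier before `get_by_id` and passes every other character through unchanged, so a malformed id is normalised instead of refused. The comment says the quotes come from JSON-encoded strings; if so, decoding the value as JSON when it starts with a quote, or validating the id against the session store's id alphabet and answering 403 otherwise, would make the accepted format explicit — the alphabet is not visible here, so confirm it against the session backend. A session id carried in the POST body is also outside whatever flags the session cookie has, which deserves a comment on that line: `# session id may also arrive in the POST body (non-cookie clients); it is looked up as-is`. call_api's body continues outside the hunk.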
@@ -25,16 +25,16 @@ class TBaseEncoder(json.JSONEncoder):
 # accepting positional arguments, as well as kwargs via post and get
-
-@route("/api/:func:args#[a-zA-Z0-9\-_/\"'\[\]%{}]*#")
-@route("/api/:func:args#[a-zA-Z0-9\-_/\"'\[\]%{}]*#", method="POST")
+# only forbidden path symbol are "?", which is used to seperate GET data and #
+@route("/api/")
+@route("/api/", method="POST")
 def call_api(func, args=""):
 response.headers.replace("Content-type", "application/json")
 response.headers.append("Cache-Control", "no-cache, must-revalidate")
 s = request.environ.get('beaker.session')
 if 'session' in request.POST:
- # removes "' so it works on json strings
+ # removes "' so it works on json strings
 s = s.get_by_id(remove_chars(request.POST['session'], "'\""))
 if not s or not s.get("authenticated", False):
@@ -65,7 +65,7 @@ def callApi(func, *args, **kwargs):
 result = getattr(PYLOAD, func)(*[literal_eval(x) for x in args], **dict([(x, literal_eval(y)) for x, y in kwargs.iteritems()]))
- # null is invalid json response
+ # null is invalid json response
 if result is None: result = True
 return json.dumps(result, cls=TBaseEncoder)
--
cgit v1.2.3
From 4df2b77fdf42046fe19bd371be7c7255986b5980 Mon Sep 17 00:00:00 2001
From: RaNaN
Date: Tue, 6 Mar 2012 13:36:39 +0100
Subject: renamed hooks to addons, new filemanager and database, many new api methods you will loose ALL your LINKS, webinterface will NOT work
---
 module/web/api_app.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
(limited to 'module/web/api_app.py')
diff --git a/module/web/api_app.py b/module/web/api_app.py
index affcdb39a..6c93266fc 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
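Review bot: Dropping the route regex `[a-zA-Z0-9\-_/\"'\[\]%{}]*` removes the only character whitelist on `func` and `args`; by the new comment everything except `?` and `#` now reaches the handler, so the `hasattr`/`startswith("_")` check and `const_eval` in callApi become the sole validation of path data. That reliance should be stated next to the route, e.g. `# func/args are untrusted path data: only the hasattr/"_" check and const_eval in callApi validate them`. The placeholders inside the new `@route("/api/")` strings look like they were lost in this rendering of the patch (angle-bracket syntax), so I cannot confirm what the new pattern actually captures. call_api's body continues outside the hunk.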
@@ -24,13 +24,17 @@ class TBaseEncoder(json.JSONEncoder):
 return json.JSONEncoder.default(self, o)
+def add_header(r):
+ r.headers.replace("Content-type", "application/json")
+ r.headers.append("Cache-Control", "no-cache, must-revalidate")
+ r.headers.append("Access-Control-Allow-Origin", "*") # allow xhr requests
+
 # accepting positional arguments, as well as kwargs via post and get
 # only forbidden path symbol are "?", which is used to seperate GET data and #
 @route("/api/")
 @route("/api/", method="POST")
 def call_api(func, args=""):
- response.headers.replace("Content-type", "application/json")
- response.headers.append("Cache-Control", "no-cache, must-revalidate")
+ add_header(response)
 s = request.environ.get('beaker.session')
 if 'session' in request.POST:
@@ -62,6 +66,7 @@ def callApi(func, *args, **kwargs):
 print "Invalid API call", func
 return HTTPError(404, json.dumps("Not Found"))
+ # TODO: encoding
 result = getattr(PYLOAD, func)(*[literal_eval(x) for x in args], **dict([(x, literal_eval(y)) for x, y in kwargs.iteritems()]))
@@ -74,8 +79,7 @@ def callApi(func, *args, **kwargs):
 #post -> username, password
 @route("/api/login", method="POST")
 def login():
- response.headers.replace("Content-type", "application/json")
- response.headers.append("Cache-Control", "no-cache, must-revalidate")
+ add_header(response)
 user = request.forms.get("username")
 password = request.forms.get("password")
@@ -97,8 +101,7 @@ def login():
 @route("/api/logout")
 def logout():
- response.headers.replace("Content-type", "application/json")
- response.headers.append("Cache-Control", "no-cache, must-revalidate")
+ add_header(response)
 s = request.environ.get('beaker.session')
 s.delete()
--
cgit v1.2.3
From b40b32ee05f611323a7827fad2a25fa0a28dcb24 Mon Sep 17 00:00:00 2001
From: X3n0m0rph59
Date: Sun, 22 Apr 2012 19:56:17 +0200
Subject: a huge pile of spelling fixes
---
 module/web/api_app.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'module/web/api_app.py')
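Review bot: `add_header` puts `Access-Control-Allow-Origin: *` on every API response, including `/api/login` and `/api/logout` which the later hunks switch to it, and the comment `# allow xhr requests` does not say what that opens up. Browsers do not attach cookies to a wildcard-origin response, but this API also accepts the session id in the POST body (`request.POST['session']` in call_api) and login returns that id in its JSON body as a later commit's context shows, so any origin that holds a session id can drive the API from a web page. If cross-origin use is intended, restricting the header to configured origins or to a narrower set of routes is the usual fix; at minimum replace the comment with `# wildcard CORS: any origin may read these responses; cookies are not sent cross-origin, but a session id in the POST body is`.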
diff --git a/module/web/api_app.py b/module/web/api_app.py
index 6c93266fc..7a9eb8558 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
@@ -30,7 +30,7 @@ def add_header(r):
 r.headers.append("Access-Control-Allow-Origin", "*") # allow xhr requests
 # accepting positional arguments, as well as kwargs via post and get
-# only forbidden path symbol are "?", which is used to seperate GET data and #
+# only forbidden path symbol are "?", which is used to separate GET data and #
 @route("/api/")
 @route("/api/", method="POST")
 def call_api(func, args=""):
--
cgit v1.2.3
From a8f763fb85756f69899f7b3b71c01bb01461ee3c Mon Sep 17 00:00:00 2001
From: RaNaN
Date: Fri, 10 Aug 2012 22:12:10 +0200
Subject: beginning new pyload web-ui from scratch
---
 module/web/api_app.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'module/web/api_app.py')
diff --git a/module/web/api_app.py b/module/web/api_app.py
index 7a9eb8558..df62db18f 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
@@ -7,11 +7,11 @@ from traceback import format_exc, print_exc
 from bottle import route, request, response, HTTPError
-from utils import toDict, set_session
+from utils import set_session
 from webinterface import PYLOAD
 from module.common.json_layer import json
-from module.utils import remove_chars
+from module.utils import remove_chars, to_dict
 from module.lib.SafeEval import const_eval as literal_eval
 from module.Api import BaseObject
@@ -20,7 +20,7 @@ class TBaseEncoder(json.JSONEncoder):
 def default(self, o):
 if isinstance(o, BaseObject):
- return toDict(o)
+ return to_dict(o)
 return json.JSONEncoder.default(self, o)
--
cgit v1.2.3
From 941e3021000e59020f66419cc2156aee30972121 Mon Sep 17 00:00:00 2001
From: RaNaN
Date: Mon, 13 Aug 2012 17:40:10 +0200
Subject: working login
---
 module/web/api_app.py | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
(limited to 'module/web/api_app.py')
diff --git a/module/web/api_app.py b/module/web/api_app.py
index df62db18f..4be6e5ab8 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
@@ -7,7 +7,7 @@ from traceback import format_exc, print_exc
 from bottle import route, request, response, HTTPError
-from utils import set_session
+from utils import set_session, get_user_api
 from webinterface import PYLOAD
 from module.common.json_layer import json
@@ -41,10 +41,11 @@ def call_api(func, args=""):
 # removes "' so it works on json strings
 s = s.get_by_id(remove_chars(request.POST['session'], "'\""))
- if not s or not s.get("authenticated", False):
+ api = get_user_api(s)
+ if not api:
 return HTTPError(403, json.dumps("Forbidden"))
- if not PYLOAD.isAuthorized(func, {"role": s["role"], "permission": s["perms"]}):
+ if not PYLOAD.isAuthorized(func, api.user):
 return HTTPError(401, json.dumps("Unauthorized"))
 args = args.split("/")[1:]
@@ -81,21 +82,22 @@ def callApi(func, *args, **kwargs):
 def login():
 add_header(response)
- user = request.forms.get("username")
+ username = request.forms.get("username")
 password = request.forms.get("password")
- info = PYLOAD.checkAuth(user, password)
+ user = PYLOAD.checkAuth(username, password)
- if not info:
+ if not user:
 return json.dumps(False)
- s = set_session(request, info)
+ s = set_session(request, user)
 # get the session id by dirty way, documentations seems wrong
 try:
 sid = s._headers["cookie_out"].split("=")[1].split(";")[0]
 return json.dumps(sid)
 except:
+ print "Could not get session"
 return json.dumps(True)
--
cgit v1.2.3
From 208b857c3f9b9233037847b9c5d98ab9e958ce19 Mon Sep 17 00:00:00 2001
From: RaNaN
Date: Fri, 17 Aug 2012 16:11:13 +0200
Subject: renamed default_mobile to mobile
---
 module/web/api_app.py | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'module/web/api_app.py')
diff --git a/module/web/api_app.py b/module/web/api_app.py
index 4be6e5ab8..b2d7fa5b6 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
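Review bot: `api = get_user_api(s)` replaces the explicit `s.get("authenticated", False)` test, so call_api no longer checks the session's authenticated flag itself; whether `get_user_api` (imported from `utils` in the first hunk) returns nothing for an unauthenticated or expired session is not visible in this patch and should be confirmed before relying on it. A short comment would pin the intent in place: `# get_user_api must return None for anonymous or expired sessions; it is the only login gate here`. call_api starts and ends outside the hunk.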
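Review bot: The bare `except:` around the `sid = s._headers["cookie_out"]...` lookup still catches everything, including `KeyboardInterrupt` and `SystemExit`, and the added `print "Could not get session"` only reports the failure on stdout while the client receives `True` instead of a session id. Narrow it to the failures the lookup can actually raise, `except (KeyError, IndexError, AttributeError):`, and log the exception rather than printing a fixed message so the cause is recorded. The try block depends on a private `_headers` attribute of the session object, which the comment above it already flags as a workaround.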
@@ -61,6 +61,7 @@ def call_api(func, args=""):
 print_exc()
 return HTTPError(500, json.dumps({"error": e.message, "traceback": format_exc()}))
+# Better error codes on invalid input
 def callApi(func, *args, **kwargs):
 if not hasattr(PYLOAD.EXTERNAL, func) or func.startswith("_"):
@@ -102,6 +103,7 @@ def login():
 @route("/api/logout")
+@route("/api/logout", method="POST")
 def logout():
 add_header(response)
--
cgit v1.2.3
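Review bot: `/api/logout` is now reachable by both GET and POST, and the GET route on the line above the added one remains; logout changes server state (`s.delete()` in an earlier commit's context), so keeping it on GET means a plain link or image tag from another site can end a user's session. If the GET form is kept for existing clients, say so next to it, e.g. `# GET kept for old UI links; new clients should POST`, and consider dropping it once they have moved. logout's body continues outside the hunk.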