Attachment 'security_string8.patch'


   1 * looking for arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347 to compare with
   2 * comparing to arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347
   3 M  MoinMoin/auth.py
   4 M  MoinMoin/multiconfig.py
   5 M  MoinMoin/request.py
   6 M  MoinMoin/user.py
   7 M  MoinMoin/userform.py
   8 
   9 * modified files
  10 
  11 --- orig/MoinMoin/auth.py
  12 +++ mod/MoinMoin/auth.py
  13 @@ -45,6 +45,7 @@
  14  
  15  import Cookie
  16  from MoinMoin import user
  17 +from MoinMoin.util import securitystring
  18  
  19  def moin_cookie(request, **kw):
  20      """ authenticate via the MOIN_ID cookie """
  21 @@ -58,13 +59,6 @@
  22              request.setCookie()
  23              return u, False
  24          return None, True
  25 -
  26 -    if kw.get('logout'):
  27 -        # clear the cookie in the browser and locally. Does not
  28 -        # check if we have a valid user logged, just make sure we
  29 -        # don't have one after this call.
  30 -        request.deleteCookie()
  31 -        return None, True
  32      
  33      try:
  34          cookie = Cookie.SimpleCookie(request.saved_cookie)
  35 @@ -72,13 +66,72 @@
  36          # ignore invalid cookies, else user can't relogin
  37          cookie = None
  38      if cookie and cookie.has_key('MOIN_ID'):
  39 -        u = user.User(request, id=cookie['MOIN_ID'].value,
  40 +        # Use security_string to handle the Cookie.
  41 +	# So. need to use 
  42 +	#     MoinMoin.util.securitystring.cal_security_userid modify
  43 +	#     to do cookie auth.
  44 +	# Need Pass the user_obj to cal_security_userid. 
  45 +	# Because the MoinMoin.util.securitystring.cal_security_userid
  46 +	#     need to do MoinMoin.user.getUserList, 
  47 +	#     and MoinMoin.user.User.load_from_id
  48 +
  49 +	# FrankieChow: I think in MoinMoin/util/securitystring. 
  50 +	#     If pass the user simple the pass the user.User
  51 +	user_obj = user
  52 +        u = user.User(request, 
  53 +		# if can auth, then 
  54 +		#  MoinMoin.util.securitystring.cal_security_userid
  55 +		#  return the uid.
  56 +		# if cannot match any uid then return None.
  57 +	        id=securitystring.SecurityString(request).cal_security_userid(cookie['MOIN_ID'].value, user_obj),
  58                        auth_method='moin_cookie', auth_attribs=())
  59          if u.valid:
  60 -            return u, False
  61 +            if kw.get('logout'):
  62 +	        # Frankie: Why Does not check it?
  63 +		# Please see: http://moinmoin.wikiwikiweb.de/MoinMoinBugs/LogoutHandle
  64 +		#
  65 +                # clear the cookie in the browser and locally. Does not
  66 +                # check if we have a valid user logged, just make sure we
  67 +                # don't have one after this call.
  68 +                request.deleteCookie()
  69 +                # FrankieChow: When the user do global logout then change the
  70 +                # security_string. ( in here. All logout is global logout. )
  71 +                u.security_string = securitystring.gen(30)
  72 +                u.save()
  73 +                return None, True
  74 +	    else:
  75 +                return u, False
  76 +
  77 +        # If the brower don't have MOIN_ID cookie, just delete the cookie.
  78 +        if kw.get('logout'):
  79 +            request.deleteCookie()
  80 +	    # Frankie: I don't know ? why ( None, True ) not ( None, False ) ?
  81 +            return None, True
  82 +	    
  83      return None, True
  84  
  85  
  86 +def moin_url(request, **kw):
  87 +    # The url syntax is like this: action=userform&uid=
  88 +    action = request.form.get('action',[None])[0]
  89 +    uid = request.form.get('uid',[None])[0]
  90 +    user_obj = user
  91 +    if action == 'userform' :
  92 +        u = user.User(request, 
  93 +		# if can auth, then 
  94 +		#  MoinMoin.util.securitystring.cal_security_userid
  95 +		#  return the uid.
  96 +		# if cannot match any uid then return None.
  97 +	        id=securitystring.SecurityString(request).cal_security_userid(uid, user_obj),
  98 +                      auth_method='moin_cookie', auth_attribs=())
  99 +        if u.valid:
 100 +            u.security_string = securitystring.gen(30)
 101 +            u.save()
 102 +	    request.user = u
 103 +            request.setCookie()
 104 +            return u, False
 105 +    return None, True
 106 +
 107  #
 108  #   idea: maybe we should call back to the request object like:
 109  #         username, password, authenticated, authtype = request.getUserPassAuth()
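Review bot: `moin_url` takes the login key from the `uid` query parameter of a GET request (L93, L101), so the key ends up in access logs, Referer headers and browser history; rotating `security_string` after a successful match (L104-L105) limits each key to one use, but a non-matching key is simply ignored with no throttling visible here, so brute-force resistance rests entirely on the length of `gen(30)`. The session created on L96-L102 is also tagged `auth_method='moin_cookie'`; use `auth_method='moin_url'` so later code can tell a URL login from a cookie login. The comments at L49-L51 say `cal_security_userid` walks `getUserList` for every cookie-bearing request — since the cookie now carries the uid, a direct `load_from_id` plus a comparison of the recomputed key would avoid scanning all profiles, though I cannot see securitystring.py to confirm what it does.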
 110 
 111 
 112 --- orig/MoinMoin/multiconfig.py
 113 +++ mod/MoinMoin/multiconfig.py
 114 @@ -172,7 +172,7 @@
 115      actions_excluded = [] # ['DeletePage', 'AttachFile', 'RenamePage']
 116      allow_xslt = 0
 117      attachments = None # {'dir': path, 'url': url-prefix}
 118 -    auth = [authmodule.moin_cookie]
 119 +    auth = [authmodule.moin_cookie, authmodule.moin_url]
 120      
 121      backup_compression = 'gz'
 122      backup_users = []
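Review bot: With `moin_url` listed after `moin_cookie`, a request that already carries a valid MOIN_ID cookie returns `(u, False)` from the cookie handler and — assuming the second element stops the chain, as the handlers' return values suggest — the e-mailed `action=userform&uid=` link will neither switch nor re-authenticate a browser that is already logged in as a different account. If that is intended, say so on the line, e.g. `# moin_url only runs when no valid MOIN_ID cookie is present`; otherwise `moin_url` has to come first. Also worth noting that `moin_url` is now consulted on every request to the wiki, not only on the userform page.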
 123 
 124 
 125 --- orig/MoinMoin/request.py
 126 +++ mod/MoinMoin/request.py
 127 @@ -9,7 +9,7 @@
 128  
 129  import os, time, sys, cgi, StringIO
 130  from MoinMoin import config, wikiutil, user
 131 -from MoinMoin.util import MoinMoinNoFooter, IsWin9x
 132 +from MoinMoin.util import MoinMoinNoFooter, IsWin9x, securitystring
 133  
 134  # Timing ---------------------------------------------------------------
 135  
 136 @@ -1216,7 +1216,16 @@
 137          # Set the cookie
 138          from Cookie import SimpleCookie
 139          c = SimpleCookie()
 140 -        c['MOIN_ID'] = self.user.id
 141 +	# Modify the Cookie String Syntax.
 142 +	# Keep the self.user.id in Cookie.
 143 +	#   1. easy for auth.
 144 +	#   2. and don't need to care the 
 145 +	#       securitystring.make_security_key(security_string, self.user.id)
 146 +	#      is unique.
 147 +	c['MOIN_ID'] = '%s%s%s' %(
 148 +	   securitystring.make_security_key(self.user.security_string, self.user.id),
 149 +	   securitystring.luck(),
 150 +	   self.user.id )
 151          c['MOIN_ID']['max-age'] = maxage
 152          if self.cfg.cookie_domain:
 153              c['MOIN_ID']['domain'] = self.cfg.cookie_domain
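Review bot: The three parts of the new MOIN_ID value are concatenated on L151-L154 with no delimiter, so splitting it back apart in `cal_security_userid` only works if `make_security_key` and `luck` return fixed-length strings — I cannot see securitystring.py to confirm that. A separator that cannot occur in the key, e.g. `'%s.%s.%s'` for a hex digest, would make the format self-describing and survive a future change of key length. The comment at L145-L150 explains why the uid is appended; it should also state that the uid is untrusted input and that the key must still be checked against that user's stored `security_string`, otherwise a reader may take the suffix as authenticated.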
 154 
 155 
 156 --- orig/MoinMoin/user.py
 157 +++ mod/MoinMoin/user.py
 158 @@ -17,7 +17,7 @@
 159  PICKLE_PROTOCOL = pickle.HIGHEST_PROTOCOL
 160  
 161  from MoinMoin import config, caching, wikiutil
 162 -from MoinMoin.util import datetime, filesys
 163 +from MoinMoin.util import datetime, filesys, securitystring
 164  
 165  
 166  def getUserList(request):
 167 @@ -232,9 +232,10 @@
 168  
 169          self.enc_password = ""
 170          if password:
 171 -            if password.startswith('{SHA}'):
 172 -                self.enc_password = password
 173 -            else:
 174 +             # disable the {SHA} auth.
 175 +#            if password.startswith('{SHA}'):
 176 +#                self.enc_password = password
 177 +#            else:
 178                  try:
 179                      self.enc_password = encodePassword(password)
 180                  except UnicodeError:
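Review bot: The `{SHA}` branch on L179-L181 is left as commented-out code; delete those three lines and keep only the one-line comment, since the `try:` under `if password:` is now the sole path. Dropping the check also changes meaning: a value that starts with `{SHA}` is now hashed as a literal password instead of being stored as a pre-hashed value, which is the intent here but deserves to be said, e.g. `# Pre-hashed {SHA} values are no longer accepted; every password is encoded here.` The enclosing method starts and ends outside the hunk.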
 181 @@ -450,6 +451,12 @@
 182          # First try with default encoded password. Match only non empty
 183          # passwords. (require non empty enc_password)
 184          if self.enc_password and self.enc_password == data['enc_password']:
 185 +	    # If the user profile: It is create in moin-1.3 or old.
 186 +	    # then user profile have not security_string.
 187 +	    # MoinMoin will random create it.
 188 +	    if not data.has_key('security_string'):
 189 +	        data['security_string'] = securitystring.gen(30)
 190 +		return True, True
 191              return True, False
 192  
 193          # Try to match using one of pre 1.3 8 bit charsets
 194 @@ -483,6 +490,11 @@
 195                  # User password match - replace the user password in the
 196                  # file with self.password
 197                  data['enc_password'] = self.enc_password
 198 +	        # If the user profile: It is create in pro moin-1.3 or old.
 199 +	        # then user profile have not security_string.
 200 +	        # MoinMoin will random create it.
 201 +		if not data.has_key('security_string'):
 202 +		    data['security_string'] = securitystring.gen(30)
 203                  return True, True
 204  
 205          # No encoded password match, this must be wrong password
 206 @@ -527,6 +539,11 @@
 207  
 208          if not self.disabled:
 209              self.valid = 1
 210 +	
 211 +	# In Now Update the uid2security_hmac_string cache.
 212 +	ss = securitystring.SecurityString(self._request)
 213 +	ss.update_uid2security_hmac_string_cache(
 214 +	              self.security_string, self.id)
 215  
 216      # -----------------------------------------------------------------
 217      # Time and date formatting
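Review bot: The cache update on L216-L218 runs for every loaded user and reads `self.security_string`, but the only places in this patch that create the attribute for old profiles are the password-check paths (L192-L194, L205-L206), so a pre-1.3 profile loaded by id without a password check may raise `AttributeError` here unless the constructor, outside the hunk, sets a default — please confirm. It also runs for disabled accounts; placing it under the existing `if not self.disabled:` would keep disabled users out of the uid map. The enclosing method begins before the hunk.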
 218 @@ -935,14 +952,16 @@
 219          from MoinMoin.util import mail
 220          _ = self._request.getText
 221  
 222 +        # If MoinMoin use security_string logic to do url_auth. 
 223 +	#     When use SSHA to disable the Login Password.
 224          text = '\n' + _("""\
 225  Login Name: %s
 226  
 227 -Login Password: %s
 228 -
 229  Login URL: %s/?action=userform&uid=%s
 230  """, formatted=False) % (
 231 -                        self.name, self.enc_password, self._request.getBaseURL(), self.id)
 232 +                        self.name, self._request.getBaseURL(), 
 233 +			securitystring.make_security_key(self.security_string, self.id)
 234 +			)
 235  
 236          text = _("""\
 237  Somebody has requested to submit your account data to this email address.
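Review bot: The key on L237 is interpolated straight into the `uid=` query parameter; unless `make_security_key` returns only URL-safe characters (a hex digest would), it needs `urllib.quote(key, safe='')` or the link breaks on `+`, `/` and `=`. Since the mailed link is a bearer credential for the account, the message text should say it is single-use and must not be forwarded. Callers should also know that the key derives from the current `security_string`, so rotating the string after this method returns invalidates the link just sent — a docstring line such as `Rotate security_string before calling this, never after.` would prevent that mistake.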
 238 
 239 
 240 --- orig/MoinMoin/userform.py
 241 +++ mod/MoinMoin/userform.py
 242 @@ -8,7 +8,7 @@
 243  
 244  import string, time, re
 245  from MoinMoin import user, util, wikiutil
 246 -from MoinMoin.util import web, mail, datetime
 247 +from MoinMoin.util import web, mail, datetime, securitystring
 248  from MoinMoin.widget import html
 249  
 250  _debug = 0
 251 @@ -78,6 +78,10 @@
 252                  theuser = user.User(self.request, uid)
 253                  if theuser.valid and theuser.email.lower() == email:
 254                      msg = theuser.mailAccountData()
 255 +		    # Change the security_string
 256 +		    #    When the user request the account_sendmail.
 257 +		    theuser.security_string = securitystring.gen(30)
 258 +		    theuser.save()
 259                      return wikiutil.escape(msg)
 260  
 261              return _("Found no account matching the given email address '%(email)s'!") % {'email': wikiutil.escape(email)}
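Review bot: `theuser.mailAccountData()` on L258 builds the login URL from the current `security_string`, and L261-L262 then replace and save a new one, so the key that was just e-mailed cannot match when `moin_url` checks it — unless `cal_security_userid` also accepts the previous string, which I cannot see. Rotate first, then mail: move `theuser.security_string = securitystring.gen(30)` and `theuser.save()` above the `mailAccountData()` call. Rotating before mailing also provides the invalidation of older links that the comment on L256-L257 describes.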
 262 @@ -124,7 +128,9 @@
 263              if not password and newuser:
 264                  return _("Please specify a password!")
 265              # Encode password
 266 -            if password and not password.startswith('{SHA}'):
 267 +	    if password.startswith('{SHA}'):
 268 +	        return _("Not Don't Support {SHA} password for create profile.")
 269 +            if password:
 270                  try:
 271                      theuser.enc_password = user.encodePassword(password)
 272                  except UnicodeError, err:
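Review bot: L271 calls `password.startswith('{SHA}')` unconditionally, whereas the removed line guarded it with `password and`; if `password` can be `None` here (the `if not password and newuser` test above shows an empty value is expected) an ordinary profile save with no password change raises `AttributeError`. Keep the guard: `if password and password.startswith('{SHA}'):`. The user-facing string on L272 is also garbled; `_("Pre-hashed {SHA} passwords are not supported.")` reads correctly and gives translators a single clear message.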
 273 @@ -148,6 +154,8 @@
 274                      if thisuser.email == theuser.email and not thisuser.disabled:
 275                          return _("This email already belongs to somebody else.")
 276  
 277 +            # Before create the user's profile, create the user's security_string.
 278 +	    theuser.security_string = securitystring.gen(30)
 279              # save data
 280              theuser.save()
 281              if form.has_key('create_and_mail'):
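Review bot: L282 assigns a fresh `security_string` on every pass through this save path, but the comment on L281 says it is meant for profile creation; if this branch also runs when an existing user edits preferences, each save rotates the string and, because the cookie key derives from it, logs the user out of every other browser (and of this one too, unless the cookie is re-set after `save()`, which I cannot see here). Guard it with the `newuser` flag already used in this function: `if newuser: theuser.security_string = securitystring.gen(30)`. The enclosing function starts before the hunk.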
 282 @@ -194,8 +202,11 @@
 283                      return _("Passwords don't match!")
 284                  if not password and newuser:
 285                      return _("Please specify a password!")
 286 +                # Don't support SHA auth.
 287 +	        if password.startswith('{SHA}'):
 288 +	            return _("Not Don't Support the {SHA} password")
 289                  # Encode password
 290 -                if password and not password.startswith('{SHA}'):
 291 +                if password:
 292                      try:
 293                          theuser.enc_password = user.encodePassword(password)
 294                      except UnicodeError, err:
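Review bot: L291 dereferences `password` before the `if password:` on L295 reaches it, so a `None` password would raise `AttributeError` on this path where the old code (L294) tolerated it; write `if password and password.startswith('{SHA}'):`. The message on L292 is garbled and differs from the one used for the same check elsewhere in this file; one shared string such as `_("Pre-hashed {SHA} passwords are not supported.")` keeps the translation catalogue to a single entry. The function continues past the end of the hunk.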
