Attachment 'security_string7.patch'

   1 * looking for arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347 to compare with
   2 * comparing to arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-347
   3 M  MoinMoin/auth.py
   4 M  MoinMoin/request.py
   5 M  MoinMoin/user.py
   6 M  MoinMoin/userform.py
   7 
   8 * modified files
   9 
  10 --- orig/MoinMoin/auth.py
  11 +++ mod/MoinMoin/auth.py
  12 @@ -45,6 +45,7 @@
  13  
  14  import Cookie
  15  from MoinMoin import user
  16 +from MoinMoin.util import securitystring
  17  
  18  def moin_cookie(request, **kw):
  19      """ authenticate via the MOIN_ID cookie """
  20 @@ -58,13 +59,6 @@
  21              request.setCookie()
  22              return u, False
  23          return None, True
  24 -
  25 -    if kw.get('logout'):
  26 -        # clear the cookie in the browser and locally. Does not
  27 -        # check if we have a valid user logged, just make sure we
  28 -        # don't have one after this call.
  29 -        request.deleteCookie()
  30 -        return None, True
  31      
  32      try:
  33          cookie = Cookie.SimpleCookie(request.saved_cookie)
  34 @@ -72,13 +66,48 @@
  35          # ignore invalid cookies, else user can't relogin
  36          cookie = None
  37      if cookie and cookie.has_key('MOIN_ID'):
  38 -        u = user.User(request, id=cookie['MOIN_ID'].value,
  39 +        # Use security_string to handle the Cookie.
  40 +	# So. need to use 
  41 +	#     MoinMoin.util.securitystring.cal_security_userid modify
  42 +	#     to do cookie auth.
  43 +	# Need Pass the user_obj to cal_security_userid. 
  44 +	# Because the MoinMoin.util.securitystring.cal_security_userid
  45 +	#     need to do MoinMoin.user.getUserList, 
  46 +	#     and MoinMoin.user.User.load_from_id
  47 +	user_obj = user
  48 +        u = user.User(request, 
  49 +		# if can auth, then 
  50 +		#  MoinMoin.util.securitystring.cal_security_userid
  51 +		#  return the uid.
  52 +		# if cannot match any uid then return None.
  53 +	        id=securitystring.SecurityString(request).cal_security_userid(cookie['MOIN_ID'].value, user_obj),
  54                        auth_method='moin_cookie', auth_attribs=())
  55          if u.valid:
  56 -            return u, False
  57 +            if kw.get('logout'):
  58 +	        # Frankie: Why Does not check it?
  59 +		# Please see: http://moinmoin.wikiwikiweb.de/MoinMoinBugs/LogoutHandle
  60 +		#
  61 +                # clear the cookie in the browser and locally. Does not
  62 +                # check if we have a valid user logged, just make sure we
  63 +                # don't have one after this call.
  64 +                request.deleteCookie()
  65 +                # Frankie: When the user do global logout then change the
  66 +                # security_string. ( in here. All logout is global logout. )
  67 +                u.security_string = securitystring.gen(30)
  68 +                u.save()
  69 +                return None, True
  70 +	    else:
  71 +                return u, False
  72 +
  73 +        # If the brower don't have MOIN_ID cookie, just delete the cookie.
  74 +        if kw.get('logout'):
  75 +            request.deleteCookie()
  76 +            return None, True
  77 +	    
  78      return None, True
  79  
  80  
  81 +
  82  #
  83  #   idea: maybe we should call back to the request object like:
  84  #         username, password, authenticated, authtype = request.getUserPassAuth()
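Review bot: The comment at gutter line 73, `# If the brower don't have MOIN_ID cookie, just delete the cookie.`, describes the wrong case: that block is indented inside `if cookie and cookie.has_key('MOIN_ID'):`, so it runs when a MOIN_ID cookie is present but `u.valid` is false (the key in it matched no user), while a logout with no parseable cookie at all no longer reaches `request.deleteCookie()` at all. Suggest `# MOIN_ID present but not accepted by cal_security_userid: on logout still clear it.` and, if a logout should always clear the browser cookie, moving that `if kw.get('logout')` block one level out, just before the final `return None, True`. When `cal_security_userid` returns None the code still constructs `user.User(request, id=None, ...)`; unless `User.__init__` (outside this patch) treats a None id as "no user", guarding on the returned id before building the user object would be safer. The added lines also mix tab and space indentation inside one block (e.g. `user_obj = user` and the `id=...` argument line), which only works with 8-column tabs and is rejected by `python -tt`; reindenting with spaces fixes that, and the `user_obj = user` alias can simply be `user`. `moin_cookie` begins before this hunk.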
  85 
  86 
  87 --- orig/MoinMoin/request.py
  88 +++ mod/MoinMoin/request.py
  89 @@ -9,7 +9,7 @@
  90  
  91  import os, time, sys, cgi, StringIO
  92  from MoinMoin import config, wikiutil, user
  93 -from MoinMoin.util import MoinMoinNoFooter, IsWin9x
  94 +from MoinMoin.util import MoinMoinNoFooter, IsWin9x, securitystring
  95  
  96  # Timing ---------------------------------------------------------------
  97  
  98 @@ -1216,7 +1216,16 @@
  99          # Set the cookie
 100          from Cookie import SimpleCookie
 101          c = SimpleCookie()
 102 -        c['MOIN_ID'] = self.user.id
 103 +	# Modify the Cookie String Syntax.
 104 +	# Keep the self.user.id in Cookie.
 105 +	#   1. easy for auth.
 106 +	#   2. and don't need to care the 
 107 +	#       securitystring.make_security_key(security_string, self.user.id)
 108 +	#      is unique.
 109 +	c['MOIN_ID'] = '%s%s%s' %(
 110 +	   securitystring.make_security_key(self.user.security_string, self.user.id),
 111 +	   securitystring.luck(),
 112 +	   self.user.id )
 113          c['MOIN_ID']['max-age'] = maxage
 114          if self.cfg.cookie_domain:
 115              c['MOIN_ID']['domain'] = self.cfg.cookie_domain
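Review bot: `self.user.security_string` at gutter line 110 is read unconditionally, but within this patch the attribute is only added to a pre-existing profile on the password-check path in user.py, so a user loaded by another route (cookie, explicit id) from a profile without that key may raise AttributeError here unless `User.__init__`, outside the patch, initialises it. It would be safer to ensure the attribute is always present after a profile is loaded (generate and persist one when the key is missing) rather than only in the password branch. The cookie value at lines 109-112 concatenates key, `luck()` and id with no delimiter, so the reader cannot tell how the auth side splits it again; a comment such as `# layout: <security key><luck><user id>, no separator; securitystring must know the fixed key/luck lengths` would make that dependency explicit (securitystring itself is not shown). Lines 103-112 are tab-indented inside a space-indented method, which fails under `python -tt`; the enclosing method begins before this hunk.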
 116 
 117 
 118 --- orig/MoinMoin/user.py
 119 +++ mod/MoinMoin/user.py
 120 @@ -17,7 +17,7 @@
 121  PICKLE_PROTOCOL = pickle.HIGHEST_PROTOCOL
 122  
 123  from MoinMoin import config, caching, wikiutil
 124 -from MoinMoin.util import datetime, filesys
 125 +from MoinMoin.util import datetime, filesys, securitystring
 126  
 127  
 128  def getUserList(request):
 129 @@ -450,6 +450,12 @@
 130          # First try with default encoded password. Match only non empty
 131          # passwords. (require non empty enc_password)
 132          if self.enc_password and self.enc_password == data['enc_password']:
 133 +	    # If the user profile: It is create in moin-1.3 or old.
 134 +	    # then user profile have not security_string.
 135 +	    # MoinMoin will random create it.
 136 +	    if not data.has_key('security_string'):
 137 +	        data['security_string'] = securitystring.gen(30)
 138 +		return True, True
 139              return True, False
 140  
 141          # Try to match using one of pre 1.3 8 bit charsets
 142 @@ -483,6 +489,11 @@
 143                  # User password match - replace the user password in the
 144                  # file with self.password
 145                  data['enc_password'] = self.enc_password
 146 +	        # If the user profile: It is create in pro moin-1.3 or old.
 147 +	        # then user profile have not security_string.
 148 +	        # MoinMoin will random create it.
 149 +		if not data.has_key('security_string'):
 150 +		    data['security_string'] = securitystring.gen(30)
 151                  return True, True
 152  
 153          # No encoded password match, this must be wrong password
 154 @@ -527,6 +538,11 @@
 155  
 156          if not self.disabled:
 157              self.valid = 1
 158 +	
 159 +	# In Now Update the uid2security_hmac_string cache.
 160 +	ss = securitystring.SecurityString(self._request)
 161 +	ss.update_uid2security_hmac_string_cache(
 162 +	              self.security_string, self.id)
 163  
 164      # -----------------------------------------------------------------
 165      # Time and date formatting
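Review bot: The cache update at gutter lines 159-162 runs unconditionally at the end of the method, including when the profile was disabled, not found, or predates this patch and so has no `security_string` (the two earlier hunks at 133-138 and 146-150 only add it on the password-check path), which would make the method raise instead of returning an invalid user. Suggest guarding it: `if self.valid and hasattr(self, 'security_string'):` / `    ss = securitystring.SecurityString(self._request)` / `    ss.update_uid2security_hmac_string_cache(self.security_string, self.id)`. In the first hunk the new `return True, True` at line 138 relies on the caller persisting `data` when the second element is true, mirroring the existing `enc_password` rewrite below; a short comment there, `# second value True: caller must write data back so the new security_string is saved`, would make that contract visible. Line 158 is a tab-only whitespace line and the new lines use tabs in a space-indented file; the enclosing method begins before this hunk.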
 166 
 167 
 168 --- orig/MoinMoin/userform.py
 169 +++ mod/MoinMoin/userform.py
 170 @@ -8,7 +8,7 @@
 171  
 172  import string, time, re
 173  from MoinMoin import user, util, wikiutil
 174 -from MoinMoin.util import web, mail, datetime
 175 +from MoinMoin.util import web, mail, datetime, securitystring
 176  from MoinMoin.widget import html
 177  
 178  _debug = 0
 179 @@ -78,6 +78,10 @@
 180                  theuser = user.User(self.request, uid)
 181                  if theuser.valid and theuser.email.lower() == email:
 182                      msg = theuser.mailAccountData()
 183 +		    # Change the security_string
 184 +		    #    When the user request the account_sendmail.
 185 +		    theuser.security_string = securitystring.gen(30)
 186 +		    theuser.save()
 187                      return wikiutil.escape(msg)
 188  
 189              return _("Found no account matching the given email address '%(email)s'!") % {'email': wikiutil.escape(email)}
 190 @@ -148,6 +152,8 @@
 191                      if thisuser.email == theuser.email and not thisuser.disabled:
 192                          return _("This email already belongs to somebody else.")
 193  
 194 +            # Before create the user's profile, create the user's security_string.
 195 +	    theuser.security_string = securitystring.gen(30)
 196              # save data
 197              theuser.save()
 198              if form.has_key('create_and_mail'):
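Review bot: Gutter lines 185-186 regenerate the security string and save the profile as soon as account_sendmail is requested, before the user has acted on the mail, so every live session of that account is invalidated by a request that needs only the e-mail address. If that is intended, the comment should say so, e.g. `# Rotating the security string here logs this account out of every browser; any sendmail request for this address triggers it.`; if not, rotating only when the mailed data is actually used would be the narrower behaviour. Lines 183-186 and 195 are tab-indented inside space-indented methods, which `python -tt` rejects; both enclosing methods begin before their hunks.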

Attached Files

  • [get | view] (2005-12-29 12:11:24, 10.1 KB) [[attachment:security_string.patch]]
  • [get | view] (2006-01-07 08:59:28, 10.0 KB) [[attachment:security_string11.patch]]
  • [get | view] (2006-01-07 11:50:10, 11.4 KB) [[attachment:security_string13.patch]]
  • [get | view] (2006-01-08 01:35:46, 11.6 KB) [[attachment:security_string15.patch]]
  • [get | view] (2006-01-09 00:05:23, 11.6 KB) [[attachment:security_string16.patch]]
  • [get | view] (2006-01-21 11:44:21, 11.9 KB) [[attachment:security_string17.patch]]
  • [get | view] (2005-12-30 06:26:38, 8.9 KB) [[attachment:security_string6.patch]]
  • [get | view] (2005-12-30 09:14:39, 7.0 KB) [[attachment:security_string7.patch]]
  • [get | view] (2006-01-05 11:04:41, 10.6 KB) [[attachment:security_string8.patch]]
  • [get | view] (2006-01-04 15:03:44, 4.1 KB) [[attachment:securitystring.old.py]]
  • [get | view] (2006-01-04 15:04:58, 4.1 KB) [[attachment:securitystring.py]]