added forbidden_view_config on login.jinja2

2022-12-09 10:53:57 +01:00
parent 85c60cc561
commit fe69670f19
8 changed files with 105 additions and 13 deletions
--- a/cao_blogr.sqlite
+++ b/cao_blogr.sqlite
--- a/cao_blogr/alembic/env.py
+++ b/cao_blogr/alembic/env.py
@@ -3,7 +3,7 @@ from alembic import context
 from pyramid.paster import get_appsettings, setup_logging
 from sqlalchemy import engine_from_config
-from pyramid_blogr.models.meta import Base
+from cao_blogr.models.meta import Base
 config = context.config
--- a/cao_blogr/alembic/versions/20221208_7cfe6f79c819.py
+++ b/cao_blogr/alembic/versions/20221208_7cfe6f79c819.py
@@ -0,0 +1,28 @@
 """init
 Revision ID: 7cfe6f79c819
 Revises: b6095fa68edc
 Create Date: 2022-12-08 16:30:41.529957
 """
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = '7cfe6f79c819'
 down_revision = 'b6095fa68edc'
 branch_labels = None
 depends_on = None
 def upgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.add_column('users', sa.Column('groups', sa.Unicode(), nullable=True))
    op.drop_column('users', 'group')
    # ### end Alembic commands ###
 def downgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.add_column('users', sa.Column('group', sa.VARCHAR(), nullable=True))
    op.drop_column('users', 'groups')
    # ### end Alembic commands ###
--- a/cao_blogr/alembic/versions/20221208_86d2844ace15.py
+++ b/cao_blogr/alembic/versions/20221208_86d2844ace15.py
@@ -0,0 +1,26 @@
 """init
 Revision ID: 86d2844ace15
 Revises: bbacde35234d
 Create Date: 2022-12-08 15:53:57.291157
 """
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = '86d2844ace15'
 down_revision = 'bbacde35234d'
 branch_labels = None
 depends_on = None
 def upgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.add_column('users', sa.Column('group', sa.Unicode(), nullable=True))
    # ### end Alembic commands ###
 def downgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.drop_column('users', 'group')
    # ### end Alembic commands ###
--- a/cao_blogr/alembic/versions/20221208_b6095fa68edc.py
+++ b/cao_blogr/alembic/versions/20221208_b6095fa68edc.py
@@ -0,0 +1,26 @@
 """init
 Revision ID: b6095fa68edc
 Revises: 86d2844ace15
 Create Date: 2022-12-08 16:22:49.206993
 """
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = 'b6095fa68edc'
 down_revision = '86d2844ace15'
 branch_labels = None
 depends_on = None
 def upgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    pass
    # ### end Alembic commands ###
 def downgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    pass
    # ### end Alembic commands ###
--- a/cao_blogr/templates/login.jinja2
+++ b/cao_blogr/templates/login.jinja2
@@ -5,7 +5,7 @@
 <div class="row">
 	<div class="col-md-offset-4 col-md-5 well">
-    <form action="{{request.route_url('login')}}" method="post">
+    <form action="{{ login_url }}" method="post">
        <h2>Se connecter</h2>
        <div class="form-group">
            <input type="text" name="username" class="form-control" placeholder="Identifiant">
--- a/cao_blogr/views/default.py
+++ b/cao_blogr/views/default.py
@@ -1,4 +1,7 @@
-from pyramid.view import view_config
+from pyramid.view import (
    view_config,
    forbidden_view_config,
 )
 from pyramid.httpexceptions import HTTPFound
 from pyramid.security import remember, forget
 from ..services.user import UserService
@@ -27,23 +30,33 @@ def apropos(request):
        }
-@view_config(route_name='login',
+@view_config(route_name='login', renderer='cao_blogr:templates/login.jinja2')
-             renderer='cao_blogr:templates/login.jinja2')
+@forbidden_view_config(renderer='cao_blogr:templates/login.jinja2')
 def login(request):
-    username = request.POST.get('username')
+    username = ''
    login_url = request.route_url('login')
    referrer = request.url
    if referrer == login_url:
        referrer = '/' # never use the login form itself as came_from
    came_from = request.params.get('came_from', referrer)
    username = request.POST.get('username')
    userpwd = request.POST.get('password')
    if username:
        user = UserService.by_name(request, username)
-        if user and user.verify_password(request.POST.get('password')):
+        if user and user.verify_password(userpwd):
-            headers = remember(request, user.name)
+            headers = remember(request, username)
            request.session.flash("Bienvenue %s !" % username, 'success')
-            return HTTPFound(location=request.route_url('home'), headers=headers)
+            return HTTPFound(location=came_from, headers=headers)
        else:
            headers = forget(request)
            request.session.flash("Login et mot de passe invalides. La connexion a échoué.", "danger")
    return {
        'page_title': "",
        'came_from': came_from,
        'login_url': login_url,
        }
@@ -54,8 +67,7 @@ def logout(request):
    return HTTPFound(location=request.route_url('home'), headers=headers)
-@view_config(route_name='users',
+@view_config(route_name='users', renderer='cao_blogr:templates/users.jinja2', permission='manage')
             renderer='cao_blogr:templates/users.jinja2', permission='manage')
 def users(request):
    # get all users
    users = UserService.all(request)
--- a/setup.py
+++ b/setup.py
@@ -20,8 +20,8 @@ requires = [
    'SQLAlchemy',
    'transaction',
    'zope.sqlalchemy',
-    'wtforms==2.2.1',  # form library
+    'wtforms',  # form library 2.2.1
-    'webhelpers2==2.0',  # various web building related helpers
+    'webhelpers2',  # various web building related helpers 2.0
    'passlib',
    'markdown2',
 ]