# HG changeset patch # User Sylvain Thénault # Date 1274869894 -7200 # Node ID c1823448f81d7e259db1c8909d7ea555f277f4ab # Parent 24125df012f3f1c64fd7176e2f8e32794e69c6f1 [web] disallow authenticated users to access to the login form (closes #914873) diff -r 24125df012f3 -r c1823448f81d web/application.py --- a/web/application.py Wed May 26 11:01:50 2010 +0200 +++ b/web/application.py Wed May 26 12:31:34 2010 +0200 @@ -379,6 +379,8 @@ controller = self.vreg['controllers'].select(ctrlid, req, appli=self) except NoSelectableObject: + if ctrlid == 'login': + raise Unauthorized(req._('log out first')) raise Unauthorized(req._('not authorized')) req.update_search_state() result = controller.publish(rset=rset) diff -r 24125df012f3 -r c1823448f81d web/test/unittest_application.py --- a/web/test/unittest_application.py Wed May 26 11:01:50 2010 +0200 +++ b/web/test/unittest_application.py Wed May 26 12:31:34 2010 +0200 @@ -1,4 +1,3 @@ -# -*- coding: iso-8859-1 -*- # copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved. # contact http://www.logilab.fr/ -- mailto:contact@logilab.fr # @@ -16,9 +15,7 @@ # # You should have received a copy of the GNU Lesser General Public License along # with CubicWeb. If not, see . -"""unit tests for cubicweb.web.application - -""" +"""unit tests for cubicweb.web.application""" import base64, Cookie import sys @@ -27,7 +24,7 @@ from logilab.common.testlib import TestCase, unittest_main from logilab.common.decorators import clear_cache -from cubicweb import AuthenticationError +from cubicweb import AuthenticationError, Unauthorized from cubicweb.devtools.testlib import CubicWebTC from cubicweb.devtools.fake import FakeRequest from cubicweb.web import LogOut, Redirect, INTERNAL_FIELD_VALUE 
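Review bot: The added `if ctrlid == 'login'` branch in web/application.py maps a generic NoSelectableObject onto the 'log out first' message on the assumption that anonymous_user() is the only selector on the login controller, but that selector lives in web/views/basecontrollers.py (changed in this same patch) and nothing on these lines records the coupling, so a later change to LoginController.__select__ would silently make the message wrong. A comment above the branch such as `# the 'login' controller is selectable only for anonymous connections (basecontrollers.py), so failing to select it here means the user is already logged in` would make the dependency visible. The enclosing method starts and ends outside the hunk, so whether Unauthorized is the friendliest response for an already-authenticated user (versus redirecting to the index page) cannot be judged from here. The unittest_application.py hunks on this line are encoding/docstring/import housekeeping and need nothing.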
@@ -299,6 +296,11 @@ self.commit() self.assertEquals(vreg.property_value('ui.language'), 'en') + def test_login_not_available_to_authenticated(self): + req = self.request() + ex = self.assertRaises(Unauthorized, self.app_publish, req, 'login') + self.assertEquals(str(ex), 'log out first') + def test_fb_login_concept(self): """see data/views.py""" self.set_option('auth-mode', 'cookie') diff -r 24125df012f3 -r c1823448f81d web/test/unittest_views_basetemplates.py --- a/web/test/unittest_views_basetemplates.py Wed May 26 11:01:50 2010 +0200 +++ b/web/test/unittest_views_basetemplates.py Wed May 26 12:31:34 2010 +0200 @@ -15,9 +15,6 @@ # # You should have received a copy of the GNU Lesser General Public License along # with CubicWeb. If not, see . -""" - -""" from cubicweb.devtools.testlib import CubicWebTC from cubicweb.devtools.htmlparser import DTDValidator @@ -26,7 +23,10 @@ def _login_labels(self): valid = self.content_type_validators.get('text/html', DTDValidator)() + req = self.request() + req.cnx.anonymous_connection = True page = valid.parse_string(self.vreg['views'].main_template(self.request(), 'login')) + req.cnx.anonymous_connection = False return page.find_tag('label') def test_label(self): diff -r 24125df012f3 -r c1823448f81d web/views/basecontrollers.py --- a/web/views/basecontrollers.py Wed May 26 11:01:50 2010 +0200 +++ b/web/views/basecontrollers.py Wed May 26 12:31:34 2010 +0200 @@ -31,7 +31,7 @@ from cubicweb import (NoSelectableObject, ObjectNotFound, ValidationError, AuthenticationError, typed_eid) from cubicweb.utils import CubicWebJsonEncoder -from cubicweb.selectors import authenticated_user, match_form_params +from cubicweb.selectors import authenticated_user, anonymous_user, match_form_params from cubicweb.mail import format_mail from cubicweb.web import Redirect, RemoteCallFailed, DirectResponse, json_dumps, json from cubicweb.web.controller import Controller 
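Review bot: `test_login_not_available_to_authenticated` covers only the authenticated side of the new rule; no test in this patch checks that an anonymous connection can still reach the 'login' controller, so an over-restrictive selector would pass the suite unnoticed. A companion case that sets `req.cnx.anonymous_connection = True` (the pattern this patch uses in unittest_views_basetemplates.py) before calling `self.app_publish(req, 'login')` and expects no Unauthorized would pin both directions. The assertion `self.assertEquals(str(ex), 'log out first')` also assumes `req._` is the identity translation in the test setup; if that is not guaranteed by the fixture, comparing against `req._('log out first')` is more robust.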
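Review bot: In `_login_labels` the reset `req.cnx.anonymous_connection = False` is not in a `finally`, so if `main_template` or `parse_string` raises, the shared connection stays flagged anonymous for every later test in the process and their failures become hard to attribute. The template is also rendered with a fresh `self.request()` rather than the `req` whose connection was just flagged; that presumably works because both requests share one connection, but passing `req` makes the intent explicit. A try/finally scopes the flag to the render and removes both ambiguities:
```python
    def _login_labels(self):
        # … unchanged: validator setup …
        req = self.request()
        req.cnx.anonymous_connection = True
        try:
            page = valid.parse_string(self.vreg['views'].main_template(req, 'login'))
        finally:
            req.cnx.anonymous_connection = False
        return page.find_tag('label')
```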
@@ -78,6 +78,7 @@ class LoginController(Controller): __regid__ = 'login' + __select__ = anonymous_user() def publish(self, rset=None): """log in the instance""" diff -r 24125df012f3 -r c1823448f81d web/views/basetemplates.py --- a/web/views/basetemplates.py Wed May 26 11:01:50 2010 +0200 +++ b/web/views/basetemplates.py Wed May 26 12:31:34 2010 +0200 @@ -1,4 +1,3 @@ -# -*- coding: utf-8 -*- # copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved. # contact http://www.logilab.fr/ -- mailto:contact@logilab.fr # @@ -16,16 +15,15 @@ # # You should have received a copy of the GNU Lesser General Public License along # with CubicWeb. If not, see . -"""default templates for CubicWeb web client +"""default templates for CubicWeb web client""" -""" __docformat__ = "restructuredtext en" from logilab.mtconverter import xml_escape from logilab.common.deprecation import class_renamed from cubicweb.appobject import objectify_selector -from cubicweb.selectors import match_kwargs, no_cnx +from cubicweb.selectors import match_kwargs, no_cnx, anonymous_user from cubicweb.view import View, MainTemplate, NOINDEX, NOFOLLOW from cubicweb.utils import UStringIO from cubicweb.schema import display_name @@ -60,6 +58,7 @@ class LogInTemplate(LogInOutTemplate): __regid__ = 'login' + __select__ = anonymous_user() title = 'log in' def content(self, w): @@ -80,6 +79,7 @@ xml_escape(indexurl), self._cw._('go back to the index page'))) + @objectify_selector def templatable_view(cls, req, rset, *args, **kwargs): view = kwargs.pop('view', None)
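Review bot: `LoginController.__select__ = anonymous_user()` and `LogInTemplate.__select__ = anonymous_user()` (the basetemplates.py hunk on this same line) are the checks that actually keep an authenticated session away from the login form, yet neither carries a comment, and the 'log out first' message in web/application.py depends on this selector being the only reason 'login' is unselectable. A one-line comment on each, e.g. `# only anonymous connections may see the login form; application.py maps the resulting NoSelectableObject to 'log out first'`, would record that dependency where it is enforced. Assigning `__select__` replaces whatever selector the base class (Controller / LogInOutTemplate) declared rather than combining with it; if the inherited selector carried a condition that matters, it would need to be combined with `&`, which cannot be confirmed from this hunk since both class bodies continue outside it. The remaining basetemplates.py hunks (coding line, docstring, import, blank line) are cosmetic.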