[web] disallow authenticated users to access to the login form (closes #914873) stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Wed, 26 May 2010 12:31:34 +0200 (2010-05-26)
branchstable
changeset 5584 c1823448f81d
parent 5583 24125df012f3
child 5585 e1cbf6b304ea
[web] disallow authenticated users from accessing the login form (closes #914873)
web/application.py
web/test/unittest_application.py
web/test/unittest_views_basetemplates.py
web/views/basecontrollers.py
web/views/basetemplates.py
--- a/web/application.py	Wed May 26 11:01:50 2010 +0200
+++ b/web/application.py	Wed May 26 12:31:34 2010 +0200
@@ -379,6 +379,8 @@
                     controller = self.vreg['controllers'].select(ctrlid, req,
                                                                  appli=self)
                 except NoSelectableObject:
+                    if ctrlid == 'login':
+                        raise Unauthorized(req._('log out first'))
                     raise Unauthorized(req._('not authorized'))
                 req.update_search_state()
                 result = controller.publish(rset=rset)
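Review bot: The added `if ctrlid == 'login':` branch inside `except NoSelectableObject:` infers the cause of the failure from the controller id alone, so any reason the 'login' controller is not selectable is reported as 'log out first', not only the authenticated-user case the commit targets. If the request exposes the connection's anonymity (the tests in this commit toggle `req.cnx.anonymous_connection`), narrowing the guard to `if ctrlid == 'login' and not req.cnx.anonymous_connection:` would keep the generic 'not authorized' message for other causes — confirm that attribute is available here. At minimum a comment above the branch, `# LoginController's selector rejects authenticated users (see basecontrollers.py)`, would record why a selection failure is mapped to this message. The enclosing method starts and ends outside the hunk.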
--- a/web/test/unittest_application.py	Wed May 26 11:01:50 2010 +0200
+++ b/web/test/unittest_application.py	Wed May 26 12:31:34 2010 +0200
@@ -1,4 +1,3 @@
-# -*- coding: iso-8859-1 -*-
 # copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
 # contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
 #
@@ -16,9 +15,7 @@
 #
 # You should have received a copy of the GNU Lesser General Public License along
 # with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
-"""unit tests for cubicweb.web.application
-
-"""
+"""unit tests for cubicweb.web.application"""
 
 import base64, Cookie
 import sys
@@ -27,7 +24,7 @@
 from logilab.common.testlib import TestCase, unittest_main
 from logilab.common.decorators import clear_cache
 
-from cubicweb import AuthenticationError
+from cubicweb import AuthenticationError, Unauthorized
 from cubicweb.devtools.testlib import CubicWebTC
 from cubicweb.devtools.fake import FakeRequest
 from cubicweb.web import LogOut, Redirect, INTERNAL_FIELD_VALUE
@@ -299,6 +296,11 @@
         self.commit()
         self.assertEquals(vreg.property_value('ui.language'), 'en')
 
+    def test_login_not_available_to_authenticated(self):
+        req = self.request()
+        ex = self.assertRaises(Unauthorized, self.app_publish, req, 'login')
+        self.assertEquals(str(ex), 'log out first')
+
     def test_fb_login_concept(self):
         """see data/views.py"""
         self.set_option('auth-mode', 'cookie')
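Review bot: test_login_not_available_to_authenticated pins only the rejection for the default request, so a selector that rejects every user would still pass; there is no companion assertion that an anonymous request can still reach the login controller. A second test that sets `req.cnx.anonymous_connection = True` on a fresh request, as unittest_views_basetemplates.py does in this commit, and checks that `self.app_publish(req, 'login')` does not raise `Unauthorized` would close that gap. The comparison `self.assertEquals(str(ex), 'log out first')` also assumes the test request translates to English; the preceding test asserts `ui.language` is 'en', so this presumably holds, but it is worth noting in the test's docstring.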
--- a/web/test/unittest_views_basetemplates.py	Wed May 26 11:01:50 2010 +0200
+++ b/web/test/unittest_views_basetemplates.py	Wed May 26 12:31:34 2010 +0200
@@ -15,9 +15,6 @@
 #
 # You should have received a copy of the GNU Lesser General Public License along
 # with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
-"""
-
-"""
 from cubicweb.devtools.testlib import CubicWebTC
 from cubicweb.devtools.htmlparser import DTDValidator
 
@@ -26,7 +23,10 @@
 
     def _login_labels(self):
         valid = self.content_type_validators.get('text/html', DTDValidator)()
+        req = self.request()
+        req.cnx.anonymous_connection = True
         page = valid.parse_string(self.vreg['views'].main_template(self.request(), 'login'))
+        req.cnx.anonymous_connection = False
         return page.find_tag('label')
 
     def test_label(self):
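Review bot: The restore `req.cnx.anonymous_connection = False` after the `parse_string` call is not protected, so if `main_template` or the parser raises, the connection stays flagged anonymous for every test that follows in the same test case. Wrap the render in `try:` with the reset in `finally:`, i.e. set the flag, `try:` the `page = valid.parse_string(...)` line, and `finally: req.cnx.anonymous_connection = False`. Note also that the flag is set through `req` but the template is rendered with a second `self.request()` call; this only works if both requests share the same `cnx`, which the hunk does not show — passing `req` to `main_template` would remove the dependency.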
--- a/web/views/basecontrollers.py	Wed May 26 11:01:50 2010 +0200
+++ b/web/views/basecontrollers.py	Wed May 26 12:31:34 2010 +0200
@@ -31,7 +31,7 @@
 from cubicweb import (NoSelectableObject, ObjectNotFound, ValidationError,
                       AuthenticationError, typed_eid)
 from cubicweb.utils import CubicWebJsonEncoder
-from cubicweb.selectors import authenticated_user, match_form_params
+from cubicweb.selectors import authenticated_user, anonymous_user, match_form_params
 from cubicweb.mail import format_mail
 from cubicweb.web import Redirect, RemoteCallFailed, DirectResponse, json_dumps, json
 from cubicweb.web.controller import Controller
@@ -78,6 +78,7 @@
 
 class LoginController(Controller):
     __regid__ = 'login'
+    __select__ = anonymous_user()
 
     def publish(self, rset=None):
         """log in the instance"""
--- a/web/views/basetemplates.py	Wed May 26 11:01:50 2010 +0200
+++ b/web/views/basetemplates.py	Wed May 26 12:31:34 2010 +0200
@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 # copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
 # contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
 #
@@ -16,16 +15,15 @@
 #
 # You should have received a copy of the GNU Lesser General Public License along
 # with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
-"""default templates for CubicWeb web client
+"""default templates for CubicWeb web client"""
 
-"""
 __docformat__ = "restructuredtext en"
 
 from logilab.mtconverter import xml_escape
 from logilab.common.deprecation import class_renamed
 
 from cubicweb.appobject import objectify_selector
-from cubicweb.selectors import match_kwargs, no_cnx
+from cubicweb.selectors import match_kwargs, no_cnx, anonymous_user
 from cubicweb.view import View, MainTemplate, NOINDEX, NOFOLLOW
 from cubicweb.utils import UStringIO
 from cubicweb.schema import display_name
@@ -60,6 +58,7 @@
 
 class LogInTemplate(LogInOutTemplate):
     __regid__ = 'login'
+    __select__ = anonymous_user()
     title = 'log in'
 
     def content(self, w):
@@ -80,6 +79,7 @@
                 xml_escape(indexurl),
                 self._cw._('go back to the index page')))
 
+
 @objectify_selector
 def templatable_view(cls, req, rset, *args, **kwargs):
     view = kwargs.pop('view', None)