comparison roundup/cgi/client.py @ 8279:80105cd30368
refactor: translator hint that 'user%s' should not be 'user %s'
When I looked at this in the .po file, I thought it was a typo
expecting:

    user rouilj

not

    user1

Add userid as a named replacement field to hint to the translator that
"user%s" becomes user1 and the token shouldn't be split.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 13 Jan 2025 12:48:31 -0500 |
| parents | 05d8806b25ad |
| children | b07165add61b |
| 8278:9489ea677a61 | 8279:80105cd30368 |
|---|---|
| 1675 # | 1675 # |
| 1676 # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers | 1676 # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers |
| 1677 if 'HTTP_X_REQUESTED_WITH' not in self.env: | 1677 if 'HTTP_X_REQUESTED_WITH' not in self.env: |
| 1678 logger.error(self._( | 1678 logger.error(self._( |
| 1679 ''"csrf X-REQUESTED-WITH xmlrpc required header " | 1679 ''"csrf X-REQUESTED-WITH xmlrpc required header " |
| 1680 ''"check failed for user%s."), | 1680 ''"check failed for user%(userid)s."), |
| 1681 current_user) | 1681 {"userid": current_user}) |
| 1682 raise UsageError(self._("Required Header Missing")) | 1682 raise UsageError(self._("Required Header Missing")) |
| 1683 | 1683 |
| 1684 # Expire old csrf tokens now so we don't use them. These will | 1684 # Expire old csrf tokens now so we don't use them. These will |
| 1685 # be committed after the otks.destroy below. Note that the | 1685 # be committed after the otks.destroy below. Note that the |
| 1686 # self.clean_up run as part of determine_user() will run only | 1686 # self.clean_up run as part of determine_user() will run only |
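Review bot: passing `{"userid": current_user}` as the sole argument to `logger.error` (line 1681) works only because the logging module special-cases a single mapping argument as the substitution dict for `%(name)s` placeholders, and it makes the call fail quietly if a translation drops or renames the `%(userid)s` field: the `KeyError` raised while formatting the record is caught by the handler and reported to stderr, and the CSRF failure for that user never reaches the log. Since this is exactly the string a translator is likely to touch (the commit message says `user%s` was mistaken for a typo), suggest a short source comment beside the string stating that `user%(userid)s` renders as e.g. `user1` and must stay a single token, and running the catalogs through `msgfmt --check`, which validates python-format placeholders, so a mismatch is caught at build time rather than at the first rejected request.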
| 1715 | 1715 |
| 1716 enforce = config['WEB_CSRF_ENFORCE_TOKEN'] | 1716 enforce = config['WEB_CSRF_ENFORCE_TOKEN'] |
| 1717 if key is None: # we do not have an @csrf token | 1717 if key is None: # we do not have an @csrf token |
| 1718 if enforce == 'required': | 1718 if enforce == 'required': |
| 1719 logger.error(self._( | 1719 logger.error(self._( |
| 1720 "Required csrf field missing for user%s"), current_user) | 1720 "Required csrf field missing for user%(userid)s"), |
| 1721 {"userid": current_user}) | |
| 1721 raise UsageError(self._( | 1722 raise UsageError(self._( |
| 1722 ''"We can't validate your session (csrf failure). " | 1723 ''"We can't validate your session (csrf failure). " |
| 1723 ''"Re-enter any unsaved data and try again.")) | 1724 ''"Re-enter any unsaved data and try again.")) |
| 1724 if enforce == 'logfailure': | 1725 if enforce == 'logfailure': |
| 1725 # FIXME include url | 1726 # FIXME include url |
| 1726 logger.warning(self._("csrf field not supplied by user%s"), | 1727 logger.warning(self._( |
| 1727 current_user) | 1728 "csrf field not supplied by user%(userid)s"), |
| 1729 {"userid": current_user}) | |
| 1728 else: | 1730 else: |
| 1729 # enforce is either yes or no. Both permit change if token is | 1731 # enforce is either yes or no. Both permit change if token is |
| 1730 # missing | 1732 # missing |
| 1731 return True | 1733 return True |
| 1732 | 1734 |
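Review bot: both the `'required'` and `'logfailure'` branches are converted consistently, but the `# FIXME include url` at line 1726 now has an obvious resolution that the patch leaves open: add the request URL as a second key in the same dict and a `%(url)s` placeholder in the message, rather than reintroducing a positional `%s` later and reopening the translator confusion this change fixes. Worth noting for whoever parses these logs: the three messages (`check failed for user%(userid)s` at 1680, `Required csrf field missing for user%(userid)s` at 1720 and `csrf field not supplied by user%(userid)s` at 1728) are the only record of a request rejected or left unverified under `WEB_CSRF_ENFORCE_TOKEN`, and the surrounding wording is translated, so alerting should key on the now-stable `user<id>` token rather than on the English text.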
