Mercurial > p > roundup > code

comparison roundup/cgi/templating.py @ 8411:ef1ea918b07a reauth-confirm_id

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
feat(security): Add user confirmation/reauth for sensitive changes Auditors can raise Reauth(reason) exception to require the user to enter a token (e.g. account password) to verify the user is performing the change. Naming is subject to change. actions.py: New ReauthAction class handler and verifyPassword() method for overriding if needed. client.py: Handle Reauth exception by calling Client:reauth() method. Default client:reauth method. Add 'reauth' action declaration. exceptions.py: Define and document Reauth exception as a subclass of RoundupCGIException. templating.py: Define method utils.embed_form_fields(). The original form making a change to the database has a lot of form fields. These need to be resubmitted to Roundup as part of the form submission that verifies the user's password. This method turns all non file form fields into type=hidden inputs. It escapes the names and values to prevent XSS. For file form fields, it base64 encodes the contents and puts them in hidden pre blocks. The pre blocks have data attributes for the filename, filetype and the original field name. (Note the original field name is not used.) This stops the file content data (maybe binary e.g. jpegs) from breaking the html page. The reauth template runs JavaScript that turns the encoded data inside the pre tags back into a file. Then it adds a multiple file input control to the page and attaches all the files to it. This file input is submitted with the rest of the fields. _generic.reauth.html (multiple tracker templates): Generates a form with id=reauth_form to: display any message from the Reauth exception to the user (e.g. why user is asked to auth). get the user's password submit the form embed all the form data that triggered the reauth recreate any file data that was submitted as part of the form and generate a new file input to push the data to the back end It has the JavaScript routine (as an IIFE) that regenerates a file input without user intervention. All the TAL based tracker templates use the same form. There is also one for the jinja2 template. The JavaScript for both is the same. reference.txt: document embed_form_fields utility method. upgrading.txt: initial upgrading docs. TODO: Finalize naming. I am leaning toward ConfirmID rather than Reauth. Still looking for a standard name for this workflow. Externalize the javascript in _generic.reauth.html to a seperate file and use utils.readfile() to embed it or change the script to load it from a @@file url. Clean up upgrading.txt with just steps to implement and less feature detail/internals. Document internals/troubleshooting in reference.txt. Add tests using live server.
author John Rouillard <rouilj@ieee.org>
date Mon, 11 Aug 2025 14:01:12 -0400
parents 389b62b1d65b
children 0663a7bcef6c
comparison
equal deleted inserted replaced
8410:fd72487d0054 8411:ef1ea918b07a
29 from roundup import date, hyperdb, support 29 from roundup import date, hyperdb, support
30 from roundup.anypy import scandir_ 30 from roundup.anypy import scandir_
31 from roundup.anypy import urllib_ 31 from roundup.anypy import urllib_
32 from roundup.anypy.cgi_ import cgi 32 from roundup.anypy.cgi_ import cgi
33 from roundup.anypy.html import html_escape 33 from roundup.anypy.html import html_escape
34 from roundup.anypy.strings import StringIO, is_us, s2u, u2s, us2s 34 from roundup.anypy.strings import StringIO, b2s, bs2b, is_us, s2u, u2s, us2s
35 from roundup.cgi import TranslationService, ZTUtils 35 from roundup.cgi import TranslationService, ZTUtils
36 from roundup.cgi.timestamp import pack_timestamp 36 from roundup.cgi.timestamp import pack_timestamp
37 from roundup.exceptions import RoundupException 37 from roundup.exceptions import RoundupException
38 38
39 from .KeywordsExpr import render_keywords_expression_editor 39 from .KeywordsExpr import render_keywords_expression_editor
3613 3613
3614 def html_quote(self, html): 3614 def html_quote(self, html):
3615 """HTML-quote the supplied text.""" 3615 """HTML-quote the supplied text."""
3616 return html_escape(html) 3616 return html_escape(html)
3617 3617
3618 def embed_form_fields(self, excluded_fields=None):
3619 """Used to create a hidden input field for each client.form element
3620
3621 :param: excluded_fields string or something with
3622 __contains__ dunder method (tuple, list, set...).
3623
3624 Limitations: It ignores file input fields.
3625 """
3626 if excluded_fields is None:
3627 excluded_fields = ()
3628 elif isinstance(excluded_fields, str):
3629 excluded_fields = (excluded_fields,)
3630 elif hasattr(excluded_fields, '__contains__'):
3631 pass
3632 else:
3633 raise ValueError(self._(
3634 'The excluded_fields parameter is invalid.'
3635 'It must have a __contains__ method.')
3636 )
3637
3638 rtn = []
3639
3640 for field in self.client.form.list:
3641 if field.name in excluded_fields:
3642 continue
3643
3644 if field.filename is not None:
3645 import base64
3646 # FIXME if possible
3647 rtn.append(
3648 '<pre hidden data-name="%s" data-filename="%s" data-mimetype="%s">%s</pre>' %
3649 (
3650 html_escape(field.name, quote=True),
3651 html_escape(field.filename, quote=True),
3652 html_escape(field.type, quote=True),
3653 b2s(base64.b64encode(bs2b(field.value))),
3654 )
3655 )
3656 continue
3657
3658 hidden_input = (
3659 """<input type="hidden" name="%s" value="%s">""" %
3660 (
3661 html_escape(field.name, quote=True),
3662 html_escape(field.value, quote=True)
3663 )
3664 )
3665
3666 rtn.append(hidden_input)
3667
3668 return "\n".join(rtn)
3669
3670
3671 """
3672 Possible solution to file retention issue:
3673 From: https://stackoverflow.com/questions/16365668/pre-populate-html-form-f
3674
3675 const transfer = new DataTransfer();
3676 transfer.items.add(new File(['file 1 content'], 'file 1.txt'));
3677 transfer.items.add(new File(['file 2 content'], 'file 2.txt'));
3678 document.querySelector('input').files = transfer.files;
3679
3680 document.querySelector('form').addEventListener('submit', e => {
3681 e.preventDefault();
3682 console.log(...new FormData(e.target));
3683 });
3684
3685 <form>
3686 <input name="files" type="file" multiple /> <br />
3687 <button>Submit</button>
3688 </form>
3689
3690 Name would be @file for Roundup.
3691
3692 see also: https://developer.mozilla.org/en-US/docs/Web/API/File/File
3693
3694 open question: how to make sure the file contents are safely encoded
3695 in javascript and yet still are saved properly on the server when
3696 the form is submitted.
3697
3698 maybe base64? https://developer.mozilla.org/en-US/docs/Glossary/Base64
3699 size increase may be an issue.
3700 <pre id="file1-contents"
3701 style="display: none">base64datastartshere...</pre>
3702 then atob(pre.text) as file content?
3703
3704 const transfer = new DataTransfer();
3705 file_list = document.querySelectorAll('pre[data-mimetype]');
3706 file_list.forEach( file =>
3707 transfer.items.add(
3708 new File([window.atob(file.textContent)],
3709 file.dataset.filename,
3710 {"type": file.dataset.mimetype})
3711 )
3712 )
3713
3714 form = document.querySelector("form")
3715 file_input = document.createElement('input')
3716 file_input.setAttribute("hidden", "")
3717 file_input = form.appendChild(file_input)
3718 file_input.setAttribute("type", "file")
3719 file_input.setAttribute("name", "@file")
3720 file_input.setAttribute("multiple", "")
3721 file_input.files = transfer.files
3722
3723 """
3724
3618 def __getattr__(self, name): 3725 def __getattr__(self, name):
3619 """Try the tracker's templating_utils.""" 3726 """Try the tracker's templating_utils."""
3620 if not hasattr(self.client.instance, 'templating_utils'): 3727 if not hasattr(self.client.instance, 'templating_utils'):
3621 # backwards-compatibility 3728 # backwards-compatibility
3622 raise AttributeError(name) 3729 raise AttributeError(name)
Roundup Issue Tracker: http://roundup-tracker.org/