Mercurial > p > roundup > code

diff roundup/cgi/client.py @ 8411:ef1ea918b07a reauth-confirm_id

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
feat(security): Add user confirmation/reauth for sensitive changes Auditors can raise Reauth(reason) exception to require the user to enter a token (e.g. account password) to verify the user is performing the change. Naming is subject to change. actions.py: New ReauthAction class handler and verifyPassword() method for overriding if needed. client.py: Handle Reauth exception by calling Client:reauth() method. Default client:reauth method. Add 'reauth' action declaration. exceptions.py: Define and document Reauth exception as a subclass of RoundupCGIException. templating.py: Define method utils.embed_form_fields(). The original form making a change to the database has a lot of form fields. These need to be resubmitted to Roundup as part of the form submission that verifies the user's password. This method turns all non file form fields into type=hidden inputs. It escapes the names and values to prevent XSS. For file form fields, it base64 encodes the contents and puts them in hidden pre blocks. The pre blocks have data attributes for the filename, filetype and the original field name. (Note the original field name is not used.) This stops the file content data (maybe binary e.g. jpegs) from breaking the html page. The reauth template runs JavaScript that turns the encoded data inside the pre tags back into a file. Then it adds a multiple file input control to the page and attaches all the files to it. This file input is submitted with the rest of the fields. _generic.reauth.html (multiple tracker templates): Generates a form with id=reauth_form to: display any message from the Reauth exception to the user (e.g. why user is asked to auth). get the user's password submit the form embed all the form data that triggered the reauth recreate any file data that was submitted as part of the form and generate a new file input to push the data to the back end It has the JavaScript routine (as an IIFE) that regenerates a file input without user intervention. All the TAL based tracker templates use the same form. There is also one for the jinja2 template. The JavaScript for both is the same. reference.txt: document embed_form_fields utility method. upgrading.txt: initial upgrading docs. TODO: Finalize naming. I am leaning toward ConfirmID rather than Reauth. Still looking for a standard name for this workflow. Externalize the javascript in _generic.reauth.html to a seperate file and use utils.readfile() to embed it or change the script to load it from a @@file url. Clean up upgrading.txt with just steps to implement and less feature detail/internals. Document internals/troubleshooting in reference.txt. Add tests using live server.
author John Rouillard <rouilj@ieee.org>
date Mon, 11 Aug 2025 14:01:12 -0400
parents e882a5d52ae5
children 0663a7bcef6c
line wrap: on
line diff
--- a/roundup/cgi/client.py	Mon Aug 11 02:37:49 2025 -0400
+++ b/roundup/cgi/client.py	Mon Aug 11 14:01:12 2025 -0400
@@ -41,6 +41,7 @@
     NotFound,
     NotModified,
     RateLimitExceeded,
+    Reauth,
     Redirect,
     SendFile,
     SendStaticFile,
@@ -960,6 +961,8 @@
 
         except SeriousError as message:
             self.write_html(str(message))
+        except Reauth as e:
+            self.reauth(e)
         except Redirect as url:
             # let's redirect - if the url isn't None, then we need to do
             # the headers, otherwise the headers have been set before the
@@ -1916,6 +1919,44 @@
         if template_override is not None:
             self.template = template_override
 
+    def reauth(self, exception):
+        """Processing for a Reauth exception raised from an auditor.
+
+           Can be overridden by code in tracker's interfaces.py.
+        """
+        
+        from roundup.anypy.vendored.cgi import MiniFieldStorage
+
+        original_action = self.form['@action'].value if '@action' \
+            in self.form else ""
+        original_template = self.template
+
+        self.template = 'reauth'
+        self.form.list = [ x for x in self.form.list
+                           if x.name not in ('@action',
+                                             '@csrf',
+                                             '@template'
+                                             )]
+
+        # save the action and template used when the Reauth as
+        # triggered. Will be used to resolve the change by the reauth
+        # action when when reauth password verified.
+        if '@next_action' not in self.form.list:
+            self.form.list.append(MiniFieldStorage('@next_action',
+                                                   original_action))
+        if '@next_template' not in self.form.list:
+            self.form.list.append(MiniFieldStorage('@next_template',
+                                                   original_template))
+
+        if exception.args and "@reauth_message" not in self.form.list:
+            self.form.list.append(
+                MiniFieldStorage('@reauth_message',
+                                 html_escape(exception.args[0])
+                )
+            )
+
+        self.write_html(self.renderContext())
+
     # re for splitting designator, see also dre_url above this one
     # doesn't strip leading 0's from the id. Why not??
     dre = re.compile(r'([^\d]+)(\d+)')
@@ -2365,6 +2406,7 @@
         ('show',        actions.ShowAction),  # noqa: E241
         ('export_csv',  actions.ExportCSVAction),  # noqa: E241
         ('export_csv_id',  actions.ExportCSVWithIdAction),  # noqa: E241
+        ('reauth',      actions.ReauthAction),  # noqa: E241
     )
 
     def handle_action(self):
Roundup Issue Tracker: http://roundup-tracker.org/