0001-misc-expose-session-identifier-in-substitution-varia.patch

Frédéric Péters, 27 juin 2018 12:47

Voir les différences: en ligne côte à côte

Subject: [PATCH] misc: expose session identifier in substitution variables
 (#24778)

 tests/test_form_pages.py |  2 --
 tests/test_sessions.py   | 40 ++++++++++++++++++++++++++++++++++++++++
 wcs/forms/root.py        |  5 +++++
 wcs/qommon/sessions.py   | 16 +++++++++++++---
 4 files changed, 58 insertions(+), 5 deletions(-)

         formdef = create_formdef()
         app = get_app(pub)
         resp = app.get('/test/', status=200)
         resp = resp.form.submit('submit')
         assert resp.headers['Set-Cookie'].startswith('wcs-')
         assert 'httponly' in resp.headers['Set-Cookie']
         assert not 'secure' in resp.headers['Set-Cookie']
         app = get_app(pub, https=True)
         resp = app.get('/test/', status=200)
         resp = resp.form.submit('submit')
         assert resp.headers['Set-Cookie'].startswith('wcs-')
         assert 'httponly' in resp.headers['Set-Cookie']
         assert 'secure' in resp.headers['Set-Cookie']

     from wcs.qommon.ident.password_accounts import PasswordAccount
     from wcs.qommon.http_request import HTTPRequest
     from wcs.formdef import FormDef
     from wcs import fields
     from utilities import create_temporary_pub, clean_temporary_pub, get_app, login
-...
         resp = login_form.submit()
         assert resp.status_int == 302
         assert pub.session_manager.session_class.count() == 2
     def test_session_substitution_variables(pub, user, app):
         pub.session_manager.session_class.wipe()
         resp = app.get('/')
         formdef = FormDef()
         formdef.name = 'foobar'
         formdef.fields = [fields.CommentField(id='7', label='Hello [session_id]', type='comment')]
         formdef.store()
         resp = app.get('/foobar/')
         assert pub.session_manager.session_class.count() == 1
         session_id = pub.session_manager.session_class.select()[0].id
         assert 'Hello %s' % session_id in resp.body
         login(app, username='foo', password='foo')
         assert pub.session_manager.session_class.count() == 2
         session_id = [x for x in pub.session_manager.session_class.select() if x.id != session_id][0].id
         resp = app.get('/foobar/')
         assert 'Hello %s' % session_id in resp.body
     def test_session_substitution_variables_1st_page_condition(pub, user, app):
         pub.session_manager.session_class.wipe()
         resp = app.get('/')
         formdef = FormDef()
         formdef.name = 'foobar'
         formdef.fields = [fields.PageField(id='0', label='1st PAGE', type='page',
                 condition={'type': 'python', 'value': 'vars().get("session_id") is not None'}),
                 fields.CommentField(id='7', label='COM1 [session_id]', type='comment'),
                 fields.PageField(id='8', label='2nd PAGE', type='page'),
                 fields.CommentField(id='9', label='COM2 [session_id]', type='comment')]
         formdef.store()
         resp = app.get('/foobar/')
         assert pub.session_manager.session_class.count() == 1
         session_id = pub.session_manager.session_class.select()[0].id
         assert 'COM1' in resp.body

                 return redirect(self.check_disabled())
             session = get_session()
             if not session.id:
                 # force session to be written down, this is required so
                 # [session_var_id] is available on the first page.
                 session.force()
             if self.formdef.enable_tracking_codes:
                 if get_request().form.get('_ajax_form_token'):
                     # _ajax_form_token is immediately removed, this prevents

         jsonp_display_values = None
         extra_variables = None
         expire = None
         forced = False
         # should only be overwritten by authentication methods
         extra_user_variables = None
         username = None # only set on password authentication
         def force(self):
             # add some data in the session, it will force a cookie to be set, this
             # is used so we get a session identifier fixed even on the first page
             # of a form.
             self.forced = True
             get_session_manager().maintain_session(self)
         def set_expire(self, expire):
             self.expire = expire
-...
                 CaptchaSession.has_info(self) or \
                 self.expire or \
                 self.extra_user_variables or \
                 self.forced or \
                 QuixoteSession.has_info(self)
         is_dirty = has_info
-...
                 self.extra_variables = {}
             self.extra_variables.update(kwargs)
         def get_substitution_variables(self, prefix='session_var_'):
         def get_substitution_variables(self, prefix='session_'):
             d = {}
             d[prefix + 'id'] = self.id
             if self.extra_variables:
                 for k, v in self.extra_variables.items():
                     d[prefix + k] = v
                     d[prefix + 'var_' + k] = v
             if self.extra_user_variables:
                 for k, v in self.extra_user_variables.items():
                     d[prefix + 'user_' + k] = v
                     d[prefix + 'var_user_' + k] = v
             return d
         @classmethod
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-misc-expose-session-identifier-in-substitution-varia.patch