
import hmac

from AdminPage import AdminPage

# Set this to False if you want to allow everyone to access secure pages
# with no login required. This should instead come from a config file.
# The switch is read once, at import time, by the `if` below: it decides
# which of the two AdminSecurity classes gets defined, so a change only
# takes effect when this module is loaded again.
requireLogin = True

if not requireLogin:


    class AdminSecurity(AdminPage):
        """Open variant of the admin gate, used when ``requireLogin`` is False.

        Nobody is asked to log in; the only request handled here is an
        explicit ``logout``, which discards every stored session value
        before the page is rendered.
        """

        def writeHTML(self):
            """Clear the session on ``logout``, then render the page as usual."""
            currentSession = self.session()
            currentRequest = self.request()
            loggingOut = currentRequest.hasField('logout')
            if loggingOut:
                # Forget everything the session held; there is no user to
                # keep track of once they asked to leave.
                currentSession.values().clear()
            AdminPage.writeHTML(self)

else:


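    class AdminSecurity(AdminPage):
        """Login-protected variant of the admin gate (``requireLogin`` True).

        ``writeHTML`` decides, per request, whether to process a login,
        process a logout, render the page for an already authenticated
        session, or forward the visitor to ``LoginPage``. Messages for the
        login page travel in the request's ``extra`` field.
        """

        def writeHTML(self):
            """Render the page only for an authenticated admin session.

            Three request shapes are recognised, in this order:

            * a login submission (``login``, ``username`` and ``password``
              fields present) -- validated against
              ``isValidUserAndPassword`` and the session's ``loginid`` token;
            * a logout request (``logout`` field) -- clears the session;
            * an already authenticated session (``authenticated_user_admin``
              set) -- renders the page.

            Anything else forwards to ``LoginPage``.
            """
            session = self.session()
            request = self.request()
            trans = self.transaction()
            app = self.application()
            isLoginAttempt = (request.hasField('login')
                and request.hasField('username')
                and request.hasField('password'))
            if isLoginAttempt:
                # Keep the login token issued for this session, then discard
                # every other session value: nothing from before the login
                # attempt may survive it, whether it succeeds or fails.
                loginid = session.value('loginid', None)
                session.values().clear()
                username = request.field('username')
                password = request.field('password')
                # The submitted loginid must equal the one the session holds
                # (presumably issued by LoginPage -- confirm there). The
                # 'nologin' default makes sure that a missing form field never
                # matches a missing session value.
                tokenMatches = request.field('loginid', 'nologin') == loginid
                if self.isValidUserAndPassword(username, password) and tokenMatches:
                    # NOTE(review): the session's values were cleared above,
                    # but the session id itself is not rotated here; confirm
                    # whether the session API offers a way to do that.
                    session.setValue('authenticated_user_admin', username)
                    AdminPage.writeHTML(self)
                    return
                # Wrong credentials or token; send them back to the form.
                request.fields()['extra'] = ('Login failed.'
                    ' Please try again.'
                    ' (And make sure cookies are enabled.)')
                app.forward(trans, 'LoginPage')
                return
            if request.hasField('logout'):
                # Drop every session value, including the authenticated user.
                session.values().clear()
                request.fields()['extra'] = 'You have been logged out.'
                app.forward(trans, 'LoginPage')
                return
            if session.value('authenticated_user_admin', None):
                AdminPage.writeHTML(self)
                return
            # Not logged in and not trying to: they need to log in first.
            app.forward(trans, 'LoginPage')

        def isValidUserAndPassword(self, username, password):
            """Return True if *username*/*password* are the admin credentials.

            Only the single user ``admin`` exists; its password is the
            application's ``AdminPassword`` setting, and an empty or unset
            setting disables login altogether. Replace this with a database
            lookup, or whatever you're using for authentication...
            """
            if username != 'admin':
                return False
            adminPassword = self.application().setting('AdminPassword')
            if not adminPassword:
                return False
            try:
                # Constant-time comparison, so the response time does not
                # leak how many leading characters of the password matched.
                return hmac.compare_digest(password, adminPassword)
            except TypeError:
                # compare_digest only accepts two byte strings or two
                # ASCII-only text strings; for anything else fall back to
                # plain equality (mismatched types simply compare unequal).
                return password == adminPassword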