+local function require_post_security(target)
+ if type(target) == "table" then
+ if type(target.post) == "table" then
+ local param_name, required_val, request_val
+
+ for param_name, required_val in pairs(target.post) do
+ request_val = http.formvalue(param_name)
+
+ if (type(required_val) == "string" and
+ request_val ~= required_val) or
+ (required_val == true and
+ (request_val == nil or request_val == ""))
+ then
+ return false
+ end
+ end
+
+ return true
+ end
+
+ return (target.post == true)
+ end
+
+ return false
+end
+
+function test_post_security()
+ if http.getenv("REQUEST_METHOD") ~= "POST" then
+ http.status(405, "Method Not Allowed")
+ http.header("Allow", "POST")
+ return false
+ end
+
+ if http.formvalue("token") ~= context.authtoken then
+ http.status(403, "Forbidden")
+ luci.template.render("csrftoken")
+ return false
+ end
+
+ return true
+end
+
+local function session_retrieve(sid, allowed_users)
+ local sdat = util.ubus("session", "get", { ubus_rpc_session = sid })
+
+ if type(sdat) == "table" and
+ type(sdat.values) == "table" and
+ type(sdat.values.token) == "string" and
+ (not allowed_users or
+ util.contains(allowed_users, sdat.values.username))
+ then
+ return sid, sdat.values
+ end
+
+ return nil, nil
+end
+
+local function session_setup(user, pass, allowed_users)
+ if util.contains(allowed_users, user) then
+ local login = util.ubus("session", "login", {
+ username = user,
+ password = pass,
+ timeout = tonumber(luci.config.sauth.sessiontime)
+ })
+
+ if type(login) == "table" and
+ type(login.ubus_rpc_session) == "string"
+ then
+ util.ubus("session", "set", {
+ ubus_rpc_session = login.ubus_rpc_session,
+ values = { token = sys.uniqueid(16) }
+ })
+
+ return session_retrieve(login.ubus_rpc_session)
+ end
+ end
+
+ return nil, nil
+end
+