Now that sensitive urls require post requests and only accept them if a valid
security token is sent along with the request, we can drop the global random url
token to improve LuCI usability.
The main improvement is the ability to use multiple tabs with the same login
session, but also deep linking to specific urls without the need for another
login becomes feasible, e.g. for documentation purposes.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
- if context.urltoken.stok then
- context.urltoken.stok = nil
-
- local cookie = 'sysauth=%s; expires=%s; path=%s/' %{
- http.getcookie('sysauth') or 'x',
- 'Thu, 01 Jan 1970 01:00:00 GMT',
- build_url()
- }
-
- http.header("Set-Cookie", cookie)
- http.redirect(build_url())
- else
- require("luci.i18n")
- require("luci.template")
- context.path = {}
- http.status(403, "Forbidden")
- luci.template.render("sysauth", {duser=default, fuser=user})
- end
+ require("luci.i18n")
+ require("luci.template")
+ context.path = {}
+ http.status(403, "Forbidden")
+ luci.template.render("sysauth", {duser=default, fuser=user})
for node in pathinfo:gmatch("[^/]+") do
for node in pathinfo:gmatch("[^/]+") do
- local tkey, tval
- if tokensok then
- tkey, tval = node:match(";(%w+)=([a-fA-F0-9]*)")
- end
- if tkey then
- context.urltoken[tkey] = tval
- else
- tokensok = false
- r[#r+1] = node
- end
end
local stat, err = util.coxpcall(function()
end
local stat, err = util.coxpcall(function()
resource = luci.config.main.resourcebase;
ifattr = function(...) return _ifattr(...) end;
attr = function(...) return _ifattr(true, ...) end;
resource = luci.config.main.resourcebase;
ifattr = function(...) return _ifattr(...) end;
attr = function(...) return _ifattr(true, ...) end;
- token = ctx.urltoken.stok;
url = build_url;
}, {__index=function(table, key)
if key == "controller" then
return build_url()
elseif key == "REQUEST_URI" then
return build_url(unpack(ctx.requestpath))
url = build_url;
}, {__index=function(table, key)
if key == "controller" then
return build_url()
elseif key == "REQUEST_URI" then
return build_url(unpack(ctx.requestpath))
+ elseif key == "token" then
+ return ctx.authtoken
else
return rawget(table, key) or _G[key]
end
else
return rawget(table, key) or _G[key]
end
local def = (type(track.sysauth) == "string") and track.sysauth
local accs = def and {track.sysauth} or track.sysauth
local sess = ctx.authsession
local def = (type(track.sysauth) == "string") and track.sysauth
local accs = def and {track.sysauth} or track.sysauth
local sess = ctx.authsession
- local verifytoken = false
if not sess then
sess = http.getcookie("sysauth")
sess = sess and sess:match("^[a-f0-9]*$")
if not sess then
sess = http.getcookie("sysauth")
sess = sess and sess:match("^[a-f0-9]*$")
end
local sdat = (util.ubus("session", "get", { ubus_rpc_session = sess }) or { }).values
end
local sdat = (util.ubus("session", "get", { ubus_rpc_session = sess }) or { }).values
- if not verifytoken or ctx.urltoken.stok == sdat.token then
- user = sdat.user
- end
+ user = sdat.user
+ token = sdat.token
else
local eu = http.getenv("HTTP_AUTH_USER")
local ep = http.getenv("HTTP_AUTH_PASS")
else
local eu = http.getenv("HTTP_AUTH_USER")
local ep = http.getenv("HTTP_AUTH_PASS")
- ctx.urltoken.stok = token
ctx.authuser = user
http.redirect(build_url(unpack(ctx.requestpath)))
ctx.authuser = user
http.redirect(build_url(unpack(ctx.requestpath)))
end
else
ctx.authsession = sess
end
else
ctx.authsession = sess
ctx.authuser = user
end
end
ctx.authuser = user
end
end
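Review bot: The session token captured into the local at `token = sdat.token` is never stored on the context anywhere in this hunk — the removed `ctx.urltoken.stok = token` gets no `ctx.authtoken` counterpart beside either `ctx.authuser = user` assignment, while the template environment (`return ctx.authtoken`) and the form check (`http.formvalue("token") ~= ctx.authtoken`) in the other hunks now read that field. Unless it is assigned somewhere outside the visible hunks, `ctx.authtoken` stays nil, rendered forms carry no token, and a POST that simply omits the `token` field compares nil with nil and passes the check, which defeats the protection the commit message relies on. Add `ctx.authtoken = token` next to each `ctx.authuser = user`, and make the check fail closed, `if not ctx.authtoken or http.formvalue("token") ~= ctx.authtoken then`. The enclosing authentication block starts and ends outside this hunk, so the assignment may exist there; please confirm.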
- if http.formvalue("token") ~= ctx.urltoken.stok then
+ if http.formvalue("token") ~= ctx.authtoken then
http.status(403, "Forbidden")
luci.template.render("csrftoken")
return
http.status(403, "Forbidden")
luci.template.render("csrftoken")
return