--- LuCI web dispatcher.
module("luci.dispatcher", package.seeall)
+require("luci.util")
require("luci.init")
require("luci.http")
require("luci.sys")
return false
end
-function authenticator.htmlauth(validator, default)
+function authenticator.htmlauth(validator, accs, default)
local user = luci.http.formvalue("username")
local pass = luci.http.formvalue("password")
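Review bot: Inserting `accs` between `validator` and `default` silently breaks the old two-argument form: a caller or custom authenticator that still passes `(validator, default)` now hands its default user in as the allowed-accounts list, and Lua raises no error for the missing third argument. The sysauth call site on this page is updated, but other callers are not visible here and should be checked. The new parameter is also undocumented; an LDoc line such as `-- @param accs table of account names that are allowed to log in` above the signature would record the contract. The body of `htmlauth` continues outside the hunk, so whether the submitted `username` is compared against `accs` before `validator` runs cannot be confirmed from here.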
local c = context.tree
local track = {}
local args = {}
+ context.args = args
local n
for i, s in ipairs(request) do
c = c.nodes[s]
n = i
- if not c or c.leaf then
+ if not c then
break
end
for k, v in pairs(c) do
track[k] = v
end
+
+ if c.leaf then
+ break
+ end
end
if c and c.leaf then
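Review bot: The reordered loop changes access-control behaviour without a comment saying so. A leaf node's own attributes are now copied into `track` before the `break`, whereas the old `if not c or c.leaf` test left the loop before the copy. As a result, attributes such as `sysauth` set directly on a leaf now reach the later `track.sysauth` check. A comment above the new `if c.leaf then` would protect this from being "simplified" back, for example `-- merge the leaf's own attributes into track first, so auth settings placed on a leaf are enforced`. The enclosing function starts and ends outside the hunk.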
tpl.context.viewns = viewns
viewns.write = luci.http.write
viewns.translate = function(...) return require("luci.i18n").translate(...) end
+ viewns.striptags = luci.util.striptags
viewns.controller = luci.http.getenv("SCRIPT_NAME")
viewns.media = luci.config.main.mediaurlbase
viewns.resource = luci.config.main.resourcebase
- viewns.REQUEST_URI = luci.http.getenv("SCRIPT_NAME") .. (luci.http.getenv("PATH_INFO") or "")
+ viewns.REQUEST_URI = (luci.http.getenv("SCRIPT_NAME") or "") .. (luci.http.getenv("PATH_INFO") or "")
if track.dependent then
local stat, err = pcall(assert, not track.auto)
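Review bot: `viewns.REQUEST_URI` is built from `SCRIPT_NAME` and `PATH_INFO`, both taken from the request, and is exposed to every template unescaped, so any template that prints it into HTML has to escape it itself. A comment on that line would make this explicit, for example `-- request-derived value: HTML-escape before writing it into markup`. The newly exported `striptags` presumably only removes tags and should not be treated as an escape for attribute context. Separately, `viewns.controller` two lines above still takes `SCRIPT_NAME` without the nil guard this change adds for `REQUEST_URI`; `viewns.controller = luci.http.getenv("SCRIPT_NAME") or ""` would keep the two consistent.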
if track.sysauth then
require("luci.sauth")
- local authen = authenticator[track.sysauth_authenticator]
+ local authen = type(track.sysauth_authenticator) == "function"
+ and track.sysauth_authenticator
+ or authenticator[track.sysauth_authenticator]
local def = (type(track.sysauth) == "string") and track.sysauth
local accs = def and {track.sysauth} or track.sysauth
- local user = luci.sauth.read(luci.http.getcookie("sysauth"))
+ local sess = luci.http.getcookie("sysauth")
+ sess = sess and sess:match("^[A-F0-9]+$")
+ local user = luci.sauth.read(sess)
if not luci.util.contains(accs, user) then
if authen then
- local user = authen(luci.sys.user.checkpasswd, def)
+ local user = authen(luci.sys.user.checkpasswd, accs, def)
if not user or not luci.util.contains(accs, user) then
return
else
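Review bot: The new `sysauth` cookie filter `sess:match("^[A-F0-9]+$")` restricts the character set but has no comment and no length bound, so an arbitrarily long hex string is still passed to `luci.sauth.read`. It also only fits if the session-id generator emits uppercase hex, which is not visible here; a mismatch would silently invalidate every session. I would add a comment such as `-- accept only well-formed hex session ids; anything else is treated as "no session"`, and compare `#sess` with the generator's id length. A rejected or missing cookie makes `sess` nil, so `luci.sauth.read` must tolerate a nil argument, as it presumably already did for a missing cookie. The `if authen then` block continues past the end of this hunk.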
luci.http.status(403, "Forbidden")
return
end
- else
- luci.http.status(403, "Forbidden")
- return
end
end