Diffstat (limited to 'session_app.py')
-rwxr-xr-xsession_app.py40
1 files changed, 37 insertions, 3 deletions
diff --git a/session_app.py b/session_app.py
index 847df19..50a52fd 100755
--- a/session_app.py
+++ b/session_app.py
@@ -16,7 +16,6 @@
# preserve POST with code 307 https://stackoverflow.com/a/15480983/3569534
# Improve:
# remove session info, when logging out?
-# provide web page for adjusting settings like ldap uri
# Run:
# FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0
# Dependencies:
@@ -56,13 +55,14 @@ def requires_session(function):
if 'user' not in session:
return Response("User is not in this session.",401)
s_user = session['user']
+ s_groups = session['groups']
c_user = request.cookies.get('user')
print(f"session user: {s_user}")
print(f"cookie user: {c_user}")
if session['user'] != c_user:
return Response("Wrong user for this session!.",401)
# otherwise, everything is good!
- return function(*args,**kwargs)
+ return function(s_user, s_groups, *args,**kwargs)
# catch-all
return Response("requires session",401)
return decorated
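Review bot: `s_groups = session['groups']` raises KeyError (a 500 for the client) for any session that lacks that key — e.g. one issued before this change, or by a login path that does not store `groups` — whereas the `'user'` lookup two lines above is guarded by `if 'user' not in session`. Use `s_groups = session.get('groups', [])` so such sessions reach the views' own authorization check and are refused there instead of crashing. Because the views now decide admin access from this value, it deserves a one-line note on where the trust comes from, e.g. `# groups come from the signed Flask session, not from a client-supplied cookie like 'user' below`. The enclosing `decorated` wrapper starts before this hunk.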
@@ -205,7 +205,7 @@ def index():
@app.route("/protected/")
@requires_session
-def protected_page():
+def protected_page(user=None,groups=None):
return protected_page_real()
def protected_page_real():
@@ -358,6 +358,40 @@ def login_basic():
session['formdata'] = form
return redirect(url_for("login_ldap"),code=307)
+@app.route("/protected/settings/", methods=['GET','POST'])
+@requires_session
+def protected_settings(user,groups):
+ print(f"DEBUG: visit settings page as user {user}")
+ print(f"DEBUG: with groups {groups}")
+ if "admins" not in groups:
+ #return Response(f'<h1>Not Found</h1><p>What you were looking for is just not there.<p><a href="{ url_for("index") }">Start over</a>', 404)
+ #return Response(f'<h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>', 404)
+ return Response(f'<h1>Not Authorized</h1><p>You are not authorized to access this page.</p>', 403)
+ else:
+ if request.method == "GET":
+ return render_template(
+ 'settings.html',
+ ldap_uri=app.config['LDAP_URI']
+ )
+ elif request.method == "POST":
+ form = request.form
+ print(f"Form: {form}")
+ message = ""
+ if 'ldap_uri' not in form:
+ return Response("Invalid input.", 400)
+ else:
+ new_ldap_uri = form['ldap_uri']
+ if new_ldap_uri != app.config['LDAP_URI']:
+ app.config['LDAP_URI'] = new_ldap_uri
+ # removing LDAP_HOSTS causes get_new_ldap_server to reidentify the ldap servers for this uri.
+ if 'LDAP_HOSTS' in app.config:
+ app.config.pop('LDAP_HOSTS')
+ message += "<li>LDAP_URI</li>"
+ if "" != message:
+ message = "Settings updated:<ul>" + message + "</ul>"
+ message += f"<form action='{url_for('protected_settings')}' method='get'><input type='submit' value='Return to settings'/></form>"
+ return Response(message, 200)
+
## This bumps the session lifetime to two minutes farther out from each web request with this session.
#@app.before_request
#def make_session_permanent():
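Review bot: The POST branch of `protected_settings` rewrites `app.config['LDAP_URI']` on a request authenticated only by the session cookie, with no CSRF protection, so a page an admin merely visits can submit this form and point the application's LDAP lookups — and presumably the credentials `login_ldap` forwards — at an attacker-chosen server. Issue a per-session token on GET, have `settings.html` render it as a hidden `csrf_token` field, and reject a POST whose token does not match under `hmac.compare_digest`, with `secrets`, `hmac` and `urllib.parse.urlsplit` imported at the top of the file. The new value is also accepted unvalidated; requiring an `ldap://` or `ldaps://` scheme keeps arbitrary strings out of `get_new_ldap_server`. The update also lives only in this process's `app.config` and is not persisted, which nothing in the new code says — a comment such as `# runtime-only: not persisted and not shared with other worker processes` next to the assignment would help the next maintainer.
```python
    if request.method == "GET":
        # one-time token bound to this session; settings.html must emit it as
        # <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
        session['csrf_token'] = secrets.token_urlsafe(32)
        return render_template(
            'settings.html',
            ldap_uri=app.config['LDAP_URI'],
            csrf_token=session['csrf_token']
        )
    elif request.method == "POST":
        form = request.form
        expected = session.get('csrf_token', '')
        if not expected or not hmac.compare_digest(expected, form.get('csrf_token', '')):
            return Response("Invalid CSRF token.", 403)
        if 'ldap_uri' not in form:
            return Response("Invalid input.", 400)
        new_ldap_uri = form['ldap_uri']
        if urlsplit(new_ldap_uri).scheme not in ("ldap", "ldaps"):
            return Response("LDAP URI must use the ldap:// or ldaps:// scheme.", 400)
        # … unchanged: apply the new value, drop LDAP_HOSTS, build the message …
```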