38
38
from zope.event import notify
39
39
from zope.interface import implements, providedBy
40
40
from zope.publisher.interfaces import IPublishTraverse, Retry
41
from zope.publisher.interfaces.browser import IDefaultSkin, IBrowserRequest
41
from zope.publisher.interfaces.browser import (
42
IDefaultSkin, IBrowserRequest, IBrowserApplicationRequest)
42
43
from zope.publisher.publish import mapply
43
44
from zope.security.proxy import removeSecurityProxy
44
45
from zope.security.management import newInteraction
63
64
from canonical.launchpad.webapp.menu import structured
64
65
from canonical.launchpad.webapp.opstats import OpStats
65
66
from lazr.uri import URI, InvalidURIError
67
from lazr.restful.interfaces import IWebServiceClientRequest
66
68
from canonical.launchpad.webapp.vhosts import allvhosts
313
315
The OffsiteFormPostError exception is raised if the following
315
1. the request method is POST
316
2. the HTTP referer header is not empty
317
3. the host portion of the referrer is not a registered vhost
317
1. the request method is POST *AND*
318
2. a. the HTTP referer header is empty *OR*
319
b. the host portion of the referrer is not a registered vhost
319
321
if request.method != 'POST':
325
327
if request['PATH_INFO'] == '/+openid':
329
if (IWebServiceClientRequest.providedBy(request) or
330
not IBrowserRequest.providedBy(request) or
331
'oauth_consumer_key' in request.form or
332
'oauth_token' in request.form):
333
# We only want to check for the referrer header if we are in
334
# the middle of a browser request. If it is a webservice
335
# request (which extends a normal browser request) or an
336
# XMLRPC request (which doesn't), we can just return.
337
# Checking for an oauth request is messy, because it is
338
# still a browser request. Even though it is far from
339
# satisfying, we check for the specified form fields because
340
# it works and another better approach has not yet come to
342
# XXX gary 2010-03-09 bug=535122
343
# Actually, the oauth_token should always be in a normal POST
344
# request with a REFERER header, so we should be able to remove
345
# that condition when the launchpadlib bug referenced above is
327
348
referrer = request.getHeader('referer') # match HTTP spec misspelling
350
raise OffsiteFormPostError('No value for REFERER header')
330
351
# XXX: jamesh 2007-04-26 bug=98437:
331
352
# The Zope testing infrastructure sets a default (incorrect)
332
353
# referrer value of "localhost" or "localhost:9000" if no