Commit fd85d088 authored by Robert Czechowski's avatar Robert Czechowski
Browse files

Use csrf token for contest start, match naming of csrf tokens

parent 3727cc51
Pipeline #198 passed with stage
in 20 minutes and 28 seconds
......@@ -206,6 +206,7 @@ pub fn show_contest<T: MedalConnection>(conn: &T, contest_id: i32, session_token
data.insert("firstname".to_string(), to_json(&session.firstname));
data.insert("lastname".to_string(), to_json(&session.lastname));
data.insert("teacher".to_string(), to_json(&session.is_teacher));
data.insert("csrf_token".to_string(), to_json(&session.csrf_token));
}
if c.duration == 0 {
data.insert("can_start".to_string(), to_json(&true));
......@@ -299,16 +300,21 @@ pub fn show_contest_results<T: MedalConnection>(conn: &T, contest_id: i32, sessi
}
//TODO: use csrf_token
pub fn start_contest<T: MedalConnection>(conn: &T, contest_id: i32, session_token: &str, _csrf_token: &str)
pub fn start_contest<T: MedalConnection>(conn: &T, contest_id: i32, session_token: &str, csrf_token: &str)
-> MedalResult<()> {
//TODO: use data or remove?
let _data = json_val::Map::new();
let _ = conn.get_session_or_new(&session_token);
// TODO: Should check if logged in or anonymous!
// TODO: Is _or_new the right semantic?
let session = conn.get_session_or_new(&session_token);
//.ensure_logged_in()
//.ok_or(MedalError::AccessDenied)?;
if session.is_logged_in() && session.csrf_token != csrf_token {
return Err(MedalError::CsrfCheckFailed);
}
match conn.new_participation(&session_token, contest_id) {
Ok(_) => Ok(()),
_ => Err(MedalError::AccessDenied),
_ => Err(MedalError::AccessDenied), // Contest already started TODO: Maybe redirect to page with hint
}
}
......@@ -450,7 +456,7 @@ pub fn show_task<T: MedalConnection>(conn: &T, task_id: i32, session_token: &str
data.insert("contestname".to_string(), to_json(&c.name));
data.insert("name".to_string(), to_json(&tg.name));
data.insert("taskid".to_string(), to_json(&task_id));
data.insert("csrftoken".to_string(), to_json(&session.csrf_token));
data.insert("csrf_token".to_string(), to_json(&session.csrf_token));
data.insert("taskpath".to_string(), to_json(&taskpath));
data.insert("contestid".to_string(), to_json(&c.id));
data.insert("seconds_left".to_string(), to_json(&left_secs));
......@@ -485,7 +491,7 @@ pub fn show_groups<T: MedalConnection>(conn: &T, session_token: &str) -> MedalVa
code: g.groupcode.clone() })
.collect();
data.insert("group".to_string(), to_json(&v));
data.insert("csrftoken".to_string(), to_json(&session.csrf_token));
data.insert("csrf_token".to_string(), to_json(&session.csrf_token));
Ok(("groups".to_string(), data))
}
......@@ -542,7 +548,7 @@ pub fn add_group<T: MedalConnection>(conn: &T, session_token: &str, csrf_token:
.ok_or(MedalError::AccessDenied)?;
if session.csrf_token != csrf_token {
return Err(MedalError::AccessDenied); // CsrfError
return Err(MedalError::CsrfCheckFailed);
}
let group_code: String = Some('g').into_iter()
......@@ -553,7 +559,7 @@ pub fn add_group<T: MedalConnection>(conn: &T, session_token: &str, csrf_token:
})
.take(7)
.collect();
// todo: check for collisions
// TODO: check for collisions
let mut group =
Group { id: None, name: name, groupcode: group_code, tag: tag, admin: session.id, members: Vec::new() };
......@@ -598,7 +604,7 @@ pub fn show_profile<T: MedalConnection>(conn: &T, session_token: &str, user_id:
}
data.insert("ownprofile".into(), to_json(&true));
data.insert("csrftoken".to_string(), to_json(&session.csrf_token));
data.insert("csrf_token".to_string(), to_json(&session.csrf_token));
if let Some(query) = query_string {
if query.starts_with("status=") {
......@@ -632,7 +638,7 @@ pub fn show_profile<T: MedalConnection>(conn: &T, session_token: &str, user_id:
data.insert("ownprofile".into(), to_json(&false));
data.insert("csrftoken".to_string(), to_json(&session.csrf_token));
data.insert("csrf_token".to_string(), to_json(&session.csrf_token));
if let Some(query) = query_string {
if query.starts_with("status=") {
......
......@@ -482,13 +482,13 @@ mod tests {
let content = resp.text().unwrap();
assert!(content.contains("Gruppe anlegen"));
let params = [("name", "WrongGroupname"), ("tag", "WrongMarker"), ("csrf", "76CfTPJaoz")];
let params = [("name", "WrongGroupname"), ("tag", "WrongMarker"), ("csrf_token", "76CfTPJaoz")];
let resp = client.post("http://localhost:8084/group/").form(&params).send().unwrap();
assert_eq!(resp.status(), StatusCode::FORBIDDEN);
let pos = content.find("type=\"hidden\" name=\"csrf\" value=\"").expect("CSRF-Token not found");
let csrf = &content[pos + 33..pos + 43];
let params = [("name", "Groupname"), ("tag", "Marker"), ("csrf", csrf)];
let pos = content.find("type=\"hidden\" name=\"csrf_token\" value=\"").expect("CSRF-Token not found");
let csrf = &content[pos + 39..pos + 49];
let params = [("name", "Groupname"), ("tag", "Marker"), ("csrf_token", csrf)];
let resp = client.post("http://localhost:8084/group/").form(&params).send().unwrap();
assert_eq!(resp.status(), StatusCode::FOUND);
......@@ -554,7 +554,6 @@ mod tests {
assert_eq!(resp.status(), StatusCode::OK);
let content = resp.text().unwrap();
println!("{}", content);
assert!(content.contains("PublicContestName"));
assert!(content.contains("InfiniteContestName"));
//assert!(content.contains("PrivateContestName"));
......@@ -566,21 +565,19 @@ mod tests {
assert_eq!(resp.status(), StatusCode::OK);
let content = resp.text().unwrap();
println!("{}", content);
assert!(content.contains("PublicContestName"));
assert!(!content.contains("InfiniteContestName"));
assert!(!content.contains("PrivateContestName"));
assert!(!content.contains("WrongContestName"));
assert!(!content.contains("RenamedContestName"));
let params = [("csrftoken", "76CfTPJaoz")];
let params = [("csrf_token", "76CfTPJaoz")];
let resp = client.post("http://localhost:8085/contest/1").form(&params).send().unwrap();
assert_eq!(resp.status(), StatusCode::FORBIDDEN);
let pos = content.find("type=\"hidden\" name=\"csrftoken\" value=\"").expect("CSRF-Token not found");
let csrf = &content[pos + 38..pos + 48];
println!("==={}===", csrf);
let params = [("csrftoken", csrf)];
let pos = content.find("type=\"hidden\" name=\"csrf_token\" value=\"").expect("CSRF-Token not found");
let csrf = &content[pos + 39..pos + 49];
let params = [("csrf_token", csrf)];
let resp = client.post("http://localhost:8085/contest/1").form(&params).send().unwrap();
assert_eq!(resp.status(), StatusCode::FOUND);
})
......
......@@ -352,7 +352,7 @@ fn contest_post<C>(req: &mut Request) -> IronResult<Response>
let csrf_token = {
let formdata = itry!(req.get_ref::<UrlEncodedBody>());
iexpect!(formdata.get("csrftoken"))[0].to_owned()
iexpect!(formdata.get("csrf_token"))[0].to_owned()
};
// TODO: Was mit dem Result?
......@@ -470,7 +470,7 @@ fn submission_post<C>(req: &mut Request) -> IronResult<Response>
let session_token = req.expect_session_token()?;
let (csrf_token, data, grade, subtask) = {
let formdata = iexpect!(req.get_ref::<UrlEncodedBody>().ok());
(iexpect!(formdata.get("csrf"),(status::BadRequest, mime!(Text/Html), format!("400 Bad Request")))[0].to_owned(),
(iexpect!(formdata.get("csrf_token"),(status::BadRequest, mime!(Text/Html), format!("400 Bad Request")))[0].to_owned(),
iexpect!(formdata.get("data"),(status::BadRequest, mime!(Text/Html), format!("400 Bad Request")))[0].to_owned(),
iexpect!(formdata.get("grade").unwrap_or(&vec!["0".to_owned()])[0].parse::<i32>().ok(),(status::BadRequest, mime!(Text/Html), format!("400 Bad Request"))),
formdata.get("subtask").map(|x| x[0].to_owned()),
......@@ -540,16 +540,14 @@ fn new_group<C>(req: &mut Request) -> IronResult<Response>
where C: MedalConnection + std::marker::Send + 'static {
let session_token = req.require_session_token()?;
let (csrf, name, tag) = {
let (csrf_token, name, tag) = {
let formdata = iexpect!(req.get_ref::<UrlEncodedBody>().ok());
(iexpect!(formdata.get("csrf"),(status::BadRequest, mime!(Text/Html), format!("400 Bad Request")))[0].to_owned(),
(iexpect!(formdata.get("csrf_token"),(status::BadRequest, mime!(Text/Html), format!("400 Bad Request")))[0].to_owned(),
iexpect!(formdata.get("name"),(status::BadRequest, mime!(Text/Html), format!("400 Bad Request")))[0].to_owned(),
iexpect!(formdata.get("tag"),(status::BadRequest, mime!(Text/Html), format!("400 Bad Request")))[0].to_owned())
};
println!("{}", csrf);
println!("{}", name);
let group_id = with_conn![functions::add_group, C, req, &session_token, &csrf, name, tag].aug(req)?;
let group_id = with_conn![functions::add_group, C, req, &session_token, &csrf_token, name, tag].aug(req)?;
Ok(Response::with((status::Found, Redirect(url_for!(req, "group", "groupid" => format!("{}",group_id))))))
}
......@@ -571,7 +569,7 @@ fn profile_post<C>(req: &mut Request) -> IronResult<Response>
let session_token = req.expect_session_token()?;
let (csrf_token, firstname, lastname, street, zip, city, pwd, pwd_repeat, grade) = {
let formdata = itry!(req.get_ref::<UrlEncodedBody>());
(iexpect!(formdata.get("csrftoken"))[0].to_owned(),
(iexpect!(formdata.get("csrf_token"))[0].to_owned(),
iexpect!(formdata.get("firstname"))[0].to_owned(),
iexpect!(formdata.get("lastname"))[0].to_owned(),
formdata.get("street").map(|x| x[0].to_owned()),
......@@ -623,7 +621,7 @@ fn user_post<C>(req: &mut Request) -> IronResult<Response>
let session_token = req.expect_session_token()?;
let (csrf_token, firstname, lastname, street, zip, city, pwd, pwd_repeat, grade) = {
let formdata = itry!(req.get_ref::<UrlEncodedBody>());
(iexpect!(formdata.get("csrftoken"))[0].to_owned(),
(iexpect!(formdata.get("csrf_token"))[0].to_owned(),
iexpect!(formdata.get("firstname"))[0].to_owned(),
iexpect!(formdata.get("lastname"))[0].to_owned(),
formdata.get("street").map(|x| x[0].to_owned()),
......
......@@ -28,7 +28,7 @@ window.save_task_object = function (object, callback) {
if (!callback) callback = function(data){}; // is this necessary?
var params = {
csrf: window.hashdict["csrftoken"],
csrf_token: window.hashdict["csrftoken"],
data: JSON.stringify(object)
}
$.post("/save/" + window.hashdict["taskid"], params, callback, "json").fail(function(){
......@@ -54,7 +54,7 @@ window.save_subtask_object = function (subtaskname, object, callback) {
var params = {
subtask: subtaskname,
csrf: window.hashdict["csrftoken"],
csrf_token: window.hashdict["csrftoken"],
data: JSON.stringify(object)
}
$.post("/save/" + window.hashdict["taskid"], params, callback, "json").fail(function(){
......
......@@ -29,7 +29,7 @@ window.save_task_object = function (object, grade, callback) {
if (!callback) callback = function(data){};
var params = {
csrf: window.hashdict["csrftoken"],
csrf_token: window.hashdict["csrftoken"],
data: JSON.stringify(object),
grade: JSON.stringify(grade)
}
......@@ -57,7 +57,7 @@ window.save_subtask_object = function (subtaskname, object, grade, callback) {
var params = {
subtask: subtaskname,
csrf: window.hashdict["csrftoken"],
csrf_token: window.hashdict["csrftoken"],
data: JSON.stringify(object),
grade: JSON.stringify(grade)
}
......
......@@ -39,7 +39,7 @@ Punktestand: {{ total_points }} ★ / {{ max_total_points }} ☆ &nbsp; ({{ rela
{{#if can_start}}
<p>
<form action="" method="post">
<input type="hidden" name="csrftoken" value="{{csrftoken}}">
<input type="hidden" name="csrf_token" value="{{csrf_token}}">
<input type="submit" value="Jetzt starten!">
</form>
</p>
......
......@@ -8,7 +8,7 @@
<input name="name">
Marker:
<input name="tag" placeholder="optional">
<input type="hidden" name="csrf" value="{{csrftoken}}">
<input type="hidden" name="csrf_token" value="{{csrf_token}}">
<input type="submit" value="Neue Gruppe anlegen">
</form>
</p>
......
......@@ -64,7 +64,7 @@
</tr>
{{/if}}
<tr>
<td></td><td><input type="hidden" name="csrftoken" value="{{ csrftoken }}"><input type="submit" value="Speichern"></td>
<td></td><td><input type="hidden" name="csrf_token" value="{{ csrf_token }}"><input type="submit" value="Speichern"></td>
</tr>
</table>
</form>
......
......@@ -185,7 +185,7 @@ else {
</div>
</div>
<iframe src="/{{taskpath}}#taskid={{taskid}}&csrftoken={{csrftoken}}" name="taskframe">Leider unterstützt ihr Browser keine Frames. Sie können die Aufgabe auch manuell aufrufen: <a href="/{{taskpath}}#taskid={{taskid}}&csrftoken={{csrftoken}}">Aufgabe manuell bearbeiten</a>.</iframe>
<iframe src="/{{taskpath}}#taskid={{taskid}}&csrftoken={{csrf_token}}" name="taskframe">Leider unterstützt ihr Browser keine Frames. Sie können die Aufgabe auch manuell aufrufen: <a href="/{{taskpath}}#taskid={{taskid}}&csrftoken={{csrf_token}}">Aufgabe manuell bearbeiten</a>.</iframe>
</body></html>
......
......@@ -97,7 +97,7 @@
{{#if can_start}}
<p>
<form action="" method="post">
<input type="hidden" name="csrftoken" value="{{csrftoken}}">
<input type="hidden" name="csrf_token" value="{{csrf_token}}">
<input class="button is-warning" type="submit" value="⏱ &nbsp; Jetzt starten!">
</form>
</p>
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment