diff options
Diffstat (limited to 'modules/luci-base')
-rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 52 |
1 files changed, 14 insertions, 38 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index df562dd5d..bb02912f4 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -113,24 +113,11 @@ function authenticator.htmlauth(validator, accs, default) return user end - if context.urltoken.stok then - context.urltoken.stok = nil - - local cookie = 'sysauth=%s; expires=%s; path=%s/' %{ - http.getcookie('sysauth') or 'x', - 'Thu, 01 Jan 1970 01:00:00 GMT', - build_url() - } - - http.header("Set-Cookie", cookie) - http.redirect(build_url()) - else - require("luci.i18n") - require("luci.template") - context.path = {} - http.status(403, "Forbidden") - luci.template.render("sysauth", {duser=default, fuser=user}) - end + require("luci.i18n") + require("luci.template") + context.path = {} + http.status(403, "Forbidden") + luci.template.render("sysauth", {duser=default, fuser=user}) return false @@ -151,18 +138,8 @@ function httpdispatch(request, prefix) end end - local tokensok = true for node in pathinfo:gmatch("[^/]+") do - local tkey, tval - if tokensok then - tkey, tval = node:match(";(%w+)=([a-fA-F0-9]*)") - end - if tkey then - context.urltoken[tkey] = tval - else - tokensok = false - r[#r+1] = node - end + r[#r+1] = node end local stat, err = util.coxpcall(function() @@ -311,13 +288,14 @@ function dispatch(request) resource = luci.config.main.resourcebase; ifattr = function(...) return _ifattr(...) end; attr = function(...) return _ifattr(true, ...) end; - token = ctx.urltoken.stok; url = build_url; }, {__index=function(table, key) if key == "controller" then return build_url() elseif key == "REQUEST_URI" then return build_url(unpack(ctx.requestpath)) + elseif key == "token" then + return ctx.authtoken else return rawget(table, key) or _G[key] end @@ -340,20 +318,17 @@ function dispatch(request) local def = (type(track.sysauth) == "string") and track.sysauth local accs = def and {track.sysauth} or track.sysauth local sess = ctx.authsession - local verifytoken = false if not sess then sess = http.getcookie("sysauth") sess = sess and sess:match("^[a-f0-9]*$") - verifytoken = true end local sdat = (util.ubus("session", "get", { ubus_rpc_session = sess }) or { }).values - local user + local user, token if sdat then - if not verifytoken or ctx.urltoken.stok == sdat.token then - user = sdat.user - end + user = sdat.user + token = sdat.token else local eu = http.getenv("HTTP_AUTH_USER") local ep = http.getenv("HTTP_AUTH_PASS") @@ -390,8 +365,8 @@ function dispatch(request) sess, build_url() }) - ctx.urltoken.stok = token ctx.authsession = sess + ctx.authtoken = token ctx.authuser = user http.redirect(build_url(unpack(ctx.requestpath))) @@ -403,6 +378,7 @@ function dispatch(request) end else ctx.authsession = sess + ctx.authtoken = token ctx.authuser = user end end @@ -414,7 +390,7 @@ function dispatch(request) return end - if http.formvalue("token") ~= ctx.urltoken.stok then + if http.formvalue("token") ~= ctx.authtoken then http.status(403, "Forbidden") luci.template.render("csrftoken") return |