Age | Commit message (Collapse) | Author |
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Fix links to point into Github repo instead of luci.subsignal.org
- the hint to file a bug in dispatcher
- footers of Bootstrap and Firefunk themes
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
|
|
Instead of relying on the connect-before-setuid hack, ship a proper
acl definition file whitelisting the procedures that LuCI requires
on its non-root pages.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Allows external code to perform POST and token checking manually.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Now that we don't have an url token anymore, '/cgi-bin/luci' becomes a valid
url while cookies are restricted to only '/cgi-bin/luci/' and below.
In order to ensure that the first request after login refers to a path
covered by the authentication cookie, change build_url() to always append
a trailing slash if we're referring to the base url.
This should fix the login problems mentioned in #516.
While we're touching the dispatcher, also remove remaining url token code.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Now that sensitive urls require post requests and only accept them if a valid
security token is sent along the request, we can drop the global random url
token to improve LuCI usability.
The main improvement is the ability to use multiple tabs with the same login
session, but also deep linking to specific urls without the need for another
login becomes feasible, e.g. for documentation purposes.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
* Add a generic helper function to check need for post / csrf token validation
* Remove custom token verification in cbi targets
* Support requiring post security depending on specific submit parameters,
usable through post_on() action
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Add the dispatcher infrastructure to restrict certain routes to POST
requests only in conjunction with verification of CSRF tokens.
This is the first step to get rid of the CSRF token in the url in favor
to tokens embedded in forms.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Redirect to the canonical url after login and redirect to an url without
security token if the session expired. Also make sure that the login page
is served with status code 403, not 200 to give ajax calls a chance to
detect expired sessions.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Remove luci.sauth session storage implementation and offload the session
management to the rpcd ubus backend. Also depend on rpcd due to this.
|
|
* Rename subdirectories to their repective OpenWrt package names
* Make each LuCI module its own standalone package
* Deploy a shared luci.mk which is used by each module Makefile
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|