kennethreitz-archive/www.gittip.com
1
0
Fork 0
mirror of https://github.com/kennethreitz-archive/www.gittip.com.git synced 2026-06-21 15:50:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
deactivate-button
www.gittip.com/www/on/take-over.html
T
Chad Whitacre 602e70fd23 Implement "Connect account" UI; #406
2012-12-17 14:45:16 -05:00

37 lines
1.1 KiB
HTML
Raw Permalink Blame History

from aspen import Response
from gittip.elsewhere.github import GitHubAccount
from gittip.elsewhere.twitter import TwitterAccount
# ====== ^L
if user.ANON or not POST:
raise Response(404)
platform = body['platform']
if platform not in ('github', 'twitter'):
raise Response(400, "bad platform: %s" % platform)
user_id = body['user_id']
if not user_id:
raise Response(400, "no user_id")
# Look for a connect_token.
# =========================
# CSRF isn't enough to protect against unauthorized take_overs. Someone need
# only find their own CSRF header and use that. We need a token specific to the
# connection request.
connect_key = (user.id, platform, user_id)
expected = website.connect_tokens.pop(connect_key, None)
actual = body.get('connect_token')
if expected is None or actual != expected:
msg = str("Is %s gaming us? %s:%s" % (user.id, expected, actual))
raise Response(400, msg)
account = (GitHubAccount if platform == 'github' else TwitterAccount)(user_id)
user.take_over(account, have_confirmation=True)
request.redirect('/about/me.html')
# ====== ^L
Reference in New Issue View Git Blame Copy Permalink