BryanDavis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/316026

Change subject: Check request ip for account creation blocks on Wikitech
......................................................................

Check request ip for account creation blocks on Wikitech

Add a check for nocreate blocks tied to the remote ip on all account
creation steps.

Bug: T147024
Change-Id: I2a04b4d201d3e68f70f9f9dd88ab251fcb504ef4
---
M striker/mediawiki.py
M striker/register/utils.py
M striker/register/views.py
3 files changed, 65 insertions(+), 13 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/labs/striker 
refs/changes/26/316026/1

diff --git a/striker/mediawiki.py b/striker/mediawiki.py
index 2cd3992..a306ad9 100644
--- a/striker/mediawiki.py
+++ b/striker/mediawiki.py
@@ -82,7 +82,15 @@
         result = self.site.api(
             'query', formatversion=2,
             meta='allmessages',
-            ammessages=message, amargs='|'.join(params), amlang=lang,
+            ammessages=message, amargs='|'.join(params), amlang=lang
         )
         # TODO: error handling
         return result['query']['allmessages'][0]['content']
+
+    def query_blocks_ip(self, ip):
+        result = self.site.api(
+            'query', formatversion=2,
+            list='blocks',
+            bkip=ip
+        )
+        return result['query']['blocks']
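Review bot: query_blocks_ip has no docstring and relies on the API's default block properties, while its caller in striker/register/utils.py reads `nocreate` and `reason` from every entry. Requesting them explicitly with `bkprop='reason|flags'` would keep that contract visible in one place, and a docstring such as `"""Get the list of active blocks that apply to an ip address."""` would say what the return value is. The unchecked `result['query']['blocks']` lookup also inherits the `# TODO: error handling` gap of the method above it. An API error response would presumably surface as a KeyError in the registration views, rather than as a handled failure.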
diff --git a/striker/register/utils.py b/striker/register/utils.py
index 3f2b21c..4c3aa27 100644
--- a/striker/register/utils.py
+++ b/striker/register/utils.py
@@ -94,3 +94,15 @@
             logger.exception('Failed to get expanded message for %s', user)
             ret['error'] = user['cancreateerror'][0]['message']
     return ret
+
+
+def check_ip_blocked_from_create(ip):
+    """Check to see if an ip address is banned from creating accounts.
+
+    Returns a block reason or False if not blocked.
+    """
+    res = mwapi.query_blocks_ip(ip)
+    for block in res:
+        if block['nocreate']:
+            return block['reason']
+    return False
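Review bot: check_ip_blocked_from_create does not say what happens when the block lookup itself fails, and nothing in the function catches an error from `mwapi.query_blocks_ip(ip)`. Because the check_ip decorator in striker/register/views.py calls it on every registration view, an unreachable or erroring wiki API would turn each step into an unhandled exception. Failing closed is a defensible choice for a block check, but it should be deliberate. Log the failure with `logger.exception('Failed to query blocks for %s', ip)`, the way the function above logs its own, and state in the docstring that lookup errors propagate to the caller. The docstring could also note that an empty reason string still counts as blocked, since the caller compares with `is not False`.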
diff --git a/striker/register/views.py b/striker/register/views.py
index 09a930b..85012e8 100644
--- a/striker/register/views.py
+++ b/striker/register/views.py
@@ -34,8 +34,6 @@
 from formtools.wizard.views import NamedUrlSessionWizardView
 
 from striker.labsauth.models import LabsUser
-from striker.labsauth.utils import add_ldap_user
-from striker.labsauth.utils import oauth_from_session
 from striker.register import forms
 from striker.register import utils
 
@@ -44,10 +42,11 @@
 
 
 def oauth_required(f):
+    """Decorator to ensure that OAuth data is present in session."""
     @functools.wraps(f)
     def decorated(*args, **kwargs):
         req = args[0]
-        oauth = oauth_from_session(req.session)
+        oauth = utils.oauth_from_session(req.session)
         if oauth['username'] is None:
             messages.error(
                 req, _('Please login with your Wikimedia unified account'))
@@ -56,18 +55,49 @@
     return decorated
 
 
+def anon_required(f):
+    """Decorator to ensure that user is not logged in."""
+    @functools.wraps(f)
+    def decorated(*args, **kwargs):
+        req = args[0]
+        if not req.user.is_anonymous():
+            messages.error(
+                req, _('Logged in users can not create new accounts.'))
+            return shortcuts.redirect(urlresolvers.reverse('index'))
+        return f(*args, **kwargs)
+    return decorated
+
+
+def check_ip(f):
+    """Decorator to ensure that remote ip is not blocked."""
+    @functools.wraps(f)
+    def decorated(*args, **kwargs):
+        req = args[0]
+        block = utils.check_ip_blocked_from_create(req.META['REMOTE_ADDR'])
+        if block is not False:
+            messages.error(
+                req,
+                _(
+                    'Your IP address has been blocked from creating accounts. '
+                    'The reason given was: "%(reason)s"'
+                ) % {'reason': block})
+            return shortcuts.redirect(urlresolvers.reverse('index'))
+        return f(*args, **kwargs)
+    return decorated
+
+
+@anon_required
+@check_ip
 def index(req):
     ctx = {}
-    if not req.user.is_anonymous():
-        messages.error(
-            req, _('Logged in users can not create new accounts.'))
-        return shortcuts.redirect(urlresolvers.reverse('index'))
     return shortcuts.render(req, 'register/index.html', ctx)
 
 
+@anon_required
+@check_ip
 @oauth_required
 def oauth(req):
-    oauth = oauth_from_session(req.session)
+    oauth = utils.oauth_from_session(req.session)
     if not utils.sul_available(oauth['username']):
         messages.error(
             req, _('Wikimedia unified account is already in use.'))
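Review bot: check_ip passes `req.META['REMOTE_ADDR']` to the block lookup, and that value is the address of the directly connected peer. If Striker runs behind a reverse proxy or load balancer (not visible from this change), every request would be checked against the proxy's address and a block on the real client would never match. In that deployment the client address has to come from a forwarded header that is honoured only when the peer is a known trusted proxy, otherwise the client can supply any address it likes. The assumption should at least be written down next to the lookup, for example `# REMOTE_ADDR is the direct peer; behind a proxy use a validated forwarded address instead`. The block reason shown to the user is text written by a wiki admin, so it should only reach the page through the template's normal escaping. The body of oauth continues outside this hunk.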
@@ -120,6 +150,8 @@
         ('confirm', forms.Confirm),
     ]
 
+    @method_decorator(anon_required)
+    @method_decorator(check_ip)
     @method_decorator(oauth_required)
     def dispatch(self, *args, **kwargs):
         return super(AccountWizard, self).dispatch(*args, **kwargs)
@@ -128,7 +160,7 @@
         return ['register/%s.html' % self.steps.current]
 
     def get_form_initial(self, step):
-        oauth = oauth_from_session(self.request.session)
+        oauth = utils.oauth_from_session(self.request.session)
         if step == 'ldap':
             # Suggest SUL username as LDAP username
             return {
@@ -161,7 +193,7 @@
     def get_context_data(self, form, **kwargs):
         context = super(AccountWizard, self).get_context_data(
             form=form, **kwargs)
-        oauth = oauth_from_session(self.request.session)
+        oauth = utils.oauth_from_session(self.request.session)
         if self.steps.current == 'confirm':
             context.update({
                 'forms': self._get_all_forms(),
@@ -172,8 +204,8 @@
         return context
 
     def done(self, form_list, form_dict, **kwargs):
-        oauth = oauth_from_session(self.request.session)
-        ldap_user = add_ldap_user(
+        oauth = utils.oauth_from_session(self.request.session)
+        ldap_user = utils.add_ldap_user(
             form_dict['ldap'].cleaned_data['username'],
             form_dict['shell'].cleaned_data['shellname'],
             form_dict['password'].cleaned_data['passwd'],

-- 
To view, visit https://gerrit.wikimedia.org/r/316026

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2a04b4d201d3e68f70f9f9dd88ab251fcb504ef4
Gerrit-PatchSet: 1
Gerrit-Project: labs/striker
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
