BryanDavis has uploaded a new change for review. https://gerrit.wikimedia.org/r/316026
Change subject: Check request ip for account creation blocks on Wikitech ...................................................................... Check request ip for account creation blocks on Wikitech Add a check for nocreate blocks tied to the remote ip on all account creation steps. Bug: T147024 Change-Id: I2a04b4d201d3e68f70f9f9dd88ab251fcb504ef4 --- M striker/mediawiki.py M striker/register/utils.py M striker/register/views.py 3 files changed, 65 insertions(+), 13 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/labs/striker refs/changes/26/316026/1 diff --git a/striker/mediawiki.py b/striker/mediawiki.py index 2cd3992..a306ad9 100644 --- a/striker/mediawiki.py +++ b/striker/mediawiki.py @@ -82,7 +82,15 @@ result = self.site.api( 'query', formatversion=2, meta='allmessages', - ammessages=message, amargs='|'.join(params), amlang=lang, + ammessages=message, amargs='|'.join(params), amlang=lang ) # TODO: error handling return result['query']['allmessages'][0]['content'] + + def query_blocks_ip(self, ip): + result = self.site.api( + 'query', formatversion=2, + list='blocks', + bkip=ip + ) + return result['query']['blocks'] diff --git a/striker/register/utils.py b/striker/register/utils.py index 3f2b21c..4c3aa27 100644 --- a/striker/register/utils.py +++ b/striker/register/utils.py @@ -94,3 +94,15 @@ logger.exception('Failed to get expanded message for %s', user) ret['error'] = user['cancreateerror'][0]['message'] return ret + + +def check_ip_blocked_from_create(ip): + """Check to see if an ip address is banned from creating accounts. + + Returns a block reason or False if not blocked. + """ + res = mwapi.query_blocks_ip(ip) + for block in res: + if block['nocreate']: + return block['reason'] + return False diff --git a/striker/register/views.py b/striker/register/views.py index 09a930b..85012e8 100644 --- a/striker/register/views.py +++ b/striker/register/views.py 
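Review bot: `query_blocks_ip` in striker/mediawiki.py has no docstring and no handling for a failed API call or a response without `query.blocks`, the same gap the method above it already marks with `# TODO: error handling`. An exception or `KeyError` here will propagate into every view wrapped by the new `check_ip` decorator in striker/register/views.py. That fails closed, which is the safer direction for a block check, but it should be a stated decision rather than an accident. Suggest a docstring such as `"""Return the blocks that apply to the given IP address, range blocks included."""` and a comment that errors are deliberately left to propagate. The enclosing class starts outside the hunk.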
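Review bot: `check_ip_blocked_from_create` in striker/register/utils.py returns either a reason string or `False`, and a nocreate block with an empty reason yields `''`, which is also falsy. The one caller in this change compares with `is not False`, so it works today, but a later caller writing `if block:` would let such a block through. The docstring should say that callers must test identity against `False`, or the function could return a non-empty fallback, e.g. `return block['reason'] or 'no reason given'`. The truthiness test on `block['nocreate']` also appears to be correct only because `query_blocks_ip` requests `formatversion=2`, where flags come back as booleans. A comment tying the two together would prevent a silent fail-open if that parameter is ever changed.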
@@ -34,8 +34,6 @@ from formtools.wizard.views import NamedUrlSessionWizardView from striker.labsauth.models import LabsUser -from striker.labsauth.utils import add_ldap_user -from striker.labsauth.utils import oauth_from_session from striker.register import forms from striker.register import utils @@ -44,10 +42,11 @@ def oauth_required(f): + """Decorator to ensure that OAuth data is present in session.""" @functools.wraps(f) def decorated(*args, **kwargs): req = args[0] - oauth = oauth_from_session(req.session) + oauth = utils.oauth_from_session(req.session) if oauth['username'] is None: messages.error( req, _('Please login with your Wikimedia unified account')) 
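Review bot: The direct imports of `add_ldap_user` and `oauth_from_session` from `striker.labsauth.utils` are removed here and the call sites now go through `utils.`, i.e. `striker.register.utils`, but the register/utils.py hunk in this change neither defines nor imports either name. Presumably that module already imports them from labsauth. If so, the views now depend on an incidental re-export; if not, `oauth_required` and `AccountWizard.done` will raise `AttributeError` at request time. The same substitution appears in the later views.py hunks (`oauth`, `get_form_initial`, `get_context_data`, `done`). Suggest keeping the explicit imports, or adding a comment in register/utils.py that the names are re-exported on purpose.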
@@ -56,18 +55,49 @@ return decorated +def anon_required(f): + """Decorator to ensure that user is not logged in.""" + @functools.wraps(f) + def decorated(*args, **kwargs): + req = args[0] + if not req.user.is_anonymous(): + messages.error( + req, _('Logged in users can not create new accounts.')) + return shortcuts.redirect(urlresolvers.reverse('index')) + return f(*args, **kwargs) + return decorated + + +def check_ip(f): + """Decorator to ensure that remote ip is not blocked.""" + @functools.wraps(f) + def decorated(*args, **kwargs): + req = args[0] + block = utils.check_ip_blocked_from_create(req.META['REMOTE_ADDR']) + if block is not False: + messages.error( + req, + _( + 'Your IP address has been blocked from creating accounts. ' + 'The reason given was: "%(reason)s"' + ) % {'reason': block}) + return shortcuts.redirect(urlresolvers.reverse('index')) + return f(*args, **kwargs) + return decorated + + +@anon_required +@check_ip def index(req): ctx = {} - if not req.user.is_anonymous(): - messages.error( - req, _('Logged in users can not create new accounts.')) - return shortcuts.redirect(urlresolvers.reverse('index')) return shortcuts.render(req, 'register/index.html', ctx) +@anon_required +@check_ip @oauth_required def oauth(req): - oauth = oauth_from_session(req.session) + oauth = utils.oauth_from_session(req.session) if not utils.sul_available(oauth['username']): messages.error( req, _('Wikimedia unified account is already in use.')) @@ -120,6 +150,8 @@ ('confirm', forms.Confirm), ] + @method_decorator(anon_required) + @method_decorator(check_ip) @method_decorator(oauth_required) def dispatch(self, *args, **kwargs): return super(AccountWizard, self).dispatch(*args, **kwargs) @@ -128,7 +160,7 @@ return ['register/%s.html' % self.steps.current] def get_form_initial(self, step): - oauth = oauth_from_session(self.request.session) + oauth = utils.oauth_from_session(self.request.session) if step == 'ldap': # Suggest SUL username as LDAP username return { 
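Review bot: `check_ip` looks up `req.META['REMOTE_ADDR']`, which is the address of the directly connected peer. If Striker runs behind a reverse proxy or load balancer (not visible from this diff), every request is checked against the proxy's address, so a blocked client passes and a block on the proxy address locks everyone out. In that case the client address should be taken from the forwarded header only when the peer is a known proxy, never from an unconditionally trusted `X-Forwarded-For`. A comment on `check_ip` should state which address is being checked. The decorator also makes one MediaWiki API call per request on `index`, `oauth` and every `AccountWizard.dispatch` step, and any exception from that call surfaces as an error page, so the failure should be logged before it propagates.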
@@ -161,7 +193,7 @@ def get_context_data(self, form, **kwargs): context = super(AccountWizard, self).get_context_data( form=form, **kwargs) - oauth = oauth_from_session(self.request.session) + oauth = utils.oauth_from_session(self.request.session) if self.steps.current == 'confirm': context.update({ 'forms': self._get_all_forms(), @@ -172,8 +204,8 @@ return context def done(self, form_list, form_dict, **kwargs): - oauth = oauth_from_session(self.request.session) - ldap_user = add_ldap_user( + oauth = utils.oauth_from_session(self.request.session) + ldap_user = utils.add_ldap_user( form_dict['ldap'].cleaned_data['username'], form_dict['shell'].cleaned_data['shellname'], form_dict['password'].cleaned_data['passwd'], -- To view, visit https://gerrit.wikimedia.org/r/316026 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2a04b4d201d3e68f70f9f9dd88ab251fcb504ef4 Gerrit-PatchSet: 1 Gerrit-Project: labs/striker Gerrit-Branch: master Gerrit-Owner: BryanDavis <bda...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits