Merge branch 'dev' of https://git.coding.net/jumpserver/jumpserver into dev

2015-12-10 14:40:45 +08:00 · 2015-12-10 14:40:45 +08:00 · e9fe871af3
parent 80b1bda51c e117cd003f
commit e9fe871af3
4 changed files with 26 additions and 3 deletions
--- a/jumpserver/api.py
+++ b/jumpserver/api.py
@ -484,5 +484,18 @@ def get_tmp_dir():
    mkdir(dir_name, mode=0777)
    return dir_name

+
+def defend_attack(func):
+    def _deco(request, *args, **kwargs):
+        if int(request.session.get('visit', 1)) > 5:
+            return HttpResponse('Forbidden', status=403)
+        request.session['visit'] = request.session.get('visit', 1) + 1
+        request.session.set_expiry(300)
+        logger.debug(request.session.get('visit'))
+        return func(request, *args, **kwargs)
+    return _deco
+
+
+
 CRYPTOR = PyCrypt(KEY)
 logger = set_log(LOG_LEVEL)
--- a/jumpserver/views.py
+++ b/jumpserver/views.py
@ -164,6 +164,7 @@ def is_latest():
        pass


+@defend_attack
 def Login(request):
    """登录界面"""
    error = ''
@ -207,11 +208,13 @@ def Login(request):
    return render_to_response('login.html', {'error': error})


+@require_role('user')
 def Logout(request):
    logout(request)
    return HttpResponseRedirect('/login/')


+@require_role('admin')
 def setting(request):
    header_title, path1 = '项目设置', '设置'
    setting_default = get_object(Setting, name='default')
--- a/juser/views.py
+++ b/juser/views.py
@ -268,7 +268,7 @@ def send_mail_retry(request):
    跳板机地址： %s
    用户名：%s
    重设密码：%s/juser/forget_password/
-    请登录web重新生成key
+    请登录web点击个人信息页面重新生成ssh密钥
    """ % (URL, user.username, URL)

    try:
@ -278,11 +278,14 @@ def send_mail_retry(request):
    return HttpResponse('发送成功')


+@defend_attack
 def forget_password(request):
    if request.method == 'POST':
+        defend_attack(request)
        email = request.POST.get('email', '')
        username = request.POST.get('username', '')
-        user = get_object(User, username=username, email=email)
+        name = request.POST.get('name', '')
+        user = get_object(User, username=username, email=email, name=name)
        if user:
            timestamp = int(time.time())
            hash_encode = PyCrypt.md5_crypt(str(user.uuid) + str(timestamp) + KEY)
@ -393,6 +396,7 @@ def user_edit(request):
    return my_render('juser/user_edit.html', locals(), request)


+@require_role('user')
 def profile(request):
    user_id = request.user.id
    if not user_id:
--- a/templates/juser/forget_password.html
+++ b/templates/juser/forget_password.html
@ -16,7 +16,7 @@
 <body class="gray-bg">

    <div class="lock-word animated fadeInDown">
-        <span class="first-word">Jumperver</span>
+        <span class="first-word">Jumpserver</span>
    </div>
    <div class="middle-box text-center lockscreen animated fadeInDown">
        <div>
@ -35,6 +35,9 @@
                <div class="form-group">
                    <input type="text" name='username' class="form-control" placeholder="Username" required="">
                </div>
+                <div class="form-group">
+                    <input type="text" name='name' class="form-control" placeholder="Name" required="">
+                </div>
                <div class="form-group">
                    <input type="text" name='email' class="form-control" placeholder="Email" required="">
                </div>