From e03b4722b052c335820bc2a0a4efd9090dc1a235 Mon Sep 17 00:00:00 2001
From: ibuler
Date: Thu, 10 Dec 2015 14:10:47 +0800
Subject: [PATCH] defend attack

---
 jumpserver/api.py | 13 +++++++++++++
 jumpserver/views.py | 3 +++
 juser/views.py | 8 ++++++--
 templates/juser/forget_password.html | 5 ++++-
 4 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/jumpserver/api.py b/jumpserver/api.py
index 723a4e9e7..b1f5b2cec 100644
--- a/jumpserver/api.py
+++ b/jumpserver/api.py
@@ -484,5 +484,18 @@ def get_tmp_dir():
     mkdir(dir_name, mode=0777)
     return dir_name
 
+
+def defend_attack(func):
+    def _deco(request, *args, **kwargs):
+        if int(request.session.get('visit', 1)) > 5:
+            return HttpResponse('Forbidden', status=403)
+        request.session['visit'] = request.session.get('visit', 1) + 1
+        request.session.set_expiry(300)
+        logger.debug(request.session.get('visit'))
+        return func(request, *args, **kwargs)
+    return _deco
+
+
+
 CRYPTOR = PyCrypt(KEY)
 logger = set_log(LOG_LEVEL)
diff --git a/jumpserver/views.py b/jumpserver/views.py
index 86d0b34e8..9a880aa4b 100644
--- a/jumpserver/views.py
+++ b/jumpserver/views.py
@@ -164,6 +164,7 @@ def is_latest():
     pass
 
 
+@defend_attack
 def Login(request):
     """登录界面"""
     error = ''
@@ -207,11 +208,13 @@ def Login(request):
     return render_to_response('login.html', {'error': error})
 
 
+@require_role('user')
 def Logout(request):
     logout(request)
     return HttpResponseRedirect('/login/')
 
 
+@require_role('admin')
 def setting(request):
     header_title, path1 = '项目设置', '设置'
     setting_default = get_object(Setting, name='default')
diff --git a/juser/views.py b/juser/views.py
index a083c5d85..2b6856aa8 100644
--- a/juser/views.py
+++ b/juser/views.py
@@ -268,7 +268,7 @@ def send_mail_retry(request):
     跳板机地址: %s
     用户名:%s
     重设密码:%s/juser/forget_password/
-    请登录web重新生成key
+    请登录web点击个人信息页面重新生成ssh密钥
     """ % (URL, user.username, URL)
     try:
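Review bot: The limit in `_deco` is keyed on the requester's own session cookie (`request.session.get('visit', 1)`), so it only constrains a client that keeps presenting the same session; a fresh session starts at 1 every time, which means the check slows down a careless retry loop against `Login` or `forget_password` but is not a real brake on a deliberate one. A server-side count keyed on something the client does not choose — the submitted username, or the source address, held in the cache with a timeout — and incremented only on failed POSTs would be the robust form; as written every GET that renders the form also counts. Two smaller points: decorate the inner function with `@functools.wraps(func)` (needs `import functools` at the top of api.py) so the wrapped view keeps its `__name__` for URL resolution and logging, and give `logger.debug(request.session.get('visit'))` a message, e.g. `logger.debug('%s visit count %s', func.__name__, request.session['visit'])`, since a bare integer in the log cannot be attributed. As far as this hunk shows, `logger` is only assigned below the decorator (`logger = set_log(LOG_LEVEL)`); that works because the name is resolved when `_deco` runs, but a one-line comment saying so would help the next reader.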
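Review bot: `@defend_attack` on `Login` never resets, and the count also includes each GET that renders the form, so a user who reloads the login page several times is refused with a 403 for five minutes without a single failed attempt; `Login` (whose body continues outside this hunk) should clear the counter on a successful authentication, e.g. `request.session.pop('visit', None)` just before the success redirect. A second effect worth confirming: `request.session.set_expiry(300)` runs on the same session that becomes the authenticated session — Django's `login()` cycles the key but keeps the session data, including the stored expiry — so every user who logs in through this view appears to get a five-minute idle timeout regardless of the configured cookie age. The hunk does not show where `defend_attack` is imported into jumpserver/views.py; if the module does not already pull it in (a star import from jumpserver.api would), the decorator line fails with NameError at import time.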
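Review bot: `@require_role('user')` on `Logout` makes ending a session conditional on a role check, but a logout endpoint should work from any session state — whatever `require_role` does on failure (its definition is not in this diff), refusing the request leaves alive a session the user asked to end. Django's `logout(request)` already handles an anonymous request safely, so the decorator can be dropped from `Logout`; `@require_role('admin')` on `setting` is the right change and should stay.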
@@ -278,11 +278,14 @@ def send_mail_retry(request):
     return HttpResponse('发送成功')
 
 
+@defend_attack
 def forget_password(request):
     if request.method == 'POST':
+        defend_attack(request)
         email = request.POST.get('email', '')
         username = request.POST.get('username', '')
-        user = get_object(User, username=username, email=email)
+        name = request.POST.get('name', '')
+        user = get_object(User, username=username, email=email, name=name)
         if user:
             timestamp = int(time.time())
             hash_encode = PyCrypt.md5_crypt(str(user.uuid) + str(timestamp) + KEY)
@@ -393,6 +396,7 @@ def user_edit(request):
     return my_render('juser/user_edit.html', locals(), request)
 
 
+@require_role('user')
 def profile(request):
     user_id = request.user.id
     if not user_id:
diff --git a/templates/juser/forget_password.html b/templates/juser/forget_password.html
index 88410fdca..1ba8284c4 100644
--- a/templates/juser/forget_password.html
+++ b/templates/juser/forget_password.html
@@ -16,7 +16,7 @@
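Review bot: `defend_attack(request)` on the line after `if request.method == 'POST':` is a no-op — `defend_attack` takes a view function, so passing the request just builds an inner wrapper that is thrown away, and the view is already wrapped by the `@defend_attack` line above it; delete that line. Matching on `name` as well in `get_object(User, ...)` raises the bar for triggering a reset mail on someone else's account, but the response must not reveal whether the lookup matched, or the form becomes a way to confirm account details (the response branches, like the rest of `forget_password`, are outside this hunk). The context line `hash_encode = PyCrypt.md5_crypt(str(user.uuid) + str(timestamp) + KEY)` is unchanged by this commit, but a reset token derived from an MD5 over a timestamp deserves a follow-up: a random value from `os.urandom`, stored server-side with an expiry, is the standard form.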
- Jumperver + Jumpserver
@@ -35,6 +35,9 @@
+
+ +