This avoids the reference to PVE::AccessControl.
$delay = 0 if $delay < 0;
}
- my ($raw, $ct, $nocomp) = &$formatter($res, $res->{data}, $params, $path, $auth);
+ my $csrfgen_func = $self->can('generate_csrf_prevention_token');
+ my ($raw, $ct, $nocomp) = &$formatter($res, $res->{data}, $params, $path, $auth, $csrfgen_func);
my $resp;
if (ref($raw) && (ref($raw) eq 'HTTP::Response')) {
#return ($vmid, $node, $port);
}
+# formatters can call this when the generate a new page
+sub generate_csrf_prevention_token {
+ my ($username) = @_;
+
+ return undef; # do nothing by default
+}
+
sub auth_handler {
my ($self, $method, $rel_uri, $ticket, $token) = @_;
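Review bot: The default `generate_csrf_prevention_token` returns undef with no signal, so a server class that does not override it leaves `$self->{csrftoken}` undefined in the Bootstrap formatter's `new`; the comment above the sub should say that overriding it is what provides CSRF protection. It should also say that the sub is looked up with `$self->can(...)` and invoked as `&$csrfgen_func($username)`, that is as a plain function whose only argument is the username, so an override cannot rely on `$self`. Suggested comment: `# Formatters call this when they generate a new page. Called as a plain function with ($username); subclasses must override it to return a CSRF prevention token, the default returns undef (no token).` That wording also fixes the typo in the added comment ("when the generate").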
#};
}
-
sub rest_handler {
my ($self, $clientip, $method, $rel_uri, $auth, $params) = @_;
use HTML::Entities;
use JSON;
-use PVE::AccessControl; # to generate CSRF token
-
# Helpers to generate simple html pages using Bootstrap markup.
my $jssrc = <<_EOJS;
_EOJS
sub new {
- my ($class, $res, $url, $auth) = @_;
+ my ($class, $res, $url, $auth, $csrfgen_func) = @_;
my $self = bless {
url => $url,
js => '',
};
- if (my $username = $res->{auth}->{userid}) {
- $self->{csrftoken} = PVE::AccessControl::assemble_csrf_prevention_token($username);
+ if (my $username = $auth->{userid}) {
+ $self->{csrftoken} = &$csrfgen_func($username);
}
return $self;
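Review bot: `&$csrfgen_func($username)` is called without checking that a code reference was passed, so any caller of `new` that still uses the old four-argument form dies on an undefined code reference as soon as `$auth->{userid}` is set. Guarding the branch keeps the constructor backward-compatible: `if ($csrfgen_func && (my $username = $auth->{userid})) {`. The username is now read from `$auth` instead of `$res->{auth}`, which the commit message does not mention; if the two can ever differ, a comment stating which identity the token must be bound to would help the next reader. The body of `new` is only partly visible in this hunk.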
});
PVE::APIServer::Formatter::register_formatter($portal_format, sub {
- my ($res, $data, $param, $path, $auth) = @_;
+ my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
# fixme: clumsy!
PVE::APIServer::Formatter::Standard::prepare_response_data($portal_format, $res);
$data = $res->{data};
my $html = '';
- my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth);
+ my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth, $csrfgen_func);
if (!HTTP::Status::is_success($res->{status})) {
$html .= $doc->alert(text => "Error $res->{status}: $res->{message}");
method => 'GET',
path => "/access/ticket",
code => sub {
- my ($res, $data, $param, $path, $auth) = @_;
+ my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
- my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth);
+ my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth, $csrfgen_func);
my $html = &$login_form($doc);
method => 'POST',
path => "/access/ticket",
code => sub {
- my ($res, $data, $param, $path, $auth) = @_;
+ my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
if (HTTP::Status::is_success($res->{status})) {
my $cookie = PVE::APIServer::Formatter::create_auth_cookie(
# Note: HTTP server redirects to 'GET /access/ticket', so below
# output is not really visible.
- my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth);
+ my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth, $csrfgen_func);
my $html = &$login_form($doc);
}
PVE::APIServer::Formatter::register_formatter('json', sub {
- my ($res, $data, $param, $path, $auth) = @_;
+ my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 0;
PVE::APIServer::Formatter::register_formatter('extjs', sub {
- my ($res, $data, $param, $path, $auth) = @_;
+ my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 0;
});
PVE::APIServer::Formatter::register_formatter('htmljs', sub {
- my ($res, $data, $param, $path, $auth) = @_;
+ my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 0;
PVE::APIServer::Formatter::register_formatter('spiceconfig', sub {
- my ($res, $data, $param, $path, $auth) = @_;
+ my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 0;
});
PVE::APIServer::Formatter::register_formatter('png', sub {
- my ($res, $data, $param, $path, $auth) = @_;
+ my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 1;