From: Ant Zucaro
Date: Sun, 11 Aug 2013 14:21:23 +0000 (-0400)
Subject: Pull the hashkey from the request headers.
X-Git-Url: https://git.rm.cloudns.org/?a=commitdiff_plain;h=26ffe42bb07e46d3dd9f938aa8315b47bfc7fa56;p=xonotic%2Fxonstat.git
Pull the hashkey from the request headers.
Instead of passing the hashkey in the URL itself, it will be passed via the blind id header similar to submissions. This will help to ensure that it is a Xonotic client or server making the request.
---
diff --git a/xonstat/views/player.py b/xonstat/views/player.py
index d299d88..fa8cde4 100644
--- a/xonstat/views/player.py
+++ b/xonstat/views/player.py
@@ -8,7 +8,7 @@ from collections import namedtuple
 from webhelpers.paginate import Page
 from xonstat.models import *
 from xonstat.util import page_url, to_json, pretty_date, datetime_seconds
-from xonstat.util import is_cake_day
+from xonstat.util import is_cake_day, verify_request
 from xonstat.views.helpers import RecentGame, recent_games_q
 log = logging.getLogger(__name__)
@@ -788,12 +788,15 @@ def player_damage_json(request):
 def player_hashkey_info_data(request):
- hashkey = request.matchdict['hashkey']
+ (idfp, status) = verify_request(request)
+
+ # if config is to *not* verify requests and we get nothing back, this
+ # query will return nothing and we'll 404.
 try:
 player = DBSession.query(Player).\
 filter(Player.player_id == Hashkey.player_id).\
 filter(Player.active_ind == True).\
- filter(Hashkey.hashkey == hashkey).one()
+ filter(Hashkey.hashkey == idfp).one()
 games_played = get_games_played(player.player_id)
 overall_stats = get_overall_stats(player.player_id)
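Review bot: In the `player_hashkey_info_data` hunk, `status` from `verify_request(request)` is unpacked and never read, and an empty `idfp` goes straight into `filter(Hashkey.hashkey == idfp)`, so a request that was not verified is rejected only because the lookup happens to fail. With SQLAlchemy a comparison against `None` is rendered as `IS NULL`, so any hashkey row stored without a value would match, and `.one()` then raises either a no-result or a multiple-results error; the `except` clause is outside the hunk, so whether both cases end in the 404 the new comment promises cannot be confirmed from here. I would add an explicit guard before the `try`, `if not idfp:` followed by the same not-found response the except path produces, and either act on `status` or add a comment such as `# status is not used here: the idfp alone identifies the player`. The function body continues past the end of the hunk.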