Mercurial > p > roundup > code

annotate roundup/cgi/actions.py @ 8492:166cb2632315

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
issue2551413 - Broken MultiLink columns in CSV export (take 2) Changed how I solved this. Restored the original line that cmeerw took out, but use the 'id' field rather than the 'name' field. The if statements folowing the line change it to the 'name' field (realname if it's a user object): if there is one. Updated the tests to test for this error and exercise the code. I had to change the test to create/add messages to an issue. This required that I suppress the sending of nosy messages using SENDMAILDEBUG env var.
author John Rouillard <rouilj@ieee.org>
date Mon, 15 Dec 2025 00:04:16 -0500
parents 918792e35e0c
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1 import codecs
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
2 import csv
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
3 import re
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
4 import sys
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
5 from datetime import timedelta
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
6
7178
db06d4aeb978 unshadow stdlib token from roundup's token.
John Rouillard <rouilj@ieee.org>
parents: 7165
diff changeset
7 from roundup import hyperdb, token_r, date, password
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
8 from roundup.actions import Action as BaseAction
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
9 from roundup.anypy import urllib_
7582
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
10 from roundup.anypy.cgi_ import cgi
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
11 from roundup.anypy.html import html_escape
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
12 from roundup.anypy.strings import StringIO
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
13 from roundup.cgi import exceptions, templating
8408
e882a5d52ae5 refactor: move RateLimitExceeded to roundup.cgi.exceptions
John Rouillard <rouilj@ieee.org>
parents: 8305
diff changeset
14 from roundup.cgi.exceptions import RateLimitExceeded
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
15 from roundup.cgi.timestamp import Timestamped
8408
e882a5d52ae5 refactor: move RateLimitExceeded to roundup.cgi.exceptions
John Rouillard <rouilj@ieee.org>
parents: 8305
diff changeset
16 from roundup.exceptions import Reject, RejectRaw
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
17 from roundup.i18n import _
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
18 from roundup.mailgw import uidFromAddress
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
19 from roundup.rate_limit import Gcra, RateLimit
5717
cad18de2b988 issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents: 5652
diff changeset
20
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
21 # Also add action to client.py::Client.actions property
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
22 __all__ = ['Action', 'ShowAction', 'RetireAction', 'RestoreAction',
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
23 'SearchAction',
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
24 'EditCSVAction', 'EditItemAction', 'PassResetAction',
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
25 'ConfRegoAction', 'RegisterAction', 'LoginAction', 'LogoutAction',
8411
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
26 'NewItemAction', 'ExportCSVAction', 'ExportCSVWithIdAction',
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
27 'ReauthAction']
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
28
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
29
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
30 class Action:
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
31 loginLimit = None
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
32
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
33 def __init__(self, client):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
34 self.client = client
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
35 self.form = client.form
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
36 self.db = client.db
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
37 self.nodeid = client.nodeid
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
38 self.template = client.template
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
39 self.classname = client.classname
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
40 self.userid = client.userid
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
41 self.base = client.base
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
42 self.user = client.user
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
43 self.context = templating.context(client)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
44
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
45 def handle(self):
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
46 """Action handler procedure"""
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
47 raise NotImplementedError
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
48
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
49 def execute(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
50 """Execute the action specified by this object."""
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
51 self.permission()
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
52 return self.handle()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
53
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
54 def examine_url(self, url):
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
55 '''Return URL validated to be under self.base and properly escaped
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
56
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
57 If url not properly escaped or validation fails raise ValueError.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
58
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
59 To try to prevent XSS attacks, validate that the url that is
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
60 passed in is under self.base for the tracker. This is used to
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
61 clean up "__came_from" and "__redirect_to" form variables used
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
62 by the LoginAction and NewItemAction actions.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
63
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
64 The url that is passed in must be a properly url quoted
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
65 argument. I.E. all characters that are not valid according to
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
66 RFC3986 must be % encoded. Schema should be lower case.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
67
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
68 It parses the passed url into components.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
69
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
70 It verifies that the scheme is http or https (so a redirect can
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
71 force https even if normal access to the tracker is via http).
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
72 Validates that the network component is the same as in self.base.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
73 Validates that the path component in the base url starts the url's
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
74 path component. It not it raises ValueError. If everything
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
75 validates:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
76
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
77 For each component, Appendix A of RFC 3986 says the following
8412
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
78 are allowed::
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
79
8412
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
80 pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
81 query = *( pchar / "/" / "?" )
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
82 unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
83 pct-encoded = "%" HEXDIG HEXDIG
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
84 sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
85 / "*" / "+" / "," / ";" / "="
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
86
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
87 Checks all parts with a regexp that matches any run of 0 or
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
88 more allowed characters. If the component doesn't validate,
8412
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
89 raise ValueError. Don't attempt to ``urllib_.quote`` it. Either
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
90 it's correct as it comes in or it's a ValueError.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
91
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
92 Finally paste the whole thing together and return the new url.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
93 '''
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
94
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
95 parsed_url_tuple = urllib_.urlparse(url)
5164
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
96 if self.base:
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
97 parsed_base_url_tuple = urllib_.urlparse(self.base)
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
98 else:
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
99 raise ValueError(self._("Base url not set. Check configuration."))
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
100
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
101 info = {'url': url,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
102 'base_url': self.base,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
103 'base_scheme': parsed_base_url_tuple.scheme,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
104 'base_netloc': parsed_base_url_tuple.netloc,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
105 'base_path': parsed_base_url_tuple.path,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
106 'url_scheme': parsed_url_tuple.scheme,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
107 'url_netloc': parsed_url_tuple.netloc,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
108 'url_path': parsed_url_tuple.path,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
109 'url_params': parsed_url_tuple.params,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
110 'url_query': parsed_url_tuple.query,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
111 'url_fragment': parsed_url_tuple.fragment}
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
112
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
113 if parsed_base_url_tuple.scheme == "https":
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
114 if parsed_url_tuple.scheme != "https":
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
115 raise ValueError(self._("Base url %(base_url)s requires https."
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
116 " Redirect url %(url)s uses http.") %
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
117 info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
118 else:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
119 if parsed_url_tuple.scheme not in ('http', 'https'):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
120 raise ValueError(self._("Unrecognized scheme in %(url)s") %
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
121 info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
122
5382
1556b39fde7c Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
123 if parsed_url_tuple.netloc != parsed_base_url_tuple.netloc:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
124 raise ValueError(self._("Net location in %(url)s does not match "
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
125 "base: %(base_netloc)s") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
126
5382
1556b39fde7c Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
127 if parsed_url_tuple.path.find(parsed_base_url_tuple.path) != 0:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
128 raise ValueError(self._("Base path %(base_path)s is not a "
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
129 "prefix for url %(url)s") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
130
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
131 # I am not sure if this has to be language sensitive.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
132 # Do ranges depend on the LANG of the user??
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
133 # Is there a newer spec for URI's than what I am referencing?
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
134
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
135 # Also it really should be % HEXDIG HEXDIG that's allowed
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
136 # If %%% passes, the roundup server should be able to ignore/
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
137 # quote it so it doesn't do anything bad otherwise we have a
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
138 # different vector to handle.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
139 allowed_pattern = re.compile(r'''^[A-Za-z0-9@:/?._~%!$&'()*+,;=-]*$''')
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
140
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
141 if not allowed_pattern.match(parsed_url_tuple.path):
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
142 raise ValueError(self._("Path component (%(url_path)s) in %(url)s "
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
143 "is not properly escaped") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
144
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
145 if not allowed_pattern.match(parsed_url_tuple.params):
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
146 raise ValueError(self._("Params component (%(url_params)s) in %(url)s is not properly escaped") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
147
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
148 if not allowed_pattern.match(parsed_url_tuple.query):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
149 raise ValueError(self._("Query component (%(url_query)s) in %(url)s is not properly escaped") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
150
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
151 if not allowed_pattern.match(parsed_url_tuple.fragment):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
152 raise ValueError(self._("Fragment component (%(url_fragment)s) in %(url)s is not properly escaped") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
153
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
154 return urllib_.urlunparse(parsed_url_tuple)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
155
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
156 name = ''
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
157 permissionType = None
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
158
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
159 def permission(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
160 """Check whether the user has permission to execute this action.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
161
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
162 True by default. If the permissionType attribute is a string containing
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
163 a simple permission, check whether the user has that permission.
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
164 Subclasses must also define the name attribute if they define
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
165 permissionType.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
166
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
167 Despite having this permission, users may still be unauthorised to
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
168 perform parts of actions. It is up to the subclasses to detect this.
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
169 """
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
170 if (self.permissionType and
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
171 not self.hasPermission(self.permissionType)):
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
172 info = {'action': self.name, 'classname': self.classname}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
173 raise exceptions.Unauthorised(self._(
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
174 'You do not have permission to '
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
175 '%(action)s the %(classname)s class.') % info)
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
176
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
177 _marker = []
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
178
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
179 def hasPermission(self, permission, classname=_marker, itemid=None,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
180 property=None):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
181 """Check whether the user has 'permission' on the current class."""
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
182 if classname is self._marker:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
183 classname = self.client.classname
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
184 return self.db.security.hasPermission(permission, self.client.userid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
185 classname=classname,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
186 itemid=itemid, property=property)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
187
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
188 def gettext(self, msgid):
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
189 """Return the localized translation of msgid"""
2563
420d5c2a49d9 use client.translator instead of static translationService;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2553
diff changeset
190 return self.client.translator.gettext(msgid)
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
191
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
192 _ = gettext
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
193
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
194
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
195 class ShowAction(Action):
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
196
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
197 typere = re.compile('[@:]type')
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
198 numre = re.compile('[@:]number')
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
199
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
200 def handle(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
201 """Show a node of a particular class/id."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
202 t = n = ''
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
203 for key in self.form:
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
204 if self.typere.match(key):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
205 t = self.form[key].value.strip()
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
206 elif self.numre.match(key):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
207 n = self.form[key].value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
208 if not t:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
209 raise ValueError(self._('No type specified'))
2052
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
210 if not n:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
211 raise exceptions.SeriousError(self._('No ID entered'))
2052
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
212 try:
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
213 int(n)
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
214 except ValueError:
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
215 d = {'input': n, 'classname': t}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
216 raise exceptions.SeriousError(self._(
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
217 '"%(input)s" is not an ID (%(classname)s ID required)') % d)
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
218 url = '%s%s%s' % (self.base, t, n)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
219 raise exceptions.Redirect(url)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
220
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
221
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
222 class RetireAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
223 name = 'retire'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
224 permissionType = 'Edit'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
225
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
226 def handle(self):
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
227 """Retire the context item."""
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
228 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
229 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
230 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
231
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
232 # if we want to view the index template now, then unset the itemid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
233 # context info (a special-case for retire actions on the index page)
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
234 itemid = self.nodeid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
235 if self.template == 'index':
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
236 self.client.nodeid = None
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
237
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
238 # make sure we don't try to retire admin or anonymous
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
239 if self.classname == 'user' and \
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
240 self.db.user.get(itemid, 'username') in ('admin', 'anonymous'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
241 raise ValueError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
242 'You may not retire the admin or anonymous user'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
243
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
244 # check permission
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
245 if not self.hasPermission('Retire', classname=self.classname,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
246 itemid=itemid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
247 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
248 'You do not have permission to retire %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
249 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
250
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
251 # do the retire
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
252 self.db.getclass(self.classname).retire(itemid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
253 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
254
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
255 self.client.add_ok_message(
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
256 self._('%(classname)s %(itemid)s has been retired') % {
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
257 'classname': self.classname.capitalize(), 'itemid': itemid})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
258
3473
370bb8f3c4d1 fix permission check on RetireAction [SF#1407342]
Richard Jones <richard@users.sourceforge.net>
parents: 3469
diff changeset
259
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
260 class RestoreAction(Action):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
261 name = 'restore'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
262 permissionType = 'Edit'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
263
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
264 def handle(self):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
265 """Restore the context item."""
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
266 # ensure modification comes via POST
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
267 if self.client.env['REQUEST_METHOD'] != 'POST':
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
268 raise Reject(self._('Invalid request'))
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
269
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
270 # if we want to view the index template now, then unset the itemid
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
271 # context info (a special-case for retire actions on the index page)
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
272 itemid = self.nodeid
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
273 if self.template == 'index':
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
274 self.client.nodeid = None
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
275
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
276 # check permission
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
277 if not self.hasPermission('Restore', classname=self.classname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
278 itemid=itemid):
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
279 raise exceptions.Unauthorised(self._(
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
280 'You do not have permission to restore %(class)s'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
281 ) % {'class': self.classname})
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
282
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
283 # do the restore
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
284 self.db.getclass(self.classname).restore(itemid)
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
285 self.db.commit()
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
286
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
287 self.client.add_ok_message(
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
288 self._('%(classname)s %(itemid)s has been restored') % {
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
289 'classname': self.classname.capitalize(), 'itemid': itemid})
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
290
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
291
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
292 class SearchAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
293 name = 'search'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
294 permissionType = 'View'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
295
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
296 def handle(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
297 """Mangle some of the form variables.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
298
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
299 Set the form ":filter" variable based on the values of the filter
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
300 variables - if they're set to anything other than "dontcare" then add
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
301 them to :filter.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
302
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
303 Handle the ":queryname" variable and save off the query to the user's
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
304 query list.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
305
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
306 Split any String query values on whitespace and comma.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
307
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
308 """
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
309 self.fakeFilterVars()
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
310 queryname = self.getQueryName()
3913
00896a2acaa5 clean up query display of "Private to you" items
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3855
diff changeset
311
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
312 # editing existing query name?
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
313 old_queryname = self.getFromForm('old-queryname')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
314
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
315 # handle saving the query params
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
316 if queryname:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
317 # parse the environment and figure what the query _is_
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
318 req = templating.HTMLRequest(self.client)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
319
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
320 url = self.getCurrentURL(req)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
321
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
322 key = self.db.query.getkey()
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
323 if key:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
324 # edit the old way, only one query per name
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
325 # Note that use of queryname as key will automatically
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
326 # raise an error if there are duplicate names.
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
327 try:
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
328 qid = self.db.query.lookup(old_queryname)
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
329 if not self.hasPermission('Edit', 'query', itemid=qid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
330 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
331 "You do not have permission to edit queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
332 self.db.query.set(qid, klass=self.classname, url=url)
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
333 except KeyError:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
334 # create a query
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
335 if not self.hasPermission('Create', 'query'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
336 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
337 "You do not have permission to store queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
338 qid = self.db.query.create(name=queryname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
339 klass=self.classname, url=url)
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
340 else:
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
341 uid = self.db.getuid()
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
342
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
343 # if the queryname is being changed from the old
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
344 # (original) value, make sure new queryname is not
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
345 # already in use by user.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
346 # if in use, return to edit/search screen and let
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
347 # user change it.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
348
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
349 if old_queryname != queryname:
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
350 # we have a name change
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
351 qids = self.db.query.filter(None, {'name': queryname,
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
352 'creator': uid})
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
353 for qid in qids:
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
354 # require an exact name match
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
355 if queryname != self.db.query.get(qid, 'name'):
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
356 continue
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
357 # whoops we found a duplicate; report error and return
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
358 message = _(
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
359 "You already own a query named '%s'. "
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
360 "Please choose another name.") % (queryname)
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
361
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
362 self.client.add_error_message(message)
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
363 return
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
364
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
365 # edit the new way, query name not a key any more
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
366 # see if we match an existing private query
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
367 qids = self.db.query.filter(None, {'name': old_queryname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
368 'private_for': uid})
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
369 if not qids:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
370 # ok, so there's not a private query for the current user
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
371 # - see if there's one created by them
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
372 qids = self.db.query.filter(None, {'name': old_queryname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
373 'creator': uid})
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
374
3581
d10008f756a4 fix saving of queries [SF#1436169]
Richard Jones <richard@users.sourceforge.net>
parents: 3549
diff changeset
375 if qids and old_queryname:
2362
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
376 # edit query - make sure we get an exact match on the name
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
377 for qid in qids:
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
378 if old_queryname != self.db.query.get(qid, 'name'):
2362
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
379 continue
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
380 if not self.hasPermission('Edit', 'query', itemid=qid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
381 raise exceptions.Unauthorised(self._(
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
382 "You do not have permission to edit queries"))
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
383 self.db.query.set(qid, klass=self.classname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
384 url=url, name=queryname)
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
385 else:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
386 # create a query
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
387 if not self.hasPermission('Create', 'query'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
388 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
389 "You do not have permission to store queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
390 qid = self.db.query.create(name=queryname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
391 klass=self.classname, url=url,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
392 private_for=uid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
393
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
394 # and add it to the user's query multilink
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
395 queries = self.db.user.get(self.userid, 'queries')
2061
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
396 if qid not in queries:
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
397 queries.append(qid)
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
398 self.db.user.set(self.userid, queries=queries)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
399
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
400 # commit the query change to the database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
401 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
402
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
403 # This redirects to the index page. Add the @dispname
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
404 # url param to the request so that the query name
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
405 # is displayed.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
406 req.form.list.append(
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
407 cgi.MiniFieldStorage(
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
408 "@dispname", queryname
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
409 )
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
410 )
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
411
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
412 def fakeFilterVars(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
413 """Add a faked :filter form variable for each filtering prop."""
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
414 cls = self.db.classes[self.classname]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
415 for key in self.form:
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
416 prop = cls.get_transitive_prop(key)
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
417 if not prop:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
418 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
419 if isinstance(self.form[key], type([])):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
420 # search for at least one entry which is not empty
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
421 for minifield in self.form[key]:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
422 if minifield.value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
423 break
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
424 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
425 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
426 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
427 if not self.form[key].value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
428 continue
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
429 if isinstance(prop, hyperdb.String):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
430 v = self.form[key].value
5245
bc16d91b7a50 Fix token_split() so its one error throws ValueError w/out extra arg.
Eric S. Raymond <esr@thyrsus.com>
parents: 5217
diff changeset
431 # If this ever has unbalanced quotes, hilarity will ensue
7178
db06d4aeb978 unshadow stdlib token from roundup's token.
John Rouillard <rouilj@ieee.org>
parents: 7165
diff changeset
432 tokens = token_r.token_split(v)
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
433 if len(tokens) != 1 or tokens[0] != v:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
434 self.form.value.remove(self.form[key])
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
435 # replace the single value with the split list
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
436 for v in tokens:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
437 self.form.value.append(cgi.MiniFieldStorage(key, v))
5097
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
438 elif isinstance(prop, hyperdb.Number):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
439 try:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
440 float(self.form[key].value)
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
441 except ValueError:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
442 raise exceptions.FormError(_("Invalid number: ") +
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
443 self.form[key].value)
5097
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
444 elif isinstance(prop, hyperdb.Integer):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
445 try:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
446 val = self.form[key].value
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
447 if (str(int(val)) == val):
5097
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
448 pass
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
449 else:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
450 raise ValueError
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
451 except ValueError:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
452 raise exceptions.FormError(_("Invalid integer: ") +
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
453 val)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
454
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
455 self.form.value.append(cgi.MiniFieldStorage('@filter', key))
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
456
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
457 def getCurrentURL(self, req):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
458 """Get current URL for storing as a query.
3805
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
459
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
460 Note: We are removing the first character from the current URL,
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
461 because the leading '?' is not part of the query string.
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
462
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
463 Implementation note:
5173
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
464 We now store the template with the query if the template name is
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
465 different from 'index'
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
466 """
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
467 template = self.getFromForm('template')
6574
20d4ca71d458 Fix unwanted redirect from search index to edit on login error
John Rouillard <rouilj@ieee.org>
parents: 6468
diff changeset
468 if template and template not in ['index', 'index|search']:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
469 return req.indexargs_url('', {'@template': template})[1:]
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
470 return req.indexargs_url('', {})[1:]
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
471
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
472 def getFromForm(self, name):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
473 for key in ('@' + name, ':' + name):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
474 if key in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
475 return self.form[key].value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
476 return ''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
477
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
478 def getQueryName(self):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
479 return self.getFromForm('queryname')
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
480
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
481
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
482 class EditCSVAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
483 name = 'edit'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
484 permissionType = 'Edit'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
485
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
486 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
487 """Performs an edit of all of a class' items in one go.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
488
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
489 The "rows" CGI var defines the CSV-formatted entries for the class. New
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
490 nodes are identified by the ID 'X' (or any other non-existent ID) and
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
491 removed lines are retired.
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
492 """
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
493 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
494 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
495 raise Reject(self._('Invalid request'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
496
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
497 # figure the properties list for the class
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
498 cl = self.db.classes[self.classname]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
499 props_without_id = list(cl.getprops(protected=0))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
500
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
501 # the incoming CSV data will always have the properties in colums
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
502 # sorted and starting with the "id" column
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
503 props_without_id.sort()
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
504 props = ['id'] + props_without_id
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
505
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
506 # do the edit
5452
b50a4c85c270 fixed incorrect usage of BytesIO
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5395
diff changeset
507 rows = StringIO(self.form['rows'].value)
3179
88dbe6b3d891 merge removal of rcsv
Richard Jones <richard@users.sourceforge.net>
parents: 3145
diff changeset
508 reader = csv.reader(rows)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
509 found = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
510 line = 0
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
511 for values in reader:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
512 line += 1
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
513 if line == 1: continue # noqa: E701
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
514 # skip property names header
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
515 if values == props:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
516 continue
6435
ada96db8ec62 Ignore blank lines when editing class via CSV
John Rouillard <rouilj@ieee.org>
parents: 6375
diff changeset
517 # skip blank lines. Can be in the middle
ada96db8ec62 Ignore blank lines when editing class via CSV
John Rouillard <rouilj@ieee.org>
parents: 6375
diff changeset
518 # of the data or a newline at end of file.
ada96db8ec62 Ignore blank lines when editing class via CSV
John Rouillard <rouilj@ieee.org>
parents: 6375
diff changeset
519 if len(values) == 0:
ada96db8ec62 Ignore blank lines when editing class via CSV
John Rouillard <rouilj@ieee.org>
parents: 6375
diff changeset
520 continue
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
521
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
522 # extract the itemid
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
523 itemid, values = values[0], values[1:]
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
524 found[itemid] = 1
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
525
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
526 # see if the node exists
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
527 if itemid in ('x', 'X') or not cl.hasnode(itemid):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
528 exists = 0
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
529
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
530 # check permission to create this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
531 if not self.hasPermission('Create', classname=self.classname):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
532 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
533 'You do not have permission to create %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
534 ) % {'class': self.classname})
4293
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
535 elif cl.hasnode(itemid) and cl.is_retired(itemid):
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
536 # If a CSV line just mentions an id and the corresponding
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
537 # item is retired, then the item is restored.
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
538 cl.restore(itemid)
5515
cd0ceb2afdb8 fixed issue2550993 and added test case
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5503
diff changeset
539 exists = 1
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
540 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
541 exists = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
542
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
543 # confirm correct weight
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
544 if len(props_without_id) != len(values):
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
545 self.client.add_error_message(
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
546 self._('Not enough values on line %(line)s') % {
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
547 'line': line})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
548 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
549
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
550 # extract the new values
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
551 d = {}
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
552 for name, value in zip(props_without_id, values):
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
553 # check permission to edit this property on this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
554 if exists and not self.hasPermission('Edit', itemid=itemid,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
555 classname=self.classname,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
556 property=name):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
557 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
558 'You do not have permission to edit %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
559 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
560
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
561 prop = cl.properties[name]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
562 value = value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
563 # only add the property if it has a value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
564 if value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
565 # if it's a multilink, split it
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
566 if isinstance(prop, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
567 value = value.split(':')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
568 elif isinstance(prop, hyperdb.Password):
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
569 value = password.Password(value, config=self.db.config)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
570 elif isinstance(prop, hyperdb.Interval):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
571 value = date.Interval(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
572 elif isinstance(prop, hyperdb.Date):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
573 value = date.Date(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
574 elif isinstance(prop, hyperdb.Boolean):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
575 value = value.lower() in ('yes', 'true', 'on', '1')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
576 elif isinstance(prop, hyperdb.Number):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
577 value = float(value)
5067
e424987d294a Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents: 5044
diff changeset
578 elif isinstance(prop, hyperdb.Integer):
e424987d294a Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents: 5044
diff changeset
579 value = int(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
580 d[name] = value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
581 elif exists:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
582 # nuke the existing value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
583 if isinstance(prop, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
584 d[name] = []
5814
bd6d41f21a5a More extensive EditCSV testing.
John Rouillard <rouilj@ieee.org>
parents: 5800
diff changeset
585 elif isinstance(prop, hyperdb.Password):
bd6d41f21a5a More extensive EditCSV testing.
John Rouillard <rouilj@ieee.org>
parents: 5800
diff changeset
586 # create empty password entry
bd6d41f21a5a More extensive EditCSV testing.
John Rouillard <rouilj@ieee.org>
parents: 5800
diff changeset
587 d[name] = password.Password("", config=self.db.config)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
588 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
589 d[name] = None
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
590
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
591 # perform the edit
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
592 if exists:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
593 # edit existing
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
594 cl.set(itemid, **d)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
595 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
596 # new node
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
597 found[cl.create(**d)] = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
598
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
599 # retire the removed entries
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
600 for itemid in cl.list():
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
601 if itemid not in found:
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
602 # check permission to retire this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
603 if not self.hasPermission('Retire', itemid=itemid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
604 classname=self.classname):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
605 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
606 'You do not have permission to retire %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
607 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
608 cl.retire(itemid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
609
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
610 # all OK
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
611 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
612
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
613 self.client.add_ok_message(self._('Items edited OK'))
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
614
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
615
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
616 class EditCommon(Action):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
617 '''Utility methods for editing.'''
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
618
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
619 def _editnodes(self, all_props, all_links):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
620 ''' Use the props in all_props to perform edit and creation, then
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
621 use the link specs in all_links to do linking.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
622 '''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
623 # figure dependencies and re-work links
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
624 deps = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
625 links = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
626 for cn, nodeid, propname, vlist in all_links:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
627 numeric_id = int(nodeid or 0)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
628 if not (numeric_id > 0 or (cn, nodeid) in all_props):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
629 # link item to link to doesn't (and won't) exist
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
630 continue
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
631
3852
0dd05c9e5fff New test for linking of non-existing and existing properties via a form.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3851
diff changeset
632 for value in vlist:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
633 if value not in all_props:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
634 # link item to link to doesn't (and won't) exist
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
635 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
636 deps.setdefault((cn, nodeid), []).append(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
637 links.setdefault(value, []).append((cn, nodeid, propname))
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
638
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
639 # figure chained dependencies ordering
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
640 order = []
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
641 done = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
642 # loop detection
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
643 change = 0
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
644 while len(all_props) != len(done):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
645 for needed in all_props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
646 if needed in done:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
647 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
648 tlist = deps.get(needed, [])
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
649 for target in tlist:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
650 if target not in done:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
651 break
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
652 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
653 done[needed] = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
654 order.append(needed)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
655 change = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
656 if not change:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
657 raise ValueError('linking must not loop!')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
658
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
659 # now, edit / create
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
660 m = []
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
661 for needed in order:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
662 props = all_props[needed]
3851
5fe1f30f7f30 Bug-fix: In case we have a @link@ to an existing node...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3850
diff changeset
663 cn, nodeid = needed
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
664 if props:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
665 if nodeid is not None and int(nodeid) > 0:
8305
a81a3cd067fa Generate savepoint only if necessary
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8128
diff changeset
666 # make changes to the node, if an error occurs the
a81a3cd067fa Generate savepoint only if necessary
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8128
diff changeset
667 # db may be in a state that needs rollback
a81a3cd067fa Generate savepoint only if necessary
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8128
diff changeset
668 try:
a81a3cd067fa Generate savepoint only if necessary
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8128
diff changeset
669 props = self._changenode(cn, nodeid, props)
a81a3cd067fa Generate savepoint only if necessary
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8128
diff changeset
670 except (IndexError, ValueError):
a81a3cd067fa Generate savepoint only if necessary
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8128
diff changeset
671 self.db.rollback ()
a81a3cd067fa Generate savepoint only if necessary
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8128
diff changeset
672 raise
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
673
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
674 # and some nice feedback for the user
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
675 if props:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
676 info = ', '.join(map(self._, props))
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
677 m.append(
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
678 self._('%(class)s %(id)s %(properties)s edited ok')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
679 % {'class': cn, 'id': nodeid, 'properties': info})
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
680 else:
5251
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
681 # this used to produce a message like:
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
682 # issue34 - nothing changed
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
683 # which is confusing if only quiet properties
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
684 # changed for the class/id. So don't report
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
685 # anything if the user didn't explicitly change
5251
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
686 # a visible (non-quiet) property.
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
687 pass
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
688 else:
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
689 # make a new node
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
690 newid = self._createnode(cn, props)
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
691 if nodeid is None:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
692 self.nodeid = newid
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
693 nodeid = newid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
694
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
695 # and some nice feedback for the user
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
696 m.append(self._('%(class)s %(id)s created')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
697 % {'class': cn, 'id': newid})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
698
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
699 # fill in new ids in links
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
700 if needed in links:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
701 for linkcn, linkid, linkprop in links[needed]:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
702 props = all_props[(linkcn, linkid)]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
703 cl = self.db.classes[linkcn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
704 propdef = cl.getprops()[linkprop]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
705 if linkprop not in props:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
706 if linkid is None or linkid.startswith('-'):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
707 # linking to a new item
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
708 if isinstance(propdef, hyperdb.Multilink):
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
709 props[linkprop] = [nodeid]
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
710 else:
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
711 props[linkprop] = nodeid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
712 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
713 # linking to an existing item
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
714 if isinstance(propdef, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
715 existing = cl.get(linkid, linkprop)[:]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
716 existing.append(nodeid)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
717 props[linkprop] = existing
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
718 else:
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
719 props[linkprop] = nodeid
4992
b562df8a5056 Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4880
diff changeset
720 elif isinstance(propdef, hyperdb.Multilink):
b562df8a5056 Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4880
diff changeset
721 props[linkprop].append(nodeid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
722
4623
4f9c3858b671 Fix another XSS with the ok- and error message, see issue2550724.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4521
diff changeset
723 return '\n'.join(m)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
724
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
725 def _changenode(self, cn, nodeid, props):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
726 """Change the node based on the contents of the form."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
727 # check for permission
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
728 if not self.editItemPermission(props, classname=cn, itemid=nodeid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
729 raise exceptions.Unauthorised(self._(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
730 'You do not have permission to edit %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
731 ) % {'class': cn})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
732
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
733 # make the changes
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
734 cl = self.db.classes[cn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
735 return cl.set(nodeid, **props)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
736
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
737 def _createnode(self, cn, props):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
738 """Create a node based on the contents of the form."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
739 # check for permission
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
740 if not self.newItemPermission(props, classname=cn):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
741 raise exceptions.Unauthorised(self._(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
742 'You do not have permission to create %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
743 ) % {'class': cn})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
744
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
745 # create the node and return its id
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
746 cl = self.db.classes[cn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
747 return cl.create(**props)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
748
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
749 def isEditingSelf(self):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
750 """Check whether a user is editing his/her own details."""
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
751 return (self.nodeid == self.userid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
752 and self.db.user.get(self.nodeid, 'username') != 'anonymous')
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
753
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
754 _cn_marker = []
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
755
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
756 def editItemPermission(self, props, classname=_cn_marker, itemid=None):
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
757 """Determine whether the user has permission to edit this item."""
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
758 if itemid is None:
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
759 itemid = self.nodeid
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
760 if classname is self._cn_marker:
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
761 classname = self.classname
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
762 # The user must have permission to edit each of the properties
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
763 # being changed.
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
764 for p in props:
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
765 if not self.hasPermission('Edit', itemid=itemid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
766 classname=classname, property=p):
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
767 return 0
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
768 # Since the user has permission to edit all of the properties,
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
769 # the edit is OK.
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
770 return 1
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
771
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
772 def newItemPermission(self, props, classname=None):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
773 """Determine whether the user has permission to create this item.
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
774
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
775 Base behaviour is to check the user can edit this class. No additional
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
776 property checks are made.
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
777 """
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
778
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
779 if not classname:
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
780 classname = self.client.classname
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
781
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
782 if not self.hasPermission('Create', classname=classname):
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
783 return 0
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
784
4310
8e0d350ce644 Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4304
diff changeset
785 # Check Create permission for each property, to avoid being able
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
786 # to set restricted ones on new item creation
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
787 for key in props:
4310
8e0d350ce644 Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4304
diff changeset
788 if not self.hasPermission('Create', classname=classname,
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
789 property=key):
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
790 return 0
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
791 return 1
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
792
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
793
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
794 class EditItemAction(EditCommon):
2143
b29323f75718 wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents: 2136
diff changeset
795 def lastUserActivity(self):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
796 if ':lastactivity' in self.form:
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
797 d = date.Date(self.form[':lastactivity'].value)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
798 elif '@lastactivity' in self.form:
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
799 d = date.Date(self.form['@lastactivity'].value)
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
800 else:
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
801 return None
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
802 d.second = int(d.second)
2264
9b34f41507ed *** empty log message ***
Richard Jones <richard@users.sourceforge.net>
parents: 2260
diff changeset
803 return d
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
804
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
805 def lastNodeActivity(self):
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
806 cl = getattr(self.client.db, self.classname)
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
807 activity = cl.get(self.nodeid, 'activity').local(0)
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
808 activity.second = int(activity.second)
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
809 return activity
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
810
2143
b29323f75718 wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents: 2136
diff changeset
811 def detectCollision(self, user_activity, node_activity):
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
812 '''Check for a collision and return the list of props we edited
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
813 that conflict.'''
3188
7faae85e1e33 merge from branch
Richard Jones <richard@users.sourceforge.net>
parents: 3179
diff changeset
814 if user_activity and user_activity < node_activity:
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
815 props, links = self.client.parsePropsFromForm()
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
816 key = (self.classname, self.nodeid)
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
817 # we really only collide for direct prop edit conflicts
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
818 return list(props[key])
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
819 else:
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
820 return []
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
821
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
822 def handleCollision(self, props):
6301
45ba6b71f1cf actions.py translation. Using mapping rather than tuple for args.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
823 message = self._(
45ba6b71f1cf actions.py translation. Using mapping rather than tuple for args.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
824 'Edit Error: someone else has edited this %(klass)s (%(props)s). '
45ba6b71f1cf actions.py translation. Using mapping rather than tuple for args.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
825 'View <a target="_blank" href="%(klass)s%(id)s">their changes</a> '
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
826 'in a new window.') % {"klass": self.classname,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
827 "props": ', '.join(props),
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
828 "id": self.nodeid}
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
829 self.client.add_error_message(message, escape=False)
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
830 return
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
831
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
832 def handle(self):
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
833 """Perform an edit of an item in the database.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
834
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
835 See parsePropsFromForm and _editnodes for special variables.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
836
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
837 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
838 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
839 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
840 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
841
2148
2490d26c88df Line 485, lastUserActivity misspelled as lastUserActvity.
Brian Kelley <wc2so1@users.sourceforge.net>
parents: 2143
diff changeset
842 user_activity = self.lastUserActivity()
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
843 if user_activity:
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
844 props = self.detectCollision(user_activity, self.lastNodeActivity())
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
845 if props:
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
846 self.handleCollision(props)
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
847 return
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
848
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
849 props, links = self.client.parsePropsFromForm()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
850
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
851 # handle the props
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
852 try:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
853 message = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
854 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
855 escape = not isinstance(message, RejectRaw)
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
856 self.client.add_error_message(
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
857 self._('Edit Error: %s') % str(message), escape=escape)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
858 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
859
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
860 # commit now that all the tricky stuff is done
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
861 self.db.commit()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
862
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
863 # redirect to the item's edit page
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
864 # redirect to finish off
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
865 url = self.base + self.classname
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
866 # note that this action might have been called by an index page, so
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
867 # we will want to include index-page args in this URL too
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
868 if self.nodeid is not None:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
869 url += self.nodeid
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
870 url += '?@ok_message=%s&@template=%s' % (urllib_.quote(message),
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
871 urllib_.quote(self.template))
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
872 if self.nodeid is None:
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
873 req = templating.HTMLRequest(self.client)
3130
7308c3c5a943 docs editing from Jean Jordaan
Richard Jones <richard@users.sourceforge.net>
parents: 3073
diff changeset
874 url += '&' + req.indexargs_url('', {})[1:]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
875 raise exceptions.Redirect(url)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
876
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
877
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
878 class NewItemAction(EditCommon):
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
879 def handle(self):
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
880 ''' Add a new item to the database.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
881
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
882 This follows the same form as the EditItemAction, with the same
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
883 special form values.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
884 '''
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
885 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
886 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
887 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
888
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
889 # parse the props from the form
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
890 try:
2107
b7404a96b58a minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2082
diff changeset
891 props, links = self.client.parsePropsFromForm(create=1)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
892 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
893 self.client.add_error_message(self._('Error: %s')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
894 % str(message))
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
895 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
896
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
897 # handle the props - edit or create
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
898 try:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
899 # when it hits the None element, it'll set self.nodeid
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
900 messages = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
901 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
902 escape = not isinstance(message, RejectRaw)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
903 # these errors might just be indicative of user dumbness
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
904 self.client.add_error_message(_('Error: %s') % str(message),
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
905 escape=escape)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
906 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
907
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
908 # commit now that all the tricky stuff is done
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
909 self.db.commit()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
910
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
911 # Allow an option to stay on the page to create new things
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
912 if '__redirect_to' in self.form:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
913 raise exceptions.Redirect('%s&@ok_message=%s' % (
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
914 self.examine_url(self.form['__redirect_to'].value),
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
915 urllib_.quote(messages)))
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
916
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
917 # otherwise redirect to the new item's page
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
918 raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % (
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
919 self.base, self.classname, self.nodeid, urllib_.quote(messages),
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
920 urllib_.quote(self.template)))
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
921
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
922
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
923 class PassResetAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
924 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
925 """Handle password reset requests.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
926
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
927 Presence of either "name" or "address" generates email. Presence of
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
928 "otk" performs the reset.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
929
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
930 """
2291
90cca653ef3d otks manager missing [SF#952931]
Richard Jones <richard@users.sourceforge.net>
parents: 2264
diff changeset
931 otks = self.db.getOTKManager()
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
932 if 'otk' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
933 # pull the rego information out of the otk database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
934 otk = self.form['otk'].value
3673
94b905502d26 removed traceback with OTK is used multiple times [SF#1240539]
Richard Jones <richard@users.sourceforge.net>
parents: 3635
diff changeset
935 uid = otks.get(otk, 'uid', default=None)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
936 if uid is None:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
937 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
938 self._("Invalid One Time Key!\n"
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
939 "(a Mozilla bug may cause this message "
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
940 "to show up erroneously, please check your email)"))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
941 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
942
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
943 # pull the additional email address if exist
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
944 uaddress = otks.get(otk, 'uaddress', default=None)
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
945
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
946 # re-open the database as "admin"
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
947 if self.user != 'admin':
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
948 self.client.opendb('admin')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
949 self.db = self.client.db
2372
c26bb78d2f0c couple of bugfixes
Richard Jones <richard@users.sourceforge.net>
parents: 2362
diff changeset
950 otks = self.db.getOTKManager()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
951
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
952 # change the password
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
953 newpw = password.generatePassword()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
954
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
955 cl = self.db.user
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
956 # XXX we need to make the "default" page be able to display errors!
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
957 try:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
958 # set the password
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
959 cl.set(uid, password=password.Password(newpw,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
960 config=self.db.config))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
961 # clear the props from the otk database
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
962 otks.destroy(otk)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5256
diff changeset
963 otks.commit()
5340
ed6153d3ee6a Fix password reset
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5322
diff changeset
964 # commit the password change
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
965 self.db.commit()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
966 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
967 self.client.add_error_message(str(message))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
968 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
969
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
970 # user info
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
971 name = self.db.user.get(uid, 'username')
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
972 if uaddress is None:
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
973 address = self.db.user.get(uid, 'address')
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
974 else:
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
975 address = uaddress
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
976
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
977 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
978 tracker_name = self.db.config.TRACKER_NAME
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
979 subject = self._('Password reset for %s') % tracker_name
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
980 body = self._('''
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
981 The password has been reset for username "%(name)s".
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
982
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
983 Your password is now: %(password)s
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
984 ''') % {'name': name, 'password': newpw}
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
985 if not self.client.standard_message([address], subject, body):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
986 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
987
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
988 self.client.add_ok_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
989 self._('Password reset and email sent to %s') % address)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
990 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
991
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
992 # no OTK, so now figure the user
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
993 if 'username' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
994 name = self.form['username'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
995 try:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
996 uid = self.db.user.lookup(name)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
997 except KeyError:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
998 self.client.add_error_message(self._('Unknown username'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
999 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1000 address = self.db.user.get(uid, 'address')
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1001 elif 'address' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1002 address = self.form['address'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1003 uid = uidFromAddress(self.db, ('', address), create=0)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1004 if not uid:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1005 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
1006 self._('Unknown email address'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1007 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1008 name = self.db.user.get(uid, 'username')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1009 else:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1010 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
1011 self._('You need to specify a username or address'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1012 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1013
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1014 # generate the one-time-key and store the props for later
6823
fe0091279f50 Refactor session db logging and key generation for sessions/otks
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1015 otk = otks.getUniqueKey(length=32)
fe0091279f50 Refactor session db logging and key generation for sessions/otks
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1016
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
1017 otks.set(otk, uid=uid, uaddress=address)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5256
diff changeset
1018 otks.commit()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1019
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1020 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1021 tracker_name = self.db.config.TRACKER_NAME
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1022 subject = self._('Confirm reset of password for %s') % tracker_name
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1023 body = self._('''
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1024 Someone, perhaps you, has requested that the password be changed for your
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1025 username, "%(name)s". If you wish to proceed with the change, please follow
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1026 the link below:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1027
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1028 %(url)suser?@template=forgotten&@action=passrst&otk=%(otk)s
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1029
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1030 You should then receive another email with the new password.
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1031 ''') % {'name': name, 'tracker': tracker_name, 'url': self.base, 'otk': otk}
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1032 if not self.client.standard_message([address], subject, body):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1033 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1034
5253
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1035 if 'username' in self.form:
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1036 self.client.add_ok_message(self._('Email sent to primary notification address for %s.') % name)
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1037 else:
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1038 self.client.add_ok_message(self._('Email sent to %s.') % address)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1039
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1040
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1041 class RegoCommon(Action):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1042 def finishRego(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1043 # log the new user in
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1044 self.client.userid = self.userid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1045 user = self.client.user = self.db.user.get(self.userid, 'username')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1046 # re-open the database for real, using the user
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1047 self.client.opendb(user)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1048
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1049 # update session data
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1050 self.client.session_api.set(user=user)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1051
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1052 # nice message
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
1053 message = self._('You are now registered, welcome!')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1054 url = '%suser%s?@ok_message=%s' % (self.base, self.userid,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1055 urllib_.quote(message))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1056
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1057 # redirect to the user's page (but not 302, as some email clients seem
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1058 # to want to reload the page, or something)
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1059 return '''<html><head><title>%s</title></head>
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1060 <body><p><a href="%s">%s</a></p>
5217
17b213eab274 Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
1061 <script nonce="%s" type="text/javascript">
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1062 window.setTimeout('window.location = "%s"', 1000);
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1063 </script>''' % (message, url, message,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1064 self.client.client_nonce, url)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1065
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1066
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1067 class ConfRegoAction(RegoCommon):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1068 def handle(self):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1069 """Grab the OTK, use it to load up the new user details."""
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1070 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1071 # pull the rego information out of the otk database
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1072 self.userid = self.db.confirm_registration(self.form['otk'].value)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1073 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1074 self.client.add_error_message(str(message))
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1075 return
3847
1a44e4bb2b54 Fix missing return value.
Stefan Seefeld <stefan@seefeld.name>
parents: 3805
diff changeset
1076 return self.finishRego()
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1077
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1078
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1079 class RegisterAction(RegoCommon, EditCommon, Timestamped):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
1080 name = 'register'
4146
42331c201b02 Fix issue2550553.
Stefan Seefeld <stefan@seefeld.name>
parents: 4127
diff changeset
1081 permissionType = 'Register'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
1082
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1083 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1084 """Attempt to create a new user based on the contents of the form
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1085 and then remember it in session.
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1086
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1087 Return 1 on successful login.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
1088 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1089 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1090 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1091 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1092
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1093 # try to make sure user is not a bot by checking the
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1094 # hidden field opaqueregister to make sure it's at least
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1095 # WEB_REGISTRATION_DELAY seconds. If set to 0,
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1096 # disable the check.
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1097 delaytime = self.db.config['WEB_REGISTRATION_DELAY']
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1098
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1099 if delaytime > 0:
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1100 self.timecheck('opaqueregister', delaytime)
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1101
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1102 # parse the props from the form
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1103 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1104 props, links = self.client.parsePropsFromForm(create=1)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1105 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1106 self.client.add_error_message(self._('Error: %s')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1107 % str(message))
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1108 return
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1109
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1110 # skip the confirmation step?
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1111 if self.db.config['INSTANT_REGISTRATION']:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1112 # handle the create now
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1113 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1114 # when it hits the None element, it'll set self.nodeid
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1115 # execute for side effect
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1116 messages = self._editnodes(props, links) # noqa: F841
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1117 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1118 escape = not isinstance(message, RejectRaw)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1119 # these errors might just be indicative of user dumbness
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1120 self.client.add_error_message(_('Error: %s') % str(message),
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1121 escape=escape)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1122 return
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1123
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1124 # fix up the initial roles
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1125 self.db.user.set(self.nodeid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1126 roles=self.db.config['NEW_WEB_USER_ROLES'])
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1127
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1128 # commit now that all the tricky stuff is done
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1129 self.db.commit()
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1130
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1131 # finish off by logging the user in
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1132 self.userid = self.nodeid
3466
0ecd0062abfb fix redirect after instant registration [SF#1381676]
Richard Jones <richard@users.sourceforge.net>
parents: 3418
diff changeset
1133 return self.finishRego()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1134
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1135 # generate the one-time-key and store the props for later
4334
1aef7a4e4e39 fix non-instant rego
Richard Jones <richard@users.sourceforge.net>
parents: 4329
diff changeset
1136 user_props = props[('user', None)]
5976
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1137 # check that admin has requested username available check
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1138 check_user = self.db.config['WEB_REGISTRATION_PREVALIDATE_USERNAME']
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1139 if check_user:
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1140 try:
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1141 # verify user exists
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1142 user_found = self.db.user.lookup(user_props['username']) \
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1143 # noqa: F841
5976
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1144 # if user is found reject the request.
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1145 raise Reject(
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1146 _("Username '%s' is already used.") % user_props['username'])
5976
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1147 except KeyError:
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1148 # user not found this is what we want.
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1149 pass
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1150
5395
23b8e6067f7c Python 3 preparation: update calls to dict methods.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5382
diff changeset
1151 for propname, proptype in self.db.user.getprops().items():
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1152 value = user_props.get(propname, None)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1153 if value is None:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1154 pass
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1155 elif isinstance(proptype, hyperdb.Date):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1156 user_props[propname] = str(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1157 elif isinstance(proptype, hyperdb.Interval):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1158 user_props[propname] = str(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1159 elif isinstance(proptype, hyperdb.Password):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1160 user_props[propname] = str(value)
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
1161 otks = self.db.getOTKManager()
6823
fe0091279f50 Refactor session db logging and key generation for sessions/otks
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1162 otk = otks.getUniqueKey(length=32)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1163 otks.set(otk, **user_props)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1164
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1165 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1166 tracker_name = self.db.config.TRACKER_NAME
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1167 tracker_email = self.db.config.TRACKER_EMAIL
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1168 if self.db.config['EMAIL_REGISTRATION_CONFIRMATION']:
7057
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1169 subject = _(
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1170 'Complete your registration to %(tracker_name)s -- key %(key)s') % {
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1171 'tracker_name': tracker_name,
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1172 'key': otk}
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1173
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1174 body = _("""To complete your registration of the user "%(name)s" with
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1175 %(tracker)s, please do one of the following:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1176
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1177 - send a reply to %(tracker_email)s and maintain the subject line as is (the
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1178 reply's additional "Re:" is ok),
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1179
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1180 - or visit the following URL:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1181
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1182 %(url)s?@action=confrego&otk=%(otk)s
2108
54815ca493a5 add line to rego email to help URL detection [SF#906247]
Richard Jones <richard@users.sourceforge.net>
parents: 2107
diff changeset
1183
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1184 """) % {'name': user_props['username'], 'tracker': tracker_name,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1185 'url': self.base, 'otk': otk, 'tracker_email': tracker_email} \
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1186 # noqa: E122
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1187 else:
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1188 subject = _('Complete your registration to %s') % (tracker_name)
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1189 body = _("""To complete your registration of the user "%(name)s" with
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1190 %(tracker)s, please visit the following URL:
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1191
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1192 %(url)s?@action=confrego&otk=%(otk)s
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1193
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1194 """) % {'name': user_props['username'], 'tracker': tracker_name,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1195 'url': self.base, 'otk': otk} # noqa: E122
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1196 if not self.client.standard_message([user_props['address']], subject,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1197 body,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1198 (tracker_name, tracker_email)):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1199 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1200
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1201 # commit changes to the database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1202 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1203
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1204 # redirect to the "you're almost there" page
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1205 raise exceptions.Redirect('%suser?@template=rego_progress' % self.base)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1206
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1207 def newItemPermission(self, props, classname=None):
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1208 """Just check the "Register" permission.
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1209 """
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1210 # registration isn't allowed to supply roles
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1211 if 'roles' in props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1212 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1213 "It is not permitted to supply roles at registration."))
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1214
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1215 # technically already checked, but here for clarity
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1216 return self.hasPermission('Register', classname=classname)
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1217
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1218
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1219 class LogoutAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1220 def handle(self):
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1221 """Make us really anonymous - nuke the session too."""
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1222 # log us out
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1223 self.client.make_user_anonymous()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1224 self.client.session_api.destroy()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1225
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1226 # Let the user know what's going on
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1227 self.client.add_ok_message(self._('You are logged out'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1228
3264
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1229 # reset client context to render tracker home page
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1230 # instead of last viewed page (may be inaccessibe for anonymous)
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1231 self.client.classname = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1232 self.client.nodeid = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1233 self.client.template = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1234
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1235 # Redirect to a new page on logout. This regenerates
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1236 # CSRF tokens so they are associated with the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1237 # anonymous user and not the user who logged out. If
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1238 # we don't the user gets an invalid CSRF token error
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1239 # As above choose the home page since everybody can
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1240 # see that.
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1241 raise exceptions.Redirect(self.base)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1242
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1243
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1244 class LoginAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1245 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1246 """Attempt to log a user in.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1247
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1248 Sets up a session for the user which contains the login credentials.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1249
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1250 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1251 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1252 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1253 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1254
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1255 # we need the username at a minimum
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1256 if '__login_name' not in self.form:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1257 self.client.add_error_message(self._('Username required'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1258 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1259
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1260 # get the login info
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1261 self.client.user = self.form['__login_name'].value
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1262 if '__login_password' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1263 password = self.form['__login_password'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1264 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1265 password = ''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1266
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1267 if '__came_from' in self.form:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1268 # On valid or invalid login, redirect the user back to the page
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1269 # the started on. Searches, issue and other pages
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1270 # are all preserved in __came_from. Clean out any old feedback
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1271 # @error_message, @ok_message from the __came_from url.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1272 #
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1273 # 1. Split the url into components.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1274 # 2. Split the query string into parts.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1275 # 3. Delete @error_message and @ok_message if present.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1276 # 4. Define a new redirect_url missing the @...message entries.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1277 # This will be redefined if there is a login error to include
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1278 # a new error message
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
1279
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
1280 clean_url = self.examine_url(self.form['__came_from'].value)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
1281 redirect_url_tuple = urllib_.urlparse(clean_url)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1282 # now I have a tuple form for the __came_from url
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1283 try:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1284 query = urllib_.parse_qs(redirect_url_tuple.query)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1285 if "@error_message" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1286 del query["@error_message"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1287 if "@ok_message" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1288 del query["@ok_message"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1289 if "@action" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1290 # also remove the logout action from the redirect
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1291 # there is only ever one @action value.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1292 if query['@action'] == ["logout"]:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1293 del query["@action"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1294 except AttributeError:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1295 # no query param so nothing to remove. Just define.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1296 query = {}
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1297 pass
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1298
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1299 redirect_url = urllib_.urlunparse(
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1300 (redirect_url_tuple.scheme,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1301 redirect_url_tuple.netloc,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1302 redirect_url_tuple.path,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1303 redirect_url_tuple.params,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1304 urllib_.urlencode(list(sorted(query.items())), doseq=True),
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1305 redirect_url_tuple.fragment))
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1306
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1307 try:
5772
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1308 self.verifyLogin(self.client.user, password)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1309 except exceptions.LoginError as err:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1310 self.client.make_user_anonymous()
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1311 for arg in err.args:
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1312 self.client.add_error_message(arg)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1313
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1314 if '__came_from' in self.form:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1315 # set a new error
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1316 query['@error_message'] = err.args
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1317 redirect_url = urllib_.urlunparse(
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1318 (redirect_url_tuple.scheme,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1319 redirect_url_tuple.netloc,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1320 redirect_url_tuple.path,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1321 redirect_url_tuple.params,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1322 urllib_.urlencode(list(sorted(query.items())), doseq=True),
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1323 redirect_url_tuple.fragment))
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1324 raise exceptions.Redirect(redirect_url)
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1325 # if no __came_from, send back to base url with error
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1326 return
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1327 except RateLimitExceeded as err:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1328 self.client.make_user_anonymous()
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1329 for arg in err.args:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1330 self.client.add_error_message(arg)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1331
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1332 if '__came_from' in self.form:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1333 # usually web only. If API uses this they will get
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1334 # confused as the 429 isn't returned. Without this
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1335 # a web user will get redirected back to the home
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1336 # page rather than stay on the page where they tried
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1337 # to login.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1338 # set a new error message
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1339 query['@error_message'] = err.args
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1340 redirect_url = urllib_.urlunparse(
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1341 (redirect_url_tuple.scheme,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1342 redirect_url_tuple.netloc,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1343 redirect_url_tuple.path,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1344 redirect_url_tuple.params,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1345 urllib_.urlencode(list(sorted(query.items())), doseq=True),
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1346 redirect_url_tuple.fragment))
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1347 raise exceptions.Redirect(redirect_url)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1348 raise
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1349
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1350 # now we're OK, re-open the database for real, using the user
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1351 self.client.opendb(self.client.user)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1352
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1353 # save user in session
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1354 self.client.session_api.set(user=self.client.user)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1355 if 'remember' in self.form:
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1356 self.client.session_api.update(set_cookie=True, expire=24*3600*365)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1357
3418
9b8019f28158 remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents: 3382
diff changeset
1358 # If we came from someplace, go back there
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1359 if '__came_from' in self.form:
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1360 # add welcome message to user when logged in
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1361 query['@ok_message'] = _("Welcome %(username)s!") % {
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1362 "username": self.client.user, }
6468
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1363 redirect_url = urllib_.urlunparse((redirect_url_tuple.scheme,
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1364 redirect_url_tuple.netloc,
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1365 redirect_url_tuple.path,
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1366 redirect_url_tuple.params,
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1367 urllib_.urlencode(list(sorted(query.items())), doseq=True),
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1368 redirect_url_tuple.fragment))
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1369
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1370 raise exceptions.Redirect(redirect_url)
3418
9b8019f28158 remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents: 3382
diff changeset
1371
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1372 def rateLimitLogin(self, username, is_api=False, update=True):
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1373 """Implement rate limiting of logins by login name.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1374
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1375 username - username attempting to log in. May or may not
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1376 be valid.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1377 is_api - set to False for login via html page
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1378 set to "xmlrpc" for xmlrpc api
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1379 set to "rest" for rest api
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1380 update - if False will raise RateLimitExceeded without
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1381 updating the stored value. Default is True
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1382 which updates stored value. Used to deny access
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1383 when user successfully logs in but the user
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1384 doesn't have a valid attempt available.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1385
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1386 Login rates for a user are split based on html vs api
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1387 login.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1388
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1389 Set self.client.db.config.WEB_LOGIN_ATTEMPTS_MIN to 0
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1390 to disable for web interface. Set
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1391 self.client.db.config.API_LOGIN_ATTEMPTS to 0
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1392 to disable for web interface.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1393
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1394 By setting LoginAction.limitLogin, the admin can override
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1395 the HTML web page rate limiter if they need to change the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1396 interval from 1 minute.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1397 """
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1398 config = self.client.db.config
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1399
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1400 if not is_api:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1401 # HTML web login. Period is fixed at 1 minute.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1402 # Override by setting self.loginLimit. Yech.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1403 allowed_attempts = config.WEB_LOGIN_ATTEMPTS_MIN
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1404 per_period = 60
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1405 rlkey = "LOGIN-" + username
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1406 else:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1407 # api login. Both Rest and XMLRPC use this.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1408 allowed_attempts = config.WEB_API_FAILED_LOGIN_LIMIT
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1409 per_period = config.WEB_API_FAILED_LOGIN_INTERVAL_IN_SEC
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1410 rlkey = "LOGIN-API" + username
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1411
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1412 if not allowed_attempts: # if allowed_attempt == 0 - off
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1413 return
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1414
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1415 if self.loginLimit and not is_api:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1416 # provide a way for user (via interfaces.py) to
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1417 # change the interval on the html login limit.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1418 limit = self.loginLimit
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1419 else:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1420 limit = RateLimit(allowed_attempts,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1421 timedelta(seconds=per_period))
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1422
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1423 gcra = Gcra()
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1424 otk = self.client.db.Otk
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1425
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1426 try:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1427 val = otk.getall(rlkey)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1428 gcra.set_tat_as_string(rlkey, val['tat'])
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1429 except KeyError:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1430 # ignore if tat not set, tat is 1970-1-1 by default.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1431 pass
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1432
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1433 # see if rate limit exceeded and we need to reject
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1434 # the attempt
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1435 reject = gcra.update(rlkey, limit)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1436
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1437 # Calculate a timestamp that will make OTK expire the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1438 # unused entry in twice the period defined for the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1439 # rate limiter.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1440 if update:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1441 ts = otk.lifetime(per_period*2)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1442 otk.set(rlkey, tat=gcra.get_tat_as_string(rlkey),
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1443 __timestamp=ts)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1444 otk.commit()
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1445
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1446 # User exceeded limits: find out how long to wait
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1447 limitStatus = gcra.status(rlkey, limit)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1448
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1449 if not reject:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1450 return
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1451
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1452 for header, value in limitStatus.items():
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1453 self.client.setHeader(header, value)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1454
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1455 # User exceeded limits: tell humans how long to wait
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1456 # Headers above will do the right thing for api
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1457 # aware clients.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1458 try:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1459 retry_after = limitStatus['Retry-After']
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1460 except KeyError:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1461 # handle race condition. If the time between
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1462 # the call to grca.update and grca.status
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1463 # is sufficient to reload the bucket by 1
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1464 # item, Retry-After will be missing from
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1465 # limitStatus. So report a 1 second delay back
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1466 # to the client. We treat update as sole
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1467 # source of truth for exceeded rate limits.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1468 retry_after = 1
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1469 self.client.setHeader('Retry-After', '1')
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1470
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1471 # make rate limiting headers available to javascript
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1472 # even for non-api calls.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1473 self.client.setHeader(
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1474 "Access-Control-Expose-Headers",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1475 ", ".join([
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1476 "X-RateLimit-Limit",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1477 "X-RateLimit-Remaining",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1478 "X-RateLimit-Reset",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1479 "X-RateLimit-Limit-Period",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1480 "Retry-After"
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1481 ])
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1482 )
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1483
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1484 raise RateLimitExceeded(_("Logins occurring too fast. Please wait: %s seconds.") % retry_after)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1485
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1486 def verifyLogin(self, username, password, is_api=False):
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1487 """Authenticate the user with rate limits.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1488
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1489 All logins (valid and failing) from a web page calling the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1490 LoginAction method are rate limited to the config.ini
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1491 configured value in 1 minute. (Interval can be changed see
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1492 rateLimitLogin method.)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1493
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1494 API logins are only rate limited if they fail. Successful
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1495 api logins are rate limited using the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1496 api_calls_per_interval and api_interval_in_sec settings in
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1497 config.ini.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1498
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1499 Once a user receives a rate limit notice, they must
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1500 wait the recommended time to try again as the account is
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1501 locked out for the recommended time. If a user tries to
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1502 log in while locked out, they will get a 429 rejection
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1503 even if the username and password are correct.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1504 """
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1505 # make sure the user exists
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1506 try:
7179
804cc66692ac Add comment. lookup on a username doesn't return retired users.
John Rouillard <rouilj@ieee.org>
parents: 7178
diff changeset
1507 # Note: lookup only searches non-retired items.
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1508 self.client.userid = self.db.user.lookup(username)
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1509 except KeyError:
6375
c4371ec7d1c0 Call verifyPassword even if user does not exist.
John Rouillard <rouilj@ieee.org>
parents: 6301
diff changeset
1510 # Perform password check against anonymous user.
c4371ec7d1c0 Call verifyPassword even if user does not exist.
John Rouillard <rouilj@ieee.org>
parents: 6301
diff changeset
1511 # Prevents guessing of valid usernames by detecting
c4371ec7d1c0 Call verifyPassword even if user does not exist.
John Rouillard <rouilj@ieee.org>
parents: 6301
diff changeset
1512 # delay caused by checking password only on valid
c4371ec7d1c0 Call verifyPassword even if user does not exist.
John Rouillard <rouilj@ieee.org>
parents: 6301
diff changeset
1513 # users.
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1514 _discard = self.verifyPassword("2", password) # noqa: F841
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1515
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1516 # limit logins to an acceptable rate. Do it for
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1517 # invalid usernames so attempts to break
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1518 # an invalid user will also be rate limited.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1519 self.rateLimitLogin(username, is_api=is_api)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1520
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1521 # this is not hit if rate limit is exceeded
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1522 raise exceptions.LoginError(self._('Invalid login'))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1523
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1524 # if we are rate limited and the user tries again,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1525 # reject the login. update=false so we don't count
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1526 # a potentially valid login.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1527 self.rateLimitLogin(username, is_api=is_api, update=False)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1528
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1529 # verify the password
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1530 if not self.verifyPassword(self.client.userid, password):
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1531 self.rateLimitLogin(username, is_api=is_api)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1532 # this is not hit if rate limit is exceeded
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1533 raise exceptions.LoginError(self._('Invalid login'))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1534
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1535 # Determine whether the user has permission to log in.
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1536 # Base behaviour is to check the user has "Web Access".
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1537 if not self.hasPermission("Web Access"):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1538 raise exceptions.LoginError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1539 "You do not have permission to login"))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1540
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1541 def verifyPassword(self, userid, givenpw):
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1542 '''Verify the password that the user has supplied.
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1543 Optionally migrate to new password scheme if configured
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1544 '''
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1545 db = self.db
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1546 stored = db.user.get(userid, 'password')
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1547 if givenpw == stored:
7165
970cd6d2b8ea issue2551251 - migrate pbkdf2 passwords if more rounds configured
John Rouillard <rouilj@ieee.org>
parents: 7163
diff changeset
1548 if (db.config.WEB_MIGRATE_PASSWORDS and
970cd6d2b8ea issue2551251 - migrate pbkdf2 passwords if more rounds configured
John Rouillard <rouilj@ieee.org>
parents: 7163
diff changeset
1549 stored.needs_migration(config=db.config)):
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
1550 newpw = password.Password(givenpw, config=db.config)
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
1551 db.user.set(userid, password=newpw)
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1552 db.commit()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1553 return 1
6684
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6676
diff changeset
1554 # allow blank password
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6676
diff changeset
1555 if db.config.WEB_LOGIN_EMPTY_PASSWORDS and not givenpw and not stored:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1556 return 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1557 return 0
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1558
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1559
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1560 class ExportCSVAction(Action):
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1561 name = 'export'
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1562 permissionType = 'View'
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1563 list_sep = ';' # Separator for list types
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1564
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1565 def handle(self):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1566 ''' Export the specified search query as CSV. '''
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1567 # figure the request
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1568 request = templating.HTMLRequest(self.client)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1569 filterspec = request.filterspec
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1570 sort = request.sort
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1571 group = request.group
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1572 columns = request.columns
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1573 klass = self.db.getclass(request.classname)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1574
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1575 # check if all columns exist on class
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1576 # the exception must be raised before sending header
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1577 props = klass.getprops()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1578 for cname in columns:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1579 if cname not in props:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1580 # use error code 400: Bad Request. Do not use
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1581 # error code 404: Not Found.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1582 self.client.response_code = 400
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1583 raise exceptions.NotFound(
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1584 self._('Column "%(column)s" not found in %(class)s')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1585 % {'column': html_escape(cname),
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1586 'class': request.classname})
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1587
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1588 # full-text search
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1589 if request.search_text:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1590 indexer = self.db.indexer
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1591 if self.db.indexer.query_language:
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1592 try:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1593 matches = indexer.search(
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1594 [request.search_text], klass)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1595 except Exception as e:
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1596 error = " ".join(e.args)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1597 self.client.add_error_message(error)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1598 self.client.response_code = 400
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1599 # trigger error reporting. NotFound isn't right but...
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1600 raise exceptions.NotFound(error)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1601 else:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1602 matches = indexer.search(
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1603 re.findall(r'\b\w{%s,%s}\b' % (indexer.minlength,
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1604 indexer.maxlength),
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1605 request.search_text), klass)
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1606 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1607 matches = None
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1608
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1609 header = self.client.additional_headers
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1610 header['Content-Type'] = 'text/csv; charset=%s' % self.client.charset
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1611 # some browsers will honor the filename here...
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1612 header['Content-Disposition'] = 'inline; filename=query.csv'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1613
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1614 self.client.header()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1615
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1616 if self.client.env['REQUEST_METHOD'] == 'HEAD':
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1617 # all done, return a dummy string
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1618 return 'dummy'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1619
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1620 wfile = self.client.request.wfile
6083
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1621 if sys.version_info[0] > 2:
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1622 wfile = codecs.getwriter(self.client.charset)(wfile, 'replace')
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1623 elif self.client.charset != self.client.STORAGE_CHARSET:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1624 wfile = codecs.EncodedFile(wfile,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1625 self.client.STORAGE_CHARSET,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1626 self.client.charset, 'replace')
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1627
6190
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6083
diff changeset
1628 writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1629
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1630 # handle different types of columns.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1631 def repr_no_right(cls, col):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1632 """User doesn't have the right to see the value of col."""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1633 def fct(arg):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1634 return "[hidden]"
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1635 return fct
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1636
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1637 def repr_link(cls, col):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1638 """Generate a function which returns the string representation of
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1639 a link depending on `cls` and `col`."""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1640 def fct(arg):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1641 if arg is None:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1642 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1643 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1644 return str(cls.get(arg, col))
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1645 return fct
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1646
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1647 def repr_list(cls, col):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1648 def fct(arg):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1649 if arg is None:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1650 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1651 elif type(arg) is list:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1652 seq = [str(cls.get(val, col)) for val in arg]
5652
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1653 # python2/python 3 have different order in lists
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1654 # sort to not break tests
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1655 seq.sort()
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1656 return self.list_sep.join(seq)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1657 return fct
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1658
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1659 def repr_date():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1660 def fct(arg):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1661 if arg is None:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1662 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1663 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1664 if (arg.local(self.db.getUserTimezone()).pretty('%H:%M') ==
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1665 '00:00'):
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1666 fmt = '%Y-%m-%d'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1667 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1668 fmt = '%Y-%m-%d %H:%M'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1669 return arg.local(self.db.getUserTimezone()).pretty(fmt)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1670 return fct
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1671
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1672 def repr_val():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1673 def fct(arg):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1674 if arg is None:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1675 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1676 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1677 return str(arg)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1678 return fct
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1679
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1680 props = klass.getprops()
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1681
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1682 # Determine translation map.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1683 ncols = []
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1684 represent = {}
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1685 for col in columns:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1686 ncols.append(col)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1687 represent[col] = repr_val()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1688 if isinstance(props[col], hyperdb.Multilink):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1689 cname = props[col].classname
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1690 cclass = self.db.getclass(cname)
8492
166cb2632315 issue2551413 - Broken MultiLink columns in CSV export (take 2)
John Rouillard <rouilj@ieee.org>
parents: 8490
diff changeset
1691 # Use id by default to handle cases like messages
166cb2632315 issue2551413 - Broken MultiLink columns in CSV export (take 2)
John Rouillard <rouilj@ieee.org>
parents: 8490
diff changeset
1692 # which have no useful label field issue2551413
166cb2632315 issue2551413 - Broken MultiLink columns in CSV export (take 2)
John Rouillard <rouilj@ieee.org>
parents: 8490
diff changeset
1693 represent[col] = repr_list(cclass, 'id')
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1694 if not self.hasPermission(self.permissionType, classname=cname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1695 represent[col] = repr_no_right(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1696 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1697 if 'name' in cclass.getprops():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1698 represent[col] = repr_list(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1699 elif cname == 'user':
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1700 represent[col] = repr_list(cclass, 'realname')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1701 if isinstance(props[col], hyperdb.Link):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1702 cname = props[col].classname
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1703 cclass = self.db.getclass(cname)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1704 if not self.hasPermission(self.permissionType, classname=cname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1705 represent[col] = repr_no_right(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1706 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1707 if 'name' in cclass.getprops():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1708 represent[col] = repr_link(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1709 elif cname == 'user':
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1710 represent[col] = repr_link(cclass, 'realname')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1711 if isinstance(props[col], hyperdb.Date):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1712 represent[col] = repr_date()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1713
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1714 columns = ncols
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1715 # generate the CSV output
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1716 self.client._socket_op(writer.writerow, columns)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1717 # and search
8128
261438b9c91c Use new filtering for csv export variants
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8040
diff changeset
1718 filter = klass.filter_with_permissions
261438b9c91c Use new filtering for csv export variants
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8040
diff changeset
1719 for itemid in filter(matches, filterspec, sort, group):
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1720 row = []
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1721 for name in columns:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1722 # check permission for this property on this item
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1723 # TODO: Permission filter doesn't work for the 'user' class
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1724 if not self.hasPermission(self.permissionType, itemid=itemid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1725 classname=request.classname,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1726 property=name):
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1727 repr_function = repr_no_right(request.classname, name)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1728 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1729 repr_function = represent[name]
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1730 row.append(repr_function(klass.get(itemid, name)))
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1731 self.client._socket_op(writer.writerow, row)
8040
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1732
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1733 # force close of connection since we can't send a
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1734 # Content-Length header.
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1735 self.client.request.close_connection = True
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1736
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1737 return '\n'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1738
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1739
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1740 class ExportCSVWithIdAction(Action):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1741 ''' A variation of ExportCSVAction that returns ID number rather than
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1742 names. This is the original csv export function.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1743 '''
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1744 name = 'export'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1745 permissionType = 'View'
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1746
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1747 def handle(self):
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1748 ''' Export the specified search query as CSV. '''
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1749 # figure the request
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1750 request = templating.HTMLRequest(self.client)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1751 filterspec = request.filterspec
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1752 sort = request.sort
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1753 group = request.group
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1754 columns = request.columns
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1755 klass = self.db.getclass(request.classname)
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1756
4624
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1757 # check if all columns exist on class
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1758 # the exception must be raised before sending header
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1759 props = klass.getprops()
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1760 for cname in columns:
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1761 if cname not in props:
5165
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1762 # use error code 400: Bad Request. Do not use
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1763 # error code 404: Not Found.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1764 self.client.response_code = 400
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1765 raise exceptions.NotFound(
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1766 self._('Column "%(column)s" not found in %(class)s')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1767 % {'column': html_escape(cname),
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1768 'class': request.classname})
4624
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1769
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1770 # full-text search
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1771 if request.search_text:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1772 indexer = self.db.indexer
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1773 if indexer.query_language:
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1774 try:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1775 matches = indexer.search(
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1776 [request.search_text], klass)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1777 except Exception as e:
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1778 error = " ".join(e.args)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1779 self.client.add_error_message(error)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1780 self.client.response_code = 400
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1781 # trigger error reporting. NotFound isn't right but...
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1782 raise exceptions.NotFound(error)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1783 else:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1784 matches = indexer.search(
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1785 re.findall(r'\b\w{%s,%s}\b' % (indexer.minlength,
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1786 indexer.maxlength),
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1787 request.search_text),
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1788 klass)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1789 else:
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1790 matches = None
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1791
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1792 h = self.client.additional_headers
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1793 h['Content-Type'] = 'text/csv; charset=%s' % self.client.charset
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1794 # some browsers will honor the filename here...
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1795 h['Content-Disposition'] = 'inline; filename=query.csv'
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1796
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1797 self.client.header()
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1798
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1799 if self.client.env['REQUEST_METHOD'] == 'HEAD':
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1800 # all done, return a dummy string
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1801 return 'dummy'
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1802
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1803 wfile = self.client.request.wfile
6083
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1804 if sys.version_info[0] > 2:
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1805 wfile = codecs.getwriter(self.client.charset)(wfile, 'replace')
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1806 elif self.client.charset != self.client.STORAGE_CHARSET:
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1807 wfile = codecs.EncodedFile(wfile,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1808 self.client.STORAGE_CHARSET,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1809 self.client.charset, 'replace')
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1810
6190
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6083
diff changeset
1811 writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)
3987
c4f7b3817d3d Prevent broken pipe errors in csv export (patch [SF#911449)
Richard Jones <richard@users.sourceforge.net>
parents: 3913
diff changeset
1812 self.client._socket_op(writer.writerow, columns)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1813
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1814 # and search
8128
261438b9c91c Use new filtering for csv export variants
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8040
diff changeset
1815 filter = klass.filter_with_permissions
261438b9c91c Use new filtering for csv export variants
Ralf Schlatterbeck <rsc@runtux.com>
parents: 8040
diff changeset
1816 for itemid in filter(matches, filterspec, sort, group):
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1817 row = []
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1818 for name in columns:
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1819 # check permission to view this property on this item
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1820 if not self.hasPermission(self.permissionType, itemid=itemid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1821 classname=request.classname,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1822 property=name):
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1823 # FIXME: is this correct, or should we just
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1824 # emit a '[hidden]' string. Note that this may
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1825 # allow an attacker to figure out hidden schema
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1826 # properties.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1827 # A bad property name will result in an exception.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1828 # A valid property results in a column of '[hidden]'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1829 # values.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1830 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1831 'You do not have permission to view %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1832 ) % {'class': request.classname})
5652
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1833 value = klass.get(itemid, name)
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1834 try:
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1835 # python2/python 3 have different order in lists
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1836 # sort to not break tests
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1837 value.sort()
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1838 except AttributeError:
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1839 pass # value is not sortable, probably str
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1840 row.append(str(value))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1841 self.client._socket_op(writer.writerow, row)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1842
8040
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1843 # force close of connection since we can't send a
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1844 # Content-Length header.
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1845 self.client.request.close_connection = True
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1846
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1847 return '\n'
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1848
8411
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1849 class ReauthAction(Action):
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1850 '''Allow an auditor to require change verification with user's password.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1851
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1852 When changing sensitive information (e.g. passwords) it is
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1853 useful to ask for a validated authorization. This makes sure
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1854 that the user is present by typing their password.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1855
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1856 In an auditor adding::
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1857
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1858 if 'password' in newvalues and not getattr(db, 'reauth_done', False):
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1859 raise Reauth()
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1860
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1861 will present the user with a authorization page when the
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1862 password is changed. The page is generated from the
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1863 _generic.reauth.html template by default.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1864
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1865 Once the user enters their password and submits the page, the
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1866 password will be verified using:
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1867 roundup.cgi.actions:LoginAction::verifyPassword(). If the
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1868 password is correct the original change is done.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1869
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1870 To prevent the auditor from trigering another Reauth, the
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1871 attribute "reauth_done" is added to the db object. As a result,
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1872 the getattr call will return True and not raise Reauth.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1873
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1874 You get one reauth for the submitted change. Note you cannot
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1875 Reauth multiple properties separately. If you need to auth
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1876 multiple properties separately, you need to reject the change
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1877 and force the user to submit each sensitive property separately.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1878 For example::
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1879
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1880 if 'password' in newvalues and 'realname' in newvalues:
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1881 raise Reject('Changing the username and the realname '
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1882 'at the same time is not allowed. Please '
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1883 'submit two changes.')
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1884
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1885 if 'password' in newvalues and not getattr(db, 'reauth_done', False):
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1886 raise Reauth()
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1887
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1888 if 'realname' in newvalues and not getattr(db, 'reauth_done', False):
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1889 raise Reauth()
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1890
8412
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
1891 Limitations: Handling file inputs requires JavaScript on the browser.
8411
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1892
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1893 See also: client.py:Client:reauth() which can be changed
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1894 using interfaces.py in your tracker.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1895 '''
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1896
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1897 def handle(self):
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1898 ''' Handle a form with a reauth request.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1899 '''
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1900
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1901 if self.client.env['REQUEST_METHOD'] != 'POST':
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1902 raise Reject(self._('Invalid request'))
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1903
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1904 if '@reauth_password' not in self.form:
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1905 self.client.add_error_message(self._('Password incorrect.'))
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1906 return
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1907
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1908 # Verify password
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1909 login = self.client.get_action_class('login')(self.client)
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1910 if not self.verifyPassword():
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1911 self.client.add_error_message(self._("Password incorrect."))
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1912 self.client.template = "reauth"
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1913
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1914 # Strip fields that are added by the template. All
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1915 # the rest of the fields in self.form.list are added
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1916 # as hidden fields by the reauth template.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1917 self.form.list = [ x for x in self.form.list
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1918 if x.name not in (
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1919 '@action',
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1920 '@csrf',
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1921 '@reauth_password',
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1922 '@template',
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1923 'submit'
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1924 )
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1925 ]
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1926 return
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1927
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1928 # extract the info we need to preserve/reinject into
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1929 # the next action.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1930
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1931 if '@next_action' not in self.form: # required to look up next action
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1932 self.client.add_error_message(
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1933 self._('Missing action to be authorized.'))
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1934 return
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1935
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1936 action = self.form['@next_action'].value.lower()
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1937
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1938 next_template = None; # optional
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1939 if '@next_template' in self.form:
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1940 next_template = self.form['@next_template'].value
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1941
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1942 # rewrite the form for redisplay
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1943 # remove all the reauth_form_fields leaving just the original
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1944 # form fields from the form that trigered the reauth.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1945 # We extracted @next_* above to route to the original action
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1946 # and template.
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1947
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1948 reauth_form_fields = ('@reauth_password', '@template',
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1949 '@next_template', '@action',
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1950 '@next_action', '@csrf', 'submit')
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1951
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1952 self.form.list = [ x for x in self.form.list
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1953 if x.name not in reauth_form_fields
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1954 ]
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1955
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1956 try:
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1957 action_klass = self.client.get_action_class(action)
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1958
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1959 # set the template to go back to
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1960 # use "" not None as this value gets encoded and None is invalid
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1961 self.client.template = next_template if next_template else ""
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1962 # use this in detector (to skip reauth
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1963 self.client.db.reauth_done = True
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1964
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1965 # should raise exception Redirect
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1966 action_klass(self.client).execute()
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1967
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1968 except (ValueError, Reject) as err:
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1969 escape = not isinstance(err, RejectRaw)
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1970 self.add_error_message(str(err), escape=escape)
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1971
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1972 def verifyPassword(self):
8412
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
1973 """Verify the reauth password/token
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
1974
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
1975 This can be overridden using interfaces.py.
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
1976
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
1977 The default implementation uses the
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
1978 LoginAction::verifyPassword() method.
0663a7bcef6c feat: finish reauth docs, enhance code.
John Rouillard <rouilj@ieee.org>
parents: 8411
diff changeset
1979 """
8411
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1980 login = self.client.get_action_class('login')(self.client)
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1981 return login.verifyPassword(self.userid,
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1982 self.form['@reauth_password'].value)
ef1ea918b07a feat(security): Add user confirmation/reauth for sensitive changes
John Rouillard <rouilj@ieee.org>
parents: 8408
diff changeset
1983
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1984
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1985 class Bridge(BaseAction):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1986 """Make roundup.actions.Action executable via CGI request.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1987
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1988 Using this allows users to write actions executable from multiple
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1989 frontends. CGI Form content is translated into a dictionary, which
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1990 then is passed as argument to 'handle()'. XMLRPC requests have to
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1991 pass this dictionary directly.
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1992 """
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1993
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1994 def __init__(self, *args):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1995
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1996 # As this constructor is callable from multiple frontends, each with
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1997 # different Action interfaces, we have to look at the arguments to
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1998 # figure out how to complete construction.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1999 if (len(args) == 1 and
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
2000 hasattr(args[0], '__class__') and
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
2001 args[0].__class__.__name__ == 'Client'):
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2002 self.cgi = True
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2003 self.execute = self.execute_cgi
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2004 self.client = args[0]
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2005 self.form = self.client.form
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2006 else:
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2007 self.cgi = False
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2008
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2009 def execute_cgi(self):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2010 args = {}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
2011 for key in self.form:
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2012 args[key] = self.form.getvalue(key)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2013 self.permission(args)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2014 return self.handle(args)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2015
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2016 def permission(self, args):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2017 """Raise Unauthorised if the current user is not allowed to execute
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2018 this action. Users may override this method."""
4118
878767b75e1d fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents: 4112
diff changeset
2019
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2020 pass
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2021
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2022 def handle(self, args):
4118
878767b75e1d fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents: 4112
diff changeset
2023
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2024 raise NotImplementedError
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
2025
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
2026 # vim: set filetype=python sts=4 sw=4 et si :
Roundup Issue Tracker: http://roundup-tracker.org/