Mercurial > p > roundup > code
annotate roundup/cgi/actions.py @ 5800:1a835db41674
Call cgi.escape only on python 2. Replace with html.escapeif it can be
found.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 11 Jun 2019 21:29:24 -0400 |
| parents | 8dbe307bdb57 |
| children | bd6d41f21a5a |
| rev | line source |
|---|---|
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
1 import re, cgi, time, csv, codecs |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
2 |
|
3188
7faae85e1e33
merge from branch
Richard Jones <richard@users.sourceforge.net>
parents:
3179
diff
changeset
|
3 from roundup import hyperdb, token, date, password |
| 4083 | 4 from roundup.actions import Action as BaseAction |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
5 from roundup.i18n import _ |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
6 from roundup.cgi import exceptions, templating |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
7 from roundup.mailgw import uidFromAddress |
|
5722
2f116ba7e7cf
Rename Store class in rate_limit.py to Gcra. The name Store makes no
John Rouillard <rouilj@ieee.org>
parents:
5718
diff
changeset
|
8 from roundup.rate_limit import Gcra, RateLimit |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
9 from roundup.exceptions import Reject, RejectRaw |
|
5044
dce3cfe7ec61
Remove roundup.anypy.io_
John Kristensen <john@jerrykan.com>
parents:
5010
diff
changeset
|
10 from roundup.anypy import urllib_ |
|
5452
b50a4c85c270
fixed incorrect usage of BytesIO
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5395
diff
changeset
|
11 from roundup.anypy.strings import StringIO |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
12 import roundup.anypy.random_ as random_ |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
13 |
|
5800
1a835db41674
Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents:
5772
diff
changeset
|
14 try: |
|
1a835db41674
Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents:
5772
diff
changeset
|
15 from html import escape as html_escape # python 3 |
|
1a835db41674
Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents:
5772
diff
changeset
|
16 except ImportError: |
|
1a835db41674
Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents:
5772
diff
changeset
|
17 from cgi import escape as html_escape # python 2 fallback |
|
1a835db41674
Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents:
5772
diff
changeset
|
18 |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
19 import time |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
20 from datetime import timedelta |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
21 |
|
5119
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
22 # Also add action to client.py::Client.actions property |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
23 __all__ = ['Action', 'ShowAction', 'RetireAction', 'RestoreAction', 'SearchAction', |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
24 'EditCSVAction', 'EditItemAction', 'PassResetAction', |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
25 'ConfRegoAction', 'RegisterAction', 'LoginAction', 'LogoutAction', |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
26 'NewItemAction', 'ExportCSVAction', 'ExportCSVWithIdAction'] |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
27 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
28 # used by a couple of routines |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
29 chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
30 |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
31 class Action: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
32 def __init__(self, client): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
33 self.client = client |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
34 self.form = client.form |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
35 self.db = client.db |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
36 self.nodeid = client.nodeid |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
37 self.template = client.template |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
38 self.classname = client.classname |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
39 self.userid = client.userid |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
40 self.base = client.base |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
41 self.user = client.user |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
42 self.context = templating.context(client) |
|
5718
842252c3ee22
Change access to config from dict to property. This makes doing the
John Rouillard <rouilj@ieee.org>
parents:
5717
diff
changeset
|
43 self.loginLimit = RateLimit(client.db.config.WEB_LOGIN_ATTEMPTS_MIN, timedelta(seconds=60)) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
44 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
45 def handle(self): |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
46 """Action handler procedure""" |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
47 raise NotImplementedError |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
48 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
49 def execute(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
50 """Execute the action specified by this object.""" |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
51 self.permission() |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
52 return self.handle() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
53 |
|
5162
3ee79a2d95d4
rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents:
5161
diff
changeset
|
54 def examine_url(self, url): |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
55 '''Return URL validated to be under self.base and properly escaped |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
56 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
57 If url not properly escaped or validation fails raise ValueError. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
58 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
59 To try to prevent XSS attacks, validate that the url that is |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
60 passed in is under self.base for the tracker. This is used to |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
61 clean up "__came_from" and "__redirect_to" form variables used |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
62 by the LoginAction and NewItemAction actions. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
63 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
64 The url that is passed in must be a properly url quoted |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
65 argument. I.E. all characters that are not valid according to |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
66 RFC3986 must be % encoded. Schema should be lower case. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
67 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
68 It parses the passed url into components. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
69 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
70 It verifies that the scheme is http or https (so a redirect can |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
71 force https even if normal access to the tracker is via http). |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
72 Validates that the network component is the same as in self.base. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
73 Validates that the path component in the base url starts the url's |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
74 path component. It not it raises ValueError. If everything |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
75 validates: |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
76 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
77 For each component, Appendix A of RFC 3986 says the following |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
78 are allowed: |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
79 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
80 pchar = unreserved / pct-encoded / sub-delims / ":" / "@" |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
81 query = *( pchar / "/" / "?" ) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
82 unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
83 pct-encoded = "%" HEXDIG HEXDIG |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
84 sub-delims = "!" / "$" / "&" / "'" / "(" / ")" |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
85 / "*" / "+" / "," / ";" / "=" |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
86 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
87 Checks all parts with a regexp that matches any run of 0 or |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
88 more allowed characters. If the component doesn't validate, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
89 raise ValueError. Don't attempt to urllib_.quote it. Either |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
90 it's correct as it comes in or it's a ValueError. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
91 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
92 Finally paste the whole thing together and return the new url. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
93 ''' |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
94 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
95 parsed_url_tuple = urllib_.urlparse(url) |
|
5164
114d9628fd77
Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents:
5162
diff
changeset
|
96 if self.base: |
|
114d9628fd77
Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents:
5162
diff
changeset
|
97 parsed_base_url_tuple = urllib_.urlparse(self.base) |
|
114d9628fd77
Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents:
5162
diff
changeset
|
98 else: |
|
114d9628fd77
Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents:
5162
diff
changeset
|
99 raise ValueError(self._("Base url not set. Check configuration.")) |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
100 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
101 info={ 'url': url, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
102 'base_url': self.base, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
103 'base_scheme': parsed_base_url_tuple.scheme, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
104 'base_netloc': parsed_base_url_tuple.netloc, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
105 'base_path': parsed_base_url_tuple.path, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
106 'url_scheme': parsed_url_tuple.scheme, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
107 'url_netloc': parsed_url_tuple.netloc, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
108 'url_path': parsed_url_tuple.path, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
109 'url_params': parsed_url_tuple.params, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
110 'url_query': parsed_url_tuple.query, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
111 'url_fragment': parsed_url_tuple.fragment } |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
112 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
113 if parsed_base_url_tuple.scheme == "https": |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
114 if parsed_url_tuple.scheme != "https": |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
115 raise ValueError(self._("Base url %(base_url)s requires https. Redirect url %(url)s uses http.")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
116 else: |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
117 if parsed_url_tuple.scheme not in ('http', 'https'): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
118 raise ValueError(self._("Unrecognized scheme in %(url)s")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
119 |
|
5382
1556b39fde7c
Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5378
diff
changeset
|
120 if parsed_url_tuple.netloc != parsed_base_url_tuple.netloc: |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
121 raise ValueError(self._("Net location in %(url)s does not match base: %(base_netloc)s")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
122 |
|
5382
1556b39fde7c
Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5378
diff
changeset
|
123 if parsed_url_tuple.path.find(parsed_base_url_tuple.path) != 0: |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
124 raise ValueError(self._("Base path %(base_path)s is not a prefix for url %(url)s")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
125 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
126 # I am not sure if this has to be language sensitive. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
127 # Do ranges depend on the LANG of the user?? |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
128 # Is there a newer spec for URI's than what I am referencing? |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
129 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
130 # Also it really should be % HEXDIG HEXDIG that's allowed |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
131 # If %%% passes, the roundup server should be able to ignore/ |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
132 # quote it so it doesn't do anything bad otherwise we have a |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
133 # different vector to handle. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
134 allowed_pattern = re.compile(r'''^[A-Za-z0-9@:/?._~%!$&'()*+,;=-]*$''') |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
135 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
136 if not allowed_pattern.match(parsed_url_tuple.path): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
137 raise ValueError(self._("Path component (%(url_path)s) in %(url)s is not properly escaped")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
138 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
139 if not allowed_pattern.match(parsed_url_tuple.params): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
140 raise ValueError(self._("Params component (%(url_params)s) in %(url)s is not properly escaped")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
141 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
142 if not allowed_pattern.match(parsed_url_tuple.query): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
143 raise ValueError(self._("Query component (%(url_query)s) in %(url)s is not properly escaped")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
144 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
145 if not allowed_pattern.match(parsed_url_tuple.fragment): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
146 raise ValueError(self._("Fragment component (%(url_fragment)s) in %(url)s is not properly escaped")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
147 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
148 return(urllib_.urlunparse(parsed_url_tuple)) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
149 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
150 name = '' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
151 permissionType = None |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
152 def permission(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
153 """Check whether the user has permission to execute this action. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
154 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
155 True by default. If the permissionType attribute is a string containing |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
156 a simple permission, check whether the user has that permission. |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
157 Subclasses must also define the name attribute if they define |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
158 permissionType. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
159 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
160 Despite having this permission, users may still be unauthorised to |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
161 perform parts of actions. It is up to the subclasses to detect this. |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
162 """ |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
163 if (self.permissionType and |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
164 not self.hasPermission(self.permissionType)): |
|
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
165 info = {'action': self.name, 'classname': self.classname} |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
166 raise exceptions.Unauthorised(self._( |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
167 'You do not have permission to ' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
168 '%(action)s the %(classname)s class.')%info) |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
169 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
170 _marker = [] |
| 4030 | 171 def hasPermission(self, permission, classname=_marker, itemid=None, property=None): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
172 """Check whether the user has 'permission' on the current class.""" |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
173 if classname is self._marker: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
174 classname = self.client.classname |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
175 return self.db.security.hasPermission(permission, self.client.userid, |
| 4030 | 176 classname=classname, itemid=itemid, property=property) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
177 |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
178 def gettext(self, msgid): |
|
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
179 """Return the localized translation of msgid""" |
|
2563
420d5c2a49d9
use client.translator instead of static translationService;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2553
diff
changeset
|
180 return self.client.translator.gettext(msgid) |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
181 |
|
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
182 _ = gettext |
|
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
183 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
184 class ShowAction(Action): |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
185 |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
186 typere=re.compile('[@:]type') |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
187 numre=re.compile('[@:]number') |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
188 |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
189 def handle(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
190 """Show a node of a particular class/id.""" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
191 t = n = '' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
192 for key in self.form: |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
193 if self.typere.match(key): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
194 t = self.form[key].value.strip() |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
195 elif self.numre.match(key): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
196 n = self.form[key].value.strip() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
197 if not t: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
198 raise ValueError(self._('No type specified')) |
|
2052
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
199 if not n: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
200 raise exceptions.SeriousError(self._('No ID entered')) |
|
2052
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
201 try: |
|
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
202 int(n) |
|
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
203 except ValueError: |
|
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
204 d = {'input': n, 'classname': t} |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
205 raise exceptions.SeriousError(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
206 '"%(input)s" is not an ID (%(classname)s ID required)')%d) |
|
2183
ac24a9c74cca
be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents:
2169
diff
changeset
|
207 url = '%s%s%s'%(self.base, t, n) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
208 raise exceptions.Redirect(url) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
209 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
210 class RetireAction(Action): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
211 name = 'retire' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
212 permissionType = 'Edit' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
213 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
214 def handle(self): |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
215 """Retire the context item.""" |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
216 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
217 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
218 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
219 |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
220 # if we want to view the index template now, then unset the itemid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
221 # context info (a special-case for retire actions on the index page) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
222 itemid = self.nodeid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
223 if self.template == 'index': |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
224 self.client.nodeid = None |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
225 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
226 # make sure we don't try to retire admin or anonymous |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
227 if self.classname == 'user' and \ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
228 self.db.user.get(itemid, 'username') in ('admin', 'anonymous'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
229 raise ValueError(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
230 'You may not retire the admin or anonymous user')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
231 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
232 # check permission |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
233 if not self.hasPermission('Retire', classname=self.classname, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
234 itemid=itemid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
235 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
236 'You do not have permission to retire %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
237 ) % {'class': self.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
238 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
239 # do the retire |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
240 self.db.getclass(self.classname).retire(itemid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
241 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
242 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
243 self.client.add_ok_message( |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
244 self._('%(classname)s %(itemid)s has been retired')%{ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
245 'classname': self.classname.capitalize(), 'itemid': itemid}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
246 |
|
3473
370bb8f3c4d1
fix permission check on RetireAction [SF#1407342]
Richard Jones <richard@users.sourceforge.net>
parents:
3469
diff
changeset
|
247 |
|
5119
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
248 class RestoreAction(Action): |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
249 name = 'restore' |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
250 permissionType = 'Edit' |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
251 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
252 def handle(self): |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
253 """Restore the context item.""" |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
254 # ensure modification comes via POST |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
255 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
256 raise Reject(self._('Invalid request')) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
257 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
258 # if we want to view the index template now, then unset the itemid |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
259 # context info (a special-case for retire actions on the index page) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
260 itemid = self.nodeid |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
261 if self.template == 'index': |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
262 self.client.nodeid = None |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
263 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
264 # check permission |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
265 if not self.hasPermission('Restore', classname=self.classname, |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
266 itemid=itemid): |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
267 raise exceptions.Unauthorised(self._( |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
268 'You do not have permission to restore %(class)s' |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
269 ) % {'class': self.classname}) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
270 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
271 # do the restore |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
272 self.db.getclass(self.classname).restore(itemid) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
273 self.db.commit() |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
274 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
275 self.client.add_ok_message( |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
276 self._('%(classname)s %(itemid)s has been restored')%{ |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
277 'classname': self.classname.capitalize(), 'itemid': itemid}) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
278 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
279 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
280 class SearchAction(Action): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
281 name = 'search' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
282 permissionType = 'View' |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
283 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
284 def handle(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
285 """Mangle some of the form variables. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
286 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
287 Set the form ":filter" variable based on the values of the filter |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
288 variables - if they're set to anything other than "dontcare" then add |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
289 them to :filter. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
290 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
291 Handle the ":queryname" variable and save off the query to the user's |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
292 query list. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
293 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
294 Split any String query values on whitespace and comma. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
295 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
296 """ |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
297 self.fakeFilterVars() |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
298 queryname = self.getQueryName() |
|
3913
00896a2acaa5
clean up query display of "Private to you" items
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3855
diff
changeset
|
299 |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
300 # editing existing query name? |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
301 old_queryname = self.getFromForm('old-queryname') |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
302 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
303 # handle saving the query params |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
304 if queryname: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
305 # parse the environment and figure what the query _is_ |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
306 req = templating.HTMLRequest(self.client) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
307 |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
308 url = self.getCurrentURL(req) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
309 |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
310 key = self.db.query.getkey() |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
311 if key: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
312 # edit the old way, only one query per name |
| 5192 | 313 # Note that use of queryname as key will automatically |
| 314 # raise an error if there are duplicate names. | |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
315 try: |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
316 qid = self.db.query.lookup(old_queryname) |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
317 if not self.hasPermission('Edit', 'query', itemid=qid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
318 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
319 "You do not have permission to edit queries")) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
320 self.db.query.set(qid, klass=self.classname, url=url) |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
321 except KeyError: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
322 # create a query |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
323 if not self.hasPermission('Create', 'query'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
324 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
325 "You do not have permission to store queries")) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
326 qid = self.db.query.create(name=queryname, |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
327 klass=self.classname, url=url) |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
328 else: |
| 5192 | 329 uid = self.db.getuid() |
| 330 | |
| 331 # if the queryname is being changed from the old | |
| 332 # (original) value, make sure new queryname is not | |
| 333 # already in use by user. | |
| 334 # if in use, return to edit/search screen and let | |
| 335 # user change it. | |
| 336 | |
| 337 if old_queryname != queryname: | |
| 338 # we have a name change | |
| 339 qids = self.db.query.filter(None, {'name': queryname, | |
| 340 'creator': uid}) | |
| 341 for qid in qids: | |
| 342 # require an exact name match | |
| 343 if queryname != self.db.query.get(qid, 'name'): | |
| 344 continue | |
| 345 # whoops we found a duplicate; report error and return | |
| 346 message=_("You already own a query named '%s'. Please choose another name.")%(queryname) | |
| 347 self.client.add_error_message(message) | |
| 348 return | |
| 349 | |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
350 # edit the new way, query name not a key any more |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
351 # see if we match an existing private query |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
352 qids = self.db.query.filter(None, {'name': old_queryname, |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
353 'private_for': uid}) |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
354 if not qids: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
355 # ok, so there's not a private query for the current user |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
356 # - see if there's one created by them |
|
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
357 qids = self.db.query.filter(None, {'name': old_queryname, |
|
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
358 'creator': uid}) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
359 |
|
3581
d10008f756a4
fix saving of queries [SF#1436169]
Richard Jones <richard@users.sourceforge.net>
parents:
3549
diff
changeset
|
360 if qids and old_queryname: |
|
2362
10fc45eea226
fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents:
2291
diff
changeset
|
361 # edit query - make sure we get an exact match on the name |
|
10fc45eea226
fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents:
2291
diff
changeset
|
362 for qid in qids: |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
363 if old_queryname != self.db.query.get(qid, 'name'): |
|
2362
10fc45eea226
fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents:
2291
diff
changeset
|
364 continue |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
365 if not self.hasPermission('Edit', 'query', itemid=qid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
366 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
367 "You do not have permission to edit queries")) |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
368 self.db.query.set(qid, klass=self.classname, |
|
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
369 url=url, name=queryname) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
370 else: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
371 # create a query |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
372 if not self.hasPermission('Create', 'query'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
373 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
374 "You do not have permission to store queries")) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
375 qid = self.db.query.create(name=queryname, |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
376 klass=self.classname, url=url, private_for=uid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
377 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
378 # and add it to the user's query multilink |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
379 queries = self.db.user.get(self.userid, 'queries') |
|
2061
0eeecaac008a
query saving fix
Richard Jones <richard@users.sourceforge.net>
parents:
2052
diff
changeset
|
380 if qid not in queries: |
|
0eeecaac008a
query saving fix
Richard Jones <richard@users.sourceforge.net>
parents:
2052
diff
changeset
|
381 queries.append(qid) |
|
0eeecaac008a
query saving fix
Richard Jones <richard@users.sourceforge.net>
parents:
2052
diff
changeset
|
382 self.db.user.set(self.userid, queries=queries) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
383 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
384 # commit the query change to the database |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
385 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
386 |
| 5192 | 387 # This redirects to the index page. Add the @dispname |
| 388 # url param to the request so that the query name | |
| 389 # is displayed. | |
| 390 req.form.list.append( | |
| 391 cgi.MiniFieldStorage( | |
| 392 "@dispname", queryname | |
| 393 ) | |
| 394 ) | |
| 395 | |
| 396 | |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
397 def fakeFilterVars(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
398 """Add a faked :filter form variable for each filtering prop.""" |
|
3635
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
399 cls = self.db.classes[self.classname] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
400 for key in self.form: |
|
3635
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
401 prop = cls.get_transitive_prop(key) |
|
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
402 if not prop: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
403 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
404 if isinstance(self.form[key], type([])): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
405 # search for at least one entry which is not empty |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
406 for minifield in self.form[key]: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
407 if minifield.value: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
408 break |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
409 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
410 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
411 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
412 if not self.form[key].value: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
413 continue |
|
3635
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
414 if isinstance(prop, hyperdb.String): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
415 v = self.form[key].value |
|
5245
bc16d91b7a50
Fix token_split() so its one error throws ValueError w/out extra arg.
Eric S. Raymond <esr@thyrsus.com>
parents:
5217
diff
changeset
|
416 # If this ever has unbalanced quotes, hilarity will ensue |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
417 l = token.token_split(v) |
|
4037
0b89c94a2387
Robustify SearchAction.fakeFilterVars
Stefan Seefeld <stefan@seefeld.name>
parents:
4030
diff
changeset
|
418 if len(l) != 1 or l[0] != v: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
419 self.form.value.remove(self.form[key]) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
420 # replace the single value with the split list |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
421 for v in l: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
422 self.form.value.append(cgi.MiniFieldStorage(key, v)) |
|
5097
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
423 elif isinstance(prop, hyperdb.Number): |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
424 try: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
425 float(self.form[key].value) |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
426 except ValueError: |
|
5378
35ea9b1efc14
Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5356
diff
changeset
|
427 raise exceptions.FormError("Invalid number: "+self.form[key].value) |
|
5097
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
428 elif isinstance(prop, hyperdb.Integer): |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
429 try: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
430 val=self.form[key].value |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
431 if ( str(int(val)) == val ): |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
432 pass |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
433 else: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
434 raise ValueError |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
435 except ValueError: |
|
5378
35ea9b1efc14
Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5356
diff
changeset
|
436 raise exceptions.FormError("Invalid integer: "+val) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
437 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
438 self.form.value.append(cgi.MiniFieldStorage('@filter', key)) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
439 |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
440 def getCurrentURL(self, req): |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
441 """Get current URL for storing as a query. |
|
3805
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
442 |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
443 Note: We are removing the first character from the current URL, |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
444 because the leading '?' is not part of the query string. |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
445 |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
446 Implementation note: |
|
5173
4f99aad7e8e8
Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
447 We now store the template with the query if the template name is |
|
4f99aad7e8e8
Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
448 different from 'index' |
|
4f99aad7e8e8
Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
449 """ |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
450 template = self.getFromForm('template') |
|
5173
4f99aad7e8e8
Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
451 if template and template != 'index': |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
452 return req.indexargs_url('', {'@template' : template})[1:] |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
453 return req.indexargs_url('', {})[1:] |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
454 |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
455 def getFromForm(self, name): |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
456 for key in ('@' + name, ':' + name): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
457 if key in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
458 return self.form[key].value.strip() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
459 return '' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
460 |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
461 def getQueryName(self): |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
462 return self.getFromForm('queryname') |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
463 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
464 class EditCSVAction(Action): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
465 name = 'edit' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
466 permissionType = 'Edit' |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
467 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
468 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
469 """Performs an edit of all of a class' items in one go. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
470 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
471 The "rows" CGI var defines the CSV-formatted entries for the class. New |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
472 nodes are identified by the ID 'X' (or any other non-existent ID) and |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
473 removed lines are retired. |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
474 """ |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
475 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
476 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
477 raise Reject(self._('Invalid request')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
478 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
479 # figure the properties list for the class |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
480 cl = self.db.classes[self.classname] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
481 props_without_id = list(cl.getprops(protected=0)) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
482 |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
483 # the incoming CSV data will always have the properties in colums |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
484 # sorted and starting with the "id" column |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
485 props_without_id.sort() |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
486 props = ['id'] + props_without_id |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
487 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
488 # do the edit |
|
5452
b50a4c85c270
fixed incorrect usage of BytesIO
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5395
diff
changeset
|
489 rows = StringIO(self.form['rows'].value) |
|
3179
88dbe6b3d891
merge removal of rcsv
Richard Jones <richard@users.sourceforge.net>
parents:
3145
diff
changeset
|
490 reader = csv.reader(rows) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
491 found = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
492 line = 0 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
493 for values in reader: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
494 line += 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
495 if line == 1: continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
496 # skip property names header |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
497 if values == props: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
498 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
499 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
500 # extract the itemid |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
501 itemid, values = values[0], values[1:] |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
502 found[itemid] = 1 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
503 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
504 # see if the node exists |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
505 if itemid in ('x', 'X') or not cl.hasnode(itemid): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
506 exists = 0 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
507 |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
508 # check permission to create this item |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
509 if not self.hasPermission('Create', classname=self.classname): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
510 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
511 'You do not have permission to create %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
512 ) % {'class': self.classname}) |
|
4293
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
513 elif cl.hasnode(itemid) and cl.is_retired(itemid): |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
514 # If a CSV line just mentions an id and the corresponding |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
515 # item is retired, then the item is restored. |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
516 cl.restore(itemid) |
|
5515
cd0ceb2afdb8
fixed issue2550993 and added test case
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5503
diff
changeset
|
517 exists = 1 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
518 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
519 exists = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
520 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
521 # confirm correct weight |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
522 if len(props_without_id) != len(values): |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
523 self.client.add_error_message( |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
524 self._('Not enough values on line %(line)s')%{'line':line}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
525 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
526 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
527 # extract the new values |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
528 d = {} |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
529 for name, value in zip(props_without_id, values): |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
530 # check permission to edit this property on this item |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
531 if exists and not self.hasPermission('Edit', itemid=itemid, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
532 classname=self.classname, property=name): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
533 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
534 'You do not have permission to edit %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
535 ) % {'class': self.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
536 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
537 prop = cl.properties[name] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
538 value = value.strip() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
539 # only add the property if it has a value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
540 if value: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
541 # if it's a multilink, split it |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
542 if isinstance(prop, hyperdb.Multilink): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
543 value = value.split(':') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
544 elif isinstance(prop, hyperdb.Password): |
|
4486
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
545 value = password.Password(value, config=self.db.config) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
546 elif isinstance(prop, hyperdb.Interval): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
547 value = date.Interval(value) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
548 elif isinstance(prop, hyperdb.Date): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
549 value = date.Date(value) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
550 elif isinstance(prop, hyperdb.Boolean): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
551 value = value.lower() in ('yes', 'true', 'on', '1') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
552 elif isinstance(prop, hyperdb.Number): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
553 value = float(value) |
|
5067
e424987d294a
Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents:
5044
diff
changeset
|
554 elif isinstance(prop, hyperdb.Integer): |
|
e424987d294a
Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents:
5044
diff
changeset
|
555 value = int(value) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
556 d[name] = value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
557 elif exists: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
558 # nuke the existing value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
559 if isinstance(prop, hyperdb.Multilink): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
560 d[name] = [] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
561 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
562 d[name] = None |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
563 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
564 # perform the edit |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
565 if exists: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
566 # edit existing |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
567 cl.set(itemid, **d) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
568 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
569 # new node |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
570 found[cl.create(**d)] = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
571 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
572 # retire the removed entries |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
573 for itemid in cl.list(): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
574 if itemid not in found: |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
575 # check permission to retire this item |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
576 if not self.hasPermission('Retire', itemid=itemid, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
577 classname=self.classname): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
578 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
579 'You do not have permission to retire %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
580 ) % {'class': self.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
581 cl.retire(itemid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
582 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
583 # all OK |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
584 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
585 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
586 self.client.add_ok_message(self._('Items edited OK')) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
587 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
588 class EditCommon(Action): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
589 '''Utility methods for editing.''' |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
590 |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
591 def _editnodes(self, all_props, all_links): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
592 ''' Use the props in all_props to perform edit and creation, then |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
593 use the link specs in all_links to do linking. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
594 ''' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
595 # figure dependencies and re-work links |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
596 deps = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
597 links = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
598 for cn, nodeid, propname, vlist in all_links: |
|
3855
de4c2e538e06
Bug-Fix: File attachments from the web-interface didn't work.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3853
diff
changeset
|
599 numeric_id = int (nodeid or 0) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
600 if not (numeric_id > 0 or (cn, nodeid) in all_props): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
601 # link item to link to doesn't (and won't) exist |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
602 continue |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
603 |
|
3852
0dd05c9e5fff
New test for linking of non-existing and existing properties via a form.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3851
diff
changeset
|
604 for value in vlist: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
605 if value not in all_props: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
606 # link item to link to doesn't (and won't) exist |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
607 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
608 deps.setdefault((cn, nodeid), []).append(value) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
609 links.setdefault(value, []).append((cn, nodeid, propname)) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
610 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
611 # figure chained dependencies ordering |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
612 order = [] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
613 done = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
614 # loop detection |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
615 change = 0 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
616 while len(all_props) != len(done): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
617 for needed in all_props: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
618 if needed in done: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
619 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
620 tlist = deps.get(needed, []) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
621 for target in tlist: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
622 if target not in done: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
623 break |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
624 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
625 done[needed] = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
626 order.append(needed) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
627 change = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
628 if not change: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
629 raise ValueError('linking must not loop!') |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
630 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
631 # now, edit / create |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
632 m = [] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
633 for needed in order: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
634 props = all_props[needed] |
|
3851
5fe1f30f7f30
Bug-fix: In case we have a @link@ to an existing node...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3850
diff
changeset
|
635 cn, nodeid = needed |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
636 if props: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
637 if nodeid is not None and int(nodeid) > 0: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
638 # make changes to the node |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
639 props = self._changenode(cn, nodeid, props) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
640 |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
641 # and some nice feedback for the user |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
642 if props: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
643 info = ', '.join(map(self._, props)) |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
644 m.append( |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
645 self._('%(class)s %(id)s %(properties)s edited ok') |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
646 % {'class':cn, 'id':nodeid, 'properties':info}) |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
647 else: |
|
5251
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
648 # this used to produce a message like: |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
649 # issue34 - nothing changed |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
650 # which is confusing if only quiet properties |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
651 # changed for the class/id. So don't report |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
652 # anything is the user didn't explicitly change |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
653 # a visible (non-quiet) property. |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
654 pass |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
655 else: |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
656 assert props |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
657 |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
658 # make a new node |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
659 newid = self._createnode(cn, props) |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
660 if nodeid is None: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
661 self.nodeid = newid |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
662 nodeid = newid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
663 |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
664 # and some nice feedback for the user |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
665 m.append(self._('%(class)s %(id)s created') |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
666 % {'class':cn, 'id':newid}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
667 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
668 # fill in new ids in links |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
669 if needed in links: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
670 for linkcn, linkid, linkprop in links[needed]: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
671 props = all_props[(linkcn, linkid)] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
672 cl = self.db.classes[linkcn] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
673 propdef = cl.getprops()[linkprop] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
674 if linkprop not in props: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
675 if linkid is None or linkid.startswith('-'): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
676 # linking to a new item |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
677 if isinstance(propdef, hyperdb.Multilink): |
|
4304
df7a4400c2ce
Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4293
diff
changeset
|
678 props[linkprop] = [nodeid] |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
679 else: |
|
4304
df7a4400c2ce
Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4293
diff
changeset
|
680 props[linkprop] = nodeid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
681 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
682 # linking to an existing item |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
683 if isinstance(propdef, hyperdb.Multilink): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
684 existing = cl.get(linkid, linkprop)[:] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
685 existing.append(nodeid) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
686 props[linkprop] = existing |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
687 else: |
|
4304
df7a4400c2ce
Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4293
diff
changeset
|
688 props[linkprop] = nodeid |
|
4992
b562df8a5056
Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4880
diff
changeset
|
689 elif isinstance(propdef, hyperdb.Multilink): |
|
b562df8a5056
Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4880
diff
changeset
|
690 props[linkprop].append(nodeid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
691 |
|
4623
4f9c3858b671
Fix another XSS with the ok- and error message, see issue2550724.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4521
diff
changeset
|
692 return '\n'.join(m) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
693 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
694 def _changenode(self, cn, nodeid, props): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
695 """Change the node based on the contents of the form.""" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
696 # check for permission |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
697 if not self.editItemPermission(props, classname=cn, itemid=nodeid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
698 raise exceptions.Unauthorised(self._( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
699 'You do not have permission to edit %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
700 ) % {'class': cn}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
701 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
702 # make the changes |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
703 cl = self.db.classes[cn] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
704 return cl.set(nodeid, **props) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
705 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
706 def _createnode(self, cn, props): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
707 """Create a node based on the contents of the form.""" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
708 # check for permission |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
709 if not self.newItemPermission(props, classname=cn): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
710 raise exceptions.Unauthorised(self._( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
711 'You do not have permission to create %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
712 ) % {'class': cn}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
713 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
714 # create the node and return its id |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
715 cl = self.db.classes[cn] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
716 return cl.create(**props) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
717 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
718 def isEditingSelf(self): |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
719 """Check whether a user is editing his/her own details.""" |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
720 return (self.nodeid == self.userid |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
721 and self.db.user.get(self.nodeid, 'username') != 'anonymous') |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
722 |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
723 _cn_marker = [] |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
724 def editItemPermission(self, props, classname=_cn_marker, itemid=None): |
| 4030 | 725 """Determine whether the user has permission to edit this item.""" |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
726 if itemid is None: |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
727 itemid = self.nodeid |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
728 if classname is self._cn_marker: |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
729 classname = self.classname |
| 4030 | 730 # The user must have permission to edit each of the properties |
| 731 # being changed. | |
| 732 for p in props: | |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
733 if not self.hasPermission('Edit', itemid=itemid, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
734 classname=classname, property=p): |
| 4030 | 735 return 0 |
| 736 # Since the user has permission to edit all of the properties, | |
| 737 # the edit is OK. | |
| 738 return 1 | |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
739 |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
740 def newItemPermission(self, props, classname=None): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
741 """Determine whether the user has permission to create this item. |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
742 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
743 Base behaviour is to check the user can edit this class. No additional |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
744 property checks are made. |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
745 """ |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
746 |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
747 if not classname : |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
748 classname = self.client.classname |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
749 |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
750 if not self.hasPermission('Create', classname=classname): |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
751 return 0 |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
752 |
|
4310
8e0d350ce644
Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4304
diff
changeset
|
753 # Check Create permission for each property, to avoid being able |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
754 # to set restricted ones on new item creation |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
755 for key in props: |
|
4310
8e0d350ce644
Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4304
diff
changeset
|
756 if not self.hasPermission('Create', classname=classname, |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
757 property=key): |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
758 return 0 |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
759 return 1 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
760 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
761 class EditItemAction(EditCommon): |
|
2143
b29323f75718
wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents:
2136
diff
changeset
|
762 def lastUserActivity(self): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
763 if ':lastactivity' in self.form: |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
764 d = date.Date(self.form[':lastactivity'].value) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
765 elif '@lastactivity' in self.form: |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
766 d = date.Date(self.form['@lastactivity'].value) |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
767 else: |
|
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
768 return None |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
769 d.second = int(d.second) |
|
2264
9b34f41507ed
*** empty log message ***
Richard Jones <richard@users.sourceforge.net>
parents:
2260
diff
changeset
|
770 return d |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
771 |
|
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
772 def lastNodeActivity(self): |
|
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
773 cl = getattr(self.client.db, self.classname) |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
774 activity = cl.get(self.nodeid, 'activity').local(0) |
|
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
775 activity.second = int(activity.second) |
|
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
776 return activity |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
777 |
|
2143
b29323f75718
wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents:
2136
diff
changeset
|
778 def detectCollision(self, user_activity, node_activity): |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
779 '''Check for a collision and return the list of props we edited |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
780 that conflict.''' |
|
3188
7faae85e1e33
merge from branch
Richard Jones <richard@users.sourceforge.net>
parents:
3179
diff
changeset
|
781 if user_activity and user_activity < node_activity: |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
782 props, links = self.client.parsePropsFromForm() |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
783 key = (self.classname, self.nodeid) |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
784 # we really only collide for direct prop edit conflicts |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
785 return list(props[key]) |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
786 else: |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
787 return [] |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
788 |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
789 def handleCollision(self, props): |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
790 message = self._('Edit Error: someone else has edited this %s (%s). ' |
|
5322
875605281b02
Fix collision link to open in new window: target should be _blank not new.
John Rouillard <rouilj@ieee.org>
parents:
5319
diff
changeset
|
791 'View <a target="_blank" href="%s%s">their changes</a> ' |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
792 'in a new window.')%(self.classname, ', '.join(props), |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
793 self.classname, self.nodeid) |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
794 self.client.add_error_message(message, escape=False) |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
795 return |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
796 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
797 def handle(self): |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
798 """Perform an edit of an item in the database. |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
799 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
800 See parsePropsFromForm and _editnodes for special variables. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
801 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
802 """ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
803 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
804 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
805 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
806 |
|
2148
2490d26c88df
Line 485, lastUserActivity misspelled as lastUserActvity.
Brian Kelley <wc2so1@users.sourceforge.net>
parents:
2143
diff
changeset
|
807 user_activity = self.lastUserActivity() |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
808 if user_activity: |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
809 props = self.detectCollision(user_activity, self.lastNodeActivity()) |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
810 if props: |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
811 self.handleCollision(props) |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
812 return |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
813 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
814 props, links = self.client.parsePropsFromForm() |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
815 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
816 # handle the props |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
817 try: |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
818 message = self._editnodes(props, links) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
819 except (ValueError, KeyError, IndexError, Reject) as message: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
820 escape = not isinstance(message, RejectRaw) |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
821 self.client.add_error_message( |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
822 self._('Edit Error: %s') % str(message), escape=escape) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
823 return |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
824 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
825 # commit now that all the tricky stuff is done |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
826 self.db.commit() |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
827 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
828 # redirect to the item's edit page |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
829 # redirect to finish off |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
830 url = self.base + self.classname |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
831 # note that this action might have been called by an index page, so |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
832 # we will want to include index-page args in this URL too |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
833 if self.nodeid is not None: |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
834 url += self.nodeid |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
835 url += '?@ok_message=%s&@template=%s'%(urllib_.quote(message), |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
836 urllib_.quote(self.template)) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
837 if self.nodeid is None: |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
838 req = templating.HTMLRequest(self.client) |
|
3130
7308c3c5a943
docs editing from Jean Jordaan
Richard Jones <richard@users.sourceforge.net>
parents:
3073
diff
changeset
|
839 url += '&' + req.indexargs_url('', {})[1:] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
840 raise exceptions.Redirect(url) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
841 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
842 class NewItemAction(EditCommon): |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
843 def handle(self): |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
844 ''' Add a new item to the database. |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
845 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
846 This follows the same form as the EditItemAction, with the same |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
847 special form values. |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
848 ''' |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
849 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
850 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
851 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
852 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
853 # parse the props from the form |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
854 try: |
|
2107
b7404a96b58a
minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents:
2082
diff
changeset
|
855 props, links = self.client.parsePropsFromForm(create=1) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
856 except (ValueError, KeyError) as message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
857 self.client.add_error_message(self._('Error: %s') |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
858 % str(message)) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
859 return |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
860 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
861 # handle the props - edit or create |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
862 try: |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
863 # when it hits the None element, it'll set self.nodeid |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
864 messages = self._editnodes(props, links) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
865 except (ValueError, KeyError, IndexError, Reject) as message: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
866 escape = not isinstance(message, RejectRaw) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
867 # these errors might just be indicative of user dumbness |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
868 self.client.add_error_message(_('Error: %s') % str(message), |
|
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
869 escape=escape) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
870 return |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
871 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
872 # commit now that all the tricky stuff is done |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
873 self.db.commit() |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
874 |
|
5158
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
875 # Allow an option to stay on the page to create new things |
|
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
876 if '__redirect_to' in self.form: |
|
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
877 raise exceptions.Redirect('%s&@ok_message=%s'%( |
|
5162
3ee79a2d95d4
rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents:
5161
diff
changeset
|
878 self.examine_url(self.form['__redirect_to'].value), |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
879 urllib_.quote(messages))) |
|
5158
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
880 |
|
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
881 # otherwise redirect to the new item's page |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
882 raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % ( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
883 self.base, self.classname, self.nodeid, urllib_.quote(messages), |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
884 urllib_.quote(self.template))) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
885 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
886 class PassResetAction(Action): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
887 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
888 """Handle password reset requests. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
889 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
890 Presence of either "name" or "address" generates email. Presence of |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
891 "otk" performs the reset. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
892 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
893 """ |
|
2291
90cca653ef3d
otks manager missing [SF#952931]
Richard Jones <richard@users.sourceforge.net>
parents:
2264
diff
changeset
|
894 otks = self.db.getOTKManager() |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
895 if 'otk' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
896 # pull the rego information out of the otk database |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
897 otk = self.form['otk'].value |
|
3673
94b905502d26
removed traceback with OTK is used multiple times [SF#1240539]
Richard Jones <richard@users.sourceforge.net>
parents:
3635
diff
changeset
|
898 uid = otks.get(otk, 'uid', default=None) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
899 if uid is None: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
900 self.client.add_error_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
901 self._("Invalid One Time Key!\n" |
|
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
902 "(a Mozilla bug may cause this message " |
|
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
903 "to show up erroneously, please check your email)")) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
904 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
905 |
|
5092
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
906 # pull the additional email address if exist |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
907 uaddress = otks.get(otk, 'uaddress', default=None) |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
908 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
909 # re-open the database as "admin" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
910 if self.user != 'admin': |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
911 self.client.opendb('admin') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
912 self.db = self.client.db |
|
2372
c26bb78d2f0c
couple of bugfixes
Richard Jones <richard@users.sourceforge.net>
parents:
2362
diff
changeset
|
913 otks = self.db.getOTKManager() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
914 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
915 # change the password |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
916 newpw = password.generatePassword() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
917 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
918 cl = self.db.user |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
919 # XXX we need to make the "default" page be able to display errors! |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
920 try: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
921 # set the password |
|
4486
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
922 cl.set(uid, password=password.Password(newpw, config=self.db.config)) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
923 # clear the props from the otk database |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
924 otks.destroy(otk) |
|
5319
62de601bdf6f
Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5256
diff
changeset
|
925 otks.commit() |
| 5340 | 926 # commit the password change |
| 927 self.db.commit () | |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
928 except (ValueError, KeyError) as message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
929 self.client.add_error_message(str(message)) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
930 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
931 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
932 # user info |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
933 name = self.db.user.get(uid, 'username') |
|
5092
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
934 if uaddress is None: |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
935 address = self.db.user.get(uid, 'address') |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
936 else: |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
937 address = uaddress |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
938 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
939 # send the email |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
940 tracker_name = self.db.config.TRACKER_NAME |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
941 subject = 'Password reset for %s'%tracker_name |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
942 body = ''' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
943 The password has been reset for username "%(name)s". |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
944 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
945 Your password is now: %(password)s |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
946 '''%{'name': name, 'password': newpw} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
947 if not self.client.standard_message([address], subject, body): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
948 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
949 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
950 self.client.add_ok_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
951 self._('Password reset and email sent to %s') % address) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
952 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
953 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
954 # no OTK, so now figure the user |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
955 if 'username' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
956 name = self.form['username'].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
957 try: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
958 uid = self.db.user.lookup(name) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
959 except KeyError: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
960 self.client.add_error_message(self._('Unknown username')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
961 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
962 address = self.db.user.get(uid, 'address') |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
963 elif 'address' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
964 address = self.form['address'].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
965 uid = uidFromAddress(self.db, ('', address), create=0) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
966 if not uid: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
967 self.client.add_error_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
968 self._('Unknown email address')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
969 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
970 name = self.db.user.get(uid, 'username') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
971 else: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
972 self.client.add_error_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
973 self._('You need to specify a username or address')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
974 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
975 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
976 # generate the one-time-key and store the props for later |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
977 otk = ''.join([random_.choice(chars) for x in range(32)]) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
978 while otks.exists(otk): |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
979 otk = ''.join([random_.choice(chars) for x in range(32)]) |
|
5092
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
980 otks.set(otk, uid=uid, uaddress=address) |
|
5319
62de601bdf6f
Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5256
diff
changeset
|
981 otks.commit() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
982 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
983 # send the email |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
984 tracker_name = self.db.config.TRACKER_NAME |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
985 subject = 'Confirm reset of password for %s'%tracker_name |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
986 body = ''' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
987 Someone, perhaps you, has requested that the password be changed for your |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
988 username, "%(name)s". If you wish to proceed with the change, please follow |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
989 the link below: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
990 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
991 %(url)suser?@template=forgotten&@action=passrst&otk=%(otk)s |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
992 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
993 You should then receive another email with the new password. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
994 '''%{'name': name, 'tracker': tracker_name, 'url': self.base, 'otk': otk} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
995 if not self.client.standard_message([address], subject, body): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
996 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
997 |
|
5253
2d61e39b89c8
Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
998 if 'username' in self.form: |
|
2d61e39b89c8
Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
999 self.client.add_ok_message(self._('Email sent to primary notification address for %s.') % name) |
|
2d61e39b89c8
Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
1000 else: |
|
2d61e39b89c8
Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
1001 self.client.add_ok_message(self._('Email sent to %s.') % address) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1002 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
1003 class RegoCommon(Action): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1004 def finishRego(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1005 # log the new user in |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1006 self.client.userid = self.userid |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1007 user = self.client.user = self.db.user.get(self.userid, 'username') |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1008 # re-open the database for real, using the user |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1009 self.client.opendb(user) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1010 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1011 # update session data |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1012 self.client.session_api.set(user=user) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1013 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1014 # nice message |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
1015 message = self._('You are now registered, welcome!') |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1016 url = '%suser%s?@ok_message=%s'%(self.base, self.userid, |
|
4416
36d52125c9cf
fixed registration, issue2550665 (thanks Timo Paulssen)
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
1017 urllib_.quote(message)) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1018 |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1019 # redirect to the user's page (but not 302, as some email clients seem |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1020 # to want to reload the page, or something) |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1021 return '''<html><head><title>%s</title></head> |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1022 <body><p><a href="%s">%s</a></p> |
|
5217
17b213eab274
Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1023 <script nonce="%s" type="text/javascript"> |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1024 window.setTimeout('window.location = "%s"', 1000); |
|
5217
17b213eab274
Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1025 </script>'''%(message, url, message, |
|
17b213eab274
Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1026 self.client.client_nonce, url) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1027 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
1028 class ConfRegoAction(RegoCommon): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1029 def handle(self): |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1030 """Grab the OTK, use it to load up the new user details.""" |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1031 try: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1032 # pull the rego information out of the otk database |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1033 self.userid = self.db.confirm_registration(self.form['otk'].value) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
1034 except (ValueError, KeyError) as message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1035 self.client.add_error_message(str(message)) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1036 return |
|
3847
1a44e4bb2b54
Fix missing return value.
Stefan Seefeld <stefan@seefeld.name>
parents:
3805
diff
changeset
|
1037 return self.finishRego() |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1038 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
1039 class RegisterAction(RegoCommon, EditCommon): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
1040 name = 'register' |
| 4146 | 1041 permissionType = 'Register' |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
1042 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1043 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1044 """Attempt to create a new user based on the contents of the form |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1045 and then remember it in session. |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1046 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1047 Return 1 on successful login. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
1048 """ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1049 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1050 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1051 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1052 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1053 # parse the props from the form |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1054 try: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1055 props, links = self.client.parsePropsFromForm(create=1) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
1056 except (ValueError, KeyError) as message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1057 self.client.add_error_message(self._('Error: %s') |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1058 % str(message)) |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1059 return |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1060 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1061 # skip the confirmation step? |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1062 if self.db.config['INSTANT_REGISTRATION']: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1063 # handle the create now |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1064 try: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1065 # when it hits the None element, it'll set self.nodeid |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1066 messages = self._editnodes(props, links) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
1067 except (ValueError, KeyError, IndexError, Reject) as message: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1068 escape = not isinstance(message, RejectRaw) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1069 # these errors might just be indicative of user dumbness |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1070 self.client.add_error_message(_('Error: %s') % str(message), |
|
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1071 escape=escape) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1072 return |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1073 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1074 # fix up the initial roles |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1075 self.db.user.set(self.nodeid, |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1076 roles=self.db.config['NEW_WEB_USER_ROLES']) |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1077 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1078 # commit now that all the tricky stuff is done |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1079 self.db.commit() |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1080 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1081 # finish off by logging the user in |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1082 self.userid = self.nodeid |
|
3466
0ecd0062abfb
fix redirect after instant registration [SF#1381676]
Richard Jones <richard@users.sourceforge.net>
parents:
3418
diff
changeset
|
1083 return self.finishRego() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1084 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1085 # generate the one-time-key and store the props for later |
|
4334
1aef7a4e4e39
fix non-instant rego
Richard Jones <richard@users.sourceforge.net>
parents:
4329
diff
changeset
|
1086 user_props = props[('user', None)] |
|
5395
23b8e6067f7c
Python 3 preparation: update calls to dict methods.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5382
diff
changeset
|
1087 for propname, proptype in self.db.user.getprops().items(): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1088 value = user_props.get(propname, None) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1089 if value is None: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1090 pass |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1091 elif isinstance(proptype, hyperdb.Date): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1092 user_props[propname] = str(value) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1093 elif isinstance(proptype, hyperdb.Interval): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1094 user_props[propname] = str(value) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1095 elif isinstance(proptype, hyperdb.Password): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1096 user_props[propname] = str(value) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
1097 otks = self.db.getOTKManager() |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
1098 otk = ''.join([random_.choice(chars) for x in range(32)]) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
1099 while otks.exists(otk): |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
1100 otk = ''.join([random_.choice(chars) for x in range(32)]) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1101 otks.set(otk, **user_props) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1102 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1103 # send the email |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1104 tracker_name = self.db.config.TRACKER_NAME |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1105 tracker_email = self.db.config.TRACKER_EMAIL |
|
3469
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1106 if self.db.config['EMAIL_REGISTRATION_CONFIRMATION']: |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1107 subject = 'Complete your registration to %s -- key %s'%(tracker_name, |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1108 otk) |
|
3469
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1109 body = """To complete your registration of the user "%(name)s" with |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1110 %(tracker)s, please do one of the following: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1111 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1112 - send a reply to %(tracker_email)s and maintain the subject line as is (the |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1113 reply's additional "Re:" is ok), |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1114 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1115 - or visit the following URL: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1116 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1117 %(url)s?@action=confrego&otk=%(otk)s |
|
2108
54815ca493a5
add line to rego email to help URL detection [SF#906247]
Richard Jones <richard@users.sourceforge.net>
parents:
2107
diff
changeset
|
1118 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1119 """ % {'name': user_props['username'], 'tracker': tracker_name, |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1120 'url': self.base, 'otk': otk, 'tracker_email': tracker_email} |
|
3469
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1121 else: |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1122 subject = 'Complete your registration to %s'%(tracker_name) |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1123 body = """To complete your registration of the user "%(name)s" with |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1124 %(tracker)s, please visit the following URL: |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1125 |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1126 %(url)s?@action=confrego&otk=%(otk)s |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1127 |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1128 """ % {'name': user_props['username'], 'tracker': tracker_name, |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1129 'url': self.base, 'otk': otk} |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1130 if not self.client.standard_message([user_props['address']], subject, |
|
3604
ccf516e6c3f8
responses to user rego email [SF#1470254]
Richard Jones <richard@users.sourceforge.net>
parents:
3581
diff
changeset
|
1131 body, (tracker_name, tracker_email)): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1132 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1133 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1134 # commit changes to the database |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1135 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1136 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1137 # redirect to the "you're almost there" page |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1138 raise exceptions.Redirect('%suser?@template=rego_progress'%self.base) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1139 |
|
4329
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1140 def newItemPermission(self, props, classname=None): |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1141 """Just check the "Register" permission. |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1142 """ |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1143 # registration isn't allowed to supply roles |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1144 if 'roles' in props: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1145 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1146 "It is not permitted to supply roles at registration.")) |
|
4329
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1147 |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1148 # technically already checked, but here for clarity |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1149 return self.hasPermission('Register', classname=classname) |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1150 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1151 class LogoutAction(Action): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1152 def handle(self): |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1153 """Make us really anonymous - nuke the session too.""" |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1154 # log us out |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1155 self.client.make_user_anonymous() |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1156 self.client.session_api.destroy() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1157 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1158 # Let the user know what's going on |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1159 self.client.add_ok_message(self._('You are logged out')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1160 |
|
3264
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1161 # reset client context to render tracker home page |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1162 # instead of last viewed page (may be inaccessibe for anonymous) |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1163 self.client.classname = None |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1164 self.client.nodeid = None |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1165 self.client.template = None |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1166 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1167 # Redirect to a new page on logout. This regenerates |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1168 # CSRF tokens so they are associated with the |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1169 # anonymous user and not the user who logged out. If |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1170 # we don't the user gets an invalid CSRF token error |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1171 # As above choose the home page since everybody can |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1172 # see that. |
|
5378
35ea9b1efc14
Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5356
diff
changeset
|
1173 raise exceptions.Redirect(self.base) |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1174 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1175 class LoginAction(Action): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1176 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1177 """Attempt to log a user in. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1178 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1179 Sets up a session for the user which contains the login credentials. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1180 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1181 """ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1182 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1183 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1184 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1185 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1186 # we need the username at a minimum |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1187 if '__login_name' not in self.form: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1188 self.client.add_error_message(self._('Username required')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1189 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1190 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1191 # get the login info |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1192 self.client.user = self.form['__login_name'].value |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1193 if '__login_password' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1194 password = self.form['__login_password'].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1195 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1196 password = '' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1197 |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1198 if '__came_from' in self.form: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1199 # On valid or invalid login, redirect the user back to the page |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1200 # the started on. Searches, issue and other pages |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1201 # are all preserved in __came_from. Clean out any old feedback |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1202 # @error_message, @ok_message from the __came_from url. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1203 # |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1204 # 1. Split the url into components. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1205 # 2. Split the query string into parts. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1206 # 3. Delete @error_message and @ok_message if present. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1207 # 4. Define a new redirect_url missing the @...message entries. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1208 # This will be redefined if there is a login error to include |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1209 # a new error message |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
1210 |
|
5162
3ee79a2d95d4
rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents:
5161
diff
changeset
|
1211 clean_url = self.examine_url(self.form['__came_from'].value) |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
1212 redirect_url_tuple = urllib_.urlparse(clean_url) |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1213 # now I have a tuple form for the __came_from url |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1214 try: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1215 query=urllib_.parse_qs(redirect_url_tuple.query) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1216 if "@error_message" in query: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1217 del query["@error_message"] |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1218 if "@ok_message" in query: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1219 del query["@ok_message"] |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1220 if "@action" in query: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1221 # also remove the logout action from the redirect |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1222 # there is only ever one @action value. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1223 if query['@action'] == ["logout"]: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1224 del query["@action"] |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1225 except AttributeError: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1226 # no query param so nothing to remove. Just define. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1227 query = {} |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1228 pass |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1229 |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1230 redirect_url = urllib_.urlunparse( (redirect_url_tuple.scheme, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1231 redirect_url_tuple.netloc, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1232 redirect_url_tuple.path, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1233 redirect_url_tuple.params, |
|
5503
4f6e1ce89557
always encode query parameters in sorted order
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5488
diff
changeset
|
1234 urllib_.urlencode(list(sorted(query.items())), doseq=True), |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1235 redirect_url_tuple.fragment) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1236 ) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1237 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1238 try: |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1239 # Implement rate limiting of logins by login name. |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1240 # Use prefix to prevent key collisions maybe?? |
|
5772
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1241 # set client.db.config.WEB_LOGIN_ATTEMPTS_MIN to 0 |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1242 # to disable |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1243 if self.client.db.config.WEB_LOGIN_ATTEMPTS_MIN: # if 0 - off |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1244 rlkey="LOGIN-" + self.client.user |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1245 limit=self.loginLimit |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1246 gcra=Gcra() |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1247 otk=self.client.db.Otk |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1248 try: |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1249 val=otk.getall(rlkey) |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1250 gcra.set_tat_as_string(rlkey, val['tat']) |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1251 except KeyError: |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1252 # ignore if tat not set, it's 1970-1-1 by default. |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1253 pass |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1254 # see if rate limit exceeded and we need to reject the attempt |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1255 reject=gcra.update(rlkey, limit) |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1256 |
|
5772
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1257 # Calculate a timestamp that will make OTK expire the |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1258 # unused entry 1 hour in the future |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1259 ts = time.time() - (60 * 60 * 24 * 7) + 3600 |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1260 otk.set(rlkey, tat=gcra.get_tat_as_string(rlkey), |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1261 __timestamp=ts) |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1262 otk.commit() |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1263 |
|
5772
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1264 if reject: |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1265 # User exceeded limits: find out how long to wait |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1266 status=gcra.status(rlkey, limit) |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1267 raise Reject(_("Logins occurring too fast. Please wait: %d seconds.")%status['Retry-After']) |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1268 |
|
8dbe307bdb57
Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents:
5722
diff
changeset
|
1269 self.verifyLogin(self.client.user, password) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
1270 except exceptions.LoginError as err: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1271 self.client.make_user_anonymous() |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1272 for arg in err.args: |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1273 self.client.add_error_message(arg) |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1274 |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1275 if '__came_from' in self.form: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1276 # set a new error |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1277 query['@error_message'] = err.args |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1278 redirect_url = urllib_.urlunparse( (redirect_url_tuple.scheme, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1279 redirect_url_tuple.netloc, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1280 redirect_url_tuple.path, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1281 redirect_url_tuple.params, |
|
5503
4f6e1ce89557
always encode query parameters in sorted order
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5488
diff
changeset
|
1282 urllib_.urlencode(list(sorted(query.items())), doseq=True), |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1283 redirect_url_tuple.fragment ) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1284 ) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1285 raise exceptions.Redirect(redirect_url) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1286 # if no __came_from, send back to base url with error |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1287 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1288 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1289 # now we're OK, re-open the database for real, using the user |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1290 self.client.opendb(self.client.user) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1291 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1292 # save user in session |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1293 self.client.session_api.set(user=self.client.user) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1294 if 'remember' in self.form: |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1295 self.client.session_api.update(set_cookie=True, expire=24*3600*365) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1296 |
|
3418
9b8019f28158
remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents:
3382
diff
changeset
|
1297 # If we came from someplace, go back there |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1298 if '__came_from' in self.form: |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1299 raise exceptions.Redirect(redirect_url) |
|
3418
9b8019f28158
remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents:
3382
diff
changeset
|
1300 |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1301 def verifyLogin(self, username, password): |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1302 # make sure the user exists |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1303 try: |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1304 self.client.userid = self.db.user.lookup(username) |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1305 except KeyError: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1306 raise exceptions.LoginError(self._('Invalid login')) |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1307 |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1308 # verify the password |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1309 if not self.verifyPassword(self.client.userid, password): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1310 raise exceptions.LoginError(self._('Invalid login')) |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1311 |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1312 # Determine whether the user has permission to log in. |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1313 # Base behaviour is to check the user has "Web Access". |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1314 if not self.hasPermission("Web Access"): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1315 raise exceptions.LoginError(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1316 "You do not have permission to login")) |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1317 |
|
4484
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1318 def verifyPassword(self, userid, givenpw): |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1319 '''Verify the password that the user has supplied. |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1320 Optionally migrate to new password scheme if configured |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1321 ''' |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1322 db = self.db |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1323 stored = db.user.get(userid, 'password') |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1324 if givenpw == stored: |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1325 if db.config.WEB_MIGRATE_PASSWORDS and stored.needs_migration(): |
|
4486
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
1326 newpw = password.Password(givenpw, config=db.config) |
|
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
1327 db.user.set(userid, password=newpw) |
|
4484
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1328 db.commit() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1329 return 1 |
|
4484
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1330 if not givenpw and not stored: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1331 return 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1332 return 0 |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1333 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1334 class ExportCSVAction(Action): |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1335 name = 'export' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1336 permissionType = 'View' |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1337 list_sep = ';' # Separator for list types |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1338 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1339 def handle(self): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1340 ''' Export the specified search query as CSV. ''' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1341 # figure the request |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1342 request = templating.HTMLRequest(self.client) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1343 filterspec = request.filterspec |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1344 sort = request.sort |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1345 group = request.group |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1346 columns = request.columns |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1347 klass = self.db.getclass(request.classname) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1348 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1349 # check if all columns exist on class |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1350 # the exception must be raised before sending header |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1351 props = klass.getprops() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1352 for cname in columns: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1353 if cname not in props: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1354 # use error code 400: Bad Request. Do not use |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1355 # error code 404: Not Found. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1356 self.client.response_code = 400 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1357 raise exceptions.NotFound( |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1358 self._('Column "%(column)s" not found in %(class)s') |
|
5800
1a835db41674
Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents:
5772
diff
changeset
|
1359 % {'column': html_escape(cname), 'class': request.classname}) |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1360 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1361 # full-text search |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1362 if request.search_text: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1363 matches = self.db.indexer.search( |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1364 re.findall(r'\b\w{2,25}\b', request.search_text), klass) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1365 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1366 matches = None |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1367 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1368 header = self.client.additional_headers |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1369 header['Content-Type'] = 'text/csv; charset=%s' % self.client.charset |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1370 # some browsers will honor the filename here... |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1371 header['Content-Disposition'] = 'inline; filename=query.csv' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1372 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1373 self.client.header() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1374 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1375 if self.client.env['REQUEST_METHOD'] == 'HEAD': |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1376 # all done, return a dummy string |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1377 return 'dummy' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1378 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1379 wfile = self.client.request.wfile |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1380 if self.client.charset != self.client.STORAGE_CHARSET: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1381 wfile = codecs.EncodedFile(wfile, |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1382 self.client.STORAGE_CHARSET, self.client.charset, 'replace') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1383 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1384 writer = csv.writer(wfile) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1385 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1386 # handle different types of columns. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1387 def repr_no_right(cls, col): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1388 """User doesn't have the right to see the value of col.""" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1389 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1390 return "[hidden]" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1391 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1392 def repr_link(cls, col): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1393 """Generate a function which returns the string representation of |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1394 a link depending on `cls` and `col`.""" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1395 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1396 if arg == None: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1397 return "" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1398 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1399 return str(cls.get(arg, col)) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1400 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1401 def repr_list(cls, col): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1402 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1403 if arg == None: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1404 return "" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1405 elif type(arg) is list: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1406 seq = [str(cls.get(val, col)) for val in arg] |
|
5652
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1407 # python2/python 3 have different order in lists |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1408 # sort to not break tests |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1409 seq.sort() |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1410 return self.list_sep.join(seq) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1411 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1412 def repr_date(): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1413 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1414 if arg == None: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1415 return "" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1416 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1417 if (arg.local(self.db.getUserTimezone()).pretty('%H:%M') == |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1418 '00:00'): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1419 fmt = '%Y-%m-%d' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1420 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1421 fmt = '%Y-%m-%d %H:%M' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1422 return arg.local(self.db.getUserTimezone()).pretty(fmt) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1423 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1424 def repr_val(): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1425 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1426 if arg == None: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1427 return "" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1428 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1429 return str(arg) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1430 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1431 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1432 props = klass.getprops() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1433 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1434 # Determine translation map. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1435 ncols = [] |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1436 represent = {} |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1437 for col in columns: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1438 ncols.append(col) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1439 represent[col] = repr_val() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1440 if isinstance(props[col], hyperdb.Multilink): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1441 cname = props[col].classname |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1442 cclass = self.db.getclass(cname) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1443 represent[col] = repr_list(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1444 if not self.hasPermission(self.permissionType, classname=cname): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1445 represent[col] = repr_no_right(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1446 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1447 if 'name' in cclass.getprops(): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1448 represent[col] = repr_list(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1449 elif cname == 'user': |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1450 represent[col] = repr_list(cclass, 'realname') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1451 if isinstance(props[col], hyperdb.Link): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1452 cname = props[col].classname |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1453 cclass = self.db.getclass(cname) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1454 if not self.hasPermission(self.permissionType, classname=cname): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1455 represent[col] = repr_no_right(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1456 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1457 if 'name' in cclass.getprops(): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1458 represent[col] = repr_link(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1459 elif cname == 'user': |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1460 represent[col] = repr_link(cclass, 'realname') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1461 if isinstance(props[col], hyperdb.Date): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1462 represent[col] = repr_date() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1463 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1464 columns = ncols |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1465 # generate the CSV output |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1466 self.client._socket_op(writer.writerow, columns) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1467 # and search |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1468 for itemid in klass.filter(matches, filterspec, sort, group): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1469 row = [] |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1470 # don't put out a row of [hidden] fields if the user has |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1471 # no access to the issue. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1472 if not self.hasPermission(self.permissionType, itemid=itemid, |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1473 classname=request.classname): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1474 continue |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1475 for name in columns: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1476 # check permission for this property on this item |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1477 # TODO: Permission filter doesn't work for the 'user' class |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1478 if not self.hasPermission(self.permissionType, itemid=itemid, |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1479 classname=request.classname, property=name): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1480 repr_function = repr_no_right(request.classname, name) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1481 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1482 repr_function = represent[name] |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1483 row.append(repr_function(klass.get(itemid, name))) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1484 self.client._socket_op(writer.writerow, row) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1485 return '\n' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1486 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1487 class ExportCSVWithIdAction(Action): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1488 ''' A variation of ExportCSVAction that returns ID number rather than |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1489 names. This is the original csv export function. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1490 ''' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1491 name = 'export' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1492 permissionType = 'View' |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1493 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1494 def handle(self): |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1495 ''' Export the specified search query as CSV. ''' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1496 # figure the request |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
1497 request = templating.HTMLRequest(self.client) |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1498 filterspec = request.filterspec |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1499 sort = request.sort |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1500 group = request.group |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1501 columns = request.columns |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1502 klass = self.db.getclass(request.classname) |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1503 |
|
4624
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1504 # check if all columns exist on class |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1505 # the exception must be raised before sending header |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1506 props = klass.getprops() |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1507 for cname in columns: |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1508 if cname not in props: |
|
5165
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1509 # use error code 400: Bad Request. Do not use |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1510 # error code 404: Not Found. |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1511 self.client.response_code = 400 |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1512 raise exceptions.NotFound( |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1513 self._('Column "%(column)s" not found in %(class)s') |
|
5800
1a835db41674
Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents:
5772
diff
changeset
|
1514 % {'column': html_escape(cname), 'class': request.classname}) |
|
4624
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1515 |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1516 # full-text search |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1517 if request.search_text: |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1518 matches = self.db.indexer.search( |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1519 re.findall(r'\b\w{2,25}\b', request.search_text), klass) |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1520 else: |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1521 matches = None |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1522 |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
1523 h = self.client.additional_headers |
|
3499
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1524 h['Content-Type'] = 'text/csv; charset=%s' % self.client.charset |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1525 # some browsers will honor the filename here... |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1526 h['Content-Disposition'] = 'inline; filename=query.csv' |
|
2592
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1527 |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
1528 self.client.header() |
|
2592
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1529 |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1530 if self.client.env['REQUEST_METHOD'] == 'HEAD': |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1531 # all done, return a dummy string |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1532 return 'dummy' |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1533 |
|
3499
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1534 wfile = self.client.request.wfile |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1535 if self.client.charset != self.client.STORAGE_CHARSET: |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1536 wfile = codecs.EncodedFile(wfile, |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1537 self.client.STORAGE_CHARSET, self.client.charset, 'replace') |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1538 |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1539 writer = csv.writer(wfile) |
|
3987
c4f7b3817d3d
Prevent broken pipe errors in csv export (patch [SF#911449)
Richard Jones <richard@users.sourceforge.net>
parents:
3913
diff
changeset
|
1540 self.client._socket_op(writer.writerow, columns) |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1541 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1542 # and search |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1543 for itemid in klass.filter(matches, filterspec, sort, group): |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1544 row = [] |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1545 # FIXME should this code raise an exception if an item |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1546 # is included that can't be accessed? Enabling this |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1547 # check will just skip the row for the inaccessible item. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1548 # This makes it act more like the web interface. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1549 #if not self.hasPermission(self.permissionType, itemid=itemid, |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1550 # classname=request.classname): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1551 # continue |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1552 for name in columns: |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1553 # check permission to view this property on this item |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1554 if not self.hasPermission(self.permissionType, itemid=itemid, |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1555 classname=request.classname, property=name): |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1556 # FIXME: is this correct, or should we just |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1557 # emit a '[hidden]' string. Note that this may |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1558 # allow an attacker to figure out hidden schema |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1559 # properties. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1560 # A bad property name will result in an exception. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1561 # A valid property results in a column of '[hidden]' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1562 # values. |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1563 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1564 'You do not have permission to view %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1565 ) % {'class': request.classname}) |
|
5652
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1566 value = klass.get(itemid, name) |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1567 try: |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1568 # python2/python 3 have different order in lists |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1569 # sort to not break tests |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1570 value.sort() |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1571 except AttributeError: |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1572 pass # value is not sortable, probably str |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1573 row.append(str(value)) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1574 self.client._socket_op(writer.writerow, row) |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1575 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1576 return '\n' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1577 |
| 4083 | 1578 class Bridge(BaseAction): |
| 1579 """Make roundup.actions.Action executable via CGI request. | |
| 1580 | |
| 1581 Using this allows users to write actions executable from multiple frontends. | |
| 1582 CGI Form content is translated into a dictionary, which then is passed as | |
| 1583 argument to 'handle()'. XMLRPC requests have to pass this dictionary | |
| 1584 directly. | |
| 1585 """ | |
| 1586 | |
| 1587 def __init__(self, *args): | |
| 1588 | |
| 1589 # As this constructor is callable from multiple frontends, each with | |
| 1590 # different Action interfaces, we have to look at the arguments to | |
| 1591 # figure out how to complete construction. | |
| 1592 if (len(args) == 1 and | |
| 1593 hasattr(args[0], '__class__') and | |
| 1594 args[0].__class__.__name__ == 'Client'): | |
| 1595 self.cgi = True | |
| 1596 self.execute = self.execute_cgi | |
| 1597 self.client = args[0] | |
| 1598 self.form = self.client.form | |
| 1599 else: | |
| 1600 self.cgi = False | |
| 1601 | |
| 1602 def execute_cgi(self): | |
| 1603 args = {} | |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1604 for key in self.form: |
| 4083 | 1605 args[key] = self.form.getvalue(key) |
| 1606 self.permission(args) | |
| 1607 return self.handle(args) | |
| 1608 | |
| 1609 def permission(self, args): | |
| 1610 """Raise Unauthorised if the current user is not allowed to execute | |
| 1611 this action. Users may override this method.""" | |
|
4118
878767b75e1d
fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents:
4112
diff
changeset
|
1612 |
| 4083 | 1613 pass |
| 1614 | |
| 1615 def handle(self, args): | |
|
4118
878767b75e1d
fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents:
4112
diff
changeset
|
1616 |
| 4083 | 1617 raise NotImplementedError |
| 1618 | |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
1619 # vim: set filetype=python sts=4 sw=4 et si : |