Mercurial > p > roundup > code

annotate roundup/cgi/actions.py @ 5256:3639f4b55936

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Issue2550716 Email address displayed after password reset request (fix) Change the message displayed upon password reset using an account name to no longer expose the email address. Password reset triggered using an email address will still display the user supplied email address.
author John Rouillard <rouilj@ieee.org>
date Sat, 26 Aug 2017 20:48:57 -0400
parents 28b6bfd303c3 2d61e39b89c8
children 62de601bdf6f
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1 import re, cgi, time, random, csv, codecs
5044
dce3cfe7ec61 Remove roundup.anypy.io_
John Kristensen <john@jerrykan.com>
parents: 5010
diff changeset
2 from io import BytesIO
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
3
3188
7faae85e1e33 merge from branch
Richard Jones <richard@users.sourceforge.net>
parents: 3179
diff changeset
4 from roundup import hyperdb, token, date, password
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
5 from roundup.actions import Action as BaseAction
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
6 from roundup.i18n import _
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
7 from roundup.cgi import exceptions, templating
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
8 from roundup.mailgw import uidFromAddress
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
9 from roundup.exceptions import Reject, RejectRaw
5044
dce3cfe7ec61 Remove roundup.anypy.io_
John Kristensen <john@jerrykan.com>
parents: 5010
diff changeset
10 from roundup.anypy import urllib_
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
11
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
12 # Also add action to client.py::Client.actions property
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
13 __all__ = ['Action', 'ShowAction', 'RetireAction', 'RestoreAction', 'SearchAction',
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
14 'EditCSVAction', 'EditItemAction', 'PassResetAction',
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
15 'ConfRegoAction', 'RegisterAction', 'LoginAction', 'LogoutAction',
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
16 'NewItemAction', 'ExportCSVAction']
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
17
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
18 # used by a couple of routines
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
19 chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
20
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
21 class Action:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
22 def __init__(self, client):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
23 self.client = client
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
24 self.form = client.form
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
25 self.db = client.db
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
26 self.nodeid = client.nodeid
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
27 self.template = client.template
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
28 self.classname = client.classname
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
29 self.userid = client.userid
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
30 self.base = client.base
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
31 self.user = client.user
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
32 self.context = templating.context(client)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
33
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
34 def handle(self):
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
35 """Action handler procedure"""
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
36 raise NotImplementedError
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
37
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
38 def execute(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
39 """Execute the action specified by this object."""
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
40 self.permission()
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
41 return self.handle()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
42
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
43 def examine_url(self, url):
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
44 '''Return URL validated to be under self.base and properly escaped
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
45
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
46 If url not properly escaped or validation fails raise ValueError.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
47
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
48 To try to prevent XSS attacks, validate that the url that is
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
49 passed in is under self.base for the tracker. This is used to
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
50 clean up "__came_from" and "__redirect_to" form variables used
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
51 by the LoginAction and NewItemAction actions.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
52
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
53 The url that is passed in must be a properly url quoted
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
54 argument. I.E. all characters that are not valid according to
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
55 RFC3986 must be % encoded. Schema should be lower case.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
56
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
57 It parses the passed url into components.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
58
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
59 It verifies that the scheme is http or https (so a redirect can
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
60 force https even if normal access to the tracker is via http).
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
61 Validates that the network component is the same as in self.base.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
62 Validates that the path component in the base url starts the url's
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
63 path component. It not it raises ValueError. If everything
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
64 validates:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
65
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
66 For each component, Appendix A of RFC 3986 says the following
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
67 are allowed:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
68
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
69 pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
70 query = *( pchar / "/" / "?" )
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
71 unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
72 pct-encoded = "%" HEXDIG HEXDIG
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
73 sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
74 / "*" / "+" / "," / ";" / "="
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
75
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
76 Checks all parts with a regexp that matches any run of 0 or
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
77 more allowed characters. If the component doesn't validate,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
78 raise ValueError. Don't attempt to urllib_.quote it. Either
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
79 it's correct as it comes in or it's a ValueError.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
80
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
81 Finally paste the whole thing together and return the new url.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
82 '''
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
83
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
84 parsed_url_tuple = urllib_.urlparse(url)
5164
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
85 if self.base:
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
86 parsed_base_url_tuple = urllib_.urlparse(self.base)
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
87 else:
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
88 raise ValueError(self._("Base url not set. Check configuration."))
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
89
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
90 info={ 'url': url,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
91 'base_url': self.base,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
92 'base_scheme': parsed_base_url_tuple.scheme,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
93 'base_netloc': parsed_base_url_tuple.netloc,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
94 'base_path': parsed_base_url_tuple.path,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
95 'url_scheme': parsed_url_tuple.scheme,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
96 'url_netloc': parsed_url_tuple.netloc,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
97 'url_path': parsed_url_tuple.path,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
98 'url_params': parsed_url_tuple.params,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
99 'url_query': parsed_url_tuple.query,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
100 'url_fragment': parsed_url_tuple.fragment }
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
101
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
102 if parsed_base_url_tuple.scheme == "https":
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
103 if parsed_url_tuple.scheme != "https":
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
104 raise ValueError(self._("Base url %(base_url)s requires https. Redirect url %(url)s uses http.")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
105 else:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
106 if parsed_url_tuple.scheme not in ('http', 'https'):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
107 raise ValueError(self._("Unrecognized scheme in %(url)s")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
108
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
109 if parsed_url_tuple.netloc <> parsed_base_url_tuple.netloc:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
110 raise ValueError(self._("Net location in %(url)s does not match base: %(base_netloc)s")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
111
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
112 if parsed_url_tuple.path.find(parsed_base_url_tuple.path) <> 0:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
113 raise ValueError(self._("Base path %(base_path)s is not a prefix for url %(url)s")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
114
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
115 # I am not sure if this has to be language sensitive.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
116 # Do ranges depend on the LANG of the user??
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
117 # Is there a newer spec for URI's than what I am referencing?
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
118
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
119 # Also it really should be % HEXDIG HEXDIG that's allowed
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
120 # If %%% passes, the roundup server should be able to ignore/
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
121 # quote it so it doesn't do anything bad otherwise we have a
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
122 # different vector to handle.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
123 allowed_pattern = re.compile(r'''^[A-Za-z0-9@:/?._~%!$&'()*+,;=-]*$''')
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
124
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
125 if not allowed_pattern.match(parsed_url_tuple.path):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
126 raise ValueError(self._("Path component (%(url_path)s) in %(url)s is not properly escaped")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
127
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
128 if not allowed_pattern.match(parsed_url_tuple.params):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
129 raise ValueError(self._("Params component (%(url_params)s) in %(url)s is not properly escaped")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
130
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
131 if not allowed_pattern.match(parsed_url_tuple.query):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
132 raise ValueError(self._("Query component (%(url_query)s) in %(url)s is not properly escaped")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
133
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
134 if not allowed_pattern.match(parsed_url_tuple.fragment):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
135 raise ValueError(self._("Fragment component (%(url_fragment)s) in %(url)s is not properly escaped")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
136
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
137 return(urllib_.urlunparse(parsed_url_tuple))
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
138
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
139 name = ''
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
140 permissionType = None
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
141 def permission(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
142 """Check whether the user has permission to execute this action.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
143
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
144 True by default. If the permissionType attribute is a string containing
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
145 a simple permission, check whether the user has that permission.
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
146 Subclasses must also define the name attribute if they define
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
147 permissionType.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
148
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
149 Despite having this permission, users may still be unauthorised to
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
150 perform parts of actions. It is up to the subclasses to detect this.
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
151 """
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
152 if (self.permissionType and
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
153 not self.hasPermission(self.permissionType)):
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
154 info = {'action': self.name, 'classname': self.classname}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
155 raise exceptions.Unauthorised(self._(
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
156 'You do not have permission to '
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
157 '%(action)s the %(classname)s class.')%info)
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
158
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
159 _marker = []
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
160 def hasPermission(self, permission, classname=_marker, itemid=None, property=None):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
161 """Check whether the user has 'permission' on the current class."""
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
162 if classname is self._marker:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
163 classname = self.client.classname
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
164 return self.db.security.hasPermission(permission, self.client.userid,
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
165 classname=classname, itemid=itemid, property=property)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
166
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
167 def gettext(self, msgid):
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
168 """Return the localized translation of msgid"""
2563
420d5c2a49d9 use client.translator instead of static translationService;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2553
diff changeset
169 return self.client.translator.gettext(msgid)
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
170
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
171 _ = gettext
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
172
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
173 class ShowAction(Action):
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
174
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
175 typere=re.compile('[@:]type')
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
176 numre=re.compile('[@:]number')
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
177
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
178 def handle(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
179 """Show a node of a particular class/id."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
180 t = n = ''
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
181 for key in self.form:
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
182 if self.typere.match(key):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
183 t = self.form[key].value.strip()
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
184 elif self.numre.match(key):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
185 n = self.form[key].value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
186 if not t:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
187 raise ValueError(self._('No type specified'))
2052
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
188 if not n:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
189 raise exceptions.SeriousError(self._('No ID entered'))
2052
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
190 try:
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
191 int(n)
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
192 except ValueError:
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
193 d = {'input': n, 'classname': t}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
194 raise exceptions.SeriousError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
195 '"%(input)s" is not an ID (%(classname)s ID required)')%d)
2183
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2169
diff changeset
196 url = '%s%s%s'%(self.base, t, n)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
197 raise exceptions.Redirect(url)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
198
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
199 class RetireAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
200 name = 'retire'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
201 permissionType = 'Edit'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
202
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
203 def handle(self):
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
204 """Retire the context item."""
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
205 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
206 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
207 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
208
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
209 # if we want to view the index template now, then unset the itemid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
210 # context info (a special-case for retire actions on the index page)
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
211 itemid = self.nodeid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
212 if self.template == 'index':
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
213 self.client.nodeid = None
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
214
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
215 # make sure we don't try to retire admin or anonymous
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
216 if self.classname == 'user' and \
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
217 self.db.user.get(itemid, 'username') in ('admin', 'anonymous'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
218 raise ValueError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
219 'You may not retire the admin or anonymous user'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
220
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
221 # check permission
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
222 if not self.hasPermission('Retire', classname=self.classname,
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
223 itemid=itemid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
224 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
225 'You do not have permission to retire %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
226 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
227
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
228 # do the retire
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
229 self.db.getclass(self.classname).retire(itemid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
230 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
231
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
232 self.client.add_ok_message(
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
233 self._('%(classname)s %(itemid)s has been retired')%{
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
234 'classname': self.classname.capitalize(), 'itemid': itemid})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
235
3473
370bb8f3c4d1 fix permission check on RetireAction [SF#1407342]
Richard Jones <richard@users.sourceforge.net>
parents: 3469
diff changeset
236
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
237 class RestoreAction(Action):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
238 name = 'restore'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
239 permissionType = 'Edit'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
240
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
241 def handle(self):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
242 """Restore the context item."""
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
243 # ensure modification comes via POST
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
244 if self.client.env['REQUEST_METHOD'] != 'POST':
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
245 raise Reject(self._('Invalid request'))
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
246
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
247 # if we want to view the index template now, then unset the itemid
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
248 # context info (a special-case for retire actions on the index page)
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
249 itemid = self.nodeid
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
250 if self.template == 'index':
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
251 self.client.nodeid = None
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
252
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
253 # check permission
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
254 if not self.hasPermission('Restore', classname=self.classname,
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
255 itemid=itemid):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
256 raise exceptions.Unauthorised(self._(
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
257 'You do not have permission to restore %(class)s'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
258 ) % {'class': self.classname})
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
259
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
260 # do the restore
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
261 self.db.getclass(self.classname).restore(itemid)
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
262 self.db.commit()
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
263
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
264 self.client.add_ok_message(
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
265 self._('%(classname)s %(itemid)s has been restored')%{
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
266 'classname': self.classname.capitalize(), 'itemid': itemid})
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
267
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
268
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
269 class SearchAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
270 name = 'search'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
271 permissionType = 'View'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
272
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
273 def handle(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
274 """Mangle some of the form variables.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
275
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
276 Set the form ":filter" variable based on the values of the filter
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
277 variables - if they're set to anything other than "dontcare" then add
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
278 them to :filter.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
279
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
280 Handle the ":queryname" variable and save off the query to the user's
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
281 query list.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
282
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
283 Split any String query values on whitespace and comma.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
284
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
285 """
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
286 self.fakeFilterVars()
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
287 queryname = self.getQueryName()
3913
00896a2acaa5 clean up query display of "Private to you" items
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3855
diff changeset
288
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
289 # editing existing query name?
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
290 old_queryname = self.getFromForm('old-queryname')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
291
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
292 # handle saving the query params
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
293 if queryname:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
294 # parse the environment and figure what the query _is_
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
295 req = templating.HTMLRequest(self.client)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
296
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
297 url = self.getCurrentURL(req)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
298
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
299 key = self.db.query.getkey()
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
300 if key:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
301 # edit the old way, only one query per name
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
302 # Note that use of queryname as key will automatically
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
303 # raise an error if there are duplicate names.
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
304 try:
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
305 qid = self.db.query.lookup(old_queryname)
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
306 if not self.hasPermission('Edit', 'query', itemid=qid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
307 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
308 "You do not have permission to edit queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
309 self.db.query.set(qid, klass=self.classname, url=url)
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
310 except KeyError:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
311 # create a query
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
312 if not self.hasPermission('Create', 'query'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
313 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
314 "You do not have permission to store queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
315 qid = self.db.query.create(name=queryname,
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
316 klass=self.classname, url=url)
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
317 else:
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
318 uid = self.db.getuid()
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
319
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
320 # if the queryname is being changed from the old
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
321 # (original) value, make sure new queryname is not
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
322 # already in use by user.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
323 # if in use, return to edit/search screen and let
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
324 # user change it.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
325
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
326 if old_queryname != queryname:
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
327 # we have a name change
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
328 qids = self.db.query.filter(None, {'name': queryname,
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
329 'creator': uid})
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
330 for qid in qids:
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
331 # require an exact name match
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
332 if queryname != self.db.query.get(qid, 'name'):
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
333 continue
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
334 # whoops we found a duplicate; report error and return
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
335 message=_("You already own a query named '%s'. Please choose another name.")%(queryname)
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
336 self.client.add_error_message(message)
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
337 return
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
338
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
339 # edit the new way, query name not a key any more
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
340 # see if we match an existing private query
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
341 qids = self.db.query.filter(None, {'name': old_queryname,
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
342 'private_for': uid})
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
343 if not qids:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
344 # ok, so there's not a private query for the current user
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
345 # - see if there's one created by them
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
346 qids = self.db.query.filter(None, {'name': old_queryname,
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
347 'creator': uid})
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
348
3581
d10008f756a4 fix saving of queries [SF#1436169]
Richard Jones <richard@users.sourceforge.net>
parents: 3549
diff changeset
349 if qids and old_queryname:
2362
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
350 # edit query - make sure we get an exact match on the name
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
351 for qid in qids:
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
352 if old_queryname != self.db.query.get(qid, 'name'):
2362
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
353 continue
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
354 if not self.hasPermission('Edit', 'query', itemid=qid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
355 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
356 "You do not have permission to edit queries"))
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
357 self.db.query.set(qid, klass=self.classname,
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
358 url=url, name=queryname)
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
359 else:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
360 # create a query
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
361 if not self.hasPermission('Create', 'query'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
362 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
363 "You do not have permission to store queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
364 qid = self.db.query.create(name=queryname,
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
365 klass=self.classname, url=url, private_for=uid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
366
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
367 # and add it to the user's query multilink
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
368 queries = self.db.user.get(self.userid, 'queries')
2061
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
369 if qid not in queries:
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
370 queries.append(qid)
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
371 self.db.user.set(self.userid, queries=queries)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
372
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
373 # commit the query change to the database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
374 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
375
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
376 # This redirects to the index page. Add the @dispname
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
377 # url param to the request so that the query name
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
378 # is displayed.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
379 req.form.list.append(
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
380 cgi.MiniFieldStorage(
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
381 "@dispname", queryname
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
382 )
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
383 )
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
384
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
385
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
386 def fakeFilterVars(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
387 """Add a faked :filter form variable for each filtering prop."""
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
388 cls = self.db.classes[self.classname]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
389 for key in self.form:
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
390 prop = cls.get_transitive_prop(key)
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
391 if not prop:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
392 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
393 if isinstance(self.form[key], type([])):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
394 # search for at least one entry which is not empty
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
395 for minifield in self.form[key]:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
396 if minifield.value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
397 break
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
398 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
399 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
400 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
401 if not self.form[key].value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
402 continue
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
403 if isinstance(prop, hyperdb.String):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
404 v = self.form[key].value
5245
bc16d91b7a50 Fix token_split() so its one error throws ValueError w/out extra arg.
Eric S. Raymond <esr@thyrsus.com>
parents: 5217
diff changeset
405 # If this ever has unbalanced quotes, hilarity will ensue
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
406 l = token.token_split(v)
4037
0b89c94a2387 Robustify SearchAction.fakeFilterVars
Stefan Seefeld <stefan@seefeld.name>
parents: 4030
diff changeset
407 if len(l) != 1 or l[0] != v:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
408 self.form.value.remove(self.form[key])
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
409 # replace the single value with the split list
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
410 for v in l:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
411 self.form.value.append(cgi.MiniFieldStorage(key, v))
5097
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
412 elif isinstance(prop, hyperdb.Number):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
413 try:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
414 float(self.form[key].value)
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
415 except ValueError:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
416 raise exceptions.FormError, "Invalid number: "+self.form[key].value
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
417 elif isinstance(prop, hyperdb.Integer):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
418 try:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
419 val=self.form[key].value
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
420 if ( str(int(val)) == val ):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
421 pass
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
422 else:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
423 raise ValueError
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
424 except ValueError:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
425 raise exceptions.FormError, "Invalid integer: "+val
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
426
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
427 self.form.value.append(cgi.MiniFieldStorage('@filter', key))
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
428
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
429 def getCurrentURL(self, req):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
430 """Get current URL for storing as a query.
3805
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
431
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
432 Note: We are removing the first character from the current URL,
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
433 because the leading '?' is not part of the query string.
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
434
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
435 Implementation note:
5173
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
436 We now store the template with the query if the template name is
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
437 different from 'index'
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
438 """
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
439 template = self.getFromForm('template')
5173
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
440 if template and template != 'index':
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
441 return req.indexargs_url('', {'@template' : template})[1:]
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
442 return req.indexargs_url('', {})[1:]
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
443
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
444 def getFromForm(self, name):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
445 for key in ('@' + name, ':' + name):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
446 if key in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
447 return self.form[key].value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
448 return ''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
449
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
450 def getQueryName(self):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
451 return self.getFromForm('queryname')
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
452
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
453 class EditCSVAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
454 name = 'edit'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
455 permissionType = 'Edit'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
456
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
457 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
458 """Performs an edit of all of a class' items in one go.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
459
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
460 The "rows" CGI var defines the CSV-formatted entries for the class. New
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
461 nodes are identified by the ID 'X' (or any other non-existent ID) and
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
462 removed lines are retired.
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
463 """
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
464 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
465 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
466 raise Reject(self._('Invalid request'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
467
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
468 # figure the properties list for the class
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
469 cl = self.db.classes[self.classname]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
470 props_without_id = list(cl.getprops(protected=0))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
471
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
472 # the incoming CSV data will always have the properties in colums
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
473 # sorted and starting with the "id" column
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
474 props_without_id.sort()
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
475 props = ['id'] + props_without_id
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
476
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
477 # do the edit
5044
dce3cfe7ec61 Remove roundup.anypy.io_
John Kristensen <john@jerrykan.com>
parents: 5010
diff changeset
478 rows = BytesIO(self.form['rows'].value)
3179
88dbe6b3d891 merge removal of rcsv
Richard Jones <richard@users.sourceforge.net>
parents: 3145
diff changeset
479 reader = csv.reader(rows)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
480 found = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
481 line = 0
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
482 for values in reader:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
483 line += 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
484 if line == 1: continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
485 # skip property names header
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
486 if values == props:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
487 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
488
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
489 # extract the itemid
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
490 itemid, values = values[0], values[1:]
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
491 found[itemid] = 1
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
492
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
493 # see if the node exists
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
494 if itemid in ('x', 'X') or not cl.hasnode(itemid):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
495 exists = 0
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
496
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
497 # check permission to create this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
498 if not self.hasPermission('Create', classname=self.classname):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
499 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
500 'You do not have permission to create %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
501 ) % {'class': self.classname})
4293
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
502 elif cl.hasnode(itemid) and cl.is_retired(itemid):
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
503 # If a CSV line just mentions an id and the corresponding
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
504 # item is retired, then the item is restored.
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
505 cl.restore(itemid)
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
506 continue
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
507 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
508 exists = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
509
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
510 # confirm correct weight
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
511 if len(props_without_id) != len(values):
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
512 self.client.add_error_message(
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
513 self._('Not enough values on line %(line)s')%{'line':line})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
514 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
515
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
516 # extract the new values
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
517 d = {}
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
518 for name, value in zip(props_without_id, values):
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
519 # check permission to edit this property on this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
520 if exists and not self.hasPermission('Edit', itemid=itemid,
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
521 classname=self.classname, property=name):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
522 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
523 'You do not have permission to edit %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
524 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
525
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
526 prop = cl.properties[name]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
527 value = value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
528 # only add the property if it has a value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
529 if value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
530 # if it's a multilink, split it
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
531 if isinstance(prop, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
532 value = value.split(':')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
533 elif isinstance(prop, hyperdb.Password):
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
534 value = password.Password(value, config=self.db.config)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
535 elif isinstance(prop, hyperdb.Interval):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
536 value = date.Interval(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
537 elif isinstance(prop, hyperdb.Date):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
538 value = date.Date(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
539 elif isinstance(prop, hyperdb.Boolean):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
540 value = value.lower() in ('yes', 'true', 'on', '1')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
541 elif isinstance(prop, hyperdb.Number):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
542 value = float(value)
5067
e424987d294a Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents: 5044
diff changeset
543 elif isinstance(prop, hyperdb.Integer):
e424987d294a Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents: 5044
diff changeset
544 value = int(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
545 d[name] = value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
546 elif exists:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
547 # nuke the existing value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
548 if isinstance(prop, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
549 d[name] = []
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
550 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
551 d[name] = None
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
552
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
553 # perform the edit
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
554 if exists:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
555 # edit existing
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
556 cl.set(itemid, **d)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
557 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
558 # new node
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
559 found[cl.create(**d)] = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
560
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
561 # retire the removed entries
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
562 for itemid in cl.list():
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
563 if itemid not in found:
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
564 # check permission to retire this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
565 if not self.hasPermission('Retire', itemid=itemid,
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
566 classname=self.classname):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
567 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
568 'You do not have permission to retire %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
569 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
570 cl.retire(itemid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
571
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
572 # all OK
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
573 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
574
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
575 self.client.add_ok_message(self._('Items edited OK'))
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
576
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
577 class EditCommon(Action):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
578 '''Utility methods for editing.'''
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
579
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
580 def _editnodes(self, all_props, all_links):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
581 ''' Use the props in all_props to perform edit and creation, then
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
582 use the link specs in all_links to do linking.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
583 '''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
584 # figure dependencies and re-work links
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
585 deps = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
586 links = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
587 for cn, nodeid, propname, vlist in all_links:
3855
de4c2e538e06 Bug-Fix: File attachments from the web-interface didn't work.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3853
diff changeset
588 numeric_id = int (nodeid or 0)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
589 if not (numeric_id > 0 or (cn, nodeid) in all_props):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
590 # link item to link to doesn't (and won't) exist
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
591 continue
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
592
3852
0dd05c9e5fff New test for linking of non-existing and existing properties via a form.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3851
diff changeset
593 for value in vlist:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
594 if value not in all_props:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
595 # link item to link to doesn't (and won't) exist
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
596 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
597 deps.setdefault((cn, nodeid), []).append(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
598 links.setdefault(value, []).append((cn, nodeid, propname))
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
599
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
600 # figure chained dependencies ordering
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
601 order = []
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
602 done = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
603 # loop detection
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
604 change = 0
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
605 while len(all_props) != len(done):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
606 for needed in all_props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
607 if needed in done:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
608 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
609 tlist = deps.get(needed, [])
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
610 for target in tlist:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
611 if target not in done:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
612 break
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
613 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
614 done[needed] = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
615 order.append(needed)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
616 change = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
617 if not change:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
618 raise ValueError('linking must not loop!')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
619
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
620 # now, edit / create
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
621 m = []
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
622 for needed in order:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
623 props = all_props[needed]
3851
5fe1f30f7f30 Bug-fix: In case we have a @link@ to an existing node...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3850
diff changeset
624 cn, nodeid = needed
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
625 if props:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
626 if nodeid is not None and int(nodeid) > 0:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
627 # make changes to the node
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
628 props = self._changenode(cn, nodeid, props)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
629
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
630 # and some nice feedback for the user
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
631 if props:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
632 info = ', '.join(map(self._, props))
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
633 m.append(
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
634 self._('%(class)s %(id)s %(properties)s edited ok')
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
635 % {'class':cn, 'id':nodeid, 'properties':info})
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
636 else:
5251
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
637 # this used to produce a message like:
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
638 # issue34 - nothing changed
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
639 # which is confusing if only quiet properties
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
640 # changed for the class/id. So don't report
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
641 # anything is the user didn't explicitly change
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
642 # a visible (non-quiet) property.
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
643 pass
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
644 else:
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
645 assert props
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
646
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
647 # make a new node
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
648 newid = self._createnode(cn, props)
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
649 if nodeid is None:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
650 self.nodeid = newid
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
651 nodeid = newid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
652
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
653 # and some nice feedback for the user
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
654 m.append(self._('%(class)s %(id)s created')
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
655 % {'class':cn, 'id':newid})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
656
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
657 # fill in new ids in links
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
658 if needed in links:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
659 for linkcn, linkid, linkprop in links[needed]:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
660 props = all_props[(linkcn, linkid)]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
661 cl = self.db.classes[linkcn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
662 propdef = cl.getprops()[linkprop]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
663 if linkprop not in props:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
664 if linkid is None or linkid.startswith('-'):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
665 # linking to a new item
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
666 if isinstance(propdef, hyperdb.Multilink):
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
667 props[linkprop] = [nodeid]
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
668 else:
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
669 props[linkprop] = nodeid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
670 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
671 # linking to an existing item
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
672 if isinstance(propdef, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
673 existing = cl.get(linkid, linkprop)[:]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
674 existing.append(nodeid)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
675 props[linkprop] = existing
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
676 else:
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
677 props[linkprop] = nodeid
4992
b562df8a5056 Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4880
diff changeset
678 elif isinstance(propdef, hyperdb.Multilink):
b562df8a5056 Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4880
diff changeset
679 props[linkprop].append(nodeid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
680
4623
4f9c3858b671 Fix another XSS with the ok- and error message, see issue2550724.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4521
diff changeset
681 return '\n'.join(m)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
682
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
683 def _changenode(self, cn, nodeid, props):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
684 """Change the node based on the contents of the form."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
685 # check for permission
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
686 if not self.editItemPermission(props, classname=cn, itemid=nodeid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
687 raise exceptions.Unauthorised(self._(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
688 'You do not have permission to edit %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
689 ) % {'class': cn})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
690
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
691 # make the changes
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
692 cl = self.db.classes[cn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
693 return cl.set(nodeid, **props)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
694
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
695 def _createnode(self, cn, props):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
696 """Create a node based on the contents of the form."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
697 # check for permission
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
698 if not self.newItemPermission(props, classname=cn):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
699 raise exceptions.Unauthorised(self._(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
700 'You do not have permission to create %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
701 ) % {'class': cn})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
702
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
703 # create the node and return its id
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
704 cl = self.db.classes[cn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
705 return cl.create(**props)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
706
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
707 def isEditingSelf(self):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
708 """Check whether a user is editing his/her own details."""
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
709 return (self.nodeid == self.userid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
710 and self.db.user.get(self.nodeid, 'username') != 'anonymous')
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
711
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
712 _cn_marker = []
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
713 def editItemPermission(self, props, classname=_cn_marker, itemid=None):
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
714 """Determine whether the user has permission to edit this item."""
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
715 if itemid is None:
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
716 itemid = self.nodeid
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
717 if classname is self._cn_marker:
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
718 classname = self.classname
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
719 # The user must have permission to edit each of the properties
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
720 # being changed.
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
721 for p in props:
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
722 if not self.hasPermission('Edit', itemid=itemid,
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
723 classname=classname, property=p):
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
724 return 0
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
725 # Since the user has permission to edit all of the properties,
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
726 # the edit is OK.
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
727 return 1
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
728
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
729 def newItemPermission(self, props, classname=None):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
730 """Determine whether the user has permission to create this item.
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
731
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
732 Base behaviour is to check the user can edit this class. No additional
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
733 property checks are made.
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
734 """
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
735
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
736 if not classname :
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
737 classname = self.client.classname
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
738
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
739 if not self.hasPermission('Create', classname=classname):
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
740 return 0
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
741
4310
8e0d350ce644 Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4304
diff changeset
742 # Check Create permission for each property, to avoid being able
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
743 # to set restricted ones on new item creation
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
744 for key in props:
4310
8e0d350ce644 Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4304
diff changeset
745 if not self.hasPermission('Create', classname=classname,
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
746 property=key):
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
747 return 0
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
748 return 1
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
749
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
750 class EditItemAction(EditCommon):
2143
b29323f75718 wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents: 2136
diff changeset
751 def lastUserActivity(self):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
752 if ':lastactivity' in self.form:
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
753 d = date.Date(self.form[':lastactivity'].value)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
754 elif '@lastactivity' in self.form:
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
755 d = date.Date(self.form['@lastactivity'].value)
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
756 else:
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
757 return None
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
758 d.second = int(d.second)
2264
9b34f41507ed *** empty log message ***
Richard Jones <richard@users.sourceforge.net>
parents: 2260
diff changeset
759 return d
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
760
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
761 def lastNodeActivity(self):
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
762 cl = getattr(self.client.db, self.classname)
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
763 activity = cl.get(self.nodeid, 'activity').local(0)
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
764 activity.second = int(activity.second)
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
765 return activity
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
766
2143
b29323f75718 wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents: 2136
diff changeset
767 def detectCollision(self, user_activity, node_activity):
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
768 '''Check for a collision and return the list of props we edited
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
769 that conflict.'''
3188
7faae85e1e33 merge from branch
Richard Jones <richard@users.sourceforge.net>
parents: 3179
diff changeset
770 if user_activity and user_activity < node_activity:
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
771 props, links = self.client.parsePropsFromForm()
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
772 key = (self.classname, self.nodeid)
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
773 # we really only collide for direct prop edit conflicts
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
774 return list(props[key])
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
775 else:
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
776 return []
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
777
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
778 def handleCollision(self, props):
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
779 message = self._('Edit Error: someone else has edited this %s (%s). '
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
780 'View <a target="new" href="%s%s">their changes</a> '
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
781 'in a new window.')%(self.classname, ', '.join(props),
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
782 self.classname, self.nodeid)
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
783 self.client.add_error_message(message, escape=False)
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
784 return
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
785
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
786 def handle(self):
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
787 """Perform an edit of an item in the database.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
788
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
789 See parsePropsFromForm and _editnodes for special variables.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
790
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
791 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
792 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
793 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
794 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
795
2148
2490d26c88df Line 485, lastUserActivity misspelled as lastUserActvity.
Brian Kelley <wc2so1@users.sourceforge.net>
parents: 2143
diff changeset
796 user_activity = self.lastUserActivity()
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
797 if user_activity:
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
798 props = self.detectCollision(user_activity, self.lastNodeActivity())
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
799 if props:
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
800 self.handleCollision(props)
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
801 return
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
802
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
803 props, links = self.client.parsePropsFromForm()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
804
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
805 # handle the props
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
806 try:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
807 message = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
808 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
809 escape = not isinstance(message, RejectRaw)
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
810 self.client.add_error_message(
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
811 self._('Edit Error: %s') % str(message), escape=escape)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
812 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
813
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
814 # commit now that all the tricky stuff is done
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
815 self.db.commit()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
816
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
817 # redirect to the item's edit page
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
818 # redirect to finish off
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
819 url = self.base + self.classname
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
820 # note that this action might have been called by an index page, so
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
821 # we will want to include index-page args in this URL too
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
822 if self.nodeid is not None:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
823 url += self.nodeid
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
824 url += '?@ok_message=%s&@template=%s'%(urllib_.quote(message),
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
825 urllib_.quote(self.template))
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
826 if self.nodeid is None:
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
827 req = templating.HTMLRequest(self.client)
3130
7308c3c5a943 docs editing from Jean Jordaan
Richard Jones <richard@users.sourceforge.net>
parents: 3073
diff changeset
828 url += '&' + req.indexargs_url('', {})[1:]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
829 raise exceptions.Redirect(url)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
830
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
831 class NewItemAction(EditCommon):
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
832 def handle(self):
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
833 ''' Add a new item to the database.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
834
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
835 This follows the same form as the EditItemAction, with the same
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
836 special form values.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
837 '''
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
838 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
839 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
840 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
841
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
842 # parse the props from the form
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
843 try:
2107
b7404a96b58a minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2082
diff changeset
844 props, links = self.client.parsePropsFromForm(create=1)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
845 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
846 self.client.add_error_message(self._('Error: %s')
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
847 % str(message))
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
848 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
849
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
850 # handle the props - edit or create
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
851 try:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
852 # when it hits the None element, it'll set self.nodeid
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
853 messages = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
854 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
855 escape = not isinstance(message, RejectRaw)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
856 # these errors might just be indicative of user dumbness
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
857 self.client.add_error_message(_('Error: %s') % str(message),
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
858 escape=escape)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
859 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
860
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
861 # commit now that all the tricky stuff is done
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
862 self.db.commit()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
863
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
864 # Allow an option to stay on the page to create new things
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
865 if '__redirect_to' in self.form:
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
866 raise exceptions.Redirect('%s&@ok_message=%s'%(
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
867 self.examine_url(self.form['__redirect_to'].value),
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
868 urllib_.quote(messages)))
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
869
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
870 # otherwise redirect to the new item's page
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
871 raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % (
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
872 self.base, self.classname, self.nodeid, urllib_.quote(messages),
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
873 urllib_.quote(self.template)))
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
874
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
875 class PassResetAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
876 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
877 """Handle password reset requests.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
878
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
879 Presence of either "name" or "address" generates email. Presence of
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
880 "otk" performs the reset.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
881
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
882 """
2291
90cca653ef3d otks manager missing [SF#952931]
Richard Jones <richard@users.sourceforge.net>
parents: 2264
diff changeset
883 otks = self.db.getOTKManager()
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
884 if 'otk' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
885 # pull the rego information out of the otk database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
886 otk = self.form['otk'].value
3673
94b905502d26 removed traceback with OTK is used multiple times [SF#1240539]
Richard Jones <richard@users.sourceforge.net>
parents: 3635
diff changeset
887 uid = otks.get(otk, 'uid', default=None)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
888 if uid is None:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
889 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
890 self._("Invalid One Time Key!\n"
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
891 "(a Mozilla bug may cause this message "
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
892 "to show up erroneously, please check your email)"))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
893 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
894
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
895 # pull the additional email address if exist
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
896 uaddress = otks.get(otk, 'uaddress', default=None)
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
897
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
898 # re-open the database as "admin"
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
899 if self.user != 'admin':
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
900 self.client.opendb('admin')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
901 self.db = self.client.db
2372
c26bb78d2f0c couple of bugfixes
Richard Jones <richard@users.sourceforge.net>
parents: 2362
diff changeset
902 otks = self.db.getOTKManager()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
903
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
904 # change the password
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
905 newpw = password.generatePassword()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
906
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
907 cl = self.db.user
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
908 # XXX we need to make the "default" page be able to display errors!
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
909 try:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
910 # set the password
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
911 cl.set(uid, password=password.Password(newpw, config=self.db.config))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
912 # clear the props from the otk database
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
913 otks.destroy(otk)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
914 self.db.commit()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
915 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
916 self.client.add_error_message(str(message))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
917 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
918
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
919 # user info
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
920 name = self.db.user.get(uid, 'username')
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
921 if uaddress is None:
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
922 address = self.db.user.get(uid, 'address')
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
923 else:
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
924 address = uaddress
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
925
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
926 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
927 tracker_name = self.db.config.TRACKER_NAME
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
928 subject = 'Password reset for %s'%tracker_name
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
929 body = '''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
930 The password has been reset for username "%(name)s".
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
931
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
932 Your password is now: %(password)s
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
933 '''%{'name': name, 'password': newpw}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
934 if not self.client.standard_message([address], subject, body):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
935 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
936
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
937 self.client.add_ok_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
938 self._('Password reset and email sent to %s') % address)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
939 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
940
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
941 # no OTK, so now figure the user
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
942 if 'username' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
943 name = self.form['username'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
944 try:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
945 uid = self.db.user.lookup(name)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
946 except KeyError:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
947 self.client.add_error_message(self._('Unknown username'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
948 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
949 address = self.db.user.get(uid, 'address')
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
950 elif 'address' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
951 address = self.form['address'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
952 uid = uidFromAddress(self.db, ('', address), create=0)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
953 if not uid:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
954 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
955 self._('Unknown email address'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
956 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
957 name = self.db.user.get(uid, 'username')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
958 else:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
959 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
960 self._('You need to specify a username or address'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
961 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
962
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
963 # generate the one-time-key and store the props for later
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
964 otk = ''.join([random.choice(chars) for x in range(32)])
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
965 while otks.exists(otk):
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
966 otk = ''.join([random.choice(chars) for x in range(32)])
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
967 otks.set(otk, uid=uid, uaddress=address)
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
968 self.db.commit()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
969
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
970 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
971 tracker_name = self.db.config.TRACKER_NAME
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
972 subject = 'Confirm reset of password for %s'%tracker_name
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
973 body = '''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
974 Someone, perhaps you, has requested that the password be changed for your
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
975 username, "%(name)s". If you wish to proceed with the change, please follow
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
976 the link below:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
977
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
978 %(url)suser?@template=forgotten&@action=passrst&otk=%(otk)s
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
979
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
980 You should then receive another email with the new password.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
981 '''%{'name': name, 'tracker': tracker_name, 'url': self.base, 'otk': otk}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
982 if not self.client.standard_message([address], subject, body):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
983 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
984
5253
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
985 if 'username' in self.form:
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
986 self.client.add_ok_message(self._('Email sent to primary notification address for %s.') % name)
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
987 else:
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
988 self.client.add_ok_message(self._('Email sent to %s.') % address)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
989
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
990 class RegoCommon(Action):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
991 def finishRego(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
992 # log the new user in
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
993 self.client.userid = self.userid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
994 user = self.client.user = self.db.user.get(self.userid, 'username')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
995 # re-open the database for real, using the user
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
996 self.client.opendb(user)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
997
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
998 # update session data
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
999 self.client.session_api.set(user=user)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1000
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1001 # nice message
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
1002 message = self._('You are now registered, welcome!')
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1003 url = '%suser%s?@ok_message=%s'%(self.base, self.userid,
4416
36d52125c9cf fixed registration, issue2550665 (thanks Timo Paulssen)
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1004 urllib_.quote(message))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1005
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1006 # redirect to the user's page (but not 302, as some email clients seem
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1007 # to want to reload the page, or something)
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1008 return '''<html><head><title>%s</title></head>
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1009 <body><p><a href="%s">%s</a></p>
5217
17b213eab274 Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
1010 <script nonce="%s" type="text/javascript">
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1011 window.setTimeout('window.location = "%s"', 1000);
5217
17b213eab274 Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
1012 </script>'''%(message, url, message,
17b213eab274 Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
1013 self.client.client_nonce, url)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1014
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1015 class ConfRegoAction(RegoCommon):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1016 def handle(self):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1017 """Grab the OTK, use it to load up the new user details."""
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1018 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1019 # pull the rego information out of the otk database
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1020 self.userid = self.db.confirm_registration(self.form['otk'].value)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1021 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1022 self.client.add_error_message(str(message))
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1023 return
3847
1a44e4bb2b54 Fix missing return value.
Stefan Seefeld <stefan@seefeld.name>
parents: 3805
diff changeset
1024 return self.finishRego()
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1025
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1026 class RegisterAction(RegoCommon, EditCommon):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
1027 name = 'register'
4146
42331c201b02 Fix issue2550553.
Stefan Seefeld <stefan@seefeld.name>
parents: 4127
diff changeset
1028 permissionType = 'Register'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
1029
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1030 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1031 """Attempt to create a new user based on the contents of the form
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1032 and then remember it in session.
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1033
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1034 Return 1 on successful login.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
1035 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1036 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1037 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1038 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1039
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1040 # parse the props from the form
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1041 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1042 props, links = self.client.parsePropsFromForm(create=1)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1043 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1044 self.client.add_error_message(self._('Error: %s')
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1045 % str(message))
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1046 return
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1047
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1048 # skip the confirmation step?
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1049 if self.db.config['INSTANT_REGISTRATION']:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1050 # handle the create now
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1051 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1052 # when it hits the None element, it'll set self.nodeid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1053 messages = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1054 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1055 escape = not isinstance(message, RejectRaw)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1056 # these errors might just be indicative of user dumbness
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1057 self.client.add_error_message(_('Error: %s') % str(message),
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1058 escape=escape)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1059 return
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1060
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1061 # fix up the initial roles
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1062 self.db.user.set(self.nodeid,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1063 roles=self.db.config['NEW_WEB_USER_ROLES'])
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1064
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1065 # commit now that all the tricky stuff is done
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1066 self.db.commit()
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1067
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1068 # finish off by logging the user in
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1069 self.userid = self.nodeid
3466
0ecd0062abfb fix redirect after instant registration [SF#1381676]
Richard Jones <richard@users.sourceforge.net>
parents: 3418
diff changeset
1070 return self.finishRego()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1071
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1072 # generate the one-time-key and store the props for later
4334
1aef7a4e4e39 fix non-instant rego
Richard Jones <richard@users.sourceforge.net>
parents: 4329
diff changeset
1073 user_props = props[('user', None)]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1074 for propname, proptype in self.db.user.getprops().iteritems():
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1075 value = user_props.get(propname, None)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1076 if value is None:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1077 pass
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1078 elif isinstance(proptype, hyperdb.Date):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1079 user_props[propname] = str(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1080 elif isinstance(proptype, hyperdb.Interval):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1081 user_props[propname] = str(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1082 elif isinstance(proptype, hyperdb.Password):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1083 user_props[propname] = str(value)
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
1084 otks = self.db.getOTKManager()
2169
12cd4fa91eb7 OTK generation was busted (thanks Stuart D. Gathman)
Richard Jones <richard@users.sourceforge.net>
parents: 2163
diff changeset
1085 otk = ''.join([random.choice(chars) for x in range(32)])
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
1086 while otks.exists(otk):
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
1087 otk = ''.join([random.choice(chars) for x in range(32)])
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1088 otks.set(otk, **user_props)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1089
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1090 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1091 tracker_name = self.db.config.TRACKER_NAME
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1092 tracker_email = self.db.config.TRACKER_EMAIL
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1093 if self.db.config['EMAIL_REGISTRATION_CONFIRMATION']:
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1094 subject = 'Complete your registration to %s -- key %s'%(tracker_name,
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1095 otk)
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1096 body = """To complete your registration of the user "%(name)s" with
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1097 %(tracker)s, please do one of the following:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1098
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1099 - send a reply to %(tracker_email)s and maintain the subject line as is (the
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1100 reply's additional "Re:" is ok),
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1101
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1102 - or visit the following URL:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1103
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1104 %(url)s?@action=confrego&otk=%(otk)s
2108
54815ca493a5 add line to rego email to help URL detection [SF#906247]
Richard Jones <richard@users.sourceforge.net>
parents: 2107
diff changeset
1105
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1106 """ % {'name': user_props['username'], 'tracker': tracker_name,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1107 'url': self.base, 'otk': otk, 'tracker_email': tracker_email}
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1108 else:
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1109 subject = 'Complete your registration to %s'%(tracker_name)
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1110 body = """To complete your registration of the user "%(name)s" with
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1111 %(tracker)s, please visit the following URL:
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1112
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1113 %(url)s?@action=confrego&otk=%(otk)s
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1114
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1115 """ % {'name': user_props['username'], 'tracker': tracker_name,
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1116 'url': self.base, 'otk': otk}
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1117 if not self.client.standard_message([user_props['address']], subject,
3604
ccf516e6c3f8 responses to user rego email [SF#1470254]
Richard Jones <richard@users.sourceforge.net>
parents: 3581
diff changeset
1118 body, (tracker_name, tracker_email)):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1119 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1120
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1121 # commit changes to the database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1122 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1123
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1124 # redirect to the "you're almost there" page
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1125 raise exceptions.Redirect('%suser?@template=rego_progress'%self.base)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1126
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1127 def newItemPermission(self, props, classname=None):
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1128 """Just check the "Register" permission.
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1129 """
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1130 # registration isn't allowed to supply roles
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1131 if 'roles' in props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1132 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1133 "It is not permitted to supply roles at registration."))
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1134
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1135 # technically already checked, but here for clarity
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1136 return self.hasPermission('Register', classname=classname)
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1137
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1138 class LogoutAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1139 def handle(self):
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1140 """Make us really anonymous - nuke the session too."""
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1141 # log us out
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1142 self.client.make_user_anonymous()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1143 self.client.session_api.destroy()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1144
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1145 # Let the user know what's going on
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1146 self.client.add_ok_message(self._('You are logged out'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1147
3264
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1148 # reset client context to render tracker home page
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1149 # instead of last viewed page (may be inaccessibe for anonymous)
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1150 self.client.classname = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1151 self.client.nodeid = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1152 self.client.template = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1153
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1154 # Redirect to a new page on logout. This regenerates
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1155 # CSRF tokens so they are associated with the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1156 # anonymous user and not the user who logged out. If
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1157 # we don't the user gets an invalid CSRF token error
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1158 # As above choose the home page since everybody can
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1159 # see that.
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1160 raise exceptions.Redirect, self.base
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1161
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1162 class LoginAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1163 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1164 """Attempt to log a user in.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1165
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1166 Sets up a session for the user which contains the login credentials.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1167
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1168 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1169 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1170 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1171 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1172
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1173 # we need the username at a minimum
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1174 if '__login_name' not in self.form:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1175 self.client.add_error_message(self._('Username required'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1176 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1177
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1178 # get the login info
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1179 self.client.user = self.form['__login_name'].value
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1180 if '__login_password' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1181 password = self.form['__login_password'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1182 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1183 password = ''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1184
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1185 if '__came_from' in self.form:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1186 # On valid or invalid login, redirect the user back to the page
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1187 # the started on. Searches, issue and other pages
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1188 # are all preserved in __came_from. Clean out any old feedback
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1189 # @error_message, @ok_message from the __came_from url.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1190 #
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1191 # 1. Split the url into components.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1192 # 2. Split the query string into parts.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1193 # 3. Delete @error_message and @ok_message if present.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1194 # 4. Define a new redirect_url missing the @...message entries.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1195 # This will be redefined if there is a login error to include
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1196 # a new error message
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
1197
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
1198 clean_url = self.examine_url(self.form['__came_from'].value)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
1199 redirect_url_tuple = urllib_.urlparse(clean_url)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1200 # now I have a tuple form for the __came_from url
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1201 try:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1202 query=urllib_.parse_qs(redirect_url_tuple.query)
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1203 if "@error_message" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1204 del query["@error_message"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1205 if "@ok_message" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1206 del query["@ok_message"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1207 if "@action" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1208 # also remove the logout action from the redirect
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1209 # there is only ever one @action value.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1210 if query['@action'] == ["logout"]:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1211 del query["@action"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1212 except AttributeError:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1213 # no query param so nothing to remove. Just define.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1214 query = {}
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1215 pass
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1216
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1217 redirect_url = urllib_.urlunparse( (redirect_url_tuple.scheme,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1218 redirect_url_tuple.netloc,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1219 redirect_url_tuple.path,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1220 redirect_url_tuple.params,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1221 urllib_.urlencode(query, doseq=True),
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1222 redirect_url_tuple.fragment)
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1223 )
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1224
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1225 try:
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1226 self.verifyLogin(self.client.user, password)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1227 except exceptions.LoginError as err:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1228 self.client.make_user_anonymous()
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1229 for arg in err.args:
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1230 self.client.add_error_message(arg)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1231
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1232 if '__came_from' in self.form:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1233 # set a new error
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1234 query['@error_message'] = err.args
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1235 redirect_url = urllib_.urlunparse( (redirect_url_tuple.scheme,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1236 redirect_url_tuple.netloc,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1237 redirect_url_tuple.path,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1238 redirect_url_tuple.params,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1239 urllib_.urlencode(query, doseq=True),
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1240 redirect_url_tuple.fragment )
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1241 )
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1242 raise exceptions.Redirect(redirect_url)
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1243 # if no __came_from, send back to base url with error
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1244 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1245
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1246 # now we're OK, re-open the database for real, using the user
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1247 self.client.opendb(self.client.user)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1248
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1249 # save user in session
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1250 self.client.session_api.set(user=self.client.user)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1251 if 'remember' in self.form:
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1252 self.client.session_api.update(set_cookie=True, expire=24*3600*365)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1253
3418
9b8019f28158 remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents: 3382
diff changeset
1254 # If we came from someplace, go back there
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1255 if '__came_from' in self.form:
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1256 raise exceptions.Redirect(redirect_url)
3418
9b8019f28158 remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents: 3382
diff changeset
1257
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1258 def verifyLogin(self, username, password):
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1259 # make sure the user exists
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1260 try:
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1261 self.client.userid = self.db.user.lookup(username)
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1262 except KeyError:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1263 raise exceptions.LoginError(self._('Invalid login'))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1264
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1265 # verify the password
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1266 if not self.verifyPassword(self.client.userid, password):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1267 raise exceptions.LoginError(self._('Invalid login'))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1268
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1269 # Determine whether the user has permission to log in.
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1270 # Base behaviour is to check the user has "Web Access".
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1271 if not self.hasPermission("Web Access"):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1272 raise exceptions.LoginError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1273 "You do not have permission to login"))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1274
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1275 def verifyPassword(self, userid, givenpw):
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1276 '''Verify the password that the user has supplied.
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1277 Optionally migrate to new password scheme if configured
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1278 '''
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1279 db = self.db
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1280 stored = db.user.get(userid, 'password')
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1281 if givenpw == stored:
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1282 if db.config.WEB_MIGRATE_PASSWORDS and stored.needs_migration():
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
1283 newpw = password.Password(givenpw, config=db.config)
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
1284 db.user.set(userid, password=newpw)
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1285 db.commit()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1286 return 1
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1287 if not givenpw and not stored:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1288 return 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1289 return 0
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1290
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1291 class ExportCSVAction(Action):
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1292 name = 'export'
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1293 permissionType = 'View'
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1294
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1295 def handle(self):
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1296 ''' Export the specified search query as CSV. '''
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1297 # figure the request
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1298 request = templating.HTMLRequest(self.client)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1299 filterspec = request.filterspec
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1300 sort = request.sort
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1301 group = request.group
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1302 columns = request.columns
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1303 klass = self.db.getclass(request.classname)
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1304
4624
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1305 # check if all columns exist on class
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1306 # the exception must be raised before sending header
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1307 props = klass.getprops()
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1308 for cname in columns:
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1309 if cname not in props:
5165
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1310 # use error code 400: Bad Request. Do not use
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1311 # error code 404: Not Found.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1312 self.client.response_code = 400
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1313 raise exceptions.NotFound(
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1314 self._('Column "%(column)s" not found in %(class)s')
4624
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1315 % {'column': cgi.escape(cname), 'class': request.classname})
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1316
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1317 # full-text search
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1318 if request.search_text:
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1319 matches = self.db.indexer.search(
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1320 re.findall(r'\b\w{2,25}\b', request.search_text), klass)
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1321 else:
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1322 matches = None
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1323
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1324 h = self.client.additional_headers
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1325 h['Content-Type'] = 'text/csv; charset=%s' % self.client.charset
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1326 # some browsers will honor the filename here...
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1327 h['Content-Disposition'] = 'inline; filename=query.csv'
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1328
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1329 self.client.header()
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1330
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1331 if self.client.env['REQUEST_METHOD'] == 'HEAD':
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1332 # all done, return a dummy string
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1333 return 'dummy'
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1334
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1335 wfile = self.client.request.wfile
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1336 if self.client.charset != self.client.STORAGE_CHARSET:
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1337 wfile = codecs.EncodedFile(wfile,
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1338 self.client.STORAGE_CHARSET, self.client.charset, 'replace')
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1339
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1340 writer = csv.writer(wfile)
3987
c4f7b3817d3d Prevent broken pipe errors in csv export (patch [SF#911449)
Richard Jones <richard@users.sourceforge.net>
parents: 3913
diff changeset
1341 self.client._socket_op(writer.writerow, columns)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1342
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1343 # and search
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1344 for itemid in klass.filter(matches, filterspec, sort, group):
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1345 row = []
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1346 for name in columns:
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1347 # check permission to view this property on this item
4112
6441ffe588f7 fix bug introduced into CSV export and view (issue 2550529)
Richard Jones <richard@users.sourceforge.net>
parents: 4088
diff changeset
1348 if not self.hasPermission('View', itemid=itemid,
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1349 classname=request.classname, property=name):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1350 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1351 'You do not have permission to view %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1352 ) % {'class': request.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1353 row.append(str(klass.get(itemid, name)))
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1354 self.client._socket_op(writer.writerow, row)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1355
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1356 return '\n'
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1357
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1358
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1359 class Bridge(BaseAction):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1360 """Make roundup.actions.Action executable via CGI request.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1361
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1362 Using this allows users to write actions executable from multiple frontends.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1363 CGI Form content is translated into a dictionary, which then is passed as
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1364 argument to 'handle()'. XMLRPC requests have to pass this dictionary
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1365 directly.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1366 """
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1367
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1368 def __init__(self, *args):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1369
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1370 # As this constructor is callable from multiple frontends, each with
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1371 # different Action interfaces, we have to look at the arguments to
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1372 # figure out how to complete construction.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1373 if (len(args) == 1 and
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1374 hasattr(args[0], '__class__') and
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1375 args[0].__class__.__name__ == 'Client'):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1376 self.cgi = True
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1377 self.execute = self.execute_cgi
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1378 self.client = args[0]
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1379 self.form = self.client.form
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1380 else:
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1381 self.cgi = False
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1382
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1383 def execute_cgi(self):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1384 args = {}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1385 for key in self.form:
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1386 args[key] = self.form.getvalue(key)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1387 self.permission(args)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1388 return self.handle(args)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1389
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1390 def permission(self, args):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1391 """Raise Unauthorised if the current user is not allowed to execute
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1392 this action. Users may override this method."""
4118
878767b75e1d fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents: 4112
diff changeset
1393
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1394 pass
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1395
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1396 def handle(self, args):
4118
878767b75e1d fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents: 4112
diff changeset
1397
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1398 raise NotImplementedError
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1399
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1400 # vim: set filetype=python sts=4 sw=4 et si :
Roundup Issue Tracker: http://roundup-tracker.org/