Mercurial > p > roundup > code
annotate roundup/cgi/actions.py @ 5729:9ea2ce9d10cf
A few internet references report that etags for the same underlying
resource but with different representation (xml, json ...) should have
different etags.
That is currently not the case. Added code to allow incorporation of
representation info into the etag. By default the representation is
"json", but future patches can pass the representation down and modify
flow to match requested representation.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 25 May 2019 14:23:16 -0400 |
| parents | 2f116ba7e7cf |
| children | 8dbe307bdb57 |
| rev | line source |
|---|---|
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
1 import re, cgi, time, csv, codecs |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
2 |
|
3188
7faae85e1e33
merge from branch
Richard Jones <richard@users.sourceforge.net>
parents:
3179
diff
changeset
|
3 from roundup import hyperdb, token, date, password |
| 4083 | 4 from roundup.actions import Action as BaseAction |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
5 from roundup.i18n import _ |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
6 from roundup.cgi import exceptions, templating |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
7 from roundup.mailgw import uidFromAddress |
|
5722
2f116ba7e7cf
Rename Store class in rate_limit.py to Gcra. The name Store makes no
John Rouillard <rouilj@ieee.org>
parents:
5718
diff
changeset
|
8 from roundup.rate_limit import Gcra, RateLimit |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
9 from roundup.exceptions import Reject, RejectRaw |
|
5044
dce3cfe7ec61
Remove roundup.anypy.io_
John Kristensen <john@jerrykan.com>
parents:
5010
diff
changeset
|
10 from roundup.anypy import urllib_ |
|
5452
b50a4c85c270
fixed incorrect usage of BytesIO
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5395
diff
changeset
|
11 from roundup.anypy.strings import StringIO |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
12 import roundup.anypy.random_ as random_ |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
13 |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
14 import time |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
15 from datetime import timedelta |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
16 |
|
5119
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
17 # Also add action to client.py::Client.actions property |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
18 __all__ = ['Action', 'ShowAction', 'RetireAction', 'RestoreAction', 'SearchAction', |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
19 'EditCSVAction', 'EditItemAction', 'PassResetAction', |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
20 'ConfRegoAction', 'RegisterAction', 'LoginAction', 'LogoutAction', |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
21 'NewItemAction', 'ExportCSVAction', 'ExportCSVWithIdAction'] |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
22 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
23 # used by a couple of routines |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
24 chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
25 |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
26 class Action: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
27 def __init__(self, client): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
28 self.client = client |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
29 self.form = client.form |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
30 self.db = client.db |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
31 self.nodeid = client.nodeid |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
32 self.template = client.template |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
33 self.classname = client.classname |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
34 self.userid = client.userid |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
35 self.base = client.base |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
36 self.user = client.user |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
37 self.context = templating.context(client) |
|
5718
842252c3ee22
Change access to config from dict to property. This makes doing the
John Rouillard <rouilj@ieee.org>
parents:
5717
diff
changeset
|
38 self.loginLimit = RateLimit(client.db.config.WEB_LOGIN_ATTEMPTS_MIN, timedelta(seconds=60)) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
39 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
40 def handle(self): |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
41 """Action handler procedure""" |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
42 raise NotImplementedError |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
43 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
44 def execute(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
45 """Execute the action specified by this object.""" |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
46 self.permission() |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
47 return self.handle() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
48 |
|
5162
3ee79a2d95d4
rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents:
5161
diff
changeset
|
49 def examine_url(self, url): |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
50 '''Return URL validated to be under self.base and properly escaped |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
51 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
52 If url not properly escaped or validation fails raise ValueError. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
53 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
54 To try to prevent XSS attacks, validate that the url that is |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
55 passed in is under self.base for the tracker. This is used to |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
56 clean up "__came_from" and "__redirect_to" form variables used |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
57 by the LoginAction and NewItemAction actions. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
58 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
59 The url that is passed in must be a properly url quoted |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
60 argument. I.E. all characters that are not valid according to |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
61 RFC3986 must be % encoded. Schema should be lower case. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
62 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
63 It parses the passed url into components. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
64 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
65 It verifies that the scheme is http or https (so a redirect can |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
66 force https even if normal access to the tracker is via http). |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
67 Validates that the network component is the same as in self.base. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
68 Validates that the path component in the base url starts the url's |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
69 path component. It not it raises ValueError. If everything |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
70 validates: |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
71 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
72 For each component, Appendix A of RFC 3986 says the following |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
73 are allowed: |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
74 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
75 pchar = unreserved / pct-encoded / sub-delims / ":" / "@" |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
76 query = *( pchar / "/" / "?" ) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
77 unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
78 pct-encoded = "%" HEXDIG HEXDIG |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
79 sub-delims = "!" / "$" / "&" / "'" / "(" / ")" |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
80 / "*" / "+" / "," / ";" / "=" |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
81 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
82 Checks all parts with a regexp that matches any run of 0 or |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
83 more allowed characters. If the component doesn't validate, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
84 raise ValueError. Don't attempt to urllib_.quote it. Either |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
85 it's correct as it comes in or it's a ValueError. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
86 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
87 Finally paste the whole thing together and return the new url. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
88 ''' |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
89 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
90 parsed_url_tuple = urllib_.urlparse(url) |
|
5164
114d9628fd77
Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents:
5162
diff
changeset
|
91 if self.base: |
|
114d9628fd77
Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents:
5162
diff
changeset
|
92 parsed_base_url_tuple = urllib_.urlparse(self.base) |
|
114d9628fd77
Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents:
5162
diff
changeset
|
93 else: |
|
114d9628fd77
Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents:
5162
diff
changeset
|
94 raise ValueError(self._("Base url not set. Check configuration.")) |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
95 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
96 info={ 'url': url, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
97 'base_url': self.base, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
98 'base_scheme': parsed_base_url_tuple.scheme, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
99 'base_netloc': parsed_base_url_tuple.netloc, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
100 'base_path': parsed_base_url_tuple.path, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
101 'url_scheme': parsed_url_tuple.scheme, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
102 'url_netloc': parsed_url_tuple.netloc, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
103 'url_path': parsed_url_tuple.path, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
104 'url_params': parsed_url_tuple.params, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
105 'url_query': parsed_url_tuple.query, |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
106 'url_fragment': parsed_url_tuple.fragment } |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
107 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
108 if parsed_base_url_tuple.scheme == "https": |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
109 if parsed_url_tuple.scheme != "https": |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
110 raise ValueError(self._("Base url %(base_url)s requires https. Redirect url %(url)s uses http.")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
111 else: |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
112 if parsed_url_tuple.scheme not in ('http', 'https'): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
113 raise ValueError(self._("Unrecognized scheme in %(url)s")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
114 |
|
5382
1556b39fde7c
Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5378
diff
changeset
|
115 if parsed_url_tuple.netloc != parsed_base_url_tuple.netloc: |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
116 raise ValueError(self._("Net location in %(url)s does not match base: %(base_netloc)s")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
117 |
|
5382
1556b39fde7c
Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5378
diff
changeset
|
118 if parsed_url_tuple.path.find(parsed_base_url_tuple.path) != 0: |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
119 raise ValueError(self._("Base path %(base_path)s is not a prefix for url %(url)s")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
120 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
121 # I am not sure if this has to be language sensitive. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
122 # Do ranges depend on the LANG of the user?? |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
123 # Is there a newer spec for URI's than what I am referencing? |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
124 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
125 # Also it really should be % HEXDIG HEXDIG that's allowed |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
126 # If %%% passes, the roundup server should be able to ignore/ |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
127 # quote it so it doesn't do anything bad otherwise we have a |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
128 # different vector to handle. |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
129 allowed_pattern = re.compile(r'''^[A-Za-z0-9@:/?._~%!$&'()*+,;=-]*$''') |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
130 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
131 if not allowed_pattern.match(parsed_url_tuple.path): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
132 raise ValueError(self._("Path component (%(url_path)s) in %(url)s is not properly escaped")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
133 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
134 if not allowed_pattern.match(parsed_url_tuple.params): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
135 raise ValueError(self._("Params component (%(url_params)s) in %(url)s is not properly escaped")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
136 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
137 if not allowed_pattern.match(parsed_url_tuple.query): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
138 raise ValueError(self._("Query component (%(url_query)s) in %(url)s is not properly escaped")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
139 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
140 if not allowed_pattern.match(parsed_url_tuple.fragment): |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
141 raise ValueError(self._("Fragment component (%(url_fragment)s) in %(url)s is not properly escaped")%info) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
142 |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
143 return(urllib_.urlunparse(parsed_url_tuple)) |
|
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
144 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
145 name = '' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
146 permissionType = None |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
147 def permission(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
148 """Check whether the user has permission to execute this action. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
149 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
150 True by default. If the permissionType attribute is a string containing |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
151 a simple permission, check whether the user has that permission. |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
152 Subclasses must also define the name attribute if they define |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
153 permissionType. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
154 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
155 Despite having this permission, users may still be unauthorised to |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
156 perform parts of actions. It is up to the subclasses to detect this. |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
157 """ |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
158 if (self.permissionType and |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
159 not self.hasPermission(self.permissionType)): |
|
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
160 info = {'action': self.name, 'classname': self.classname} |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
161 raise exceptions.Unauthorised(self._( |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
162 'You do not have permission to ' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
163 '%(action)s the %(classname)s class.')%info) |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
164 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
165 _marker = [] |
| 4030 | 166 def hasPermission(self, permission, classname=_marker, itemid=None, property=None): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
167 """Check whether the user has 'permission' on the current class.""" |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
168 if classname is self._marker: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
169 classname = self.client.classname |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
170 return self.db.security.hasPermission(permission, self.client.userid, |
| 4030 | 171 classname=classname, itemid=itemid, property=property) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
172 |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
173 def gettext(self, msgid): |
|
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
174 """Return the localized translation of msgid""" |
|
2563
420d5c2a49d9
use client.translator instead of static translationService;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2553
diff
changeset
|
175 return self.client.translator.gettext(msgid) |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
176 |
|
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
177 _ = gettext |
|
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
178 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
179 class ShowAction(Action): |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
180 |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
181 typere=re.compile('[@:]type') |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
182 numre=re.compile('[@:]number') |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
183 |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
184 def handle(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
185 """Show a node of a particular class/id.""" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
186 t = n = '' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
187 for key in self.form: |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
188 if self.typere.match(key): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
189 t = self.form[key].value.strip() |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
190 elif self.numre.match(key): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
191 n = self.form[key].value.strip() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
192 if not t: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
193 raise ValueError(self._('No type specified')) |
|
2052
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
194 if not n: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
195 raise exceptions.SeriousError(self._('No ID entered')) |
|
2052
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
196 try: |
|
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
197 int(n) |
|
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
198 except ValueError: |
|
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
199 d = {'input': n, 'classname': t} |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
200 raise exceptions.SeriousError(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
201 '"%(input)s" is not an ID (%(classname)s ID required)')%d) |
|
2183
ac24a9c74cca
be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents:
2169
diff
changeset
|
202 url = '%s%s%s'%(self.base, t, n) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
203 raise exceptions.Redirect(url) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
204 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
205 class RetireAction(Action): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
206 name = 'retire' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
207 permissionType = 'Edit' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
208 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
209 def handle(self): |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
210 """Retire the context item.""" |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
211 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
212 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
213 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
214 |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
215 # if we want to view the index template now, then unset the itemid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
216 # context info (a special-case for retire actions on the index page) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
217 itemid = self.nodeid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
218 if self.template == 'index': |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
219 self.client.nodeid = None |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
220 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
221 # make sure we don't try to retire admin or anonymous |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
222 if self.classname == 'user' and \ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
223 self.db.user.get(itemid, 'username') in ('admin', 'anonymous'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
224 raise ValueError(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
225 'You may not retire the admin or anonymous user')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
226 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
227 # check permission |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
228 if not self.hasPermission('Retire', classname=self.classname, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
229 itemid=itemid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
230 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
231 'You do not have permission to retire %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
232 ) % {'class': self.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
233 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
234 # do the retire |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
235 self.db.getclass(self.classname).retire(itemid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
236 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
237 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
238 self.client.add_ok_message( |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
239 self._('%(classname)s %(itemid)s has been retired')%{ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
240 'classname': self.classname.capitalize(), 'itemid': itemid}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
241 |
|
3473
370bb8f3c4d1
fix permission check on RetireAction [SF#1407342]
Richard Jones <richard@users.sourceforge.net>
parents:
3469
diff
changeset
|
242 |
|
5119
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
243 class RestoreAction(Action): |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
244 name = 'restore' |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
245 permissionType = 'Edit' |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
246 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
247 def handle(self): |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
248 """Restore the context item.""" |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
249 # ensure modification comes via POST |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
250 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
251 raise Reject(self._('Invalid request')) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
252 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
253 # if we want to view the index template now, then unset the itemid |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
254 # context info (a special-case for retire actions on the index page) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
255 itemid = self.nodeid |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
256 if self.template == 'index': |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
257 self.client.nodeid = None |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
258 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
259 # check permission |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
260 if not self.hasPermission('Restore', classname=self.classname, |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
261 itemid=itemid): |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
262 raise exceptions.Unauthorised(self._( |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
263 'You do not have permission to restore %(class)s' |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
264 ) % {'class': self.classname}) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
265 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
266 # do the restore |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
267 self.db.getclass(self.classname).restore(itemid) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
268 self.db.commit() |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
269 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
270 self.client.add_ok_message( |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
271 self._('%(classname)s %(itemid)s has been restored')%{ |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
272 'classname': self.classname.capitalize(), 'itemid': itemid}) |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
273 |
|
748ba87e1aca
Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents:
5097
diff
changeset
|
274 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
275 class SearchAction(Action): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
276 name = 'search' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
277 permissionType = 'View' |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
278 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
279 def handle(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
280 """Mangle some of the form variables. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
281 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
282 Set the form ":filter" variable based on the values of the filter |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
283 variables - if they're set to anything other than "dontcare" then add |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
284 them to :filter. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
285 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
286 Handle the ":queryname" variable and save off the query to the user's |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
287 query list. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
288 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
289 Split any String query values on whitespace and comma. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
290 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
291 """ |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
292 self.fakeFilterVars() |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
293 queryname = self.getQueryName() |
|
3913
00896a2acaa5
clean up query display of "Private to you" items
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3855
diff
changeset
|
294 |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
295 # editing existing query name? |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
296 old_queryname = self.getFromForm('old-queryname') |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
297 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
298 # handle saving the query params |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
299 if queryname: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
300 # parse the environment and figure what the query _is_ |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
301 req = templating.HTMLRequest(self.client) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
302 |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
303 url = self.getCurrentURL(req) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
304 |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
305 key = self.db.query.getkey() |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
306 if key: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
307 # edit the old way, only one query per name |
| 5192 | 308 # Note that use of queryname as key will automatically |
| 309 # raise an error if there are duplicate names. | |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
310 try: |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
311 qid = self.db.query.lookup(old_queryname) |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
312 if not self.hasPermission('Edit', 'query', itemid=qid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
313 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
314 "You do not have permission to edit queries")) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
315 self.db.query.set(qid, klass=self.classname, url=url) |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
316 except KeyError: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
317 # create a query |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
318 if not self.hasPermission('Create', 'query'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
319 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
320 "You do not have permission to store queries")) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
321 qid = self.db.query.create(name=queryname, |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
322 klass=self.classname, url=url) |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
323 else: |
| 5192 | 324 uid = self.db.getuid() |
| 325 | |
| 326 # if the queryname is being changed from the old | |
| 327 # (original) value, make sure new queryname is not | |
| 328 # already in use by user. | |
| 329 # if in use, return to edit/search screen and let | |
| 330 # user change it. | |
| 331 | |
| 332 if old_queryname != queryname: | |
| 333 # we have a name change | |
| 334 qids = self.db.query.filter(None, {'name': queryname, | |
| 335 'creator': uid}) | |
| 336 for qid in qids: | |
| 337 # require an exact name match | |
| 338 if queryname != self.db.query.get(qid, 'name'): | |
| 339 continue | |
| 340 # whoops we found a duplicate; report error and return | |
| 341 message=_("You already own a query named '%s'. Please choose another name.")%(queryname) | |
| 342 self.client.add_error_message(message) | |
| 343 return | |
| 344 | |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
345 # edit the new way, query name not a key any more |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
346 # see if we match an existing private query |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
347 qids = self.db.query.filter(None, {'name': old_queryname, |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
348 'private_for': uid}) |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
349 if not qids: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
350 # ok, so there's not a private query for the current user |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
351 # - see if there's one created by them |
|
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
352 qids = self.db.query.filter(None, {'name': old_queryname, |
|
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
353 'creator': uid}) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
354 |
|
3581
d10008f756a4
fix saving of queries [SF#1436169]
Richard Jones <richard@users.sourceforge.net>
parents:
3549
diff
changeset
|
355 if qids and old_queryname: |
|
2362
10fc45eea226
fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents:
2291
diff
changeset
|
356 # edit query - make sure we get an exact match on the name |
|
10fc45eea226
fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents:
2291
diff
changeset
|
357 for qid in qids: |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
358 if old_queryname != self.db.query.get(qid, 'name'): |
|
2362
10fc45eea226
fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents:
2291
diff
changeset
|
359 continue |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
360 if not self.hasPermission('Edit', 'query', itemid=qid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
361 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
362 "You do not have permission to edit queries")) |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
363 self.db.query.set(qid, klass=self.classname, |
|
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
364 url=url, name=queryname) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
365 else: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
366 # create a query |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
367 if not self.hasPermission('Create', 'query'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
368 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
369 "You do not have permission to store queries")) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
370 qid = self.db.query.create(name=queryname, |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
371 klass=self.classname, url=url, private_for=uid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
372 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
373 # and add it to the user's query multilink |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
374 queries = self.db.user.get(self.userid, 'queries') |
|
2061
0eeecaac008a
query saving fix
Richard Jones <richard@users.sourceforge.net>
parents:
2052
diff
changeset
|
375 if qid not in queries: |
|
0eeecaac008a
query saving fix
Richard Jones <richard@users.sourceforge.net>
parents:
2052
diff
changeset
|
376 queries.append(qid) |
|
0eeecaac008a
query saving fix
Richard Jones <richard@users.sourceforge.net>
parents:
2052
diff
changeset
|
377 self.db.user.set(self.userid, queries=queries) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
378 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
379 # commit the query change to the database |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
380 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
381 |
| 5192 | 382 # This redirects to the index page. Add the @dispname |
| 383 # url param to the request so that the query name | |
| 384 # is displayed. | |
| 385 req.form.list.append( | |
| 386 cgi.MiniFieldStorage( | |
| 387 "@dispname", queryname | |
| 388 ) | |
| 389 ) | |
| 390 | |
| 391 | |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
392 def fakeFilterVars(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
393 """Add a faked :filter form variable for each filtering prop.""" |
|
3635
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
394 cls = self.db.classes[self.classname] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
395 for key in self.form: |
|
3635
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
396 prop = cls.get_transitive_prop(key) |
|
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
397 if not prop: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
398 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
399 if isinstance(self.form[key], type([])): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
400 # search for at least one entry which is not empty |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
401 for minifield in self.form[key]: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
402 if minifield.value: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
403 break |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
404 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
405 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
406 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
407 if not self.form[key].value: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
408 continue |
|
3635
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
409 if isinstance(prop, hyperdb.String): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
410 v = self.form[key].value |
|
5245
bc16d91b7a50
Fix token_split() so its one error throws ValueError w/out extra arg.
Eric S. Raymond <esr@thyrsus.com>
parents:
5217
diff
changeset
|
411 # If this ever has unbalanced quotes, hilarity will ensue |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
412 l = token.token_split(v) |
|
4037
0b89c94a2387
Robustify SearchAction.fakeFilterVars
Stefan Seefeld <stefan@seefeld.name>
parents:
4030
diff
changeset
|
413 if len(l) != 1 or l[0] != v: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
414 self.form.value.remove(self.form[key]) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
415 # replace the single value with the split list |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
416 for v in l: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
417 self.form.value.append(cgi.MiniFieldStorage(key, v)) |
|
5097
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
418 elif isinstance(prop, hyperdb.Number): |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
419 try: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
420 float(self.form[key].value) |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
421 except ValueError: |
|
5378
35ea9b1efc14
Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5356
diff
changeset
|
422 raise exceptions.FormError("Invalid number: "+self.form[key].value) |
|
5097
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
423 elif isinstance(prop, hyperdb.Integer): |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
424 try: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
425 val=self.form[key].value |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
426 if ( str(int(val)) == val ): |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
427 pass |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
428 else: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
429 raise ValueError |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
430 except ValueError: |
|
5378
35ea9b1efc14
Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5356
diff
changeset
|
431 raise exceptions.FormError("Invalid integer: "+val) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
432 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
433 self.form.value.append(cgi.MiniFieldStorage('@filter', key)) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
434 |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
435 def getCurrentURL(self, req): |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
436 """Get current URL for storing as a query. |
|
3805
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
437 |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
438 Note: We are removing the first character from the current URL, |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
439 because the leading '?' is not part of the query string. |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
440 |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
441 Implementation note: |
|
5173
4f99aad7e8e8
Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
442 We now store the template with the query if the template name is |
|
4f99aad7e8e8
Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
443 different from 'index' |
|
4f99aad7e8e8
Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
444 """ |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
445 template = self.getFromForm('template') |
|
5173
4f99aad7e8e8
Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5165
diff
changeset
|
446 if template and template != 'index': |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
447 return req.indexargs_url('', {'@template' : template})[1:] |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
448 return req.indexargs_url('', {})[1:] |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
449 |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
450 def getFromForm(self, name): |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
451 for key in ('@' + name, ':' + name): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
452 if key in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
453 return self.form[key].value.strip() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
454 return '' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
455 |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
456 def getQueryName(self): |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
457 return self.getFromForm('queryname') |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
458 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
459 class EditCSVAction(Action): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
460 name = 'edit' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
461 permissionType = 'Edit' |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
462 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
463 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
464 """Performs an edit of all of a class' items in one go. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
465 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
466 The "rows" CGI var defines the CSV-formatted entries for the class. New |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
467 nodes are identified by the ID 'X' (or any other non-existent ID) and |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
468 removed lines are retired. |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
469 """ |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
470 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
471 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
472 raise Reject(self._('Invalid request')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
473 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
474 # figure the properties list for the class |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
475 cl = self.db.classes[self.classname] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
476 props_without_id = list(cl.getprops(protected=0)) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
477 |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
478 # the incoming CSV data will always have the properties in colums |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
479 # sorted and starting with the "id" column |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
480 props_without_id.sort() |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
481 props = ['id'] + props_without_id |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
482 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
483 # do the edit |
|
5452
b50a4c85c270
fixed incorrect usage of BytesIO
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5395
diff
changeset
|
484 rows = StringIO(self.form['rows'].value) |
|
3179
88dbe6b3d891
merge removal of rcsv
Richard Jones <richard@users.sourceforge.net>
parents:
3145
diff
changeset
|
485 reader = csv.reader(rows) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
486 found = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
487 line = 0 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
488 for values in reader: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
489 line += 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
490 if line == 1: continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
491 # skip property names header |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
492 if values == props: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
493 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
494 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
495 # extract the itemid |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
496 itemid, values = values[0], values[1:] |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
497 found[itemid] = 1 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
498 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
499 # see if the node exists |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
500 if itemid in ('x', 'X') or not cl.hasnode(itemid): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
501 exists = 0 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
502 |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
503 # check permission to create this item |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
504 if not self.hasPermission('Create', classname=self.classname): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
505 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
506 'You do not have permission to create %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
507 ) % {'class': self.classname}) |
|
4293
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
508 elif cl.hasnode(itemid) and cl.is_retired(itemid): |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
509 # If a CSV line just mentions an id and the corresponding |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
510 # item is retired, then the item is restored. |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
511 cl.restore(itemid) |
|
5515
cd0ceb2afdb8
fixed issue2550993 and added test case
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5503
diff
changeset
|
512 exists = 1 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
513 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
514 exists = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
515 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
516 # confirm correct weight |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
517 if len(props_without_id) != len(values): |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
518 self.client.add_error_message( |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
519 self._('Not enough values on line %(line)s')%{'line':line}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
520 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
521 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
522 # extract the new values |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
523 d = {} |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
524 for name, value in zip(props_without_id, values): |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
525 # check permission to edit this property on this item |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
526 if exists and not self.hasPermission('Edit', itemid=itemid, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
527 classname=self.classname, property=name): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
528 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
529 'You do not have permission to edit %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
530 ) % {'class': self.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
531 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
532 prop = cl.properties[name] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
533 value = value.strip() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
534 # only add the property if it has a value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
535 if value: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
536 # if it's a multilink, split it |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
537 if isinstance(prop, hyperdb.Multilink): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
538 value = value.split(':') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
539 elif isinstance(prop, hyperdb.Password): |
|
4486
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
540 value = password.Password(value, config=self.db.config) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
541 elif isinstance(prop, hyperdb.Interval): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
542 value = date.Interval(value) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
543 elif isinstance(prop, hyperdb.Date): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
544 value = date.Date(value) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
545 elif isinstance(prop, hyperdb.Boolean): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
546 value = value.lower() in ('yes', 'true', 'on', '1') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
547 elif isinstance(prop, hyperdb.Number): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
548 value = float(value) |
|
5067
e424987d294a
Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents:
5044
diff
changeset
|
549 elif isinstance(prop, hyperdb.Integer): |
|
e424987d294a
Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents:
5044
diff
changeset
|
550 value = int(value) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
551 d[name] = value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
552 elif exists: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
553 # nuke the existing value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
554 if isinstance(prop, hyperdb.Multilink): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
555 d[name] = [] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
556 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
557 d[name] = None |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
558 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
559 # perform the edit |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
560 if exists: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
561 # edit existing |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
562 cl.set(itemid, **d) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
563 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
564 # new node |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
565 found[cl.create(**d)] = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
566 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
567 # retire the removed entries |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
568 for itemid in cl.list(): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
569 if itemid not in found: |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
570 # check permission to retire this item |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
571 if not self.hasPermission('Retire', itemid=itemid, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
572 classname=self.classname): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
573 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
574 'You do not have permission to retire %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
575 ) % {'class': self.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
576 cl.retire(itemid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
577 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
578 # all OK |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
579 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
580 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
581 self.client.add_ok_message(self._('Items edited OK')) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
582 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
583 class EditCommon(Action): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
584 '''Utility methods for editing.''' |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
585 |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
586 def _editnodes(self, all_props, all_links): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
587 ''' Use the props in all_props to perform edit and creation, then |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
588 use the link specs in all_links to do linking. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
589 ''' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
590 # figure dependencies and re-work links |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
591 deps = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
592 links = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
593 for cn, nodeid, propname, vlist in all_links: |
|
3855
de4c2e538e06
Bug-Fix: File attachments from the web-interface didn't work.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3853
diff
changeset
|
594 numeric_id = int (nodeid or 0) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
595 if not (numeric_id > 0 or (cn, nodeid) in all_props): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
596 # link item to link to doesn't (and won't) exist |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
597 continue |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
598 |
|
3852
0dd05c9e5fff
New test for linking of non-existing and existing properties via a form.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3851
diff
changeset
|
599 for value in vlist: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
600 if value not in all_props: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
601 # link item to link to doesn't (and won't) exist |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
602 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
603 deps.setdefault((cn, nodeid), []).append(value) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
604 links.setdefault(value, []).append((cn, nodeid, propname)) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
605 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
606 # figure chained dependencies ordering |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
607 order = [] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
608 done = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
609 # loop detection |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
610 change = 0 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
611 while len(all_props) != len(done): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
612 for needed in all_props: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
613 if needed in done: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
614 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
615 tlist = deps.get(needed, []) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
616 for target in tlist: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
617 if target not in done: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
618 break |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
619 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
620 done[needed] = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
621 order.append(needed) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
622 change = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
623 if not change: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
624 raise ValueError('linking must not loop!') |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
625 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
626 # now, edit / create |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
627 m = [] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
628 for needed in order: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
629 props = all_props[needed] |
|
3851
5fe1f30f7f30
Bug-fix: In case we have a @link@ to an existing node...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3850
diff
changeset
|
630 cn, nodeid = needed |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
631 if props: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
632 if nodeid is not None and int(nodeid) > 0: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
633 # make changes to the node |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
634 props = self._changenode(cn, nodeid, props) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
635 |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
636 # and some nice feedback for the user |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
637 if props: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
638 info = ', '.join(map(self._, props)) |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
639 m.append( |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
640 self._('%(class)s %(id)s %(properties)s edited ok') |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
641 % {'class':cn, 'id':nodeid, 'properties':info}) |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
642 else: |
|
5251
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
643 # this used to produce a message like: |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
644 # issue34 - nothing changed |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
645 # which is confusing if only quiet properties |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
646 # changed for the class/id. So don't report |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
647 # anything is the user didn't explicitly change |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
648 # a visible (non-quiet) property. |
|
35b30ce991d0
Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
649 pass |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
650 else: |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
651 assert props |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
652 |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
653 # make a new node |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
654 newid = self._createnode(cn, props) |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
655 if nodeid is None: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
656 self.nodeid = newid |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
657 nodeid = newid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
658 |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
659 # and some nice feedback for the user |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
660 m.append(self._('%(class)s %(id)s created') |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
661 % {'class':cn, 'id':newid}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
662 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
663 # fill in new ids in links |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
664 if needed in links: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
665 for linkcn, linkid, linkprop in links[needed]: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
666 props = all_props[(linkcn, linkid)] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
667 cl = self.db.classes[linkcn] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
668 propdef = cl.getprops()[linkprop] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
669 if linkprop not in props: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
670 if linkid is None or linkid.startswith('-'): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
671 # linking to a new item |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
672 if isinstance(propdef, hyperdb.Multilink): |
|
4304
df7a4400c2ce
Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4293
diff
changeset
|
673 props[linkprop] = [nodeid] |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
674 else: |
|
4304
df7a4400c2ce
Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4293
diff
changeset
|
675 props[linkprop] = nodeid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
676 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
677 # linking to an existing item |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
678 if isinstance(propdef, hyperdb.Multilink): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
679 existing = cl.get(linkid, linkprop)[:] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
680 existing.append(nodeid) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
681 props[linkprop] = existing |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
682 else: |
|
4304
df7a4400c2ce
Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4293
diff
changeset
|
683 props[linkprop] = nodeid |
|
4992
b562df8a5056
Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4880
diff
changeset
|
684 elif isinstance(propdef, hyperdb.Multilink): |
|
b562df8a5056
Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4880
diff
changeset
|
685 props[linkprop].append(nodeid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
686 |
|
4623
4f9c3858b671
Fix another XSS with the ok- and error message, see issue2550724.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4521
diff
changeset
|
687 return '\n'.join(m) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
688 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
689 def _changenode(self, cn, nodeid, props): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
690 """Change the node based on the contents of the form.""" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
691 # check for permission |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
692 if not self.editItemPermission(props, classname=cn, itemid=nodeid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
693 raise exceptions.Unauthorised(self._( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
694 'You do not have permission to edit %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
695 ) % {'class': cn}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
696 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
697 # make the changes |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
698 cl = self.db.classes[cn] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
699 return cl.set(nodeid, **props) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
700 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
701 def _createnode(self, cn, props): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
702 """Create a node based on the contents of the form.""" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
703 # check for permission |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
704 if not self.newItemPermission(props, classname=cn): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
705 raise exceptions.Unauthorised(self._( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
706 'You do not have permission to create %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
707 ) % {'class': cn}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
708 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
709 # create the node and return its id |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
710 cl = self.db.classes[cn] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
711 return cl.create(**props) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
712 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
713 def isEditingSelf(self): |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
714 """Check whether a user is editing his/her own details.""" |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
715 return (self.nodeid == self.userid |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
716 and self.db.user.get(self.nodeid, 'username') != 'anonymous') |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
717 |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
718 _cn_marker = [] |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
719 def editItemPermission(self, props, classname=_cn_marker, itemid=None): |
| 4030 | 720 """Determine whether the user has permission to edit this item.""" |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
721 if itemid is None: |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
722 itemid = self.nodeid |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
723 if classname is self._cn_marker: |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
724 classname = self.classname |
| 4030 | 725 # The user must have permission to edit each of the properties |
| 726 # being changed. | |
| 727 for p in props: | |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
728 if not self.hasPermission('Edit', itemid=itemid, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
729 classname=classname, property=p): |
| 4030 | 730 return 0 |
| 731 # Since the user has permission to edit all of the properties, | |
| 732 # the edit is OK. | |
| 733 return 1 | |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
734 |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
735 def newItemPermission(self, props, classname=None): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
736 """Determine whether the user has permission to create this item. |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
737 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
738 Base behaviour is to check the user can edit this class. No additional |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
739 property checks are made. |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
740 """ |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
741 |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
742 if not classname : |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
743 classname = self.client.classname |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
744 |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
745 if not self.hasPermission('Create', classname=classname): |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
746 return 0 |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
747 |
|
4310
8e0d350ce644
Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4304
diff
changeset
|
748 # Check Create permission for each property, to avoid being able |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
749 # to set restricted ones on new item creation |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
750 for key in props: |
|
4310
8e0d350ce644
Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4304
diff
changeset
|
751 if not self.hasPermission('Create', classname=classname, |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
752 property=key): |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
753 return 0 |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
754 return 1 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
755 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
756 class EditItemAction(EditCommon): |
|
2143
b29323f75718
wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents:
2136
diff
changeset
|
757 def lastUserActivity(self): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
758 if ':lastactivity' in self.form: |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
759 d = date.Date(self.form[':lastactivity'].value) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
760 elif '@lastactivity' in self.form: |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
761 d = date.Date(self.form['@lastactivity'].value) |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
762 else: |
|
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
763 return None |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
764 d.second = int(d.second) |
|
2264
9b34f41507ed
*** empty log message ***
Richard Jones <richard@users.sourceforge.net>
parents:
2260
diff
changeset
|
765 return d |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
766 |
|
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
767 def lastNodeActivity(self): |
|
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
768 cl = getattr(self.client.db, self.classname) |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
769 activity = cl.get(self.nodeid, 'activity').local(0) |
|
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
770 activity.second = int(activity.second) |
|
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
771 return activity |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
772 |
|
2143
b29323f75718
wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents:
2136
diff
changeset
|
773 def detectCollision(self, user_activity, node_activity): |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
774 '''Check for a collision and return the list of props we edited |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
775 that conflict.''' |
|
3188
7faae85e1e33
merge from branch
Richard Jones <richard@users.sourceforge.net>
parents:
3179
diff
changeset
|
776 if user_activity and user_activity < node_activity: |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
777 props, links = self.client.parsePropsFromForm() |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
778 key = (self.classname, self.nodeid) |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
779 # we really only collide for direct prop edit conflicts |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
780 return list(props[key]) |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
781 else: |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
782 return [] |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
783 |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
784 def handleCollision(self, props): |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
785 message = self._('Edit Error: someone else has edited this %s (%s). ' |
|
5322
875605281b02
Fix collision link to open in new window: target should be _blank not new.
John Rouillard <rouilj@ieee.org>
parents:
5319
diff
changeset
|
786 'View <a target="_blank" href="%s%s">their changes</a> ' |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
787 'in a new window.')%(self.classname, ', '.join(props), |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
788 self.classname, self.nodeid) |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
789 self.client.add_error_message(message, escape=False) |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
790 return |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
791 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
792 def handle(self): |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
793 """Perform an edit of an item in the database. |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
794 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
795 See parsePropsFromForm and _editnodes for special variables. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
796 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
797 """ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
798 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
799 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
800 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
801 |
|
2148
2490d26c88df
Line 485, lastUserActivity misspelled as lastUserActvity.
Brian Kelley <wc2so1@users.sourceforge.net>
parents:
2143
diff
changeset
|
802 user_activity = self.lastUserActivity() |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
803 if user_activity: |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
804 props = self.detectCollision(user_activity, self.lastNodeActivity()) |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
805 if props: |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
806 self.handleCollision(props) |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
807 return |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
808 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
809 props, links = self.client.parsePropsFromForm() |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
810 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
811 # handle the props |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
812 try: |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
813 message = self._editnodes(props, links) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
814 except (ValueError, KeyError, IndexError, Reject) as message: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
815 escape = not isinstance(message, RejectRaw) |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
816 self.client.add_error_message( |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
817 self._('Edit Error: %s') % str(message), escape=escape) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
818 return |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
819 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
820 # commit now that all the tricky stuff is done |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
821 self.db.commit() |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
822 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
823 # redirect to the item's edit page |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
824 # redirect to finish off |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
825 url = self.base + self.classname |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
826 # note that this action might have been called by an index page, so |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
827 # we will want to include index-page args in this URL too |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
828 if self.nodeid is not None: |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
829 url += self.nodeid |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
830 url += '?@ok_message=%s&@template=%s'%(urllib_.quote(message), |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
831 urllib_.quote(self.template)) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
832 if self.nodeid is None: |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
833 req = templating.HTMLRequest(self.client) |
|
3130
7308c3c5a943
docs editing from Jean Jordaan
Richard Jones <richard@users.sourceforge.net>
parents:
3073
diff
changeset
|
834 url += '&' + req.indexargs_url('', {})[1:] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
835 raise exceptions.Redirect(url) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
836 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
837 class NewItemAction(EditCommon): |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
838 def handle(self): |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
839 ''' Add a new item to the database. |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
840 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
841 This follows the same form as the EditItemAction, with the same |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
842 special form values. |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
843 ''' |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
844 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
845 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
846 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
847 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
848 # parse the props from the form |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
849 try: |
|
2107
b7404a96b58a
minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents:
2082
diff
changeset
|
850 props, links = self.client.parsePropsFromForm(create=1) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
851 except (ValueError, KeyError) as message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
852 self.client.add_error_message(self._('Error: %s') |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
853 % str(message)) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
854 return |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
855 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
856 # handle the props - edit or create |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
857 try: |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
858 # when it hits the None element, it'll set self.nodeid |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
859 messages = self._editnodes(props, links) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
860 except (ValueError, KeyError, IndexError, Reject) as message: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
861 escape = not isinstance(message, RejectRaw) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
862 # these errors might just be indicative of user dumbness |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
863 self.client.add_error_message(_('Error: %s') % str(message), |
|
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
864 escape=escape) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
865 return |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
866 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
867 # commit now that all the tricky stuff is done |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
868 self.db.commit() |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
869 |
|
5158
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
870 # Allow an option to stay on the page to create new things |
|
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
871 if '__redirect_to' in self.form: |
|
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
872 raise exceptions.Redirect('%s&@ok_message=%s'%( |
|
5162
3ee79a2d95d4
rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents:
5161
diff
changeset
|
873 self.examine_url(self.form['__redirect_to'].value), |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
874 urllib_.quote(messages))) |
|
5158
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
875 |
|
63294ed25e84
issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents:
5121
diff
changeset
|
876 # otherwise redirect to the new item's page |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
877 raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % ( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
878 self.base, self.classname, self.nodeid, urllib_.quote(messages), |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
879 urllib_.quote(self.template))) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
880 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
881 class PassResetAction(Action): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
882 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
883 """Handle password reset requests. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
884 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
885 Presence of either "name" or "address" generates email. Presence of |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
886 "otk" performs the reset. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
887 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
888 """ |
|
2291
90cca653ef3d
otks manager missing [SF#952931]
Richard Jones <richard@users.sourceforge.net>
parents:
2264
diff
changeset
|
889 otks = self.db.getOTKManager() |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
890 if 'otk' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
891 # pull the rego information out of the otk database |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
892 otk = self.form['otk'].value |
|
3673
94b905502d26
removed traceback with OTK is used multiple times [SF#1240539]
Richard Jones <richard@users.sourceforge.net>
parents:
3635
diff
changeset
|
893 uid = otks.get(otk, 'uid', default=None) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
894 if uid is None: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
895 self.client.add_error_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
896 self._("Invalid One Time Key!\n" |
|
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
897 "(a Mozilla bug may cause this message " |
|
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
898 "to show up erroneously, please check your email)")) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
899 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
900 |
|
5092
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
901 # pull the additional email address if exist |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
902 uaddress = otks.get(otk, 'uaddress', default=None) |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
903 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
904 # re-open the database as "admin" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
905 if self.user != 'admin': |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
906 self.client.opendb('admin') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
907 self.db = self.client.db |
|
2372
c26bb78d2f0c
couple of bugfixes
Richard Jones <richard@users.sourceforge.net>
parents:
2362
diff
changeset
|
908 otks = self.db.getOTKManager() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
909 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
910 # change the password |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
911 newpw = password.generatePassword() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
912 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
913 cl = self.db.user |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
914 # XXX we need to make the "default" page be able to display errors! |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
915 try: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
916 # set the password |
|
4486
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
917 cl.set(uid, password=password.Password(newpw, config=self.db.config)) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
918 # clear the props from the otk database |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
919 otks.destroy(otk) |
|
5319
62de601bdf6f
Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5256
diff
changeset
|
920 otks.commit() |
| 5340 | 921 # commit the password change |
| 922 self.db.commit () | |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
923 except (ValueError, KeyError) as message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
924 self.client.add_error_message(str(message)) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
925 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
926 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
927 # user info |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
928 name = self.db.user.get(uid, 'username') |
|
5092
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
929 if uaddress is None: |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
930 address = self.db.user.get(uid, 'address') |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
931 else: |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
932 address = uaddress |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
933 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
934 # send the email |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
935 tracker_name = self.db.config.TRACKER_NAME |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
936 subject = 'Password reset for %s'%tracker_name |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
937 body = ''' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
938 The password has been reset for username "%(name)s". |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
939 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
940 Your password is now: %(password)s |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
941 '''%{'name': name, 'password': newpw} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
942 if not self.client.standard_message([address], subject, body): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
943 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
944 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
945 self.client.add_ok_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
946 self._('Password reset and email sent to %s') % address) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
947 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
948 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
949 # no OTK, so now figure the user |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
950 if 'username' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
951 name = self.form['username'].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
952 try: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
953 uid = self.db.user.lookup(name) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
954 except KeyError: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
955 self.client.add_error_message(self._('Unknown username')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
956 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
957 address = self.db.user.get(uid, 'address') |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
958 elif 'address' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
959 address = self.form['address'].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
960 uid = uidFromAddress(self.db, ('', address), create=0) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
961 if not uid: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
962 self.client.add_error_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
963 self._('Unknown email address')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
964 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
965 name = self.db.user.get(uid, 'username') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
966 else: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
967 self.client.add_error_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
968 self._('You need to specify a username or address')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
969 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
970 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
971 # generate the one-time-key and store the props for later |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
972 otk = ''.join([random_.choice(chars) for x in range(32)]) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
973 while otks.exists(otk): |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
974 otk = ''.join([random_.choice(chars) for x in range(32)]) |
|
5092
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
975 otks.set(otk, uid=uid, uaddress=address) |
|
5319
62de601bdf6f
Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents:
5256
diff
changeset
|
976 otks.commit() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
977 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
978 # send the email |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
979 tracker_name = self.db.config.TRACKER_NAME |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
980 subject = 'Confirm reset of password for %s'%tracker_name |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
981 body = ''' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
982 Someone, perhaps you, has requested that the password be changed for your |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
983 username, "%(name)s". If you wish to proceed with the change, please follow |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
984 the link below: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
985 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
986 %(url)suser?@template=forgotten&@action=passrst&otk=%(otk)s |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
987 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
988 You should then receive another email with the new password. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
989 '''%{'name': name, 'tracker': tracker_name, 'url': self.base, 'otk': otk} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
990 if not self.client.standard_message([address], subject, body): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
991 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
992 |
|
5253
2d61e39b89c8
Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
993 if 'username' in self.form: |
|
2d61e39b89c8
Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
994 self.client.add_ok_message(self._('Email sent to primary notification address for %s.') % name) |
|
2d61e39b89c8
Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
995 else: |
|
2d61e39b89c8
Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents:
5217
diff
changeset
|
996 self.client.add_ok_message(self._('Email sent to %s.') % address) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
997 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
998 class RegoCommon(Action): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
999 def finishRego(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1000 # log the new user in |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1001 self.client.userid = self.userid |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1002 user = self.client.user = self.db.user.get(self.userid, 'username') |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1003 # re-open the database for real, using the user |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1004 self.client.opendb(user) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1005 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1006 # update session data |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1007 self.client.session_api.set(user=user) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1008 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1009 # nice message |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
1010 message = self._('You are now registered, welcome!') |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1011 url = '%suser%s?@ok_message=%s'%(self.base, self.userid, |
|
4416
36d52125c9cf
fixed registration, issue2550665 (thanks Timo Paulssen)
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
1012 urllib_.quote(message)) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1013 |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1014 # redirect to the user's page (but not 302, as some email clients seem |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1015 # to want to reload the page, or something) |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1016 return '''<html><head><title>%s</title></head> |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1017 <body><p><a href="%s">%s</a></p> |
|
5217
17b213eab274
Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1018 <script nonce="%s" type="text/javascript"> |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
1019 window.setTimeout('window.location = "%s"', 1000); |
|
5217
17b213eab274
Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1020 </script>'''%(message, url, message, |
|
17b213eab274
Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents:
5201
diff
changeset
|
1021 self.client.client_nonce, url) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1022 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
1023 class ConfRegoAction(RegoCommon): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1024 def handle(self): |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1025 """Grab the OTK, use it to load up the new user details.""" |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1026 try: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1027 # pull the rego information out of the otk database |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1028 self.userid = self.db.confirm_registration(self.form['otk'].value) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
1029 except (ValueError, KeyError) as message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1030 self.client.add_error_message(str(message)) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1031 return |
|
3847
1a44e4bb2b54
Fix missing return value.
Stefan Seefeld <stefan@seefeld.name>
parents:
3805
diff
changeset
|
1032 return self.finishRego() |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1033 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
1034 class RegisterAction(RegoCommon, EditCommon): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
1035 name = 'register' |
| 4146 | 1036 permissionType = 'Register' |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
1037 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1038 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1039 """Attempt to create a new user based on the contents of the form |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1040 and then remember it in session. |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1041 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1042 Return 1 on successful login. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
1043 """ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1044 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1045 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1046 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1047 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1048 # parse the props from the form |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1049 try: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1050 props, links = self.client.parsePropsFromForm(create=1) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
1051 except (ValueError, KeyError) as message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1052 self.client.add_error_message(self._('Error: %s') |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1053 % str(message)) |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1054 return |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1055 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1056 # skip the confirmation step? |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1057 if self.db.config['INSTANT_REGISTRATION']: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1058 # handle the create now |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1059 try: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1060 # when it hits the None element, it'll set self.nodeid |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1061 messages = self._editnodes(props, links) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
1062 except (ValueError, KeyError, IndexError, Reject) as message: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1063 escape = not isinstance(message, RejectRaw) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1064 # these errors might just be indicative of user dumbness |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1065 self.client.add_error_message(_('Error: %s') % str(message), |
|
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1066 escape=escape) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1067 return |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1068 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1069 # fix up the initial roles |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1070 self.db.user.set(self.nodeid, |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1071 roles=self.db.config['NEW_WEB_USER_ROLES']) |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1072 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1073 # commit now that all the tricky stuff is done |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1074 self.db.commit() |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1075 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1076 # finish off by logging the user in |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1077 self.userid = self.nodeid |
|
3466
0ecd0062abfb
fix redirect after instant registration [SF#1381676]
Richard Jones <richard@users.sourceforge.net>
parents:
3418
diff
changeset
|
1078 return self.finishRego() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1079 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1080 # generate the one-time-key and store the props for later |
|
4334
1aef7a4e4e39
fix non-instant rego
Richard Jones <richard@users.sourceforge.net>
parents:
4329
diff
changeset
|
1081 user_props = props[('user', None)] |
|
5395
23b8e6067f7c
Python 3 preparation: update calls to dict methods.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5382
diff
changeset
|
1082 for propname, proptype in self.db.user.getprops().items(): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1083 value = user_props.get(propname, None) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1084 if value is None: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1085 pass |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1086 elif isinstance(proptype, hyperdb.Date): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1087 user_props[propname] = str(value) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1088 elif isinstance(proptype, hyperdb.Interval): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1089 user_props[propname] = str(value) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1090 elif isinstance(proptype, hyperdb.Password): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1091 user_props[propname] = str(value) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
1092 otks = self.db.getOTKManager() |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
1093 otk = ''.join([random_.choice(chars) for x in range(32)]) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
1094 while otks.exists(otk): |
|
5488
52cb53eedf77
reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5452
diff
changeset
|
1095 otk = ''.join([random_.choice(chars) for x in range(32)]) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1096 otks.set(otk, **user_props) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1097 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1098 # send the email |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1099 tracker_name = self.db.config.TRACKER_NAME |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1100 tracker_email = self.db.config.TRACKER_EMAIL |
|
3469
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1101 if self.db.config['EMAIL_REGISTRATION_CONFIRMATION']: |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1102 subject = 'Complete your registration to %s -- key %s'%(tracker_name, |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1103 otk) |
|
3469
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1104 body = """To complete your registration of the user "%(name)s" with |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1105 %(tracker)s, please do one of the following: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1106 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1107 - send a reply to %(tracker_email)s and maintain the subject line as is (the |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1108 reply's additional "Re:" is ok), |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1109 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1110 - or visit the following URL: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1111 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1112 %(url)s?@action=confrego&otk=%(otk)s |
|
2108
54815ca493a5
add line to rego email to help URL detection [SF#906247]
Richard Jones <richard@users.sourceforge.net>
parents:
2107
diff
changeset
|
1113 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1114 """ % {'name': user_props['username'], 'tracker': tracker_name, |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1115 'url': self.base, 'otk': otk, 'tracker_email': tracker_email} |
|
3469
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1116 else: |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1117 subject = 'Complete your registration to %s'%(tracker_name) |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1118 body = """To complete your registration of the user "%(name)s" with |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1119 %(tracker)s, please visit the following URL: |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1120 |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1121 %(url)s?@action=confrego&otk=%(otk)s |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1122 |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1123 """ % {'name': user_props['username'], 'tracker': tracker_name, |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
1124 'url': self.base, 'otk': otk} |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
1125 if not self.client.standard_message([user_props['address']], subject, |
|
3604
ccf516e6c3f8
responses to user rego email [SF#1470254]
Richard Jones <richard@users.sourceforge.net>
parents:
3581
diff
changeset
|
1126 body, (tracker_name, tracker_email)): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1127 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1128 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1129 # commit changes to the database |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1130 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1131 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1132 # redirect to the "you're almost there" page |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1133 raise exceptions.Redirect('%suser?@template=rego_progress'%self.base) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1134 |
|
4329
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1135 def newItemPermission(self, props, classname=None): |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1136 """Just check the "Register" permission. |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1137 """ |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1138 # registration isn't allowed to supply roles |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1139 if 'roles' in props: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1140 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1141 "It is not permitted to supply roles at registration.")) |
|
4329
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1142 |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1143 # technically already checked, but here for clarity |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1144 return self.hasPermission('Register', classname=classname) |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
1145 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1146 class LogoutAction(Action): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1147 def handle(self): |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1148 """Make us really anonymous - nuke the session too.""" |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1149 # log us out |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1150 self.client.make_user_anonymous() |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1151 self.client.session_api.destroy() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1152 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1153 # Let the user know what's going on |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1154 self.client.add_ok_message(self._('You are logged out')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1155 |
|
3264
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1156 # reset client context to render tracker home page |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1157 # instead of last viewed page (may be inaccessibe for anonymous) |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1158 self.client.classname = None |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1159 self.client.nodeid = None |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1160 self.client.template = None |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
1161 |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1162 # Redirect to a new page on logout. This regenerates |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1163 # CSRF tokens so they are associated with the |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1164 # anonymous user and not the user who logged out. If |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1165 # we don't the user gets an invalid CSRF token error |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1166 # As above choose the home page since everybody can |
|
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1167 # see that. |
|
5378
35ea9b1efc14
Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents:
5356
diff
changeset
|
1168 raise exceptions.Redirect(self.base) |
|
5201
a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents:
5192
diff
changeset
|
1169 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1170 class LoginAction(Action): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1171 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1172 """Attempt to log a user in. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1173 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1174 Sets up a session for the user which contains the login credentials. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1175 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1176 """ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1177 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1178 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
1179 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1180 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1181 # we need the username at a minimum |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1182 if '__login_name' not in self.form: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1183 self.client.add_error_message(self._('Username required')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1184 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1185 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1186 # get the login info |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1187 self.client.user = self.form['__login_name'].value |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1188 if '__login_password' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1189 password = self.form['__login_password'].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1190 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1191 password = '' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1192 |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1193 if '__came_from' in self.form: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1194 # On valid or invalid login, redirect the user back to the page |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1195 # the started on. Searches, issue and other pages |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1196 # are all preserved in __came_from. Clean out any old feedback |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1197 # @error_message, @ok_message from the __came_from url. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1198 # |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1199 # 1. Split the url into components. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1200 # 2. Split the query string into parts. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1201 # 3. Delete @error_message and @ok_message if present. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1202 # 4. Define a new redirect_url missing the @...message entries. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1203 # This will be redefined if there is a login error to include |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1204 # a new error message |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
1205 |
|
5162
3ee79a2d95d4
rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents:
5161
diff
changeset
|
1206 clean_url = self.examine_url(self.form['__came_from'].value) |
|
5161
12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents:
5158
diff
changeset
|
1207 redirect_url_tuple = urllib_.urlparse(clean_url) |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1208 # now I have a tuple form for the __came_from url |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1209 try: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1210 query=urllib_.parse_qs(redirect_url_tuple.query) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1211 if "@error_message" in query: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1212 del query["@error_message"] |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1213 if "@ok_message" in query: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1214 del query["@ok_message"] |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1215 if "@action" in query: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1216 # also remove the logout action from the redirect |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1217 # there is only ever one @action value. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1218 if query['@action'] == ["logout"]: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1219 del query["@action"] |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1220 except AttributeError: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1221 # no query param so nothing to remove. Just define. |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1222 query = {} |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1223 pass |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1224 |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1225 redirect_url = urllib_.urlunparse( (redirect_url_tuple.scheme, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1226 redirect_url_tuple.netloc, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1227 redirect_url_tuple.path, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1228 redirect_url_tuple.params, |
|
5503
4f6e1ce89557
always encode query parameters in sorted order
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5488
diff
changeset
|
1229 urllib_.urlencode(list(sorted(query.items())), doseq=True), |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1230 redirect_url_tuple.fragment) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1231 ) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1232 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1233 try: |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1234 # Implement rate limiting of logins by login name. |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1235 # Use prefix to prevent key collisions maybe?? |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1236 rlkey="LOGIN-" + self.client.user |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1237 limit=self.loginLimit |
|
5722
2f116ba7e7cf
Rename Store class in rate_limit.py to Gcra. The name Store makes no
John Rouillard <rouilj@ieee.org>
parents:
5718
diff
changeset
|
1238 gcra=Gcra() |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1239 otk=self.client.db.Otk |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1240 try: |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1241 val=otk.getall(rlkey) |
|
5722
2f116ba7e7cf
Rename Store class in rate_limit.py to Gcra. The name Store makes no
John Rouillard <rouilj@ieee.org>
parents:
5718
diff
changeset
|
1242 gcra.set_tat_as_string(rlkey, val['tat']) |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1243 except KeyError: |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1244 # ignore if tat not set, it's 1970-1-1 by default. |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1245 pass |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1246 # see if rate limit exceeded and we need to reject the attempt |
|
5722
2f116ba7e7cf
Rename Store class in rate_limit.py to Gcra. The name Store makes no
John Rouillard <rouilj@ieee.org>
parents:
5718
diff
changeset
|
1247 reject=gcra.update(rlkey, limit) |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1248 |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1249 # Calculate a timestamp that will make OTK expire the |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1250 # unused entry 1 hour in the future |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1251 ts = time.time() - (60 * 60 * 24 * 7) + 3600 |
|
5722
2f116ba7e7cf
Rename Store class in rate_limit.py to Gcra. The name Store makes no
John Rouillard <rouilj@ieee.org>
parents:
5718
diff
changeset
|
1252 otk.set(rlkey, tat=gcra.get_tat_as_string(rlkey), |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1253 __timestamp=ts) |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1254 otk.commit() |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1255 |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1256 if reject: |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1257 # User exceeded limits: find out how long to wait |
|
5722
2f116ba7e7cf
Rename Store class in rate_limit.py to Gcra. The name Store makes no
John Rouillard <rouilj@ieee.org>
parents:
5718
diff
changeset
|
1258 status=gcra.status(rlkey, limit) |
|
5717
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1259 raise Reject(_("Logins occurring too fast. Please wait: %d seconds.")%status['Retry-After']) |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1260 else: |
|
cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents:
5652
diff
changeset
|
1261 self.verifyLogin(self.client.user, password) |
|
5248
198b6e810c67
Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents:
5245
diff
changeset
|
1262 except exceptions.LoginError as err: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1263 self.client.make_user_anonymous() |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1264 for arg in err.args: |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1265 self.client.add_error_message(arg) |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1266 |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1267 if '__came_from' in self.form: |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1268 # set a new error |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1269 query['@error_message'] = err.args |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1270 redirect_url = urllib_.urlunparse( (redirect_url_tuple.scheme, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1271 redirect_url_tuple.netloc, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1272 redirect_url_tuple.path, |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1273 redirect_url_tuple.params, |
|
5503
4f6e1ce89557
always encode query parameters in sorted order
Christof Meerwald <cmeerw@cmeerw.org>
parents:
5488
diff
changeset
|
1274 urllib_.urlencode(list(sorted(query.items())), doseq=True), |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1275 redirect_url_tuple.fragment ) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1276 ) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1277 raise exceptions.Redirect(redirect_url) |
|
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1278 # if no __came_from, send back to base url with error |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1279 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1280 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1281 # now we're OK, re-open the database for real, using the user |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1282 self.client.opendb(self.client.user) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1283 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1284 # save user in session |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1285 self.client.session_api.set(user=self.client.user) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1286 if 'remember' in self.form: |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1287 self.client.session_api.update(set_cookie=True, expire=24*3600*365) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1288 |
|
3418
9b8019f28158
remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents:
3382
diff
changeset
|
1289 # If we came from someplace, go back there |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1290 if '__came_from' in self.form: |
|
5121
894aa07be6cb
issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents:
5119
diff
changeset
|
1291 raise exceptions.Redirect(redirect_url) |
|
3418
9b8019f28158
remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents:
3382
diff
changeset
|
1292 |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1293 def verifyLogin(self, username, password): |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1294 # make sure the user exists |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1295 try: |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1296 self.client.userid = self.db.user.lookup(username) |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1297 except KeyError: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1298 raise exceptions.LoginError(self._('Invalid login')) |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1299 |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1300 # verify the password |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1301 if not self.verifyPassword(self.client.userid, password): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1302 raise exceptions.LoginError(self._('Invalid login')) |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1303 |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1304 # Determine whether the user has permission to log in. |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1305 # Base behaviour is to check the user has "Web Access". |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1306 if not self.hasPermission("Web Access"): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1307 raise exceptions.LoginError(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1308 "You do not have permission to login")) |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1309 |
|
4484
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1310 def verifyPassword(self, userid, givenpw): |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1311 '''Verify the password that the user has supplied. |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1312 Optionally migrate to new password scheme if configured |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1313 ''' |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1314 db = self.db |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1315 stored = db.user.get(userid, 'password') |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1316 if givenpw == stored: |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1317 if db.config.WEB_MIGRATE_PASSWORDS and stored.needs_migration(): |
|
4486
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
1318 newpw = password.Password(givenpw, config=db.config) |
|
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
1319 db.user.set(userid, password=newpw) |
|
4484
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1320 db.commit() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1321 return 1 |
|
4484
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1322 if not givenpw and not stored: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1323 return 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1324 return 0 |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1325 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1326 class ExportCSVAction(Action): |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1327 name = 'export' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1328 permissionType = 'View' |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1329 list_sep = ';' # Separator for list types |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1330 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1331 def handle(self): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1332 ''' Export the specified search query as CSV. ''' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1333 # figure the request |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1334 request = templating.HTMLRequest(self.client) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1335 filterspec = request.filterspec |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1336 sort = request.sort |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1337 group = request.group |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1338 columns = request.columns |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1339 klass = self.db.getclass(request.classname) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1340 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1341 # check if all columns exist on class |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1342 # the exception must be raised before sending header |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1343 props = klass.getprops() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1344 for cname in columns: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1345 if cname not in props: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1346 # use error code 400: Bad Request. Do not use |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1347 # error code 404: Not Found. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1348 self.client.response_code = 400 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1349 raise exceptions.NotFound( |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1350 self._('Column "%(column)s" not found in %(class)s') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1351 % {'column': cgi.escape(cname), 'class': request.classname}) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1352 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1353 # full-text search |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1354 if request.search_text: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1355 matches = self.db.indexer.search( |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1356 re.findall(r'\b\w{2,25}\b', request.search_text), klass) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1357 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1358 matches = None |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1359 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1360 header = self.client.additional_headers |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1361 header['Content-Type'] = 'text/csv; charset=%s' % self.client.charset |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1362 # some browsers will honor the filename here... |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1363 header['Content-Disposition'] = 'inline; filename=query.csv' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1364 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1365 self.client.header() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1366 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1367 if self.client.env['REQUEST_METHOD'] == 'HEAD': |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1368 # all done, return a dummy string |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1369 return 'dummy' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1370 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1371 wfile = self.client.request.wfile |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1372 if self.client.charset != self.client.STORAGE_CHARSET: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1373 wfile = codecs.EncodedFile(wfile, |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1374 self.client.STORAGE_CHARSET, self.client.charset, 'replace') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1375 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1376 writer = csv.writer(wfile) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1377 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1378 # handle different types of columns. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1379 def repr_no_right(cls, col): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1380 """User doesn't have the right to see the value of col.""" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1381 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1382 return "[hidden]" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1383 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1384 def repr_link(cls, col): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1385 """Generate a function which returns the string representation of |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1386 a link depending on `cls` and `col`.""" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1387 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1388 if arg == None: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1389 return "" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1390 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1391 return str(cls.get(arg, col)) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1392 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1393 def repr_list(cls, col): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1394 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1395 if arg == None: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1396 return "" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1397 elif type(arg) is list: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1398 seq = [str(cls.get(val, col)) for val in arg] |
|
5652
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1399 # python2/python 3 have different order in lists |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1400 # sort to not break tests |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1401 seq.sort() |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1402 return self.list_sep.join(seq) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1403 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1404 def repr_date(): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1405 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1406 if arg == None: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1407 return "" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1408 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1409 if (arg.local(self.db.getUserTimezone()).pretty('%H:%M') == |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1410 '00:00'): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1411 fmt = '%Y-%m-%d' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1412 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1413 fmt = '%Y-%m-%d %H:%M' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1414 return arg.local(self.db.getUserTimezone()).pretty(fmt) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1415 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1416 def repr_val(): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1417 def fct(arg): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1418 if arg == None: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1419 return "" |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1420 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1421 return str(arg) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1422 return fct |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1423 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1424 props = klass.getprops() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1425 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1426 # Determine translation map. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1427 ncols = [] |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1428 represent = {} |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1429 for col in columns: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1430 ncols.append(col) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1431 represent[col] = repr_val() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1432 if isinstance(props[col], hyperdb.Multilink): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1433 cname = props[col].classname |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1434 cclass = self.db.getclass(cname) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1435 represent[col] = repr_list(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1436 if not self.hasPermission(self.permissionType, classname=cname): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1437 represent[col] = repr_no_right(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1438 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1439 if 'name' in cclass.getprops(): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1440 represent[col] = repr_list(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1441 elif cname == 'user': |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1442 represent[col] = repr_list(cclass, 'realname') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1443 if isinstance(props[col], hyperdb.Link): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1444 cname = props[col].classname |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1445 cclass = self.db.getclass(cname) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1446 if not self.hasPermission(self.permissionType, classname=cname): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1447 represent[col] = repr_no_right(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1448 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1449 if 'name' in cclass.getprops(): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1450 represent[col] = repr_link(cclass, 'name') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1451 elif cname == 'user': |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1452 represent[col] = repr_link(cclass, 'realname') |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1453 if isinstance(props[col], hyperdb.Date): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1454 represent[col] = repr_date() |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1455 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1456 columns = ncols |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1457 # generate the CSV output |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1458 self.client._socket_op(writer.writerow, columns) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1459 # and search |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1460 for itemid in klass.filter(matches, filterspec, sort, group): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1461 row = [] |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1462 # don't put out a row of [hidden] fields if the user has |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1463 # no access to the issue. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1464 if not self.hasPermission(self.permissionType, itemid=itemid, |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1465 classname=request.classname): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1466 continue |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1467 for name in columns: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1468 # check permission for this property on this item |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1469 # TODO: Permission filter doesn't work for the 'user' class |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1470 if not self.hasPermission(self.permissionType, itemid=itemid, |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1471 classname=request.classname, property=name): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1472 repr_function = repr_no_right(request.classname, name) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1473 else: |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1474 repr_function = represent[name] |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1475 row.append(repr_function(klass.get(itemid, name))) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1476 self.client._socket_op(writer.writerow, row) |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1477 return '\n' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1478 |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1479 class ExportCSVWithIdAction(Action): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1480 ''' A variation of ExportCSVAction that returns ID number rather than |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1481 names. This is the original csv export function. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1482 ''' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1483 name = 'export' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1484 permissionType = 'View' |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1485 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1486 def handle(self): |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1487 ''' Export the specified search query as CSV. ''' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1488 # figure the request |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
1489 request = templating.HTMLRequest(self.client) |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1490 filterspec = request.filterspec |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1491 sort = request.sort |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1492 group = request.group |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1493 columns = request.columns |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1494 klass = self.db.getclass(request.classname) |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1495 |
|
4624
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1496 # check if all columns exist on class |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1497 # the exception must be raised before sending header |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1498 props = klass.getprops() |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1499 for cname in columns: |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1500 if cname not in props: |
|
5165
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1501 # use error code 400: Bad Request. Do not use |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1502 # error code 404: Not Found. |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1503 self.client.response_code = 400 |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1504 raise exceptions.NotFound( |
|
a86860224d80
issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents:
5164
diff
changeset
|
1505 self._('Column "%(column)s" not found in %(class)s') |
|
4624
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1506 % {'column': cgi.escape(cname), 'class': request.classname}) |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1507 |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1508 # full-text search |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1509 if request.search_text: |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1510 matches = self.db.indexer.search( |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1511 re.findall(r'\b\w{2,25}\b', request.search_text), klass) |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1512 else: |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1513 matches = None |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1514 |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
1515 h = self.client.additional_headers |
|
3499
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1516 h['Content-Type'] = 'text/csv; charset=%s' % self.client.charset |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1517 # some browsers will honor the filename here... |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1518 h['Content-Disposition'] = 'inline; filename=query.csv' |
|
2592
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1519 |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
1520 self.client.header() |
|
2592
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1521 |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1522 if self.client.env['REQUEST_METHOD'] == 'HEAD': |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1523 # all done, return a dummy string |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1524 return 'dummy' |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1525 |
|
3499
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1526 wfile = self.client.request.wfile |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1527 if self.client.charset != self.client.STORAGE_CHARSET: |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1528 wfile = codecs.EncodedFile(wfile, |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1529 self.client.STORAGE_CHARSET, self.client.charset, 'replace') |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1530 |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1531 writer = csv.writer(wfile) |
|
3987
c4f7b3817d3d
Prevent broken pipe errors in csv export (patch [SF#911449)
Richard Jones <richard@users.sourceforge.net>
parents:
3913
diff
changeset
|
1532 self.client._socket_op(writer.writerow, columns) |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1533 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1534 # and search |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1535 for itemid in klass.filter(matches, filterspec, sort, group): |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1536 row = [] |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1537 # FIXME should this code raise an exception if an item |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1538 # is included that can't be accessed? Enabling this |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1539 # check will just skip the row for the inaccessible item. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1540 # This makes it act more like the web interface. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1541 #if not self.hasPermission(self.permissionType, itemid=itemid, |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1542 # classname=request.classname): |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1543 # continue |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1544 for name in columns: |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1545 # check permission to view this property on this item |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1546 if not self.hasPermission(self.permissionType, itemid=itemid, |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1547 classname=request.classname, property=name): |
|
5614
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1548 # FIXME: is this correct, or should we just |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1549 # emit a '[hidden]' string. Note that this may |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1550 # allow an attacker to figure out hidden schema |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1551 # properties. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1552 # A bad property name will result in an exception. |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1553 # A valid property results in a column of '[hidden]' |
|
be99aa02c616
issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents:
5515
diff
changeset
|
1554 # values. |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1555 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1556 'You do not have permission to view %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1557 ) % {'class': request.classname}) |
|
5652
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1558 value = klass.get(itemid, name) |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1559 try: |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1560 # python2/python 3 have different order in lists |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1561 # sort to not break tests |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1562 value.sort() |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1563 except AttributeError: |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1564 pass # value is not sortable, probably str |
|
9689d1bf9bb0
python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents:
5614
diff
changeset
|
1565 row.append(str(value)) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1566 self.client._socket_op(writer.writerow, row) |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1567 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1568 return '\n' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1569 |
| 4083 | 1570 class Bridge(BaseAction): |
| 1571 """Make roundup.actions.Action executable via CGI request. | |
| 1572 | |
| 1573 Using this allows users to write actions executable from multiple frontends. | |
| 1574 CGI Form content is translated into a dictionary, which then is passed as | |
| 1575 argument to 'handle()'. XMLRPC requests have to pass this dictionary | |
| 1576 directly. | |
| 1577 """ | |
| 1578 | |
| 1579 def __init__(self, *args): | |
| 1580 | |
| 1581 # As this constructor is callable from multiple frontends, each with | |
| 1582 # different Action interfaces, we have to look at the arguments to | |
| 1583 # figure out how to complete construction. | |
| 1584 if (len(args) == 1 and | |
| 1585 hasattr(args[0], '__class__') and | |
| 1586 args[0].__class__.__name__ == 'Client'): | |
| 1587 self.cgi = True | |
| 1588 self.execute = self.execute_cgi | |
| 1589 self.client = args[0] | |
| 1590 self.form = self.client.form | |
| 1591 else: | |
| 1592 self.cgi = False | |
| 1593 | |
| 1594 def execute_cgi(self): | |
| 1595 args = {} | |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1596 for key in self.form: |
| 4083 | 1597 args[key] = self.form.getvalue(key) |
| 1598 self.permission(args) | |
| 1599 return self.handle(args) | |
| 1600 | |
| 1601 def permission(self, args): | |
| 1602 """Raise Unauthorised if the current user is not allowed to execute | |
| 1603 this action. Users may override this method.""" | |
|
4118
878767b75e1d
fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents:
4112
diff
changeset
|
1604 |
| 4083 | 1605 pass |
| 1606 | |
| 1607 def handle(self, args): | |
|
4118
878767b75e1d
fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents:
4112
diff
changeset
|
1608 |
| 4083 | 1609 raise NotImplementedError |
| 1610 | |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
1611 # vim: set filetype=python sts=4 sw=4 et si : |