Mercurial > p > roundup > code

annotate roundup/cgi/actions.py @ 5995:b4b5b7afacd9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
issue2551007 - Selection fields are not translated Added a FIXME to a section of code that should mark a string as translatable, but I am not sure how to mark it that way.
author John Rouillard <rouilj@ieee.org>
date Tue, 24 Dec 2019 20:44:19 -0500
parents 71c68961d9f4
children 8128ca0cb764
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5452
diff changeset
1 import re, cgi, time, csv, codecs
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
2
3188
7faae85e1e33 merge from branch
Richard Jones <richard@users.sourceforge.net>
parents: 3179
diff changeset
3 from roundup import hyperdb, token, date, password
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
4 from roundup.actions import Action as BaseAction
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
5 from roundup.i18n import _
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
6 from roundup.cgi import exceptions, templating
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
7 from roundup.mailgw import uidFromAddress
5722
2f116ba7e7cf Rename Store class in rate_limit.py to Gcra. The name Store makes no
John Rouillard <rouilj@ieee.org>
parents: 5718
diff changeset
8 from roundup.rate_limit import Gcra, RateLimit
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
9 from roundup.cgi.timestamp import Timestamped
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
10 from roundup.exceptions import Reject, RejectRaw
5044
dce3cfe7ec61 Remove roundup.anypy.io_
John Kristensen <john@jerrykan.com>
parents: 5010
diff changeset
11 from roundup.anypy import urllib_
5452
b50a4c85c270 fixed incorrect usage of BytesIO
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5395
diff changeset
12 from roundup.anypy.strings import StringIO
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5452
diff changeset
13 import roundup.anypy.random_ as random_
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
14
5837
883c9e90b403 Fix problem with cgi.escape being depricated a different way. This way
John Rouillard <rouilj@ieee.org>
parents: 5814
diff changeset
15 from roundup.anypy.html import html_escape
5800
1a835db41674 Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents: 5772
diff changeset
16
5717
cad18de2b988 issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents: 5652
diff changeset
17 import time
cad18de2b988 issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents: 5652
diff changeset
18 from datetime import timedelta
cad18de2b988 issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents: 5652
diff changeset
19
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
20 # Also add action to client.py::Client.actions property
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
21 __all__ = ['Action', 'ShowAction', 'RetireAction', 'RestoreAction', 'SearchAction',
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
22 'EditCSVAction', 'EditItemAction', 'PassResetAction',
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
23 'ConfRegoAction', 'RegisterAction', 'LoginAction', 'LogoutAction',
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
24 'NewItemAction', 'ExportCSVAction', 'ExportCSVWithIdAction']
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
25
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
26 # used by a couple of routines
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
27 chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
28
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
29 class Action:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
30 def __init__(self, client):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
31 self.client = client
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
32 self.form = client.form
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
33 self.db = client.db
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
34 self.nodeid = client.nodeid
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
35 self.template = client.template
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
36 self.classname = client.classname
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
37 self.userid = client.userid
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
38 self.base = client.base
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
39 self.user = client.user
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
40 self.context = templating.context(client)
5718
842252c3ee22 Change access to config from dict to property. This makes doing the
John Rouillard <rouilj@ieee.org>
parents: 5717
diff changeset
41 self.loginLimit = RateLimit(client.db.config.WEB_LOGIN_ATTEMPTS_MIN, timedelta(seconds=60))
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
42
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
43 def handle(self):
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
44 """Action handler procedure"""
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
45 raise NotImplementedError
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
46
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
47 def execute(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
48 """Execute the action specified by this object."""
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
49 self.permission()
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
50 return self.handle()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
51
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
52 def examine_url(self, url):
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
53 '''Return URL validated to be under self.base and properly escaped
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
54
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
55 If url not properly escaped or validation fails raise ValueError.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
56
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
57 To try to prevent XSS attacks, validate that the url that is
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
58 passed in is under self.base for the tracker. This is used to
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
59 clean up "__came_from" and "__redirect_to" form variables used
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
60 by the LoginAction and NewItemAction actions.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
61
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
62 The url that is passed in must be a properly url quoted
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
63 argument. I.E. all characters that are not valid according to
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
64 RFC3986 must be % encoded. Schema should be lower case.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
65
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
66 It parses the passed url into components.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
67
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
68 It verifies that the scheme is http or https (so a redirect can
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
69 force https even if normal access to the tracker is via http).
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
70 Validates that the network component is the same as in self.base.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
71 Validates that the path component in the base url starts the url's
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
72 path component. It not it raises ValueError. If everything
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
73 validates:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
74
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
75 For each component, Appendix A of RFC 3986 says the following
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
76 are allowed:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
77
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
78 pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
79 query = *( pchar / "/" / "?" )
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
80 unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
81 pct-encoded = "%" HEXDIG HEXDIG
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
82 sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
83 / "*" / "+" / "," / ";" / "="
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
84
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
85 Checks all parts with a regexp that matches any run of 0 or
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
86 more allowed characters. If the component doesn't validate,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
87 raise ValueError. Don't attempt to urllib_.quote it. Either
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
88 it's correct as it comes in or it's a ValueError.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
89
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
90 Finally paste the whole thing together and return the new url.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
91 '''
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
92
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
93 parsed_url_tuple = urllib_.urlparse(url)
5164
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
94 if self.base:
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
95 parsed_base_url_tuple = urllib_.urlparse(self.base)
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
96 else:
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
97 raise ValueError(self._("Base url not set. Check configuration."))
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
98
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
99 info={ 'url': url,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
100 'base_url': self.base,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
101 'base_scheme': parsed_base_url_tuple.scheme,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
102 'base_netloc': parsed_base_url_tuple.netloc,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
103 'base_path': parsed_base_url_tuple.path,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
104 'url_scheme': parsed_url_tuple.scheme,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
105 'url_netloc': parsed_url_tuple.netloc,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
106 'url_path': parsed_url_tuple.path,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
107 'url_params': parsed_url_tuple.params,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
108 'url_query': parsed_url_tuple.query,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
109 'url_fragment': parsed_url_tuple.fragment }
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
110
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
111 if parsed_base_url_tuple.scheme == "https":
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
112 if parsed_url_tuple.scheme != "https":
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
113 raise ValueError(self._("Base url %(base_url)s requires https. Redirect url %(url)s uses http.")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
114 else:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
115 if parsed_url_tuple.scheme not in ('http', 'https'):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
116 raise ValueError(self._("Unrecognized scheme in %(url)s")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
117
5382
1556b39fde7c Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
118 if parsed_url_tuple.netloc != parsed_base_url_tuple.netloc:
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
119 raise ValueError(self._("Net location in %(url)s does not match base: %(base_netloc)s")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
120
5382
1556b39fde7c Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
121 if parsed_url_tuple.path.find(parsed_base_url_tuple.path) != 0:
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
122 raise ValueError(self._("Base path %(base_path)s is not a prefix for url %(url)s")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
123
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
124 # I am not sure if this has to be language sensitive.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
125 # Do ranges depend on the LANG of the user??
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
126 # Is there a newer spec for URI's than what I am referencing?
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
127
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
128 # Also it really should be % HEXDIG HEXDIG that's allowed
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
129 # If %%% passes, the roundup server should be able to ignore/
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
130 # quote it so it doesn't do anything bad otherwise we have a
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
131 # different vector to handle.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
132 allowed_pattern = re.compile(r'''^[A-Za-z0-9@:/?._~%!$&'()*+,;=-]*$''')
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
133
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
134 if not allowed_pattern.match(parsed_url_tuple.path):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
135 raise ValueError(self._("Path component (%(url_path)s) in %(url)s is not properly escaped")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
136
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
137 if not allowed_pattern.match(parsed_url_tuple.params):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
138 raise ValueError(self._("Params component (%(url_params)s) in %(url)s is not properly escaped")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
139
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
140 if not allowed_pattern.match(parsed_url_tuple.query):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
141 raise ValueError(self._("Query component (%(url_query)s) in %(url)s is not properly escaped")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
142
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
143 if not allowed_pattern.match(parsed_url_tuple.fragment):
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
144 raise ValueError(self._("Fragment component (%(url_fragment)s) in %(url)s is not properly escaped")%info)
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
145
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
146 return(urllib_.urlunparse(parsed_url_tuple))
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
147
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
148 name = ''
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
149 permissionType = None
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
150 def permission(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
151 """Check whether the user has permission to execute this action.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
152
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
153 True by default. If the permissionType attribute is a string containing
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
154 a simple permission, check whether the user has that permission.
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
155 Subclasses must also define the name attribute if they define
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
156 permissionType.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
157
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
158 Despite having this permission, users may still be unauthorised to
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
159 perform parts of actions. It is up to the subclasses to detect this.
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
160 """
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
161 if (self.permissionType and
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
162 not self.hasPermission(self.permissionType)):
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
163 info = {'action': self.name, 'classname': self.classname}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
164 raise exceptions.Unauthorised(self._(
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
165 'You do not have permission to '
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
166 '%(action)s the %(classname)s class.')%info)
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
167
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
168 _marker = []
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
169 def hasPermission(self, permission, classname=_marker, itemid=None, property=None):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
170 """Check whether the user has 'permission' on the current class."""
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
171 if classname is self._marker:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
172 classname = self.client.classname
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
173 return self.db.security.hasPermission(permission, self.client.userid,
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
174 classname=classname, itemid=itemid, property=property)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
175
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
176 def gettext(self, msgid):
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
177 """Return the localized translation of msgid"""
2563
420d5c2a49d9 use client.translator instead of static translationService;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2553
diff changeset
178 return self.client.translator.gettext(msgid)
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
179
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
180 _ = gettext
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
181
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
182 class ShowAction(Action):
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
183
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
184 typere=re.compile('[@:]type')
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
185 numre=re.compile('[@:]number')
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
186
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
187 def handle(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
188 """Show a node of a particular class/id."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
189 t = n = ''
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
190 for key in self.form:
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
191 if self.typere.match(key):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
192 t = self.form[key].value.strip()
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
193 elif self.numre.match(key):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
194 n = self.form[key].value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
195 if not t:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
196 raise ValueError(self._('No type specified'))
2052
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
197 if not n:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
198 raise exceptions.SeriousError(self._('No ID entered'))
2052
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
199 try:
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
200 int(n)
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
201 except ValueError:
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
202 d = {'input': n, 'classname': t}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
203 raise exceptions.SeriousError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
204 '"%(input)s" is not an ID (%(classname)s ID required)')%d)
2183
ac24a9c74cca be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents: 2169
diff changeset
205 url = '%s%s%s'%(self.base, t, n)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
206 raise exceptions.Redirect(url)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
207
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
208 class RetireAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
209 name = 'retire'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
210 permissionType = 'Edit'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
211
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
212 def handle(self):
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
213 """Retire the context item."""
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
214 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
215 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
216 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
217
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
218 # if we want to view the index template now, then unset the itemid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
219 # context info (a special-case for retire actions on the index page)
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
220 itemid = self.nodeid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
221 if self.template == 'index':
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
222 self.client.nodeid = None
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
223
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
224 # make sure we don't try to retire admin or anonymous
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
225 if self.classname == 'user' and \
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
226 self.db.user.get(itemid, 'username') in ('admin', 'anonymous'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
227 raise ValueError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
228 'You may not retire the admin or anonymous user'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
229
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
230 # check permission
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
231 if not self.hasPermission('Retire', classname=self.classname,
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
232 itemid=itemid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
233 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
234 'You do not have permission to retire %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
235 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
236
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
237 # do the retire
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
238 self.db.getclass(self.classname).retire(itemid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
239 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
240
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
241 self.client.add_ok_message(
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
242 self._('%(classname)s %(itemid)s has been retired')%{
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
243 'classname': self.classname.capitalize(), 'itemid': itemid})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
244
3473
370bb8f3c4d1 fix permission check on RetireAction [SF#1407342]
Richard Jones <richard@users.sourceforge.net>
parents: 3469
diff changeset
245
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
246 class RestoreAction(Action):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
247 name = 'restore'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
248 permissionType = 'Edit'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
249
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
250 def handle(self):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
251 """Restore the context item."""
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
252 # ensure modification comes via POST
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
253 if self.client.env['REQUEST_METHOD'] != 'POST':
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
254 raise Reject(self._('Invalid request'))
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
255
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
256 # if we want to view the index template now, then unset the itemid
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
257 # context info (a special-case for retire actions on the index page)
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
258 itemid = self.nodeid
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
259 if self.template == 'index':
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
260 self.client.nodeid = None
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
261
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
262 # check permission
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
263 if not self.hasPermission('Restore', classname=self.classname,
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
264 itemid=itemid):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
265 raise exceptions.Unauthorised(self._(
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
266 'You do not have permission to restore %(class)s'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
267 ) % {'class': self.classname})
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
268
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
269 # do the restore
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
270 self.db.getclass(self.classname).restore(itemid)
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
271 self.db.commit()
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
272
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
273 self.client.add_ok_message(
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
274 self._('%(classname)s %(itemid)s has been restored')%{
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
275 'classname': self.classname.capitalize(), 'itemid': itemid})
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
276
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
277
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
278 class SearchAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
279 name = 'search'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
280 permissionType = 'View'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
281
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
282 def handle(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
283 """Mangle some of the form variables.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
284
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
285 Set the form ":filter" variable based on the values of the filter
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
286 variables - if they're set to anything other than "dontcare" then add
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
287 them to :filter.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
288
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
289 Handle the ":queryname" variable and save off the query to the user's
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
290 query list.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
291
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
292 Split any String query values on whitespace and comma.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
293
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
294 """
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
295 self.fakeFilterVars()
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
296 queryname = self.getQueryName()
3913
00896a2acaa5 clean up query display of "Private to you" items
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3855
diff changeset
297
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
298 # editing existing query name?
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
299 old_queryname = self.getFromForm('old-queryname')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
300
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
301 # handle saving the query params
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
302 if queryname:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
303 # parse the environment and figure what the query _is_
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
304 req = templating.HTMLRequest(self.client)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
305
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
306 url = self.getCurrentURL(req)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
307
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
308 key = self.db.query.getkey()
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
309 if key:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
310 # edit the old way, only one query per name
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
311 # Note that use of queryname as key will automatically
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
312 # raise an error if there are duplicate names.
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
313 try:
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
314 qid = self.db.query.lookup(old_queryname)
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
315 if not self.hasPermission('Edit', 'query', itemid=qid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
316 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
317 "You do not have permission to edit queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
318 self.db.query.set(qid, klass=self.classname, url=url)
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
319 except KeyError:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
320 # create a query
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
321 if not self.hasPermission('Create', 'query'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
322 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
323 "You do not have permission to store queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
324 qid = self.db.query.create(name=queryname,
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
325 klass=self.classname, url=url)
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
326 else:
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
327 uid = self.db.getuid()
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
328
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
329 # if the queryname is being changed from the old
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
330 # (original) value, make sure new queryname is not
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
331 # already in use by user.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
332 # if in use, return to edit/search screen and let
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
333 # user change it.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
334
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
335 if old_queryname != queryname:
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
336 # we have a name change
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
337 qids = self.db.query.filter(None, {'name': queryname,
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
338 'creator': uid})
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
339 for qid in qids:
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
340 # require an exact name match
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
341 if queryname != self.db.query.get(qid, 'name'):
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
342 continue
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
343 # whoops we found a duplicate; report error and return
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
344 message=_("You already own a query named '%s'. Please choose another name.")%(queryname)
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
345 self.client.add_error_message(message)
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
346 return
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
347
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
348 # edit the new way, query name not a key any more
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
349 # see if we match an existing private query
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
350 qids = self.db.query.filter(None, {'name': old_queryname,
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
351 'private_for': uid})
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
352 if not qids:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
353 # ok, so there's not a private query for the current user
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
354 # - see if there's one created by them
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
355 qids = self.db.query.filter(None, {'name': old_queryname,
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
356 'creator': uid})
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
357
3581
d10008f756a4 fix saving of queries [SF#1436169]
Richard Jones <richard@users.sourceforge.net>
parents: 3549
diff changeset
358 if qids and old_queryname:
2362
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
359 # edit query - make sure we get an exact match on the name
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
360 for qid in qids:
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
361 if old_queryname != self.db.query.get(qid, 'name'):
2362
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
362 continue
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
363 if not self.hasPermission('Edit', 'query', itemid=qid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
364 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
365 "You do not have permission to edit queries"))
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
366 self.db.query.set(qid, klass=self.classname,
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
367 url=url, name=queryname)
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
368 else:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
369 # create a query
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
370 if not self.hasPermission('Create', 'query'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
371 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
372 "You do not have permission to store queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
373 qid = self.db.query.create(name=queryname,
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
374 klass=self.classname, url=url, private_for=uid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
375
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
376 # and add it to the user's query multilink
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
377 queries = self.db.user.get(self.userid, 'queries')
2061
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
378 if qid not in queries:
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
379 queries.append(qid)
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
380 self.db.user.set(self.userid, queries=queries)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
381
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
382 # commit the query change to the database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
383 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
384
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
385 # This redirects to the index page. Add the @dispname
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
386 # url param to the request so that the query name
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
387 # is displayed.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
388 req.form.list.append(
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
389 cgi.MiniFieldStorage(
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
390 "@dispname", queryname
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
391 )
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
392 )
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
393
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
394
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
395 def fakeFilterVars(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
396 """Add a faked :filter form variable for each filtering prop."""
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
397 cls = self.db.classes[self.classname]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
398 for key in self.form:
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
399 prop = cls.get_transitive_prop(key)
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
400 if not prop:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
401 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
402 if isinstance(self.form[key], type([])):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
403 # search for at least one entry which is not empty
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
404 for minifield in self.form[key]:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
405 if minifield.value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
406 break
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
407 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
408 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
409 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
410 if not self.form[key].value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
411 continue
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
412 if isinstance(prop, hyperdb.String):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
413 v = self.form[key].value
5245
bc16d91b7a50 Fix token_split() so its one error throws ValueError w/out extra arg.
Eric S. Raymond <esr@thyrsus.com>
parents: 5217
diff changeset
414 # If this ever has unbalanced quotes, hilarity will ensue
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
415 l = token.token_split(v)
4037
0b89c94a2387 Robustify SearchAction.fakeFilterVars
Stefan Seefeld <stefan@seefeld.name>
parents: 4030
diff changeset
416 if len(l) != 1 or l[0] != v:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
417 self.form.value.remove(self.form[key])
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
418 # replace the single value with the split list
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
419 for v in l:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
420 self.form.value.append(cgi.MiniFieldStorage(key, v))
5097
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
421 elif isinstance(prop, hyperdb.Number):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
422 try:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
423 float(self.form[key].value)
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
424 except ValueError:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
425 raise exceptions.FormError("Invalid number: "+self.form[key].value)
5097
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
426 elif isinstance(prop, hyperdb.Integer):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
427 try:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
428 val=self.form[key].value
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
429 if ( str(int(val)) == val ):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
430 pass
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
431 else:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
432 raise ValueError
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
433 except ValueError:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
434 raise exceptions.FormError("Invalid integer: "+val)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
435
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
436 self.form.value.append(cgi.MiniFieldStorage('@filter', key))
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
437
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
438 def getCurrentURL(self, req):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
439 """Get current URL for storing as a query.
3805
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
440
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
441 Note: We are removing the first character from the current URL,
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
442 because the leading '?' is not part of the query string.
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
443
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
444 Implementation note:
5173
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
445 We now store the template with the query if the template name is
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
446 different from 'index'
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
447 """
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
448 template = self.getFromForm('template')
5173
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
449 if template and template != 'index':
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
450 return req.indexargs_url('', {'@template' : template})[1:]
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
451 return req.indexargs_url('', {})[1:]
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
452
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
453 def getFromForm(self, name):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
454 for key in ('@' + name, ':' + name):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
455 if key in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
456 return self.form[key].value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
457 return ''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
458
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
459 def getQueryName(self):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
460 return self.getFromForm('queryname')
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
461
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
462 class EditCSVAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
463 name = 'edit'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
464 permissionType = 'Edit'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
465
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
466 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
467 """Performs an edit of all of a class' items in one go.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
468
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
469 The "rows" CGI var defines the CSV-formatted entries for the class. New
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
470 nodes are identified by the ID 'X' (or any other non-existent ID) and
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
471 removed lines are retired.
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
472 """
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
473 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
474 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
475 raise Reject(self._('Invalid request'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
476
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
477 # figure the properties list for the class
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
478 cl = self.db.classes[self.classname]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
479 props_without_id = list(cl.getprops(protected=0))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
480
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
481 # the incoming CSV data will always have the properties in colums
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
482 # sorted and starting with the "id" column
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
483 props_without_id.sort()
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
484 props = ['id'] + props_without_id
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
485
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
486 # do the edit
5452
b50a4c85c270 fixed incorrect usage of BytesIO
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5395
diff changeset
487 rows = StringIO(self.form['rows'].value)
3179
88dbe6b3d891 merge removal of rcsv
Richard Jones <richard@users.sourceforge.net>
parents: 3145
diff changeset
488 reader = csv.reader(rows)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
489 found = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
490 line = 0
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
491 for values in reader:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
492 line += 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
493 if line == 1: continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
494 # skip property names header
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
495 if values == props:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
496 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
497
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
498 # extract the itemid
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
499 itemid, values = values[0], values[1:]
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
500 found[itemid] = 1
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
501
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
502 # see if the node exists
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
503 if itemid in ('x', 'X') or not cl.hasnode(itemid):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
504 exists = 0
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
505
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
506 # check permission to create this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
507 if not self.hasPermission('Create', classname=self.classname):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
508 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
509 'You do not have permission to create %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
510 ) % {'class': self.classname})
4293
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
511 elif cl.hasnode(itemid) and cl.is_retired(itemid):
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
512 # If a CSV line just mentions an id and the corresponding
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
513 # item is retired, then the item is restored.
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
514 cl.restore(itemid)
5515
cd0ceb2afdb8 fixed issue2550993 and added test case
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5503
diff changeset
515 exists = 1
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
516 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
517 exists = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
518
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
519 # confirm correct weight
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
520 if len(props_without_id) != len(values):
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
521 self.client.add_error_message(
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
522 self._('Not enough values on line %(line)s')%{'line':line})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
523 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
524
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
525 # extract the new values
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
526 d = {}
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
527 for name, value in zip(props_without_id, values):
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
528 # check permission to edit this property on this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
529 if exists and not self.hasPermission('Edit', itemid=itemid,
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
530 classname=self.classname, property=name):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
531 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
532 'You do not have permission to edit %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
533 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
534
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
535 prop = cl.properties[name]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
536 value = value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
537 # only add the property if it has a value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
538 if value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
539 # if it's a multilink, split it
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
540 if isinstance(prop, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
541 value = value.split(':')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
542 elif isinstance(prop, hyperdb.Password):
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
543 value = password.Password(value, config=self.db.config)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
544 elif isinstance(prop, hyperdb.Interval):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
545 value = date.Interval(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
546 elif isinstance(prop, hyperdb.Date):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
547 value = date.Date(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
548 elif isinstance(prop, hyperdb.Boolean):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
549 value = value.lower() in ('yes', 'true', 'on', '1')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
550 elif isinstance(prop, hyperdb.Number):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
551 value = float(value)
5067
e424987d294a Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents: 5044
diff changeset
552 elif isinstance(prop, hyperdb.Integer):
e424987d294a Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents: 5044
diff changeset
553 value = int(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
554 d[name] = value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
555 elif exists:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
556 # nuke the existing value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
557 if isinstance(prop, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
558 d[name] = []
5814
bd6d41f21a5a More extensive EditCSV testing.
John Rouillard <rouilj@ieee.org>
parents: 5800
diff changeset
559 elif isinstance(prop, hyperdb.Password):
bd6d41f21a5a More extensive EditCSV testing.
John Rouillard <rouilj@ieee.org>
parents: 5800
diff changeset
560 # create empty password entry
bd6d41f21a5a More extensive EditCSV testing.
John Rouillard <rouilj@ieee.org>
parents: 5800
diff changeset
561 d[name] = password.Password("", config=self.db.config)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
562 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
563 d[name] = None
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
564
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
565 # perform the edit
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
566 if exists:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
567 # edit existing
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
568 cl.set(itemid, **d)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
569 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
570 # new node
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
571 found[cl.create(**d)] = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
572
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
573 # retire the removed entries
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
574 for itemid in cl.list():
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
575 if itemid not in found:
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
576 # check permission to retire this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
577 if not self.hasPermission('Retire', itemid=itemid,
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
578 classname=self.classname):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
579 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
580 'You do not have permission to retire %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
581 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
582 cl.retire(itemid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
583
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
584 # all OK
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
585 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
586
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
587 self.client.add_ok_message(self._('Items edited OK'))
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
588
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
589 class EditCommon(Action):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
590 '''Utility methods for editing.'''
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
591
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
592 def _editnodes(self, all_props, all_links):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
593 ''' Use the props in all_props to perform edit and creation, then
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
594 use the link specs in all_links to do linking.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
595 '''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
596 # figure dependencies and re-work links
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
597 deps = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
598 links = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
599 for cn, nodeid, propname, vlist in all_links:
3855
de4c2e538e06 Bug-Fix: File attachments from the web-interface didn't work.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3853
diff changeset
600 numeric_id = int (nodeid or 0)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
601 if not (numeric_id > 0 or (cn, nodeid) in all_props):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
602 # link item to link to doesn't (and won't) exist
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
603 continue
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
604
3852
0dd05c9e5fff New test for linking of non-existing and existing properties via a form.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3851
diff changeset
605 for value in vlist:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
606 if value not in all_props:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
607 # link item to link to doesn't (and won't) exist
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
608 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
609 deps.setdefault((cn, nodeid), []).append(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
610 links.setdefault(value, []).append((cn, nodeid, propname))
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
611
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
612 # figure chained dependencies ordering
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
613 order = []
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
614 done = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
615 # loop detection
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
616 change = 0
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
617 while len(all_props) != len(done):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
618 for needed in all_props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
619 if needed in done:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
620 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
621 tlist = deps.get(needed, [])
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
622 for target in tlist:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
623 if target not in done:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
624 break
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
625 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
626 done[needed] = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
627 order.append(needed)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
628 change = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
629 if not change:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
630 raise ValueError('linking must not loop!')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
631
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
632 # now, edit / create
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
633 m = []
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
634 for needed in order:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
635 props = all_props[needed]
3851
5fe1f30f7f30 Bug-fix: In case we have a @link@ to an existing node...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3850
diff changeset
636 cn, nodeid = needed
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
637 if props:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
638 if nodeid is not None and int(nodeid) > 0:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
639 # make changes to the node
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
640 props = self._changenode(cn, nodeid, props)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
641
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
642 # and some nice feedback for the user
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
643 if props:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
644 info = ', '.join(map(self._, props))
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
645 m.append(
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
646 self._('%(class)s %(id)s %(properties)s edited ok')
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
647 % {'class':cn, 'id':nodeid, 'properties':info})
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
648 else:
5251
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
649 # this used to produce a message like:
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
650 # issue34 - nothing changed
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
651 # which is confusing if only quiet properties
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
652 # changed for the class/id. So don't report
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
653 # anything is the user didn't explicitly change
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
654 # a visible (non-quiet) property.
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
655 pass
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
656 else:
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
657 assert props
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
658
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
659 # make a new node
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
660 newid = self._createnode(cn, props)
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
661 if nodeid is None:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
662 self.nodeid = newid
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
663 nodeid = newid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
664
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
665 # and some nice feedback for the user
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
666 m.append(self._('%(class)s %(id)s created')
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
667 % {'class':cn, 'id':newid})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
668
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
669 # fill in new ids in links
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
670 if needed in links:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
671 for linkcn, linkid, linkprop in links[needed]:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
672 props = all_props[(linkcn, linkid)]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
673 cl = self.db.classes[linkcn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
674 propdef = cl.getprops()[linkprop]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
675 if linkprop not in props:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
676 if linkid is None or linkid.startswith('-'):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
677 # linking to a new item
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
678 if isinstance(propdef, hyperdb.Multilink):
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
679 props[linkprop] = [nodeid]
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
680 else:
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
681 props[linkprop] = nodeid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
682 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
683 # linking to an existing item
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
684 if isinstance(propdef, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
685 existing = cl.get(linkid, linkprop)[:]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
686 existing.append(nodeid)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
687 props[linkprop] = existing
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
688 else:
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
689 props[linkprop] = nodeid
4992
b562df8a5056 Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4880
diff changeset
690 elif isinstance(propdef, hyperdb.Multilink):
b562df8a5056 Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4880
diff changeset
691 props[linkprop].append(nodeid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
692
4623
4f9c3858b671 Fix another XSS with the ok- and error message, see issue2550724.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4521
diff changeset
693 return '\n'.join(m)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
694
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
695 def _changenode(self, cn, nodeid, props):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
696 """Change the node based on the contents of the form."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
697 # check for permission
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
698 if not self.editItemPermission(props, classname=cn, itemid=nodeid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
699 raise exceptions.Unauthorised(self._(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
700 'You do not have permission to edit %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
701 ) % {'class': cn})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
702
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
703 # make the changes
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
704 cl = self.db.classes[cn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
705 return cl.set(nodeid, **props)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
706
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
707 def _createnode(self, cn, props):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
708 """Create a node based on the contents of the form."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
709 # check for permission
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
710 if not self.newItemPermission(props, classname=cn):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
711 raise exceptions.Unauthorised(self._(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
712 'You do not have permission to create %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
713 ) % {'class': cn})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
714
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
715 # create the node and return its id
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
716 cl = self.db.classes[cn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
717 return cl.create(**props)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
718
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
719 def isEditingSelf(self):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
720 """Check whether a user is editing his/her own details."""
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
721 return (self.nodeid == self.userid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
722 and self.db.user.get(self.nodeid, 'username') != 'anonymous')
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
723
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
724 _cn_marker = []
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
725 def editItemPermission(self, props, classname=_cn_marker, itemid=None):
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
726 """Determine whether the user has permission to edit this item."""
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
727 if itemid is None:
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
728 itemid = self.nodeid
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
729 if classname is self._cn_marker:
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
730 classname = self.classname
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
731 # The user must have permission to edit each of the properties
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
732 # being changed.
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
733 for p in props:
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
734 if not self.hasPermission('Edit', itemid=itemid,
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
735 classname=classname, property=p):
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
736 return 0
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
737 # Since the user has permission to edit all of the properties,
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
738 # the edit is OK.
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
739 return 1
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
740
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
741 def newItemPermission(self, props, classname=None):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
742 """Determine whether the user has permission to create this item.
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
743
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
744 Base behaviour is to check the user can edit this class. No additional
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
745 property checks are made.
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
746 """
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
747
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
748 if not classname :
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
749 classname = self.client.classname
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
750
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
751 if not self.hasPermission('Create', classname=classname):
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
752 return 0
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
753
4310
8e0d350ce644 Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4304
diff changeset
754 # Check Create permission for each property, to avoid being able
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
755 # to set restricted ones on new item creation
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
756 for key in props:
4310
8e0d350ce644 Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4304
diff changeset
757 if not self.hasPermission('Create', classname=classname,
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
758 property=key):
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
759 return 0
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
760 return 1
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
761
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
762 class EditItemAction(EditCommon):
2143
b29323f75718 wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents: 2136
diff changeset
763 def lastUserActivity(self):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
764 if ':lastactivity' in self.form:
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
765 d = date.Date(self.form[':lastactivity'].value)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
766 elif '@lastactivity' in self.form:
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
767 d = date.Date(self.form['@lastactivity'].value)
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
768 else:
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
769 return None
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
770 d.second = int(d.second)
2264
9b34f41507ed *** empty log message ***
Richard Jones <richard@users.sourceforge.net>
parents: 2260
diff changeset
771 return d
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
772
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
773 def lastNodeActivity(self):
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
774 cl = getattr(self.client.db, self.classname)
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
775 activity = cl.get(self.nodeid, 'activity').local(0)
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
776 activity.second = int(activity.second)
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
777 return activity
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
778
2143
b29323f75718 wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents: 2136
diff changeset
779 def detectCollision(self, user_activity, node_activity):
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
780 '''Check for a collision and return the list of props we edited
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
781 that conflict.'''
3188
7faae85e1e33 merge from branch
Richard Jones <richard@users.sourceforge.net>
parents: 3179
diff changeset
782 if user_activity and user_activity < node_activity:
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
783 props, links = self.client.parsePropsFromForm()
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
784 key = (self.classname, self.nodeid)
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
785 # we really only collide for direct prop edit conflicts
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
786 return list(props[key])
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
787 else:
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
788 return []
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
789
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
790 def handleCollision(self, props):
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
791 message = self._('Edit Error: someone else has edited this %s (%s). '
5322
875605281b02 Fix collision link to open in new window: target should be _blank not new.
John Rouillard <rouilj@ieee.org>
parents: 5319
diff changeset
792 'View <a target="_blank" href="%s%s">their changes</a> '
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
793 'in a new window.')%(self.classname, ', '.join(props),
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
794 self.classname, self.nodeid)
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
795 self.client.add_error_message(message, escape=False)
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
796 return
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
797
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
798 def handle(self):
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
799 """Perform an edit of an item in the database.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
800
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
801 See parsePropsFromForm and _editnodes for special variables.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
802
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
803 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
804 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
805 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
806 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
807
2148
2490d26c88df Line 485, lastUserActivity misspelled as lastUserActvity.
Brian Kelley <wc2so1@users.sourceforge.net>
parents: 2143
diff changeset
808 user_activity = self.lastUserActivity()
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
809 if user_activity:
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
810 props = self.detectCollision(user_activity, self.lastNodeActivity())
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
811 if props:
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
812 self.handleCollision(props)
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
813 return
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
814
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
815 props, links = self.client.parsePropsFromForm()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
816
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
817 # handle the props
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
818 try:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
819 message = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
820 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
821 escape = not isinstance(message, RejectRaw)
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
822 self.client.add_error_message(
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
823 self._('Edit Error: %s') % str(message), escape=escape)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
824 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
825
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
826 # commit now that all the tricky stuff is done
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
827 self.db.commit()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
828
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
829 # redirect to the item's edit page
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
830 # redirect to finish off
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
831 url = self.base + self.classname
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
832 # note that this action might have been called by an index page, so
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
833 # we will want to include index-page args in this URL too
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
834 if self.nodeid is not None:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
835 url += self.nodeid
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
836 url += '?@ok_message=%s&@template=%s'%(urllib_.quote(message),
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
837 urllib_.quote(self.template))
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
838 if self.nodeid is None:
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
839 req = templating.HTMLRequest(self.client)
3130
7308c3c5a943 docs editing from Jean Jordaan
Richard Jones <richard@users.sourceforge.net>
parents: 3073
diff changeset
840 url += '&' + req.indexargs_url('', {})[1:]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
841 raise exceptions.Redirect(url)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
842
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
843 class NewItemAction(EditCommon):
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
844 def handle(self):
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
845 ''' Add a new item to the database.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
846
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
847 This follows the same form as the EditItemAction, with the same
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
848 special form values.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
849 '''
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
850 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
851 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
852 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
853
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
854 # parse the props from the form
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
855 try:
2107
b7404a96b58a minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2082
diff changeset
856 props, links = self.client.parsePropsFromForm(create=1)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
857 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
858 self.client.add_error_message(self._('Error: %s')
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
859 % str(message))
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
860 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
861
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
862 # handle the props - edit or create
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
863 try:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
864 # when it hits the None element, it'll set self.nodeid
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
865 messages = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
866 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
867 escape = not isinstance(message, RejectRaw)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
868 # these errors might just be indicative of user dumbness
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
869 self.client.add_error_message(_('Error: %s') % str(message),
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
870 escape=escape)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
871 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
872
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
873 # commit now that all the tricky stuff is done
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
874 self.db.commit()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
875
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
876 # Allow an option to stay on the page to create new things
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
877 if '__redirect_to' in self.form:
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
878 raise exceptions.Redirect('%s&@ok_message=%s'%(
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
879 self.examine_url(self.form['__redirect_to'].value),
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
880 urllib_.quote(messages)))
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
881
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
882 # otherwise redirect to the new item's page
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
883 raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % (
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
884 self.base, self.classname, self.nodeid, urllib_.quote(messages),
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
885 urllib_.quote(self.template)))
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
886
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
887 class PassResetAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
888 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
889 """Handle password reset requests.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
890
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
891 Presence of either "name" or "address" generates email. Presence of
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
892 "otk" performs the reset.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
893
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
894 """
2291
90cca653ef3d otks manager missing [SF#952931]
Richard Jones <richard@users.sourceforge.net>
parents: 2264
diff changeset
895 otks = self.db.getOTKManager()
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
896 if 'otk' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
897 # pull the rego information out of the otk database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
898 otk = self.form['otk'].value
3673
94b905502d26 removed traceback with OTK is used multiple times [SF#1240539]
Richard Jones <richard@users.sourceforge.net>
parents: 3635
diff changeset
899 uid = otks.get(otk, 'uid', default=None)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
900 if uid is None:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
901 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
902 self._("Invalid One Time Key!\n"
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
903 "(a Mozilla bug may cause this message "
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
904 "to show up erroneously, please check your email)"))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
905 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
906
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
907 # pull the additional email address if exist
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
908 uaddress = otks.get(otk, 'uaddress', default=None)
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
909
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
910 # re-open the database as "admin"
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
911 if self.user != 'admin':
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
912 self.client.opendb('admin')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
913 self.db = self.client.db
2372
c26bb78d2f0c couple of bugfixes
Richard Jones <richard@users.sourceforge.net>
parents: 2362
diff changeset
914 otks = self.db.getOTKManager()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
915
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
916 # change the password
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
917 newpw = password.generatePassword()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
918
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
919 cl = self.db.user
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
920 # XXX we need to make the "default" page be able to display errors!
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
921 try:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
922 # set the password
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
923 cl.set(uid, password=password.Password(newpw, config=self.db.config))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
924 # clear the props from the otk database
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
925 otks.destroy(otk)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5256
diff changeset
926 otks.commit()
5340
ed6153d3ee6a Fix password reset
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5322
diff changeset
927 # commit the password change
ed6153d3ee6a Fix password reset
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5322
diff changeset
928 self.db.commit ()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
929 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
930 self.client.add_error_message(str(message))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
931 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
932
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
933 # user info
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
934 name = self.db.user.get(uid, 'username')
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
935 if uaddress is None:
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
936 address = self.db.user.get(uid, 'address')
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
937 else:
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
938 address = uaddress
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
939
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
940 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
941 tracker_name = self.db.config.TRACKER_NAME
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
942 subject = 'Password reset for %s'%tracker_name
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
943 body = '''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
944 The password has been reset for username "%(name)s".
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
945
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
946 Your password is now: %(password)s
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
947 '''%{'name': name, 'password': newpw}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
948 if not self.client.standard_message([address], subject, body):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
949 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
950
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
951 self.client.add_ok_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
952 self._('Password reset and email sent to %s') % address)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
953 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
954
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
955 # no OTK, so now figure the user
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
956 if 'username' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
957 name = self.form['username'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
958 try:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
959 uid = self.db.user.lookup(name)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
960 except KeyError:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
961 self.client.add_error_message(self._('Unknown username'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
962 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
963 address = self.db.user.get(uid, 'address')
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
964 elif 'address' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
965 address = self.form['address'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
966 uid = uidFromAddress(self.db, ('', address), create=0)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
967 if not uid:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
968 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
969 self._('Unknown email address'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
970 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
971 name = self.db.user.get(uid, 'username')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
972 else:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
973 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
974 self._('You need to specify a username or address'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
975 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
976
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
977 # generate the one-time-key and store the props for later
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5452
diff changeset
978 otk = ''.join([random_.choice(chars) for x in range(32)])
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
979 while otks.exists(otk):
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5452
diff changeset
980 otk = ''.join([random_.choice(chars) for x in range(32)])
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
981 otks.set(otk, uid=uid, uaddress=address)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5256
diff changeset
982 otks.commit()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
983
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
984 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
985 tracker_name = self.db.config.TRACKER_NAME
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
986 subject = 'Confirm reset of password for %s'%tracker_name
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
987 body = '''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
988 Someone, perhaps you, has requested that the password be changed for your
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
989 username, "%(name)s". If you wish to proceed with the change, please follow
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
990 the link below:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
991
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
992 %(url)suser?@template=forgotten&@action=passrst&otk=%(otk)s
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
993
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
994 You should then receive another email with the new password.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
995 '''%{'name': name, 'tracker': tracker_name, 'url': self.base, 'otk': otk}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
996 if not self.client.standard_message([address], subject, body):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
997 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
998
5253
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
999 if 'username' in self.form:
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1000 self.client.add_ok_message(self._('Email sent to primary notification address for %s.') % name)
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1001 else:
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1002 self.client.add_ok_message(self._('Email sent to %s.') % address)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1003
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1004 class RegoCommon(Action):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1005 def finishRego(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1006 # log the new user in
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1007 self.client.userid = self.userid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1008 user = self.client.user = self.db.user.get(self.userid, 'username')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1009 # re-open the database for real, using the user
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1010 self.client.opendb(user)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1011
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1012 # update session data
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1013 self.client.session_api.set(user=user)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1014
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1015 # nice message
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
1016 message = self._('You are now registered, welcome!')
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1017 url = '%suser%s?@ok_message=%s'%(self.base, self.userid,
4416
36d52125c9cf fixed registration, issue2550665 (thanks Timo Paulssen)
Richard Jones <richard@users.sourceforge.net>
parents: 4362
diff changeset
1018 urllib_.quote(message))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1019
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1020 # redirect to the user's page (but not 302, as some email clients seem
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1021 # to want to reload the page, or something)
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1022 return '''<html><head><title>%s</title></head>
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1023 <body><p><a href="%s">%s</a></p>
5217
17b213eab274 Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
1024 <script nonce="%s" type="text/javascript">
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1025 window.setTimeout('window.location = "%s"', 1000);
5217
17b213eab274 Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
1026 </script>'''%(message, url, message,
17b213eab274 Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
1027 self.client.client_nonce, url)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1028
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1029 class ConfRegoAction(RegoCommon):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1030 def handle(self):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1031 """Grab the OTK, use it to load up the new user details."""
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1032 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1033 # pull the rego information out of the otk database
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1034 self.userid = self.db.confirm_registration(self.form['otk'].value)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1035 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1036 self.client.add_error_message(str(message))
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1037 return
3847
1a44e4bb2b54 Fix missing return value.
Stefan Seefeld <stefan@seefeld.name>
parents: 3805
diff changeset
1038 return self.finishRego()
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1039
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1040 class RegisterAction(RegoCommon, EditCommon, Timestamped):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
1041 name = 'register'
4146
42331c201b02 Fix issue2550553.
Stefan Seefeld <stefan@seefeld.name>
parents: 4127
diff changeset
1042 permissionType = 'Register'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
1043
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1044 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1045 """Attempt to create a new user based on the contents of the form
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1046 and then remember it in session.
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1047
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1048 Return 1 on successful login.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
1049 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1050 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1051 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1052 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1053
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1054 # try to make sure user is not a bot by checking the
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1055 # hidden field opaqueregister to make sure it's at least
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1056 # WEB_REGISTRATION_DELAY seconds. If set to 0,
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1057 # disable the check.
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1058 delaytime = self.db.config['WEB_REGISTRATION_DELAY']
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1059
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1060 if delaytime > 0:
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1061 self.timecheck('opaqueregister', delaytime)
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1062
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1063 # parse the props from the form
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1064 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1065 props, links = self.client.parsePropsFromForm(create=1)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1066 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1067 self.client.add_error_message(self._('Error: %s')
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1068 % str(message))
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1069 return
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1070
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1071 # skip the confirmation step?
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1072 if self.db.config['INSTANT_REGISTRATION']:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1073 # handle the create now
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1074 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1075 # when it hits the None element, it'll set self.nodeid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1076 messages = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1077 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1078 escape = not isinstance(message, RejectRaw)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1079 # these errors might just be indicative of user dumbness
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1080 self.client.add_error_message(_('Error: %s') % str(message),
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1081 escape=escape)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1082 return
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1083
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1084 # fix up the initial roles
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1085 self.db.user.set(self.nodeid,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1086 roles=self.db.config['NEW_WEB_USER_ROLES'])
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1087
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1088 # commit now that all the tricky stuff is done
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1089 self.db.commit()
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1090
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1091 # finish off by logging the user in
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1092 self.userid = self.nodeid
3466
0ecd0062abfb fix redirect after instant registration [SF#1381676]
Richard Jones <richard@users.sourceforge.net>
parents: 3418
diff changeset
1093 return self.finishRego()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1094
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1095 # generate the one-time-key and store the props for later
4334
1aef7a4e4e39 fix non-instant rego
Richard Jones <richard@users.sourceforge.net>
parents: 4329
diff changeset
1096 user_props = props[('user', None)]
5976
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1097 # check that admin has requested username available check
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1098 check_user = self.db.config['WEB_REGISTRATION_PREVALIDATE_USERNAME']
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1099 if check_user:
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1100 try:
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1101 user_found = self.db.user.lookup(user_props['username'])
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1102 # if user is found reject the request.
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1103 raise Reject(
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1104 _("Username '%s' is already used.")%user_props['username'])
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1105 except KeyError:
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1106 # user not found this is what we want.
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1107 pass
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1108
5395
23b8e6067f7c Python 3 preparation: update calls to dict methods.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5382
diff changeset
1109 for propname, proptype in self.db.user.getprops().items():
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1110 value = user_props.get(propname, None)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1111 if value is None:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1112 pass
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1113 elif isinstance(proptype, hyperdb.Date):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1114 user_props[propname] = str(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1115 elif isinstance(proptype, hyperdb.Interval):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1116 user_props[propname] = str(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1117 elif isinstance(proptype, hyperdb.Password):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1118 user_props[propname] = str(value)
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
1119 otks = self.db.getOTKManager()
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5452
diff changeset
1120 otk = ''.join([random_.choice(chars) for x in range(32)])
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
1121 while otks.exists(otk):
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5452
diff changeset
1122 otk = ''.join([random_.choice(chars) for x in range(32)])
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1123 otks.set(otk, **user_props)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1124
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1125 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1126 tracker_name = self.db.config.TRACKER_NAME
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1127 tracker_email = self.db.config.TRACKER_EMAIL
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1128 if self.db.config['EMAIL_REGISTRATION_CONFIRMATION']:
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1129 subject = 'Complete your registration to %s -- key %s'%(tracker_name,
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1130 otk)
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1131 body = """To complete your registration of the user "%(name)s" with
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1132 %(tracker)s, please do one of the following:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1133
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1134 - send a reply to %(tracker_email)s and maintain the subject line as is (the
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1135 reply's additional "Re:" is ok),
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1136
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1137 - or visit the following URL:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1138
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1139 %(url)s?@action=confrego&otk=%(otk)s
2108
54815ca493a5 add line to rego email to help URL detection [SF#906247]
Richard Jones <richard@users.sourceforge.net>
parents: 2107
diff changeset
1140
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1141 """ % {'name': user_props['username'], 'tracker': tracker_name,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1142 'url': self.base, 'otk': otk, 'tracker_email': tracker_email}
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1143 else:
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1144 subject = 'Complete your registration to %s'%(tracker_name)
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1145 body = """To complete your registration of the user "%(name)s" with
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1146 %(tracker)s, please visit the following URL:
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1147
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1148 %(url)s?@action=confrego&otk=%(otk)s
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1149
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1150 """ % {'name': user_props['username'], 'tracker': tracker_name,
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1151 'url': self.base, 'otk': otk}
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1152 if not self.client.standard_message([user_props['address']], subject,
3604
ccf516e6c3f8 responses to user rego email [SF#1470254]
Richard Jones <richard@users.sourceforge.net>
parents: 3581
diff changeset
1153 body, (tracker_name, tracker_email)):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1154 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1155
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1156 # commit changes to the database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1157 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1158
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1159 # redirect to the "you're almost there" page
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1160 raise exceptions.Redirect('%suser?@template=rego_progress'%self.base)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1161
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1162 def newItemPermission(self, props, classname=None):
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1163 """Just check the "Register" permission.
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1164 """
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1165 # registration isn't allowed to supply roles
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1166 if 'roles' in props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1167 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1168 "It is not permitted to supply roles at registration."))
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1169
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1170 # technically already checked, but here for clarity
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1171 return self.hasPermission('Register', classname=classname)
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1172
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1173 class LogoutAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1174 def handle(self):
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1175 """Make us really anonymous - nuke the session too."""
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1176 # log us out
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1177 self.client.make_user_anonymous()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1178 self.client.session_api.destroy()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1179
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1180 # Let the user know what's going on
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1181 self.client.add_ok_message(self._('You are logged out'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1182
3264
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1183 # reset client context to render tracker home page
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1184 # instead of last viewed page (may be inaccessibe for anonymous)
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1185 self.client.classname = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1186 self.client.nodeid = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1187 self.client.template = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1188
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1189 # Redirect to a new page on logout. This regenerates
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1190 # CSRF tokens so they are associated with the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1191 # anonymous user and not the user who logged out. If
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1192 # we don't the user gets an invalid CSRF token error
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1193 # As above choose the home page since everybody can
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1194 # see that.
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1195 raise exceptions.Redirect(self.base)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1196
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1197 class LoginAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1198 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1199 """Attempt to log a user in.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1200
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1201 Sets up a session for the user which contains the login credentials.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1202
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1203 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1204 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1205 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1206 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1207
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1208 # we need the username at a minimum
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1209 if '__login_name' not in self.form:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1210 self.client.add_error_message(self._('Username required'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1211 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1212
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1213 # get the login info
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1214 self.client.user = self.form['__login_name'].value
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1215 if '__login_password' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1216 password = self.form['__login_password'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1217 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1218 password = ''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1219
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1220 if '__came_from' in self.form:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1221 # On valid or invalid login, redirect the user back to the page
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1222 # the started on. Searches, issue and other pages
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1223 # are all preserved in __came_from. Clean out any old feedback
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1224 # @error_message, @ok_message from the __came_from url.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1225 #
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1226 # 1. Split the url into components.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1227 # 2. Split the query string into parts.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1228 # 3. Delete @error_message and @ok_message if present.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1229 # 4. Define a new redirect_url missing the @...message entries.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1230 # This will be redefined if there is a login error to include
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1231 # a new error message
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
1232
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
1233 clean_url = self.examine_url(self.form['__came_from'].value)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
1234 redirect_url_tuple = urllib_.urlparse(clean_url)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1235 # now I have a tuple form for the __came_from url
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1236 try:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1237 query=urllib_.parse_qs(redirect_url_tuple.query)
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1238 if "@error_message" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1239 del query["@error_message"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1240 if "@ok_message" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1241 del query["@ok_message"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1242 if "@action" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1243 # also remove the logout action from the redirect
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1244 # there is only ever one @action value.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1245 if query['@action'] == ["logout"]:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1246 del query["@action"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1247 except AttributeError:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1248 # no query param so nothing to remove. Just define.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1249 query = {}
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1250 pass
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1251
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1252 redirect_url = urllib_.urlunparse( (redirect_url_tuple.scheme,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1253 redirect_url_tuple.netloc,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1254 redirect_url_tuple.path,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1255 redirect_url_tuple.params,
5503
4f6e1ce89557 always encode query parameters in sorted order
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5488
diff changeset
1256 urllib_.urlencode(list(sorted(query.items())), doseq=True),
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1257 redirect_url_tuple.fragment)
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1258 )
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1259
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1260 try:
5717
cad18de2b988 issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents: 5652
diff changeset
1261 # Implement rate limiting of logins by login name.
cad18de2b988 issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents: 5652
diff changeset
1262 # Use prefix to prevent key collisions maybe??
5772
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1263 # set client.db.config.WEB_LOGIN_ATTEMPTS_MIN to 0
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1264 # to disable
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1265 if self.client.db.config.WEB_LOGIN_ATTEMPTS_MIN: # if 0 - off
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1266 rlkey="LOGIN-" + self.client.user
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1267 limit=self.loginLimit
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1268 gcra=Gcra()
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1269 otk=self.client.db.Otk
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1270 try:
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1271 val=otk.getall(rlkey)
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1272 gcra.set_tat_as_string(rlkey, val['tat'])
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1273 except KeyError:
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1274 # ignore if tat not set, it's 1970-1-1 by default.
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1275 pass
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1276 # see if rate limit exceeded and we need to reject the attempt
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1277 reject=gcra.update(rlkey, limit)
5717
cad18de2b988 issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents: 5652
diff changeset
1278
5772
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1279 # Calculate a timestamp that will make OTK expire the
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1280 # unused entry 1 hour in the future
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1281 ts = time.time() - (60 * 60 * 24 * 7) + 3600
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1282 otk.set(rlkey, tat=gcra.get_tat_as_string(rlkey),
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1283 __timestamp=ts)
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1284 otk.commit()
5717
cad18de2b988 issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents: 5652
diff changeset
1285
5772
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1286 if reject:
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1287 # User exceeded limits: find out how long to wait
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1288 status=gcra.status(rlkey, limit)
5937
5d0873a4de4a fix rate limit headers - were ints/floats need to be strings
John Rouillard <rouilj@ieee.org>
parents: 5837
diff changeset
1289 raise Reject(_("Logins occurring too fast. Please wait: %s seconds.")%status['Retry-After'])
5772
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1290
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1291 self.verifyLogin(self.client.user, password)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1292 except exceptions.LoginError as err:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1293 self.client.make_user_anonymous()
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1294 for arg in err.args:
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1295 self.client.add_error_message(arg)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1296
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1297 if '__came_from' in self.form:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1298 # set a new error
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1299 query['@error_message'] = err.args
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1300 redirect_url = urllib_.urlunparse( (redirect_url_tuple.scheme,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1301 redirect_url_tuple.netloc,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1302 redirect_url_tuple.path,
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1303 redirect_url_tuple.params,
5503
4f6e1ce89557 always encode query parameters in sorted order
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5488
diff changeset
1304 urllib_.urlencode(list(sorted(query.items())), doseq=True),
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1305 redirect_url_tuple.fragment )
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1306 )
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1307 raise exceptions.Redirect(redirect_url)
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1308 # if no __came_from, send back to base url with error
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1309 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1310
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1311 # now we're OK, re-open the database for real, using the user
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1312 self.client.opendb(self.client.user)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1313
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1314 # save user in session
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1315 self.client.session_api.set(user=self.client.user)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1316 if 'remember' in self.form:
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1317 self.client.session_api.update(set_cookie=True, expire=24*3600*365)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1318
3418
9b8019f28158 remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents: 3382
diff changeset
1319 # If we came from someplace, go back there
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1320 if '__came_from' in self.form:
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1321 raise exceptions.Redirect(redirect_url)
3418
9b8019f28158 remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents: 3382
diff changeset
1322
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1323 def verifyLogin(self, username, password):
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1324 # make sure the user exists
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1325 try:
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1326 self.client.userid = self.db.user.lookup(username)
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1327 except KeyError:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1328 raise exceptions.LoginError(self._('Invalid login'))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1329
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1330 # verify the password
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1331 if not self.verifyPassword(self.client.userid, password):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1332 raise exceptions.LoginError(self._('Invalid login'))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1333
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1334 # Determine whether the user has permission to log in.
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1335 # Base behaviour is to check the user has "Web Access".
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1336 if not self.hasPermission("Web Access"):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1337 raise exceptions.LoginError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1338 "You do not have permission to login"))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1339
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1340 def verifyPassword(self, userid, givenpw):
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1341 '''Verify the password that the user has supplied.
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1342 Optionally migrate to new password scheme if configured
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1343 '''
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1344 db = self.db
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1345 stored = db.user.get(userid, 'password')
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1346 if givenpw == stored:
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1347 if db.config.WEB_MIGRATE_PASSWORDS and stored.needs_migration():
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
1348 newpw = password.Password(givenpw, config=db.config)
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
1349 db.user.set(userid, password=newpw)
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1350 db.commit()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1351 return 1
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1352 if not givenpw and not stored:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1353 return 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1354 return 0
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1355
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1356 class ExportCSVAction(Action):
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1357 name = 'export'
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1358 permissionType = 'View'
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1359 list_sep = ';' # Separator for list types
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1360
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1361 def handle(self):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1362 ''' Export the specified search query as CSV. '''
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1363 # figure the request
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1364 request = templating.HTMLRequest(self.client)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1365 filterspec = request.filterspec
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1366 sort = request.sort
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1367 group = request.group
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1368 columns = request.columns
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1369 klass = self.db.getclass(request.classname)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1370
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1371 # check if all columns exist on class
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1372 # the exception must be raised before sending header
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1373 props = klass.getprops()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1374 for cname in columns:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1375 if cname not in props:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1376 # use error code 400: Bad Request. Do not use
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1377 # error code 404: Not Found.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1378 self.client.response_code = 400
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1379 raise exceptions.NotFound(
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1380 self._('Column "%(column)s" not found in %(class)s')
5800
1a835db41674 Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents: 5772
diff changeset
1381 % {'column': html_escape(cname), 'class': request.classname})
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1382
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1383 # full-text search
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1384 if request.search_text:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1385 matches = self.db.indexer.search(
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1386 re.findall(r'\b\w{2,25}\b', request.search_text), klass)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1387 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1388 matches = None
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1389
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1390 header = self.client.additional_headers
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1391 header['Content-Type'] = 'text/csv; charset=%s' % self.client.charset
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1392 # some browsers will honor the filename here...
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1393 header['Content-Disposition'] = 'inline; filename=query.csv'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1394
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1395 self.client.header()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1396
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1397 if self.client.env['REQUEST_METHOD'] == 'HEAD':
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1398 # all done, return a dummy string
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1399 return 'dummy'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1400
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1401 wfile = self.client.request.wfile
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1402 if self.client.charset != self.client.STORAGE_CHARSET:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1403 wfile = codecs.EncodedFile(wfile,
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1404 self.client.STORAGE_CHARSET, self.client.charset, 'replace')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1405
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1406 writer = csv.writer(wfile)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1407
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1408 # handle different types of columns.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1409 def repr_no_right(cls, col):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1410 """User doesn't have the right to see the value of col."""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1411 def fct(arg):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1412 return "[hidden]"
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1413 return fct
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1414 def repr_link(cls, col):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1415 """Generate a function which returns the string representation of
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1416 a link depending on `cls` and `col`."""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1417 def fct(arg):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1418 if arg == None:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1419 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1420 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1421 return str(cls.get(arg, col))
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1422 return fct
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1423 def repr_list(cls, col):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1424 def fct(arg):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1425 if arg == None:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1426 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1427 elif type(arg) is list:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1428 seq = [str(cls.get(val, col)) for val in arg]
5652
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1429 # python2/python 3 have different order in lists
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1430 # sort to not break tests
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1431 seq.sort()
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1432 return self.list_sep.join(seq)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1433 return fct
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1434 def repr_date():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1435 def fct(arg):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1436 if arg == None:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1437 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1438 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1439 if (arg.local(self.db.getUserTimezone()).pretty('%H:%M') ==
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1440 '00:00'):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1441 fmt = '%Y-%m-%d'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1442 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1443 fmt = '%Y-%m-%d %H:%M'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1444 return arg.local(self.db.getUserTimezone()).pretty(fmt)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1445 return fct
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1446 def repr_val():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1447 def fct(arg):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1448 if arg == None:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1449 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1450 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1451 return str(arg)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1452 return fct
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1453
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1454 props = klass.getprops()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1455
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1456 # Determine translation map.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1457 ncols = []
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1458 represent = {}
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1459 for col in columns:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1460 ncols.append(col)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1461 represent[col] = repr_val()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1462 if isinstance(props[col], hyperdb.Multilink):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1463 cname = props[col].classname
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1464 cclass = self.db.getclass(cname)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1465 represent[col] = repr_list(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1466 if not self.hasPermission(self.permissionType, classname=cname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1467 represent[col] = repr_no_right(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1468 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1469 if 'name' in cclass.getprops():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1470 represent[col] = repr_list(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1471 elif cname == 'user':
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1472 represent[col] = repr_list(cclass, 'realname')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1473 if isinstance(props[col], hyperdb.Link):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1474 cname = props[col].classname
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1475 cclass = self.db.getclass(cname)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1476 if not self.hasPermission(self.permissionType, classname=cname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1477 represent[col] = repr_no_right(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1478 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1479 if 'name' in cclass.getprops():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1480 represent[col] = repr_link(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1481 elif cname == 'user':
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1482 represent[col] = repr_link(cclass, 'realname')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1483 if isinstance(props[col], hyperdb.Date):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1484 represent[col] = repr_date()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1485
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1486 columns = ncols
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1487 # generate the CSV output
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1488 self.client._socket_op(writer.writerow, columns)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1489 # and search
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1490 for itemid in klass.filter(matches, filterspec, sort, group):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1491 row = []
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1492 # don't put out a row of [hidden] fields if the user has
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1493 # no access to the issue.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1494 if not self.hasPermission(self.permissionType, itemid=itemid,
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1495 classname=request.classname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1496 continue
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1497 for name in columns:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1498 # check permission for this property on this item
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1499 # TODO: Permission filter doesn't work for the 'user' class
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1500 if not self.hasPermission(self.permissionType, itemid=itemid,
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1501 classname=request.classname, property=name):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1502 repr_function = repr_no_right(request.classname, name)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1503 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1504 repr_function = represent[name]
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1505 row.append(repr_function(klass.get(itemid, name)))
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1506 self.client._socket_op(writer.writerow, row)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1507 return '\n'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1508
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1509 class ExportCSVWithIdAction(Action):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1510 ''' A variation of ExportCSVAction that returns ID number rather than
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1511 names. This is the original csv export function.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1512 '''
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1513 name = 'export'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1514 permissionType = 'View'
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1515
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1516 def handle(self):
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1517 ''' Export the specified search query as CSV. '''
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1518 # figure the request
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1519 request = templating.HTMLRequest(self.client)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1520 filterspec = request.filterspec
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1521 sort = request.sort
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1522 group = request.group
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1523 columns = request.columns
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1524 klass = self.db.getclass(request.classname)
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1525
4624
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1526 # check if all columns exist on class
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1527 # the exception must be raised before sending header
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1528 props = klass.getprops()
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1529 for cname in columns:
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1530 if cname not in props:
5165
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1531 # use error code 400: Bad Request. Do not use
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1532 # error code 404: Not Found.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1533 self.client.response_code = 400
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1534 raise exceptions.NotFound(
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1535 self._('Column "%(column)s" not found in %(class)s')
5800
1a835db41674 Call cgi.escape only on python 2. Replace with html.escapeif it can be
John Rouillard <rouilj@ieee.org>
parents: 5772
diff changeset
1536 % {'column': html_escape(cname), 'class': request.classname})
4624
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1537
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1538 # full-text search
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1539 if request.search_text:
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1540 matches = self.db.indexer.search(
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1541 re.findall(r'\b\w{2,25}\b', request.search_text), klass)
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1542 else:
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1543 matches = None
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1544
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1545 h = self.client.additional_headers
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1546 h['Content-Type'] = 'text/csv; charset=%s' % self.client.charset
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1547 # some browsers will honor the filename here...
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1548 h['Content-Disposition'] = 'inline; filename=query.csv'
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1549
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1550 self.client.header()
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1551
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1552 if self.client.env['REQUEST_METHOD'] == 'HEAD':
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1553 # all done, return a dummy string
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1554 return 'dummy'
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1555
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1556 wfile = self.client.request.wfile
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1557 if self.client.charset != self.client.STORAGE_CHARSET:
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1558 wfile = codecs.EncodedFile(wfile,
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1559 self.client.STORAGE_CHARSET, self.client.charset, 'replace')
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1560
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1561 writer = csv.writer(wfile)
3987
c4f7b3817d3d Prevent broken pipe errors in csv export (patch [SF#911449)
Richard Jones <richard@users.sourceforge.net>
parents: 3913
diff changeset
1562 self.client._socket_op(writer.writerow, columns)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1563
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1564 # and search
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1565 for itemid in klass.filter(matches, filterspec, sort, group):
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1566 row = []
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1567 # FIXME should this code raise an exception if an item
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1568 # is included that can't be accessed? Enabling this
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1569 # check will just skip the row for the inaccessible item.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1570 # This makes it act more like the web interface.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1571 #if not self.hasPermission(self.permissionType, itemid=itemid,
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1572 # classname=request.classname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1573 # continue
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1574 for name in columns:
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1575 # check permission to view this property on this item
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1576 if not self.hasPermission(self.permissionType, itemid=itemid,
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1577 classname=request.classname, property=name):
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1578 # FIXME: is this correct, or should we just
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1579 # emit a '[hidden]' string. Note that this may
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1580 # allow an attacker to figure out hidden schema
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1581 # properties.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1582 # A bad property name will result in an exception.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1583 # A valid property results in a column of '[hidden]'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1584 # values.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1585 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1586 'You do not have permission to view %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1587 ) % {'class': request.classname})
5652
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1588 value = klass.get(itemid, name)
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1589 try:
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1590 # python2/python 3 have different order in lists
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1591 # sort to not break tests
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1592 value.sort()
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1593 except AttributeError:
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1594 pass # value is not sortable, probably str
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1595 row.append(str(value))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1596 self.client._socket_op(writer.writerow, row)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1597
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1598 return '\n'
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1599
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1600 class Bridge(BaseAction):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1601 """Make roundup.actions.Action executable via CGI request.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1602
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1603 Using this allows users to write actions executable from multiple frontends.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1604 CGI Form content is translated into a dictionary, which then is passed as
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1605 argument to 'handle()'. XMLRPC requests have to pass this dictionary
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1606 directly.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1607 """
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1608
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1609 def __init__(self, *args):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1610
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1611 # As this constructor is callable from multiple frontends, each with
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1612 # different Action interfaces, we have to look at the arguments to
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1613 # figure out how to complete construction.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1614 if (len(args) == 1 and
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1615 hasattr(args[0], '__class__') and
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1616 args[0].__class__.__name__ == 'Client'):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1617 self.cgi = True
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1618 self.execute = self.execute_cgi
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1619 self.client = args[0]
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1620 self.form = self.client.form
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1621 else:
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1622 self.cgi = False
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1623
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1624 def execute_cgi(self):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1625 args = {}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1626 for key in self.form:
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1627 args[key] = self.form.getvalue(key)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1628 self.permission(args)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1629 return self.handle(args)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1630
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1631 def permission(self, args):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1632 """Raise Unauthorised if the current user is not allowed to execute
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1633 this action. Users may override this method."""
4118
878767b75e1d fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents: 4112
diff changeset
1634
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1635 pass
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1636
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1637 def handle(self, args):
4118
878767b75e1d fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents: 4112
diff changeset
1638
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1639 raise NotImplementedError
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1640
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1641 # vim: set filetype=python sts=4 sw=4 et si :
Roundup Issue Tracker: http://roundup-tracker.org/