Mercurial > p > roundup > code
annotate roundup/cgi/actions.py @ 5113:cf112b90fa8d
issue2550855: added search perms for anonymous to the user class.
This lets the "show unassigned" search work for anonymous.
Patch by Stuart McGraw.
Added warning to upgrading.txt and a comment block before the schema
change in every template tracker except minimal (doesn't have the
search).
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 30 Jun 2016 21:08:15 -0400 |
| parents | 156cbc1d182c |
| children | 748ba87e1aca |
| rev | line source |
|---|---|
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1 import re, cgi, time, random, csv, codecs |
|
5044
dce3cfe7ec61
Remove roundup.anypy.io_
John Kristensen <john@jerrykan.com>
parents:
5010
diff
changeset
|
2 from io import BytesIO |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
3 |
|
3188
7faae85e1e33
merge from branch
Richard Jones <richard@users.sourceforge.net>
parents:
3179
diff
changeset
|
4 from roundup import hyperdb, token, date, password |
| 4083 | 5 from roundup.actions import Action as BaseAction |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
6 from roundup.i18n import _ |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
7 from roundup.cgi import exceptions, templating |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
8 from roundup.mailgw import uidFromAddress |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
9 from roundup.exceptions import Reject, RejectRaw |
|
5044
dce3cfe7ec61
Remove roundup.anypy.io_
John Kristensen <john@jerrykan.com>
parents:
5010
diff
changeset
|
10 from roundup.anypy import urllib_ |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
11 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
12 __all__ = ['Action', 'ShowAction', 'RetireAction', 'SearchAction', |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
13 'EditCSVAction', 'EditItemAction', 'PassResetAction', |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
14 'ConfRegoAction', 'RegisterAction', 'LoginAction', 'LogoutAction', |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
15 'NewItemAction', 'ExportCSVAction'] |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
16 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
17 # used by a couple of routines |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
18 chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
19 |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
20 class Action: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
21 def __init__(self, client): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
22 self.client = client |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
23 self.form = client.form |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
24 self.db = client.db |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
25 self.nodeid = client.nodeid |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
26 self.template = client.template |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
27 self.classname = client.classname |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
28 self.userid = client.userid |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
29 self.base = client.base |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
30 self.user = client.user |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
31 self.context = templating.context(client) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
32 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
33 def handle(self): |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
34 """Action handler procedure""" |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
35 raise NotImplementedError |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
36 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
37 def execute(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
38 """Execute the action specified by this object.""" |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
39 self.permission() |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
40 return self.handle() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
41 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
42 name = '' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
43 permissionType = None |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
44 def permission(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
45 """Check whether the user has permission to execute this action. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
46 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
47 True by default. If the permissionType attribute is a string containing |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
48 a simple permission, check whether the user has that permission. |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
49 Subclasses must also define the name attribute if they define |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
50 permissionType. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
51 |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
52 Despite having this permission, users may still be unauthorised to |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
53 perform parts of actions. It is up to the subclasses to detect this. |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
54 """ |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
55 if (self.permissionType and |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
56 not self.hasPermission(self.permissionType)): |
|
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
57 info = {'action': self.name, 'classname': self.classname} |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
58 raise exceptions.Unauthorised(self._( |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
59 'You do not have permission to ' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
60 '%(action)s the %(classname)s class.')%info) |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
61 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
62 _marker = [] |
| 4030 | 63 def hasPermission(self, permission, classname=_marker, itemid=None, property=None): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
64 """Check whether the user has 'permission' on the current class.""" |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
65 if classname is self._marker: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
66 classname = self.client.classname |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
67 return self.db.security.hasPermission(permission, self.client.userid, |
| 4030 | 68 classname=classname, itemid=itemid, property=property) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
69 |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
70 def gettext(self, msgid): |
|
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
71 """Return the localized translation of msgid""" |
|
2563
420d5c2a49d9
use client.translator instead of static translationService;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2553
diff
changeset
|
72 return self.client.translator.gettext(msgid) |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
73 |
|
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
74 _ = gettext |
|
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
75 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
76 class ShowAction(Action): |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
77 |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
78 typere=re.compile('[@:]type') |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
79 numre=re.compile('[@:]number') |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
80 |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
81 def handle(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
82 """Show a node of a particular class/id.""" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
83 t = n = '' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
84 for key in self.form: |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
85 if self.typere.match(key): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
86 t = self.form[key].value.strip() |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
87 elif self.numre.match(key): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
88 n = self.form[key].value.strip() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
89 if not t: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
90 raise ValueError(self._('No type specified')) |
|
2052
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
91 if not n: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
92 raise exceptions.SeriousError(self._('No ID entered')) |
|
2052
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
93 try: |
|
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
94 int(n) |
|
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
95 except ValueError: |
|
78e6a1e4984e
forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents:
2045
diff
changeset
|
96 d = {'input': n, 'classname': t} |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
97 raise exceptions.SeriousError(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
98 '"%(input)s" is not an ID (%(classname)s ID required)')%d) |
|
2183
ac24a9c74cca
be paranoid about TRACKER_WEB
Richard Jones <richard@users.sourceforge.net>
parents:
2169
diff
changeset
|
99 url = '%s%s%s'%(self.base, t, n) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
100 raise exceptions.Redirect(url) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
101 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
102 class RetireAction(Action): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
103 name = 'retire' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
104 permissionType = 'Edit' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
105 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
106 def handle(self): |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
107 """Retire the context item.""" |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
108 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
109 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
110 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
111 |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
112 # if we want to view the index template now, then unset the itemid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
113 # context info (a special-case for retire actions on the index page) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
114 itemid = self.nodeid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
115 if self.template == 'index': |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
116 self.client.nodeid = None |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
117 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
118 # make sure we don't try to retire admin or anonymous |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
119 if self.classname == 'user' and \ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
120 self.db.user.get(itemid, 'username') in ('admin', 'anonymous'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
121 raise ValueError(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
122 'You may not retire the admin or anonymous user')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
123 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
124 # check permission |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
125 if not self.hasPermission('Retire', classname=self.classname, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
126 itemid=itemid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
127 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
128 'You do not have permission to retire %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
129 ) % {'class': self.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
130 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
131 # do the retire |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
132 self.db.getclass(self.classname).retire(itemid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
133 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
134 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
135 self.client.add_ok_message( |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
136 self._('%(classname)s %(itemid)s has been retired')%{ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
137 'classname': self.classname.capitalize(), 'itemid': itemid}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
138 |
|
3473
370bb8f3c4d1
fix permission check on RetireAction [SF#1407342]
Richard Jones <richard@users.sourceforge.net>
parents:
3469
diff
changeset
|
139 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
140 class SearchAction(Action): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
141 name = 'search' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
142 permissionType = 'View' |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
143 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
144 def handle(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
145 """Mangle some of the form variables. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
146 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
147 Set the form ":filter" variable based on the values of the filter |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
148 variables - if they're set to anything other than "dontcare" then add |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
149 them to :filter. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
150 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
151 Handle the ":queryname" variable and save off the query to the user's |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
152 query list. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
153 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
154 Split any String query values on whitespace and comma. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
155 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
156 """ |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
157 self.fakeFilterVars() |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
158 queryname = self.getQueryName() |
|
3913
00896a2acaa5
clean up query display of "Private to you" items
Justus Pendleton <jpend@users.sourceforge.net>
parents:
3855
diff
changeset
|
159 |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
160 # editing existing query name? |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
161 old_queryname = self.getFromForm('old-queryname') |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
162 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
163 # handle saving the query params |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
164 if queryname: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
165 # parse the environment and figure what the query _is_ |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
166 req = templating.HTMLRequest(self.client) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
167 |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
168 url = self.getCurrentURL(req) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
169 |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
170 key = self.db.query.getkey() |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
171 if key: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
172 # edit the old way, only one query per name |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
173 try: |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
174 qid = self.db.query.lookup(old_queryname) |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
175 if not self.hasPermission('Edit', 'query', itemid=qid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
176 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
177 "You do not have permission to edit queries")) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
178 self.db.query.set(qid, klass=self.classname, url=url) |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
179 except KeyError: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
180 # create a query |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
181 if not self.hasPermission('Create', 'query'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
182 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
183 "You do not have permission to store queries")) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
184 qid = self.db.query.create(name=queryname, |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
185 klass=self.classname, url=url) |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
186 else: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
187 # edit the new way, query name not a key any more |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
188 # see if we match an existing private query |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
189 uid = self.db.getuid() |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
190 qids = self.db.query.filter(None, {'name': old_queryname, |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
191 'private_for': uid}) |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
192 if not qids: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
193 # ok, so there's not a private query for the current user |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
194 # - see if there's one created by them |
|
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
195 qids = self.db.query.filter(None, {'name': old_queryname, |
|
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
196 'creator': uid}) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
197 |
|
3581
d10008f756a4
fix saving of queries [SF#1436169]
Richard Jones <richard@users.sourceforge.net>
parents:
3549
diff
changeset
|
198 if qids and old_queryname: |
|
2362
10fc45eea226
fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents:
2291
diff
changeset
|
199 # edit query - make sure we get an exact match on the name |
|
10fc45eea226
fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents:
2291
diff
changeset
|
200 for qid in qids: |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
201 if old_queryname != self.db.query.get(qid, 'name'): |
|
2362
10fc45eea226
fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents:
2291
diff
changeset
|
202 continue |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
203 if not self.hasPermission('Edit', 'query', itemid=qid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
204 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
205 "You do not have permission to edit queries")) |
|
3518
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
206 self.db.query.set(qid, klass=self.classname, |
|
7fb8cfe3c737
enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents:
3499
diff
changeset
|
207 url=url, name=queryname) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
208 else: |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
209 # create a query |
|
3073
7fefb1e29ed0
fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents:
3012
diff
changeset
|
210 if not self.hasPermission('Create', 'query'): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
211 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
212 "You do not have permission to store queries")) |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
213 qid = self.db.query.create(name=queryname, |
|
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
214 klass=self.classname, url=url, private_for=uid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
215 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
216 # and add it to the user's query multilink |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
217 queries = self.db.user.get(self.userid, 'queries') |
|
2061
0eeecaac008a
query saving fix
Richard Jones <richard@users.sourceforge.net>
parents:
2052
diff
changeset
|
218 if qid not in queries: |
|
0eeecaac008a
query saving fix
Richard Jones <richard@users.sourceforge.net>
parents:
2052
diff
changeset
|
219 queries.append(qid) |
|
0eeecaac008a
query saving fix
Richard Jones <richard@users.sourceforge.net>
parents:
2052
diff
changeset
|
220 self.db.user.set(self.userid, queries=queries) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
221 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
222 # commit the query change to the database |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
223 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
224 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
225 def fakeFilterVars(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
226 """Add a faked :filter form variable for each filtering prop.""" |
|
3635
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
227 cls = self.db.classes[self.classname] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
228 for key in self.form: |
|
3635
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
229 prop = cls.get_transitive_prop(key) |
|
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
230 if not prop: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
231 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
232 if isinstance(self.form[key], type([])): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
233 # search for at least one entry which is not empty |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
234 for minifield in self.form[key]: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
235 if minifield.value: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
236 break |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
237 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
238 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
239 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
240 if not self.form[key].value: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
241 continue |
|
3635
53987aa153d2
Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3604
diff
changeset
|
242 if isinstance(prop, hyperdb.String): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
243 v = self.form[key].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
244 l = token.token_split(v) |
|
4037
0b89c94a2387
Robustify SearchAction.fakeFilterVars
Stefan Seefeld <stefan@seefeld.name>
parents:
4030
diff
changeset
|
245 if len(l) != 1 or l[0] != v: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
246 self.form.value.remove(self.form[key]) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
247 # replace the single value with the split list |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
248 for v in l: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
249 self.form.value.append(cgi.MiniFieldStorage(key, v)) |
|
5097
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
250 elif isinstance(prop, hyperdb.Number): |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
251 try: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
252 float(self.form[key].value) |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
253 except ValueError: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
254 raise exceptions.FormError, "Invalid number: "+self.form[key].value |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
255 elif isinstance(prop, hyperdb.Integer): |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
256 try: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
257 val=self.form[key].value |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
258 if ( str(int(val)) == val ): |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
259 pass |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
260 else: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
261 raise ValueError |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
262 except ValueError: |
|
156cbc1d182c
Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents:
5093
diff
changeset
|
263 raise exceptions.FormError, "Invalid integer: "+val |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
264 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
265 self.form.value.append(cgi.MiniFieldStorage('@filter', key)) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
266 |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
267 def getCurrentURL(self, req): |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
268 """Get current URL for storing as a query. |
|
3805
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
269 |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
270 Note: We are removing the first character from the current URL, |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
271 because the leading '?' is not part of the query string. |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
272 |
|
f86d9531c8db
comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3804
diff
changeset
|
273 Implementation note: |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
274 But maybe the template should be part of the stored query: |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
275 template = self.getFromForm('template') |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
276 if template: |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
277 return req.indexargs_url('', {'@template' : template})[1:] |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
278 """ |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
279 return req.indexargs_url('', {})[1:] |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
280 |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
281 def getFromForm(self, name): |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
282 for key in ('@' + name, ':' + name): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
283 if key in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
284 return self.form[key].value.strip() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
285 return '' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
286 |
|
3804
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
287 def getQueryName(self): |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
288 return self.getFromForm('queryname') |
|
5445ff8c442b
factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3673
diff
changeset
|
289 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
290 class EditCSVAction(Action): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
291 name = 'edit' |
|
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
292 permissionType = 'Edit' |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
293 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
294 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
295 """Performs an edit of all of a class' items in one go. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
296 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
297 The "rows" CGI var defines the CSV-formatted entries for the class. New |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
298 nodes are identified by the ID 'X' (or any other non-existent ID) and |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
299 removed lines are retired. |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
300 """ |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
301 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
302 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
303 raise Reject(self._('Invalid request')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
304 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
305 # figure the properties list for the class |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
306 cl = self.db.classes[self.classname] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
307 props_without_id = list(cl.getprops(protected=0)) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
308 |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
309 # the incoming CSV data will always have the properties in colums |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
310 # sorted and starting with the "id" column |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
311 props_without_id.sort() |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
312 props = ['id'] + props_without_id |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
313 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
314 # do the edit |
|
5044
dce3cfe7ec61
Remove roundup.anypy.io_
John Kristensen <john@jerrykan.com>
parents:
5010
diff
changeset
|
315 rows = BytesIO(self.form['rows'].value) |
|
3179
88dbe6b3d891
merge removal of rcsv
Richard Jones <richard@users.sourceforge.net>
parents:
3145
diff
changeset
|
316 reader = csv.reader(rows) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
317 found = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
318 line = 0 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
319 for values in reader: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
320 line += 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
321 if line == 1: continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
322 # skip property names header |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
323 if values == props: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
324 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
325 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
326 # extract the itemid |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
327 itemid, values = values[0], values[1:] |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
328 found[itemid] = 1 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
329 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
330 # see if the node exists |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
331 if itemid in ('x', 'X') or not cl.hasnode(itemid): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
332 exists = 0 |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
333 |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
334 # check permission to create this item |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
335 if not self.hasPermission('Create', classname=self.classname): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
336 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
337 'You do not have permission to create %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
338 ) % {'class': self.classname}) |
|
4293
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
339 elif cl.hasnode(itemid) and cl.is_retired(itemid): |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
340 # If a CSV line just mentions an id and the corresponding |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
341 # item is retired, then the item is restored. |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
342 cl.restore(itemid) |
|
9b9ab6109254
Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents:
4146
diff
changeset
|
343 continue |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
344 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
345 exists = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
346 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
347 # confirm correct weight |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
348 if len(props_without_id) != len(values): |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
349 self.client.add_error_message( |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
350 self._('Not enough values on line %(line)s')%{'line':line}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
351 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
352 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
353 # extract the new values |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
354 d = {} |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
355 for name, value in zip(props_without_id, values): |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
356 # check permission to edit this property on this item |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
357 if exists and not self.hasPermission('Edit', itemid=itemid, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
358 classname=self.classname, property=name): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
359 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
360 'You do not have permission to edit %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
361 ) % {'class': self.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
362 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
363 prop = cl.properties[name] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
364 value = value.strip() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
365 # only add the property if it has a value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
366 if value: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
367 # if it's a multilink, split it |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
368 if isinstance(prop, hyperdb.Multilink): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
369 value = value.split(':') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
370 elif isinstance(prop, hyperdb.Password): |
|
4486
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
371 value = password.Password(value, config=self.db.config) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
372 elif isinstance(prop, hyperdb.Interval): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
373 value = date.Interval(value) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
374 elif isinstance(prop, hyperdb.Date): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
375 value = date.Date(value) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
376 elif isinstance(prop, hyperdb.Boolean): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
377 value = value.lower() in ('yes', 'true', 'on', '1') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
378 elif isinstance(prop, hyperdb.Number): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
379 value = float(value) |
|
5067
e424987d294a
Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents:
5044
diff
changeset
|
380 elif isinstance(prop, hyperdb.Integer): |
|
e424987d294a
Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents:
5044
diff
changeset
|
381 value = int(value) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
382 d[name] = value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
383 elif exists: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
384 # nuke the existing value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
385 if isinstance(prop, hyperdb.Multilink): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
386 d[name] = [] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
387 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
388 d[name] = None |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
389 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
390 # perform the edit |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
391 if exists: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
392 # edit existing |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
393 cl.set(itemid, **d) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
394 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
395 # new node |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
396 found[cl.create(**d)] = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
397 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
398 # retire the removed entries |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
399 for itemid in cl.list(): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
400 if itemid not in found: |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
401 # check permission to retire this item |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
402 if not self.hasPermission('Retire', itemid=itemid, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
403 classname=self.classname): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
404 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
405 'You do not have permission to retire %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
406 ) % {'class': self.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
407 cl.retire(itemid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
408 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
409 # all OK |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
410 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
411 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
412 self.client.add_ok_message(self._('Items edited OK')) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
413 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
414 class EditCommon(Action): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
415 '''Utility methods for editing.''' |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
416 |
|
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
417 def _editnodes(self, all_props, all_links): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
418 ''' Use the props in all_props to perform edit and creation, then |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
419 use the link specs in all_links to do linking. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
420 ''' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
421 # figure dependencies and re-work links |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
422 deps = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
423 links = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
424 for cn, nodeid, propname, vlist in all_links: |
|
3855
de4c2e538e06
Bug-Fix: File attachments from the web-interface didn't work.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3853
diff
changeset
|
425 numeric_id = int (nodeid or 0) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
426 if not (numeric_id > 0 or (cn, nodeid) in all_props): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
427 # link item to link to doesn't (and won't) exist |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
428 continue |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
429 |
|
3852
0dd05c9e5fff
New test for linking of non-existing and existing properties via a form.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3851
diff
changeset
|
430 for value in vlist: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
431 if value not in all_props: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
432 # link item to link to doesn't (and won't) exist |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
433 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
434 deps.setdefault((cn, nodeid), []).append(value) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
435 links.setdefault(value, []).append((cn, nodeid, propname)) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
436 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
437 # figure chained dependencies ordering |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
438 order = [] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
439 done = {} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
440 # loop detection |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
441 change = 0 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
442 while len(all_props) != len(done): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
443 for needed in all_props: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
444 if needed in done: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
445 continue |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
446 tlist = deps.get(needed, []) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
447 for target in tlist: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
448 if target not in done: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
449 break |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
450 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
451 done[needed] = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
452 order.append(needed) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
453 change = 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
454 if not change: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
455 raise ValueError('linking must not loop!') |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
456 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
457 # now, edit / create |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
458 m = [] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
459 for needed in order: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
460 props = all_props[needed] |
|
3851
5fe1f30f7f30
Bug-fix: In case we have a @link@ to an existing node...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
3850
diff
changeset
|
461 cn, nodeid = needed |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
462 if props: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
463 if nodeid is not None and int(nodeid) > 0: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
464 # make changes to the node |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
465 props = self._changenode(cn, nodeid, props) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
466 |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
467 # and some nice feedback for the user |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
468 if props: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
469 info = ', '.join(map(self._, props)) |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
470 m.append( |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
471 self._('%(class)s %(id)s %(properties)s edited ok') |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
472 % {'class':cn, 'id':nodeid, 'properties':info}) |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
473 else: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
474 m.append(self._('%(class)s %(id)s - nothing changed') |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
475 % {'class':cn, 'id':nodeid}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
476 else: |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
477 assert props |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
478 |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
479 # make a new node |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
480 newid = self._createnode(cn, props) |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
481 if nodeid is None: |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
482 self.nodeid = newid |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
483 nodeid = newid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
484 |
|
3850
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
485 # and some nice feedback for the user |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
486 m.append(self._('%(class)s %(id)s created') |
|
326269886c32
Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents:
3847
diff
changeset
|
487 % {'class':cn, 'id':newid}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
488 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
489 # fill in new ids in links |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
490 if needed in links: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
491 for linkcn, linkid, linkprop in links[needed]: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
492 props = all_props[(linkcn, linkid)] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
493 cl = self.db.classes[linkcn] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
494 propdef = cl.getprops()[linkprop] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
495 if linkprop not in props: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
496 if linkid is None or linkid.startswith('-'): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
497 # linking to a new item |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
498 if isinstance(propdef, hyperdb.Multilink): |
|
4304
df7a4400c2ce
Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4293
diff
changeset
|
499 props[linkprop] = [nodeid] |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
500 else: |
|
4304
df7a4400c2ce
Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4293
diff
changeset
|
501 props[linkprop] = nodeid |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
502 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
503 # linking to an existing item |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
504 if isinstance(propdef, hyperdb.Multilink): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
505 existing = cl.get(linkid, linkprop)[:] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
506 existing.append(nodeid) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
507 props[linkprop] = existing |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
508 else: |
|
4304
df7a4400c2ce
Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4293
diff
changeset
|
509 props[linkprop] = nodeid |
|
4992
b562df8a5056
Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4880
diff
changeset
|
510 elif isinstance(propdef, hyperdb.Multilink): |
|
b562df8a5056
Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4880
diff
changeset
|
511 props[linkprop].append(nodeid) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
512 |
|
4623
4f9c3858b671
Fix another XSS with the ok- and error message, see issue2550724.
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4521
diff
changeset
|
513 return '\n'.join(m) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
514 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
515 def _changenode(self, cn, nodeid, props): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
516 """Change the node based on the contents of the form.""" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
517 # check for permission |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
518 if not self.editItemPermission(props, classname=cn, itemid=nodeid): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
519 raise exceptions.Unauthorised(self._( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
520 'You do not have permission to edit %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
521 ) % {'class': cn}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
522 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
523 # make the changes |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
524 cl = self.db.classes[cn] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
525 return cl.set(nodeid, **props) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
526 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
527 def _createnode(self, cn, props): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
528 """Create a node based on the contents of the form.""" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
529 # check for permission |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
530 if not self.newItemPermission(props, classname=cn): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
531 raise exceptions.Unauthorised(self._( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
532 'You do not have permission to create %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
533 ) % {'class': cn}) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
534 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
535 # create the node and return its id |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
536 cl = self.db.classes[cn] |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
537 return cl.create(**props) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
538 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
539 def isEditingSelf(self): |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
540 """Check whether a user is editing his/her own details.""" |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
541 return (self.nodeid == self.userid |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
542 and self.db.user.get(self.nodeid, 'username') != 'anonymous') |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
543 |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
544 _cn_marker = [] |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
545 def editItemPermission(self, props, classname=_cn_marker, itemid=None): |
| 4030 | 546 """Determine whether the user has permission to edit this item.""" |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
547 if itemid is None: |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
548 itemid = self.nodeid |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
549 if classname is self._cn_marker: |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
550 classname = self.classname |
| 4030 | 551 # The user must have permission to edit each of the properties |
| 552 # being changed. | |
| 553 for p in props: | |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
554 if not self.hasPermission('Edit', itemid=itemid, |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
555 classname=classname, property=p): |
| 4030 | 556 return 0 |
| 557 # Since the user has permission to edit all of the properties, | |
| 558 # the edit is OK. | |
| 559 return 1 | |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
560 |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
561 def newItemPermission(self, props, classname=None): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
562 """Determine whether the user has permission to create this item. |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
563 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
564 Base behaviour is to check the user can edit this class. No additional |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
565 property checks are made. |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
566 """ |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
567 |
|
3468
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
568 if not classname : |
|
6f3b30925975
fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents:
3466
diff
changeset
|
569 classname = self.client.classname |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
570 |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
571 if not self.hasPermission('Create', classname=classname): |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
572 return 0 |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
573 |
|
4310
8e0d350ce644
Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4304
diff
changeset
|
574 # Check Create permission for each property, to avoid being able |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
575 # to set restricted ones on new item creation |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
576 for key in props: |
|
4310
8e0d350ce644
Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4304
diff
changeset
|
577 if not self.hasPermission('Create', classname=classname, |
|
4126
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
578 property=key): |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
579 return 0 |
|
e67379669e11
Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents:
4118
diff
changeset
|
580 return 1 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
581 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
582 class EditItemAction(EditCommon): |
|
2143
b29323f75718
wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents:
2136
diff
changeset
|
583 def lastUserActivity(self): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
584 if ':lastactivity' in self.form: |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
585 d = date.Date(self.form[':lastactivity'].value) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
586 elif '@lastactivity' in self.form: |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
587 d = date.Date(self.form['@lastactivity'].value) |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
588 else: |
|
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
589 return None |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
590 d.second = int(d.second) |
|
2264
9b34f41507ed
*** empty log message ***
Richard Jones <richard@users.sourceforge.net>
parents:
2260
diff
changeset
|
591 return d |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
592 |
|
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
593 def lastNodeActivity(self): |
|
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
594 cl = getattr(self.client.db, self.classname) |
|
2260
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
595 activity = cl.get(self.nodeid, 'activity').local(0) |
|
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
596 activity.second = int(activity.second) |
|
46d9cc1e4fc4
collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents:
2248
diff
changeset
|
597 return activity |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
598 |
|
2143
b29323f75718
wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents:
2136
diff
changeset
|
599 def detectCollision(self, user_activity, node_activity): |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
600 '''Check for a collision and return the list of props we edited |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
601 that conflict.''' |
|
3188
7faae85e1e33
merge from branch
Richard Jones <richard@users.sourceforge.net>
parents:
3179
diff
changeset
|
602 if user_activity and user_activity < node_activity: |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
603 props, links = self.client.parsePropsFromForm() |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
604 key = (self.classname, self.nodeid) |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
605 # we really only collide for direct prop edit conflicts |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
606 return list(props[key]) |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
607 else: |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
608 return [] |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
609 |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
610 def handleCollision(self, props): |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
611 message = self._('Edit Error: someone else has edited this %s (%s). ' |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
612 'View <a target="new" href="%s%s">their changes</a> ' |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
613 'in a new window.')%(self.classname, ', '.join(props), |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
614 self.classname, self.nodeid) |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
615 self.client.add_error_message(message, escape=False) |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
616 return |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
617 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
618 def handle(self): |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
619 """Perform an edit of an item in the database. |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
620 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
621 See parsePropsFromForm and _editnodes for special variables. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
622 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
623 """ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
624 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
625 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
626 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
627 |
|
2148
2490d26c88df
Line 485, lastUserActivity misspelled as lastUserActvity.
Brian Kelley <wc2so1@users.sourceforge.net>
parents:
2143
diff
changeset
|
628 user_activity = self.lastUserActivity() |
|
3145
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
629 if user_activity: |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
630 props = self.detectCollision(user_activity, self.lastNodeActivity()) |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
631 if props: |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
632 self.handleCollision(props) |
|
9aa9436a81e0
better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents:
3130
diff
changeset
|
633 return |
|
2014
366d3bbce982
Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2012
diff
changeset
|
634 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
635 props, links = self.client.parsePropsFromForm() |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
636 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
637 # handle the props |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
638 try: |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
639 message = self._editnodes(props, links) |
|
5010
0428d2004a86
Fix exception handling to be python2.5 compatible
John Kristensen <john@jerrykan.com>
parents:
5004
diff
changeset
|
640 except (ValueError, KeyError, IndexError, Reject), message: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
641 escape = not isinstance(message, RejectRaw) |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
642 self.client.add_error_message( |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
643 self._('Edit Error: %s') % str(message), escape=escape) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
644 return |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
645 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
646 # commit now that all the tricky stuff is done |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
647 self.db.commit() |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
648 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
649 # redirect to the item's edit page |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
650 # redirect to finish off |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
651 url = self.base + self.classname |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
652 # note that this action might have been called by an index page, so |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
653 # we will want to include index-page args in this URL too |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
654 if self.nodeid is not None: |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
655 url += self.nodeid |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
656 url += '?@ok_message=%s&@template=%s'%(urllib_.quote(message), |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
657 urllib_.quote(self.template)) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
658 if self.nodeid is None: |
|
2136
ee3cf6a44f29
queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents:
2130
diff
changeset
|
659 req = templating.HTMLRequest(self.client) |
|
3130
7308c3c5a943
docs editing from Jean Jordaan
Richard Jones <richard@users.sourceforge.net>
parents:
3073
diff
changeset
|
660 url += '&' + req.indexargs_url('', {})[1:] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
661 raise exceptions.Redirect(url) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
662 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
663 class NewItemAction(EditCommon): |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
664 def handle(self): |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
665 ''' Add a new item to the database. |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
666 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
667 This follows the same form as the EditItemAction, with the same |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
668 special form values. |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
669 ''' |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
670 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
671 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
672 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
673 |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
674 # parse the props from the form |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
675 try: |
|
2107
b7404a96b58a
minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents:
2082
diff
changeset
|
676 props, links = self.client.parsePropsFromForm(create=1) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
677 except (ValueError, KeyError), message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
678 self.client.add_error_message(self._('Error: %s') |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
679 % str(message)) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
680 return |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
681 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
682 # handle the props - edit or create |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
683 try: |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
684 # when it hits the None element, it'll set self.nodeid |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
685 messages = self._editnodes(props, links) |
|
5010
0428d2004a86
Fix exception handling to be python2.5 compatible
John Kristensen <john@jerrykan.com>
parents:
5004
diff
changeset
|
686 except (ValueError, KeyError, IndexError, Reject), message: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
687 escape = not isinstance(message, RejectRaw) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
688 # these errors might just be indicative of user dumbness |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
689 self.client.add_error_message(_('Error: %s') % str(message), |
|
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
690 escape=escape) |
|
2012
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
691 return |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
692 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
693 # commit now that all the tricky stuff is done |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
694 self.db.commit() |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
695 |
|
9cc7b7d0ca3f
Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2010
diff
changeset
|
696 # redirect to the new item's page |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
697 raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % ( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
698 self.base, self.classname, self.nodeid, urllib_.quote(messages), |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
699 urllib_.quote(self.template))) |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
700 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
701 class PassResetAction(Action): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
702 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
703 """Handle password reset requests. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
704 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
705 Presence of either "name" or "address" generates email. Presence of |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
706 "otk" performs the reset. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
707 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
708 """ |
|
2291
90cca653ef3d
otks manager missing [SF#952931]
Richard Jones <richard@users.sourceforge.net>
parents:
2264
diff
changeset
|
709 otks = self.db.getOTKManager() |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
710 if 'otk' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
711 # pull the rego information out of the otk database |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
712 otk = self.form['otk'].value |
|
3673
94b905502d26
removed traceback with OTK is used multiple times [SF#1240539]
Richard Jones <richard@users.sourceforge.net>
parents:
3635
diff
changeset
|
713 uid = otks.get(otk, 'uid', default=None) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
714 if uid is None: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
715 self.client.add_error_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
716 self._("Invalid One Time Key!\n" |
|
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
717 "(a Mozilla bug may cause this message " |
|
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
718 "to show up erroneously, please check your email)")) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
719 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
720 |
|
5092
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
721 # pull the additional email address if exist |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
722 uaddress = otks.get(otk, 'uaddress', default=None) |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
723 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
724 # re-open the database as "admin" |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
725 if self.user != 'admin': |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
726 self.client.opendb('admin') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
727 self.db = self.client.db |
|
2372
c26bb78d2f0c
couple of bugfixes
Richard Jones <richard@users.sourceforge.net>
parents:
2362
diff
changeset
|
728 otks = self.db.getOTKManager() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
729 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
730 # change the password |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
731 newpw = password.generatePassword() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
732 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
733 cl = self.db.user |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
734 # XXX we need to make the "default" page be able to display errors! |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
735 try: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
736 # set the password |
|
4486
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
737 cl.set(uid, password=password.Password(newpw, config=self.db.config)) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
738 # clear the props from the otk database |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
739 otks.destroy(otk) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
740 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
741 except (ValueError, KeyError), message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
742 self.client.add_error_message(str(message)) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
743 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
744 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
745 # user info |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
746 name = self.db.user.get(uid, 'username') |
|
5092
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
747 if uaddress is None: |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
748 address = self.db.user.get(uid, 'address') |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
749 else: |
|
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
750 address = uaddress |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
751 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
752 # send the email |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
753 tracker_name = self.db.config.TRACKER_NAME |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
754 subject = 'Password reset for %s'%tracker_name |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
755 body = ''' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
756 The password has been reset for username "%(name)s". |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
757 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
758 Your password is now: %(password)s |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
759 '''%{'name': name, 'password': newpw} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
760 if not self.client.standard_message([address], subject, body): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
761 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
762 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
763 self.client.add_ok_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
764 self._('Password reset and email sent to %s') % address) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
765 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
766 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
767 # no OTK, so now figure the user |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
768 if 'username' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
769 name = self.form['username'].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
770 try: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
771 uid = self.db.user.lookup(name) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
772 except KeyError: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
773 self.client.add_error_message(self._('Unknown username')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
774 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
775 address = self.db.user.get(uid, 'address') |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
776 elif 'address' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
777 address = self.form['address'].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
778 uid = uidFromAddress(self.db, ('', address), create=0) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
779 if not uid: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
780 self.client.add_error_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
781 self._('Unknown email address')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
782 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
783 name = self.db.user.get(uid, 'username') |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
784 else: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
785 self.client.add_error_message( |
|
2531
f8c6a09ef485
translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2391
diff
changeset
|
786 self._('You need to specify a username or address')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
787 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
788 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
789 # generate the one-time-key and store the props for later |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
790 otk = ''.join([random.choice(chars) for x in range(32)]) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
791 while otks.exists(otk): |
|
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
792 otk = ''.join([random.choice(chars) for x in range(32)]) |
|
5092
fc03c1381690
issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents:
4880
diff
changeset
|
793 otks.set(otk, uid=uid, uaddress=address) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
794 self.db.commit() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
795 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
796 # send the email |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
797 tracker_name = self.db.config.TRACKER_NAME |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
798 subject = 'Confirm reset of password for %s'%tracker_name |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
799 body = ''' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
800 Someone, perhaps you, has requested that the password be changed for your |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
801 username, "%(name)s". If you wish to proceed with the change, please follow |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
802 the link below: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
803 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
804 %(url)suser?@template=forgotten&@action=passrst&otk=%(otk)s |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
805 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
806 You should then receive another email with the new password. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
807 '''%{'name': name, 'tracker': tracker_name, 'url': self.base, 'otk': otk} |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
808 if not self.client.standard_message([address], subject, body): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
809 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
810 |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
811 self.client.add_ok_message(self._('Email sent to %s') % address) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
812 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
813 class RegoCommon(Action): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
814 def finishRego(self): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
815 # log the new user in |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
816 self.client.userid = self.userid |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
817 user = self.client.user = self.db.user.get(self.userid, 'username') |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
818 # re-open the database for real, using the user |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
819 self.client.opendb(user) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
820 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
821 # update session data |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
822 self.client.session_api.set(user=user) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
823 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
824 # nice message |
|
2391
3a0a248289dd
action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2372
diff
changeset
|
825 message = self._('You are now registered, welcome!') |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
826 url = '%suser%s?@ok_message=%s'%(self.base, self.userid, |
|
4416
36d52125c9cf
fixed registration, issue2550665 (thanks Timo Paulssen)
Richard Jones <richard@users.sourceforge.net>
parents:
4362
diff
changeset
|
827 urllib_.quote(message)) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
828 |
|
2045
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
829 # redirect to the user's page (but not 302, as some email clients seem |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
830 # to want to reload the page, or something) |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
831 return '''<html><head><title>%s</title></head> |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
832 <body><p><a href="%s">%s</a></p> |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
833 <script type="text/javascript"> |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
834 window.setTimeout('window.location = "%s"', 1000); |
|
d124af927369
Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents:
2032
diff
changeset
|
835 </script>'''%(message, url, message, url) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
836 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
837 class ConfRegoAction(RegoCommon): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
838 def handle(self): |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
839 """Grab the OTK, use it to load up the new user details.""" |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
840 try: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
841 # pull the rego information out of the otk database |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
842 self.userid = self.db.confirm_registration(self.form['otk'].value) |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
843 except (ValueError, KeyError), message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
844 self.client.add_error_message(str(message)) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
845 return |
|
3847
1a44e4bb2b54
Fix missing return value.
Stefan Seefeld <stefan@seefeld.name>
parents:
3805
diff
changeset
|
846 return self.finishRego() |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
847 |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
848 class RegisterAction(RegoCommon, EditCommon): |
|
2018
96a1bf48efdd
Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
2014
diff
changeset
|
849 name = 'register' |
| 4146 | 850 permissionType = 'Register' |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
851 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
852 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
853 """Attempt to create a new user based on the contents of the form |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
854 and then remember it in session. |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
855 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
856 Return 1 on successful login. |
|
2032
5a7ec0c63095
fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents:
2031
diff
changeset
|
857 """ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
858 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
859 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
860 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
861 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
862 # parse the props from the form |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
863 try: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
864 props, links = self.client.parsePropsFromForm(create=1) |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
865 except (ValueError, KeyError), message: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
866 self.client.add_error_message(self._('Error: %s') |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
867 % str(message)) |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
868 return |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
869 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
870 # skip the confirmation step? |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
871 if self.db.config['INSTANT_REGISTRATION']: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
872 # handle the create now |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
873 try: |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
874 # when it hits the None element, it'll set self.nodeid |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
875 messages = self._editnodes(props, links) |
|
5010
0428d2004a86
Fix exception handling to be python2.5 compatible
John Kristensen <john@jerrykan.com>
parents:
5004
diff
changeset
|
876 except (ValueError, KeyError, IndexError, Reject), message: |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
877 escape = not isinstance(message, RejectRaw) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
878 # these errors might just be indicative of user dumbness |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
879 self.client.add_error_message(_('Error: %s') % str(message), |
|
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
880 escape=escape) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
881 return |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
882 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
883 # fix up the initial roles |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
884 self.db.user.set(self.nodeid, |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
885 roles=self.db.config['NEW_WEB_USER_ROLES']) |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
886 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
887 # commit now that all the tricky stuff is done |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
888 self.db.commit() |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
889 |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
890 # finish off by logging the user in |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
891 self.userid = self.nodeid |
|
3466
0ecd0062abfb
fix redirect after instant registration [SF#1381676]
Richard Jones <richard@users.sourceforge.net>
parents:
3418
diff
changeset
|
892 return self.finishRego() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
893 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
894 # generate the one-time-key and store the props for later |
|
4334
1aef7a4e4e39
fix non-instant rego
Richard Jones <richard@users.sourceforge.net>
parents:
4329
diff
changeset
|
895 user_props = props[('user', None)] |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
896 for propname, proptype in self.db.user.getprops().iteritems(): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
897 value = user_props.get(propname, None) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
898 if value is None: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
899 pass |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
900 elif isinstance(proptype, hyperdb.Date): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
901 user_props[propname] = str(value) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
902 elif isinstance(proptype, hyperdb.Interval): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
903 user_props[propname] = str(value) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
904 elif isinstance(proptype, hyperdb.Password): |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
905 user_props[propname] = str(value) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
906 otks = self.db.getOTKManager() |
|
2169
12cd4fa91eb7
OTK generation was busted (thanks Stuart D. Gathman)
Richard Jones <richard@users.sourceforge.net>
parents:
2163
diff
changeset
|
907 otk = ''.join([random.choice(chars) for x in range(32)]) |
|
2082
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
908 while otks.exists(otk): |
|
c091cacdc505
Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents:
2061
diff
changeset
|
909 otk = ''.join([random.choice(chars) for x in range(32)]) |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
910 otks.set(otk, **user_props) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
911 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
912 # send the email |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
913 tracker_name = self.db.config.TRACKER_NAME |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
914 tracker_email = self.db.config.TRACKER_EMAIL |
|
3469
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
915 if self.db.config['EMAIL_REGISTRATION_CONFIRMATION']: |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
916 subject = 'Complete your registration to %s -- key %s'%(tracker_name, |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
917 otk) |
|
3469
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
918 body = """To complete your registration of the user "%(name)s" with |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
919 %(tracker)s, please do one of the following: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
920 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
921 - send a reply to %(tracker_email)s and maintain the subject line as is (the |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
922 reply's additional "Re:" is ok), |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
923 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
924 - or visit the following URL: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
925 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
926 %(url)s?@action=confrego&otk=%(otk)s |
|
2108
54815ca493a5
add line to rego email to help URL detection [SF#906247]
Richard Jones <richard@users.sourceforge.net>
parents:
2107
diff
changeset
|
927 |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
928 """ % {'name': user_props['username'], 'tracker': tracker_name, |
|
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
929 'url': self.base, 'otk': otk, 'tracker_email': tracker_email} |
|
3469
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
930 else: |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
931 subject = 'Complete your registration to %s'%(tracker_name) |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
932 body = """To complete your registration of the user "%(name)s" with |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
933 %(tracker)s, please visit the following URL: |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
934 |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
935 %(url)s?@action=confrego&otk=%(otk)s |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
936 |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
937 """ % {'name': user_props['username'], 'tracker': tracker_name, |
|
d3b02352484f
enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents:
3468
diff
changeset
|
938 'url': self.base, 'otk': otk} |
|
2649
1df7d4a41da4
Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents:
2592
diff
changeset
|
939 if not self.client.standard_message([user_props['address']], subject, |
|
3604
ccf516e6c3f8
responses to user rego email [SF#1470254]
Richard Jones <richard@users.sourceforge.net>
parents:
3581
diff
changeset
|
940 body, (tracker_name, tracker_email)): |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
941 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
942 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
943 # commit changes to the database |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
944 self.db.commit() |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
945 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
946 # redirect to the "you're almost there" page |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
947 raise exceptions.Redirect('%suser?@template=rego_progress'%self.base) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
948 |
|
4329
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
949 def newItemPermission(self, props, classname=None): |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
950 """Just check the "Register" permission. |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
951 """ |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
952 # registration isn't allowed to supply roles |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
953 if 'roles' in props: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
954 raise exceptions.Unauthorised(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
955 "It is not permitted to supply roles at registration.")) |
|
4329
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
956 |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
957 # technically already checked, but here for clarity |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
958 return self.hasPermission('Register', classname=classname) |
|
58b7ba47af87
fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents:
4310
diff
changeset
|
959 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
960 class LogoutAction(Action): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
961 def handle(self): |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
962 """Make us really anonymous - nuke the session too.""" |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
963 # log us out |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
964 self.client.make_user_anonymous() |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
965 self.client.session_api.destroy() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
966 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
967 # Let the user know what's going on |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
968 self.client.add_ok_message(self._('You are logged out')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
969 |
|
3264
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
970 # reset client context to render tracker home page |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
971 # instead of last viewed page (may be inaccessibe for anonymous) |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
972 self.client.classname = None |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
973 self.client.nodeid = None |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
974 self.client.template = None |
|
6fc18923f837
LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
3188
diff
changeset
|
975 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
976 class LoginAction(Action): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
977 def handle(self): |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
978 """Attempt to log a user in. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
979 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
980 Sets up a session for the user which contains the login credentials. |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
981 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
982 """ |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
983 # ensure modification comes via POST |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
984 if self.client.env['REQUEST_METHOD'] != 'POST': |
|
5004
494d255043c9
Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents:
4992
diff
changeset
|
985 raise Reject(self._('Invalid request')) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
986 |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
987 # we need the username at a minimum |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
988 if '__login_name' not in self.form: |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
989 self.client.add_error_message(self._('Username required')) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
990 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
991 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
992 # get the login info |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
993 self.client.user = self.form['__login_name'].value |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
994 if '__login_password' in self.form: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
995 password = self.form['__login_password'].value |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
996 else: |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
997 password = '' |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
998 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
999 try: |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1000 self.verifyLogin(self.client.user, password) |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1001 except exceptions.LoginError, err: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1002 self.client.make_user_anonymous() |
|
4880
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1003 for arg in err.args: |
|
ca692423e401
Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents:
4624
diff
changeset
|
1004 self.client.add_error_message(arg) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1005 return |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1006 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1007 # now we're OK, re-open the database for real, using the user |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1008 self.client.opendb(self.client.user) |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1009 |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1010 # save user in session |
|
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1011 self.client.session_api.set(user=self.client.user) |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1012 if 'remember' in self.form: |
|
3989
0112e9e1d068
improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents:
3987
diff
changeset
|
1013 self.client.session_api.update(set_cookie=True, expire=24*3600*365) |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1014 |
|
3418
9b8019f28158
remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents:
3382
diff
changeset
|
1015 # If we came from someplace, go back there |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1016 if '__came_from' in self.form: |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1017 raise exceptions.Redirect(self.form['__came_from'].value) |
|
3418
9b8019f28158
remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents:
3382
diff
changeset
|
1018 |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1019 def verifyLogin(self, username, password): |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1020 # make sure the user exists |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1021 try: |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1022 self.client.userid = self.db.user.lookup(username) |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1023 except KeyError: |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1024 raise exceptions.LoginError(self._('Invalid login')) |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1025 |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1026 # verify the password |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1027 if not self.verifyPassword(self.client.userid, password): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1028 raise exceptions.LoginError(self._('Invalid login')) |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1029 |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1030 # Determine whether the user has permission to log in. |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1031 # Base behaviour is to check the user has "Web Access". |
|
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1032 if not self.hasPermission("Web Access"): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1033 raise exceptions.LoginError(self._( |
|
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1034 "You do not have permission to login")) |
|
2927
9ecca789544f
applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2657
diff
changeset
|
1035 |
|
4484
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1036 def verifyPassword(self, userid, givenpw): |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1037 '''Verify the password that the user has supplied. |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1038 Optionally migrate to new password scheme if configured |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1039 ''' |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1040 db = self.db |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1041 stored = db.user.get(userid, 'password') |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1042 if givenpw == stored: |
|
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1043 if db.config.WEB_MIGRATE_PASSWORDS and stored.needs_migration(): |
|
4486
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
1044 newpw = password.Password(givenpw, config=db.config) |
|
693c75d56ebe
Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4484
diff
changeset
|
1045 db.user.set(userid, password=newpw) |
|
4484
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1046 db.commit() |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1047 return 1 |
|
4484
52e13bf0bb40
Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents:
4416
diff
changeset
|
1048 if not givenpw and not stored: |
|
2004
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1049 return 1 |
|
1782fe36e7b8
Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff
changeset
|
1050 return 0 |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1051 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1052 class ExportCSVAction(Action): |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1053 name = 'export' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1054 permissionType = 'View' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1055 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1056 def handle(self): |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1057 ''' Export the specified search query as CSV. ''' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1058 # figure the request |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
1059 request = templating.HTMLRequest(self.client) |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1060 filterspec = request.filterspec |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1061 sort = request.sort |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1062 group = request.group |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1063 columns = request.columns |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1064 klass = self.db.getclass(request.classname) |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1065 |
|
4624
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1066 # check if all columns exist on class |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1067 # the exception must be raised before sending header |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1068 props = klass.getprops() |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1069 for cname in columns: |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1070 if cname not in props: |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1071 # TODO raise exceptions.NotFound(.....) does not give message |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1072 # so using SeriousError instead |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1073 self.client.response_code = 404 |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1074 raise exceptions.SeriousError( |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1075 self._('Column "%(column)s" not found on %(class)s') |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1076 % {'column': cgi.escape(cname), 'class': request.classname}) |
|
21705126dafa
Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents:
4623
diff
changeset
|
1077 |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1078 # full-text search |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1079 if request.search_text: |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1080 matches = self.db.indexer.search( |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1081 re.findall(r'\b\w{2,25}\b', request.search_text), klass) |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1082 else: |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1083 matches = None |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1084 |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
1085 h = self.client.additional_headers |
|
3499
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1086 h['Content-Type'] = 'text/csv; charset=%s' % self.client.charset |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1087 # some browsers will honor the filename here... |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1088 h['Content-Disposition'] = 'inline; filename=query.csv' |
|
2592
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1089 |
|
2163
791c66a3b738
fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents:
2160
diff
changeset
|
1090 self.client.header() |
|
2592
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1091 |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1092 if self.client.env['REQUEST_METHOD'] == 'HEAD': |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1093 # all done, return a dummy string |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1094 return 'dummy' |
|
5a8d9465827e
implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents:
2563
diff
changeset
|
1095 |
|
3499
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1096 wfile = self.client.request.wfile |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1097 if self.client.charset != self.client.STORAGE_CHARSET: |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1098 wfile = codecs.EncodedFile(wfile, |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1099 self.client.STORAGE_CHARSET, self.client.charset, 'replace') |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1100 |
|
230fb5d49c19
CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents:
3484
diff
changeset
|
1101 writer = csv.writer(wfile) |
|
3987
c4f7b3817d3d
Prevent broken pipe errors in csv export (patch [SF#911449)
Richard Jones <richard@users.sourceforge.net>
parents:
3913
diff
changeset
|
1102 self.client._socket_op(writer.writerow, columns) |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1103 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1104 # and search |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1105 for itemid in klass.filter(matches, filterspec, sort, group): |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1106 row = [] |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1107 for name in columns: |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1108 # check permission to view this property on this item |
|
4112
6441ffe588f7
fix bug introduced into CSV export and view (issue 2550529)
Richard Jones <richard@users.sourceforge.net>
parents:
4088
diff
changeset
|
1109 if not self.hasPermission('View', itemid=itemid, |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1110 classname=request.classname, property=name): |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1111 raise exceptions.Unauthorised(self._( |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1112 'You do not have permission to view %(class)s' |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1113 ) % {'class': request.classname}) |
|
4088
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1114 row.append(str(klass.get(itemid, name))) |
|
34434785f308
Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents:
4083
diff
changeset
|
1115 self.client._socket_op(writer.writerow, row) |
|
2112
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1116 |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1117 return '\n' |
|
b86f0627b07c
added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents:
2108
diff
changeset
|
1118 |
| 4083 | 1119 |
| 1120 class Bridge(BaseAction): | |
| 1121 """Make roundup.actions.Action executable via CGI request. | |
| 1122 | |
| 1123 Using this allows users to write actions executable from multiple frontends. | |
| 1124 CGI Form content is translated into a dictionary, which then is passed as | |
| 1125 argument to 'handle()'. XMLRPC requests have to pass this dictionary | |
| 1126 directly. | |
| 1127 """ | |
| 1128 | |
| 1129 def __init__(self, *args): | |
| 1130 | |
| 1131 # As this constructor is callable from multiple frontends, each with | |
| 1132 # different Action interfaces, we have to look at the arguments to | |
| 1133 # figure out how to complete construction. | |
| 1134 if (len(args) == 1 and | |
| 1135 hasattr(args[0], '__class__') and | |
| 1136 args[0].__class__.__name__ == 'Client'): | |
| 1137 self.cgi = True | |
| 1138 self.execute = self.execute_cgi | |
| 1139 self.client = args[0] | |
| 1140 self.form = self.client.form | |
| 1141 else: | |
| 1142 self.cgi = False | |
| 1143 | |
| 1144 def execute_cgi(self): | |
| 1145 args = {} | |
|
4362
74476eaac38a
more modernisation
Richard Jones <richard@users.sourceforge.net>
parents:
4334
diff
changeset
|
1146 for key in self.form: |
| 4083 | 1147 args[key] = self.form.getvalue(key) |
| 1148 self.permission(args) | |
| 1149 return self.handle(args) | |
| 1150 | |
| 1151 def permission(self, args): | |
| 1152 """Raise Unauthorised if the current user is not allowed to execute | |
| 1153 this action. Users may override this method.""" | |
|
4118
878767b75e1d
fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents:
4112
diff
changeset
|
1154 |
| 4083 | 1155 pass |
| 1156 | |
| 1157 def handle(self, args): | |
|
4118
878767b75e1d
fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents:
4112
diff
changeset
|
1158 |
| 4083 | 1159 raise NotImplementedError |
| 1160 | |
|
2934
c8ee5907f1e2
pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents:
2927
diff
changeset
|
1161 # vim: set filetype=python sts=4 sw=4 et si : |