Mercurial > p > roundup > code

annotate roundup/cgi/actions.py @ 8126:f7bd22bdef9d permission-performance

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Move permission check code to hyperdb Now the hyperdb has a method filter_with_permissions that performs the permission checks before (for filtering on sort/group/filterspec arguments) and after a call to hyperdb.filter. This also fixes possible problems on the unfiltered sort/group/filterspec arguments in roundup/rest.py and roundup/cgi/templating.py
author Ralf Schlatterbeck <rsc@runtux.com>
date Mon, 21 Oct 2024 18:12:03 +0200
parents 19cef1e285b0
children 261438b9c91c
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1 import codecs
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
2 import csv
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
3 import re
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
4 import sys
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
5 from datetime import timedelta
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
6
7178
db06d4aeb978 unshadow stdlib token from roundup's token.
John Rouillard <rouilj@ieee.org>
parents: 7165
diff changeset
7 from roundup import hyperdb, token_r, date, password
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
8 from roundup.actions import Action as BaseAction
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
9 from roundup.anypy import urllib_
7582
978285986b2c fix: issue2551193 - Fix roundup for removal of cgi and cgitb ...
John Rouillard <rouilj@ieee.org>
parents: 7556
diff changeset
10 from roundup.anypy.cgi_ import cgi
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
11 from roundup.anypy.html import html_escape
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
12 from roundup.anypy.strings import StringIO
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
13 from roundup.cgi import exceptions, templating
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
14 from roundup.cgi.timestamp import Timestamped
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
15 from roundup.exceptions import RateLimitExceeded, Reject, RejectRaw
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
16 from roundup.i18n import _
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
17 from roundup.mailgw import uidFromAddress
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
18 from roundup.rate_limit import Gcra, RateLimit
5717
cad18de2b988 issue2550949: Rate limit password guesses/login attempts.
John Rouillard <rouilj@ieee.org>
parents: 5652
diff changeset
19
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
20 # Also add action to client.py::Client.actions property
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
21 __all__ = ['Action', 'ShowAction', 'RetireAction', 'RestoreAction',
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
22 'SearchAction',
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
23 'EditCSVAction', 'EditItemAction', 'PassResetAction',
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
24 'ConfRegoAction', 'RegisterAction', 'LoginAction', 'LogoutAction',
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
25 'NewItemAction', 'ExportCSVAction', 'ExportCSVWithIdAction']
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
26
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
27
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
28 class Action:
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
29 loginLimit = None
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
30
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
31 def __init__(self, client):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
32 self.client = client
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
33 self.form = client.form
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
34 self.db = client.db
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
35 self.nodeid = client.nodeid
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
36 self.template = client.template
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
37 self.classname = client.classname
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
38 self.userid = client.userid
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
39 self.base = client.base
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
40 self.user = client.user
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
41 self.context = templating.context(client)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
42
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
43 def handle(self):
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
44 """Action handler procedure"""
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
45 raise NotImplementedError
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
46
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
47 def execute(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
48 """Execute the action specified by this object."""
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
49 self.permission()
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
50 return self.handle()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
51
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
52 def examine_url(self, url):
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
53 '''Return URL validated to be under self.base and properly escaped
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
54
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
55 If url not properly escaped or validation fails raise ValueError.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
56
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
57 To try to prevent XSS attacks, validate that the url that is
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
58 passed in is under self.base for the tracker. This is used to
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
59 clean up "__came_from" and "__redirect_to" form variables used
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
60 by the LoginAction and NewItemAction actions.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
61
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
62 The url that is passed in must be a properly url quoted
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
63 argument. I.E. all characters that are not valid according to
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
64 RFC3986 must be % encoded. Schema should be lower case.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
65
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
66 It parses the passed url into components.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
67
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
68 It verifies that the scheme is http or https (so a redirect can
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
69 force https even if normal access to the tracker is via http).
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
70 Validates that the network component is the same as in self.base.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
71 Validates that the path component in the base url starts the url's
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
72 path component. It not it raises ValueError. If everything
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
73 validates:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
74
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
75 For each component, Appendix A of RFC 3986 says the following
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
76 are allowed:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
77
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
78 pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
79 query = *( pchar / "/" / "?" )
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
80 unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
81 pct-encoded = "%" HEXDIG HEXDIG
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
82 sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
83 / "*" / "+" / "," / ";" / "="
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
84
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
85 Checks all parts with a regexp that matches any run of 0 or
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
86 more allowed characters. If the component doesn't validate,
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
87 raise ValueError. Don't attempt to urllib_.quote it. Either
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
88 it's correct as it comes in or it's a ValueError.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
89
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
90 Finally paste the whole thing together and return the new url.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
91 '''
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
92
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
93 parsed_url_tuple = urllib_.urlparse(url)
5164
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
94 if self.base:
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
95 parsed_base_url_tuple = urllib_.urlparse(self.base)
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
96 else:
114d9628fd77 Fixed a couple of failing tests for *LoginRedirect in test_actions.py after url validation. Also raise ValueError from examine_url if base url is None.
John Rouillard <rouilj@ieee.org>
parents: 5162
diff changeset
97 raise ValueError(self._("Base url not set. Check configuration."))
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
98
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
99 info = {'url': url,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
100 'base_url': self.base,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
101 'base_scheme': parsed_base_url_tuple.scheme,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
102 'base_netloc': parsed_base_url_tuple.netloc,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
103 'base_path': parsed_base_url_tuple.path,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
104 'url_scheme': parsed_url_tuple.scheme,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
105 'url_netloc': parsed_url_tuple.netloc,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
106 'url_path': parsed_url_tuple.path,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
107 'url_params': parsed_url_tuple.params,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
108 'url_query': parsed_url_tuple.query,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
109 'url_fragment': parsed_url_tuple.fragment}
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
110
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
111 if parsed_base_url_tuple.scheme == "https":
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
112 if parsed_url_tuple.scheme != "https":
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
113 raise ValueError(self._("Base url %(base_url)s requires https."
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
114 " Redirect url %(url)s uses http.") %
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
115 info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
116 else:
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
117 if parsed_url_tuple.scheme not in ('http', 'https'):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
118 raise ValueError(self._("Unrecognized scheme in %(url)s") %
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
119 info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
120
5382
1556b39fde7c Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
121 if parsed_url_tuple.netloc != parsed_base_url_tuple.netloc:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
122 raise ValueError(self._("Net location in %(url)s does not match "
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
123 "base: %(base_netloc)s") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
124
5382
1556b39fde7c Python 3 preparation: use != instead of <>.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
125 if parsed_url_tuple.path.find(parsed_base_url_tuple.path) != 0:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
126 raise ValueError(self._("Base path %(base_path)s is not a "
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
127 "prefix for url %(url)s") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
128
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
129 # I am not sure if this has to be language sensitive.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
130 # Do ranges depend on the LANG of the user??
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
131 # Is there a newer spec for URI's than what I am referencing?
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
132
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
133 # Also it really should be % HEXDIG HEXDIG that's allowed
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
134 # If %%% passes, the roundup server should be able to ignore/
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
135 # quote it so it doesn't do anything bad otherwise we have a
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
136 # different vector to handle.
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
137 allowed_pattern = re.compile(r'''^[A-Za-z0-9@:/?._~%!$&'()*+,;=-]*$''')
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
138
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
139 if not allowed_pattern.match(parsed_url_tuple.path):
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
140 raise ValueError(self._("Path component (%(url_path)s) in %(url)s "
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
141 "is not properly escaped") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
142
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
143 if not allowed_pattern.match(parsed_url_tuple.params):
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
144 raise ValueError(self._("Params component (%(url_params)s) in %(url)s is not properly escaped") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
145
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
146 if not allowed_pattern.match(parsed_url_tuple.query):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
147 raise ValueError(self._("Query component (%(url_query)s) in %(url)s is not properly escaped") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
148
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
149 if not allowed_pattern.match(parsed_url_tuple.fragment):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
150 raise ValueError(self._("Fragment component (%(url_fragment)s) in %(url)s is not properly escaped") % info)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
151
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
152 return urllib_.urlunparse(parsed_url_tuple)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
153
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
154 name = ''
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
155 permissionType = None
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
156
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
157 def permission(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
158 """Check whether the user has permission to execute this action.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
159
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
160 True by default. If the permissionType attribute is a string containing
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
161 a simple permission, check whether the user has that permission.
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
162 Subclasses must also define the name attribute if they define
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
163 permissionType.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
164
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
165 Despite having this permission, users may still be unauthorised to
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
166 perform parts of actions. It is up to the subclasses to detect this.
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
167 """
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
168 if (self.permissionType and
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
169 not self.hasPermission(self.permissionType)):
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
170 info = {'action': self.name, 'classname': self.classname}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
171 raise exceptions.Unauthorised(self._(
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
172 'You do not have permission to '
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
173 '%(action)s the %(classname)s class.') % info)
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
174
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
175 _marker = []
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
176
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
177 def hasPermission(self, permission, classname=_marker, itemid=None,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
178 property=None):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
179 """Check whether the user has 'permission' on the current class."""
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
180 if classname is self._marker:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
181 classname = self.client.classname
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
182 return self.db.security.hasPermission(permission, self.client.userid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
183 classname=classname,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
184 itemid=itemid, property=property)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
185
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
186 def gettext(self, msgid):
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
187 """Return the localized translation of msgid"""
2563
420d5c2a49d9 use client.translator instead of static translationService;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2553
diff changeset
188 return self.client.translator.gettext(msgid)
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
189
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
190 _ = gettext
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
191
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
192
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
193 class ShowAction(Action):
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
194
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
195 typere = re.compile('[@:]type')
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
196 numre = re.compile('[@:]number')
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
197
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
198 def handle(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
199 """Show a node of a particular class/id."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
200 t = n = ''
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
201 for key in self.form:
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
202 if self.typere.match(key):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
203 t = self.form[key].value.strip()
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
204 elif self.numre.match(key):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
205 n = self.form[key].value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
206 if not t:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
207 raise ValueError(self._('No type specified'))
2052
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
208 if not n:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
209 raise exceptions.SeriousError(self._('No ID entered'))
2052
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
210 try:
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
211 int(n)
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
212 except ValueError:
78e6a1e4984e forward-port from maint branch
Richard Jones <richard@users.sourceforge.net>
parents: 2045
diff changeset
213 d = {'input': n, 'classname': t}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
214 raise exceptions.SeriousError(self._(
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
215 '"%(input)s" is not an ID (%(classname)s ID required)') % d)
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
216 url = '%s%s%s' % (self.base, t, n)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
217 raise exceptions.Redirect(url)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
218
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
219
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
220 class RetireAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
221 name = 'retire'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
222 permissionType = 'Edit'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
223
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
224 def handle(self):
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
225 """Retire the context item."""
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
226 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
227 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
228 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
229
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
230 # if we want to view the index template now, then unset the itemid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
231 # context info (a special-case for retire actions on the index page)
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
232 itemid = self.nodeid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
233 if self.template == 'index':
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
234 self.client.nodeid = None
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
235
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
236 # make sure we don't try to retire admin or anonymous
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
237 if self.classname == 'user' and \
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
238 self.db.user.get(itemid, 'username') in ('admin', 'anonymous'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
239 raise ValueError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
240 'You may not retire the admin or anonymous user'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
241
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
242 # check permission
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
243 if not self.hasPermission('Retire', classname=self.classname,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
244 itemid=itemid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
245 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
246 'You do not have permission to retire %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
247 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
248
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
249 # do the retire
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
250 self.db.getclass(self.classname).retire(itemid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
251 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
252
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
253 self.client.add_ok_message(
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
254 self._('%(classname)s %(itemid)s has been retired') % {
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
255 'classname': self.classname.capitalize(), 'itemid': itemid})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
256
3473
370bb8f3c4d1 fix permission check on RetireAction [SF#1407342]
Richard Jones <richard@users.sourceforge.net>
parents: 3469
diff changeset
257
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
258 class RestoreAction(Action):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
259 name = 'restore'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
260 permissionType = 'Edit'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
261
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
262 def handle(self):
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
263 """Restore the context item."""
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
264 # ensure modification comes via POST
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
265 if self.client.env['REQUEST_METHOD'] != 'POST':
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
266 raise Reject(self._('Invalid request'))
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
267
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
268 # if we want to view the index template now, then unset the itemid
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
269 # context info (a special-case for retire actions on the index page)
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
270 itemid = self.nodeid
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
271 if self.template == 'index':
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
272 self.client.nodeid = None
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
273
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
274 # check permission
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
275 if not self.hasPermission('Restore', classname=self.classname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
276 itemid=itemid):
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
277 raise exceptions.Unauthorised(self._(
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
278 'You do not have permission to restore %(class)s'
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
279 ) % {'class': self.classname})
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
280
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
281 # do the restore
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
282 self.db.getclass(self.classname).restore(itemid)
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
283 self.db.commit()
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
284
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
285 self.client.add_ok_message(
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
286 self._('%(classname)s %(itemid)s has been restored') % {
5119
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
287 'classname': self.classname.capitalize(), 'itemid': itemid})
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
288
748ba87e1aca Added a new cgi action restore. The opposite of (and a clone of) the existing retire action.
John Rouillard <rouilj@ieee.org>
parents: 5097
diff changeset
289
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
290 class SearchAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
291 name = 'search'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
292 permissionType = 'View'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
293
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
294 def handle(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
295 """Mangle some of the form variables.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
296
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
297 Set the form ":filter" variable based on the values of the filter
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
298 variables - if they're set to anything other than "dontcare" then add
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
299 them to :filter.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
300
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
301 Handle the ":queryname" variable and save off the query to the user's
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
302 query list.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
303
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
304 Split any String query values on whitespace and comma.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
305
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
306 """
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
307 self.fakeFilterVars()
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
308 queryname = self.getQueryName()
3913
00896a2acaa5 clean up query display of "Private to you" items
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3855
diff changeset
309
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
310 # editing existing query name?
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
311 old_queryname = self.getFromForm('old-queryname')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
312
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
313 # handle saving the query params
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
314 if queryname:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
315 # parse the environment and figure what the query _is_
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
316 req = templating.HTMLRequest(self.client)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
317
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
318 url = self.getCurrentURL(req)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
319
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
320 key = self.db.query.getkey()
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
321 if key:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
322 # edit the old way, only one query per name
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
323 # Note that use of queryname as key will automatically
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
324 # raise an error if there are duplicate names.
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
325 try:
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
326 qid = self.db.query.lookup(old_queryname)
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
327 if not self.hasPermission('Edit', 'query', itemid=qid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
328 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
329 "You do not have permission to edit queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
330 self.db.query.set(qid, klass=self.classname, url=url)
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
331 except KeyError:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
332 # create a query
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
333 if not self.hasPermission('Create', 'query'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
334 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
335 "You do not have permission to store queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
336 qid = self.db.query.create(name=queryname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
337 klass=self.classname, url=url)
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
338 else:
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
339 uid = self.db.getuid()
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
340
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
341 # if the queryname is being changed from the old
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
342 # (original) value, make sure new queryname is not
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
343 # already in use by user.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
344 # if in use, return to edit/search screen and let
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
345 # user change it.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
346
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
347 if old_queryname != queryname:
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
348 # we have a name change
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
349 qids = self.db.query.filter(None, {'name': queryname,
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
350 'creator': uid})
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
351 for qid in qids:
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
352 # require an exact name match
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
353 if queryname != self.db.query.get(qid, 'name'):
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
354 continue
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
355 # whoops we found a duplicate; report error and return
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
356 message = _(
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
357 "You already own a query named '%s'. "
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
358 "Please choose another name.") % (queryname)
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
359
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
360 self.client.add_error_message(message)
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
361 return
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
362
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
363 # edit the new way, query name not a key any more
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
364 # see if we match an existing private query
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
365 qids = self.db.query.filter(None, {'name': old_queryname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
366 'private_for': uid})
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
367 if not qids:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
368 # ok, so there's not a private query for the current user
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
369 # - see if there's one created by them
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
370 qids = self.db.query.filter(None, {'name': old_queryname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
371 'creator': uid})
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
372
3581
d10008f756a4 fix saving of queries [SF#1436169]
Richard Jones <richard@users.sourceforge.net>
parents: 3549
diff changeset
373 if qids and old_queryname:
2362
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
374 # edit query - make sure we get an exact match on the name
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
375 for qid in qids:
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
376 if old_queryname != self.db.query.get(qid, 'name'):
2362
10fc45eea226 fix SearchAction use of Class.filter(), and clarify API docs for same
Richard Jones <richard@users.sourceforge.net>
parents: 2291
diff changeset
377 continue
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
378 if not self.hasPermission('Edit', 'query', itemid=qid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
379 raise exceptions.Unauthorised(self._(
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
380 "You do not have permission to edit queries"))
3518
7fb8cfe3c737 enable editing of public queries [SF#966144]
Richard Jones <richard@users.sourceforge.net>
parents: 3499
diff changeset
381 self.db.query.set(qid, klass=self.classname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
382 url=url, name=queryname)
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
383 else:
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
384 # create a query
3073
7fefb1e29ed0 fix permission lookup in query editing
Richard Jones <richard@users.sourceforge.net>
parents: 3012
diff changeset
385 if not self.hasPermission('Create', 'query'):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
386 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
387 "You do not have permission to store queries"))
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
388 qid = self.db.query.create(name=queryname,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
389 klass=self.classname, url=url,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
390 private_for=uid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
391
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
392 # and add it to the user's query multilink
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
393 queries = self.db.user.get(self.userid, 'queries')
2061
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
394 if qid not in queries:
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
395 queries.append(qid)
0eeecaac008a query saving fix
Richard Jones <richard@users.sourceforge.net>
parents: 2052
diff changeset
396 self.db.user.set(self.userid, queries=queries)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
397
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
398 # commit the query change to the database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
399 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
400
5192
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
401 # This redirects to the index page. Add the @dispname
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
402 # url param to the request so that the query name
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
403 # is displayed.
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
404 req.form.list.append(
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
405 cgi.MiniFieldStorage(
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
406 "@dispname", queryname
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
407 )
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
408 )
302e3a1a7190 Three sets of changes:
rouilj@uland
parents: 5173
diff changeset
409
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
410 def fakeFilterVars(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
411 """Add a faked :filter form variable for each filtering prop."""
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
412 cls = self.db.classes[self.classname]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
413 for key in self.form:
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
414 prop = cls.get_transitive_prop(key)
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
415 if not prop:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
416 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
417 if isinstance(self.form[key], type([])):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
418 # search for at least one entry which is not empty
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
419 for minifield in self.form[key]:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
420 if minifield.value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
421 break
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
422 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
423 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
424 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
425 if not self.form[key].value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
426 continue
3635
53987aa153d2 Transitive-property support.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3604
diff changeset
427 if isinstance(prop, hyperdb.String):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
428 v = self.form[key].value
5245
bc16d91b7a50 Fix token_split() so its one error throws ValueError w/out extra arg.
Eric S. Raymond <esr@thyrsus.com>
parents: 5217
diff changeset
429 # If this ever has unbalanced quotes, hilarity will ensue
7178
db06d4aeb978 unshadow stdlib token from roundup's token.
John Rouillard <rouilj@ieee.org>
parents: 7165
diff changeset
430 tokens = token_r.token_split(v)
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
431 if len(tokens) != 1 or tokens[0] != v:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
432 self.form.value.remove(self.form[key])
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
433 # replace the single value with the split list
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
434 for v in tokens:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
435 self.form.value.append(cgi.MiniFieldStorage(key, v))
5097
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
436 elif isinstance(prop, hyperdb.Number):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
437 try:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
438 float(self.form[key].value)
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
439 except ValueError:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
440 raise exceptions.FormError(_("Invalid number: ") +
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
441 self.form[key].value)
5097
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
442 elif isinstance(prop, hyperdb.Integer):
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
443 try:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
444 val = self.form[key].value
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
445 if (str(int(val)) == val):
5097
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
446 pass
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
447 else:
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
448 raise ValueError
156cbc1d182c Validate values for Integer and Numeric type filter parameters rather than
John Rouillard <rouilj@ieee.org>
parents: 5093
diff changeset
449 except ValueError:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
450 raise exceptions.FormError(_("Invalid integer: ") +
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
451 val)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
452
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
453 self.form.value.append(cgi.MiniFieldStorage('@filter', key))
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
454
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
455 def getCurrentURL(self, req):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
456 """Get current URL for storing as a query.
3805
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
457
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
458 Note: We are removing the first character from the current URL,
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
459 because the leading '?' is not part of the query string.
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
460
f86d9531c8db comment update
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3804
diff changeset
461 Implementation note:
5173
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
462 We now store the template with the query if the template name is
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
463 different from 'index'
4f99aad7e8e8 Store template name with saved query
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5165
diff changeset
464 """
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
465 template = self.getFromForm('template')
6574
20d4ca71d458 Fix unwanted redirect from search index to edit on login error
John Rouillard <rouilj@ieee.org>
parents: 6468
diff changeset
466 if template and template not in ['index', 'index|search']:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
467 return req.indexargs_url('', {'@template': template})[1:]
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
468 return req.indexargs_url('', {})[1:]
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
469
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
470 def getFromForm(self, name):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
471 for key in ('@' + name, ':' + name):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
472 if key in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
473 return self.form[key].value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
474 return ''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
475
3804
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
476 def getQueryName(self):
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
477 return self.getFromForm('queryname')
5445ff8c442b factor getCurrentURL into its own method:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3673
diff changeset
478
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
479
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
480 class EditCSVAction(Action):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
481 name = 'edit'
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
482 permissionType = 'Edit'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
483
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
484 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
485 """Performs an edit of all of a class' items in one go.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
486
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
487 The "rows" CGI var defines the CSV-formatted entries for the class. New
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
488 nodes are identified by the ID 'X' (or any other non-existent ID) and
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
489 removed lines are retired.
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
490 """
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
491 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
492 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
493 raise Reject(self._('Invalid request'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
494
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
495 # figure the properties list for the class
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
496 cl = self.db.classes[self.classname]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
497 props_without_id = list(cl.getprops(protected=0))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
498
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
499 # the incoming CSV data will always have the properties in colums
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
500 # sorted and starting with the "id" column
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
501 props_without_id.sort()
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
502 props = ['id'] + props_without_id
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
503
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
504 # do the edit
5452
b50a4c85c270 fixed incorrect usage of BytesIO
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5395
diff changeset
505 rows = StringIO(self.form['rows'].value)
3179
88dbe6b3d891 merge removal of rcsv
Richard Jones <richard@users.sourceforge.net>
parents: 3145
diff changeset
506 reader = csv.reader(rows)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
507 found = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
508 line = 0
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
509 for values in reader:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
510 line += 1
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
511 if line == 1: continue # noqa: E701
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
512 # skip property names header
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
513 if values == props:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
514 continue
6435
ada96db8ec62 Ignore blank lines when editing class via CSV
John Rouillard <rouilj@ieee.org>
parents: 6375
diff changeset
515 # skip blank lines. Can be in the middle
ada96db8ec62 Ignore blank lines when editing class via CSV
John Rouillard <rouilj@ieee.org>
parents: 6375
diff changeset
516 # of the data or a newline at end of file.
ada96db8ec62 Ignore blank lines when editing class via CSV
John Rouillard <rouilj@ieee.org>
parents: 6375
diff changeset
517 if len(values) == 0:
ada96db8ec62 Ignore blank lines when editing class via CSV
John Rouillard <rouilj@ieee.org>
parents: 6375
diff changeset
518 continue
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
519
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
520 # extract the itemid
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
521 itemid, values = values[0], values[1:]
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
522 found[itemid] = 1
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
523
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
524 # see if the node exists
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
525 if itemid in ('x', 'X') or not cl.hasnode(itemid):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
526 exists = 0
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
527
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
528 # check permission to create this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
529 if not self.hasPermission('Create', classname=self.classname):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
530 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
531 'You do not have permission to create %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
532 ) % {'class': self.classname})
4293
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
533 elif cl.hasnode(itemid) and cl.is_retired(itemid):
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
534 # If a CSV line just mentions an id and the corresponding
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
535 # item is retired, then the item is restored.
9b9ab6109254 Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Richard Jones <richard@users.sourceforge.net>
parents: 4146
diff changeset
536 cl.restore(itemid)
5515
cd0ceb2afdb8 fixed issue2550993 and added test case
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5503
diff changeset
537 exists = 1
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
538 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
539 exists = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
540
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
541 # confirm correct weight
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
542 if len(props_without_id) != len(values):
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
543 self.client.add_error_message(
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
544 self._('Not enough values on line %(line)s') % {
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
545 'line': line})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
546 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
547
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
548 # extract the new values
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
549 d = {}
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
550 for name, value in zip(props_without_id, values):
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
551 # check permission to edit this property on this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
552 if exists and not self.hasPermission('Edit', itemid=itemid,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
553 classname=self.classname,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
554 property=name):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
555 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
556 'You do not have permission to edit %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
557 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
558
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
559 prop = cl.properties[name]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
560 value = value.strip()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
561 # only add the property if it has a value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
562 if value:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
563 # if it's a multilink, split it
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
564 if isinstance(prop, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
565 value = value.split(':')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
566 elif isinstance(prop, hyperdb.Password):
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
567 value = password.Password(value, config=self.db.config)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
568 elif isinstance(prop, hyperdb.Interval):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
569 value = date.Interval(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
570 elif isinstance(prop, hyperdb.Date):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
571 value = date.Date(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
572 elif isinstance(prop, hyperdb.Boolean):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
573 value = value.lower() in ('yes', 'true', 'on', '1')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
574 elif isinstance(prop, hyperdb.Number):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
575 value = float(value)
5067
e424987d294a Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents: 5044
diff changeset
576 elif isinstance(prop, hyperdb.Integer):
e424987d294a Add support for an integer type to join the existing number type.
John Rouillard <rouilj@ieee.org>
parents: 5044
diff changeset
577 value = int(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
578 d[name] = value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
579 elif exists:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
580 # nuke the existing value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
581 if isinstance(prop, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
582 d[name] = []
5814
bd6d41f21a5a More extensive EditCSV testing.
John Rouillard <rouilj@ieee.org>
parents: 5800
diff changeset
583 elif isinstance(prop, hyperdb.Password):
bd6d41f21a5a More extensive EditCSV testing.
John Rouillard <rouilj@ieee.org>
parents: 5800
diff changeset
584 # create empty password entry
bd6d41f21a5a More extensive EditCSV testing.
John Rouillard <rouilj@ieee.org>
parents: 5800
diff changeset
585 d[name] = password.Password("", config=self.db.config)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
586 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
587 d[name] = None
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
588
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
589 # perform the edit
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
590 if exists:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
591 # edit existing
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
592 cl.set(itemid, **d)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
593 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
594 # new node
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
595 found[cl.create(**d)] = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
596
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
597 # retire the removed entries
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
598 for itemid in cl.list():
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
599 if itemid not in found:
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
600 # check permission to retire this item
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
601 if not self.hasPermission('Retire', itemid=itemid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
602 classname=self.classname):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
603 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
604 'You do not have permission to retire %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
605 ) % {'class': self.classname})
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
606 cl.retire(itemid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
607
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
608 # all OK
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
609 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
610
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
611 self.client.add_ok_message(self._('Items edited OK'))
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
612
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
613
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
614 class EditCommon(Action):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
615 '''Utility methods for editing.'''
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
616
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
617 def _editnodes(self, all_props, all_links):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
618 ''' Use the props in all_props to perform edit and creation, then
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
619 use the link specs in all_links to do linking.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
620 '''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
621 # figure dependencies and re-work links
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
622 deps = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
623 links = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
624 for cn, nodeid, propname, vlist in all_links:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
625 numeric_id = int(nodeid or 0)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
626 if not (numeric_id > 0 or (cn, nodeid) in all_props):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
627 # link item to link to doesn't (and won't) exist
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
628 continue
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
629
3852
0dd05c9e5fff New test for linking of non-existing and existing properties via a form.
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3851
diff changeset
630 for value in vlist:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
631 if value not in all_props:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
632 # link item to link to doesn't (and won't) exist
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
633 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
634 deps.setdefault((cn, nodeid), []).append(value)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
635 links.setdefault(value, []).append((cn, nodeid, propname))
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
636
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
637 # figure chained dependencies ordering
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
638 order = []
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
639 done = {}
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
640 # loop detection
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
641 change = 0
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
642 while len(all_props) != len(done):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
643 for needed in all_props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
644 if needed in done:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
645 continue
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
646 tlist = deps.get(needed, [])
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
647 for target in tlist:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
648 if target not in done:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
649 break
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
650 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
651 done[needed] = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
652 order.append(needed)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
653 change = 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
654 if not change:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
655 raise ValueError('linking must not loop!')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
656
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
657 # now, edit / create
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
658 m = []
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
659 for needed in order:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
660 props = all_props[needed]
3851
5fe1f30f7f30 Bug-fix: In case we have a @link@ to an existing node...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 3850
diff changeset
661 cn, nodeid = needed
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
662 if props:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
663 if nodeid is not None and int(nodeid) > 0:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
664 # make changes to the node
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
665 props = self._changenode(cn, nodeid, props)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
666
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
667 # and some nice feedback for the user
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
668 if props:
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
669 info = ', '.join(map(self._, props))
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
670 m.append(
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
671 self._('%(class)s %(id)s %(properties)s edited ok')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
672 % {'class': cn, 'id': nodeid, 'properties': info})
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
673 else:
5251
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
674 # this used to produce a message like:
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
675 # issue34 - nothing changed
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
676 # which is confusing if only quiet properties
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
677 # changed for the class/id. So don't report
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
678 # anything if the user didn't explicitly change
5251
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
679 # a visible (non-quiet) property.
35b30ce991d0 Suppress the "... - nothing changed" status banner presented when a
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
680 pass
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
681 else:
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
682 # make a new node
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
683 newid = self._createnode(cn, props)
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
684 if nodeid is None:
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
685 self.nodeid = newid
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
686 nodeid = newid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
687
3850
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
688 # and some nice feedback for the user
326269886c32 Fix form handling of editing existing hyperdb items from a new item page.
Richard Jones <richard@users.sourceforge.net>
parents: 3847
diff changeset
689 m.append(self._('%(class)s %(id)s created')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
690 % {'class': cn, 'id': newid})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
691
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
692 # fill in new ids in links
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
693 if needed in links:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
694 for linkcn, linkid, linkprop in links[needed]:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
695 props = all_props[(linkcn, linkid)]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
696 cl = self.db.classes[linkcn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
697 propdef = cl.getprops()[linkprop]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
698 if linkprop not in props:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
699 if linkid is None or linkid.startswith('-'):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
700 # linking to a new item
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
701 if isinstance(propdef, hyperdb.Multilink):
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
702 props[linkprop] = [nodeid]
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
703 else:
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
704 props[linkprop] = nodeid
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
705 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
706 # linking to an existing item
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
707 if isinstance(propdef, hyperdb.Multilink):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
708 existing = cl.get(linkid, linkprop)[:]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
709 existing.append(nodeid)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
710 props[linkprop] = existing
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
711 else:
4304
df7a4400c2ce Fix linking of an existing item to a newly created item...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4293
diff changeset
712 props[linkprop] = nodeid
4992
b562df8a5056 Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4880
diff changeset
713 elif isinstance(propdef, hyperdb.Multilink):
b562df8a5056 Fix form-parsing for multilinks
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4880
diff changeset
714 props[linkprop].append(nodeid)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
715
4623
4f9c3858b671 Fix another XSS with the ok- and error message, see issue2550724.
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4521
diff changeset
716 return '\n'.join(m)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
717
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
718 def _changenode(self, cn, nodeid, props):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
719 """Change the node based on the contents of the form."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
720 # check for permission
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
721 if not self.editItemPermission(props, classname=cn, itemid=nodeid):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
722 raise exceptions.Unauthorised(self._(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
723 'You do not have permission to edit %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
724 ) % {'class': cn})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
725
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
726 # make the changes
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
727 cl = self.db.classes[cn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
728 return cl.set(nodeid, **props)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
729
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
730 def _createnode(self, cn, props):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
731 """Create a node based on the contents of the form."""
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
732 # check for permission
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
733 if not self.newItemPermission(props, classname=cn):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
734 raise exceptions.Unauthorised(self._(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
735 'You do not have permission to create %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
736 ) % {'class': cn})
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
737
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
738 # create the node and return its id
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
739 cl = self.db.classes[cn]
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
740 return cl.create(**props)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
741
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
742 def isEditingSelf(self):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
743 """Check whether a user is editing his/her own details."""
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
744 return (self.nodeid == self.userid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
745 and self.db.user.get(self.nodeid, 'username') != 'anonymous')
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
746
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
747 _cn_marker = []
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
748
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
749 def editItemPermission(self, props, classname=_cn_marker, itemid=None):
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
750 """Determine whether the user has permission to edit this item."""
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
751 if itemid is None:
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
752 itemid = self.nodeid
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
753 if classname is self._cn_marker:
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
754 classname = self.classname
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
755 # The user must have permission to edit each of the properties
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
756 # being changed.
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
757 for p in props:
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
758 if not self.hasPermission('Edit', itemid=itemid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
759 classname=classname, property=p):
4030
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
760 return 0
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
761 # Since the user has permission to edit all of the properties,
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
762 # the edit is OK.
b140d76c1cc8 fix issue2550502
Stefan Seefeld <stefan@seefeld.name>
parents: 3989
diff changeset
763 return 1
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
764
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
765 def newItemPermission(self, props, classname=None):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
766 """Determine whether the user has permission to create this item.
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
767
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
768 Base behaviour is to check the user can edit this class. No additional
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
769 property checks are made.
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
770 """
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
771
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
772 if not classname:
3468
6f3b30925975 fix permission checks in cgi interface [SF#1289557]
Richard Jones <richard@users.sourceforge.net>
parents: 3466
diff changeset
773 classname = self.client.classname
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
774
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
775 if not self.hasPermission('Create', classname=classname):
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
776 return 0
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
777
4310
8e0d350ce644 Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4304
diff changeset
778 # Check Create permission for each property, to avoid being able
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
779 # to set restricted ones on new item creation
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
780 for key in props:
4310
8e0d350ce644 Proper handling of 'Create' permissions in both mail gateway...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4304
diff changeset
781 if not self.hasPermission('Create', classname=classname,
4126
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
782 property=key):
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
783 return 0
e67379669e11 Make sure user has edit permission on all properties when creating items.
Stefan Seefeld <stefan@seefeld.name>
parents: 4118
diff changeset
784 return 1
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
785
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
786
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
787 class EditItemAction(EditCommon):
2143
b29323f75718 wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents: 2136
diff changeset
788 def lastUserActivity(self):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
789 if ':lastactivity' in self.form:
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
790 d = date.Date(self.form[':lastactivity'].value)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
791 elif '@lastactivity' in self.form:
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
792 d = date.Date(self.form['@lastactivity'].value)
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
793 else:
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
794 return None
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
795 d.second = int(d.second)
2264
9b34f41507ed *** empty log message ***
Richard Jones <richard@users.sourceforge.net>
parents: 2260
diff changeset
796 return d
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
797
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
798 def lastNodeActivity(self):
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
799 cl = getattr(self.client.db, self.classname)
2260
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
800 activity = cl.get(self.nodeid, 'activity').local(0)
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
801 activity.second = int(activity.second)
46d9cc1e4fc4 collision detection only at second granularity
Richard Jones <richard@users.sourceforge.net>
parents: 2248
diff changeset
802 return activity
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
803
2143
b29323f75718 wow, I broke that good
Richard Jones <richard@users.sourceforge.net>
parents: 2136
diff changeset
804 def detectCollision(self, user_activity, node_activity):
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
805 '''Check for a collision and return the list of props we edited
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
806 that conflict.'''
3188
7faae85e1e33 merge from branch
Richard Jones <richard@users.sourceforge.net>
parents: 3179
diff changeset
807 if user_activity and user_activity < node_activity:
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
808 props, links = self.client.parsePropsFromForm()
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
809 key = (self.classname, self.nodeid)
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
810 # we really only collide for direct prop edit conflicts
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
811 return list(props[key])
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
812 else:
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
813 return []
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
814
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
815 def handleCollision(self, props):
6301
45ba6b71f1cf actions.py translation. Using mapping rather than tuple for args.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
816 message = self._(
45ba6b71f1cf actions.py translation. Using mapping rather than tuple for args.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
817 'Edit Error: someone else has edited this %(klass)s (%(props)s). '
45ba6b71f1cf actions.py translation. Using mapping rather than tuple for args.
John Rouillard <rouilj@ieee.org>
parents: 6190
diff changeset
818 'View <a target="_blank" href="%(klass)s%(id)s">their changes</a> '
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
819 'in a new window.') % {"klass": self.classname,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
820 "props": ', '.join(props),
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
821 "id": self.nodeid}
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
822 self.client.add_error_message(message, escape=False)
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
823 return
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
824
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
825 def handle(self):
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
826 """Perform an edit of an item in the database.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
827
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
828 See parsePropsFromForm and _editnodes for special variables.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
829
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
830 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
831 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
832 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
833 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
834
2148
2490d26c88df Line 485, lastUserActivity misspelled as lastUserActvity.
Brian Kelley <wc2so1@users.sourceforge.net>
parents: 2143
diff changeset
835 user_activity = self.lastUserActivity()
3145
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
836 if user_activity:
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
837 props = self.detectCollision(user_activity, self.lastNodeActivity())
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
838 if props:
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
839 self.handleCollision(props)
9aa9436a81e0 better edit conflict handling
Richard Jones <richard@users.sourceforge.net>
parents: 3130
diff changeset
840 return
2014
366d3bbce982 Simple version of collision detection...
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2012
diff changeset
841
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
842 props, links = self.client.parsePropsFromForm()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
843
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
844 # handle the props
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
845 try:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
846 message = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
847 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
848 escape = not isinstance(message, RejectRaw)
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
849 self.client.add_error_message(
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
850 self._('Edit Error: %s') % str(message), escape=escape)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
851 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
852
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
853 # commit now that all the tricky stuff is done
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
854 self.db.commit()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
855
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
856 # redirect to the item's edit page
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
857 # redirect to finish off
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
858 url = self.base + self.classname
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
859 # note that this action might have been called by an index page, so
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
860 # we will want to include index-page args in this URL too
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
861 if self.nodeid is not None:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
862 url += self.nodeid
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
863 url += '?@ok_message=%s&@template=%s' % (urllib_.quote(message),
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
864 urllib_.quote(self.template))
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
865 if self.nodeid is None:
2136
ee3cf6a44f29 queries on a per-user basis, and public queries [SF#891798] :)
Richard Jones <richard@users.sourceforge.net>
parents: 2130
diff changeset
866 req = templating.HTMLRequest(self.client)
3130
7308c3c5a943 docs editing from Jean Jordaan
Richard Jones <richard@users.sourceforge.net>
parents: 3073
diff changeset
867 url += '&' + req.indexargs_url('', {})[1:]
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
868 raise exceptions.Redirect(url)
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
869
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
870
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
871 class NewItemAction(EditCommon):
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
872 def handle(self):
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
873 ''' Add a new item to the database.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
874
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
875 This follows the same form as the EditItemAction, with the same
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
876 special form values.
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
877 '''
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
878 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
879 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
880 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
881
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
882 # parse the props from the form
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
883 try:
2107
b7404a96b58a minor pre-release / test fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2082
diff changeset
884 props, links = self.client.parsePropsFromForm(create=1)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
885 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
886 self.client.add_error_message(self._('Error: %s')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
887 % str(message))
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
888 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
889
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
890 # handle the props - edit or create
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
891 try:
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
892 # when it hits the None element, it'll set self.nodeid
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
893 messages = self._editnodes(props, links)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
894 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
895 escape = not isinstance(message, RejectRaw)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
896 # these errors might just be indicative of user dumbness
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
897 self.client.add_error_message(_('Error: %s') % str(message),
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
898 escape=escape)
2012
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
899 return
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
900
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
901 # commit now that all the tricky stuff is done
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
902 self.db.commit()
9cc7b7d0ca3f Fix last commit to make editing/creating items work again.
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2010
diff changeset
903
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
904 # Allow an option to stay on the page to create new things
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
905 if '__redirect_to' in self.form:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
906 raise exceptions.Redirect('%s&@ok_message=%s' % (
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
907 self.examine_url(self.form['__redirect_to'].value),
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
908 urllib_.quote(messages)))
5158
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
909
63294ed25e84 issue1842687: Keywords: After creating, stay in "Create New" mode.
John Rouillard <rouilj@ieee.org>
parents: 5121
diff changeset
910 # otherwise redirect to the new item's page
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
911 raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % (
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
912 self.base, self.classname, self.nodeid, urllib_.quote(messages),
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
913 urllib_.quote(self.template)))
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
914
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
915
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
916 class PassResetAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
917 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
918 """Handle password reset requests.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
919
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
920 Presence of either "name" or "address" generates email. Presence of
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
921 "otk" performs the reset.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
922
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
923 """
2291
90cca653ef3d otks manager missing [SF#952931]
Richard Jones <richard@users.sourceforge.net>
parents: 2264
diff changeset
924 otks = self.db.getOTKManager()
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
925 if 'otk' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
926 # pull the rego information out of the otk database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
927 otk = self.form['otk'].value
3673
94b905502d26 removed traceback with OTK is used multiple times [SF#1240539]
Richard Jones <richard@users.sourceforge.net>
parents: 3635
diff changeset
928 uid = otks.get(otk, 'uid', default=None)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
929 if uid is None:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
930 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
931 self._("Invalid One Time Key!\n"
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
932 "(a Mozilla bug may cause this message "
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
933 "to show up erroneously, please check your email)"))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
934 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
935
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
936 # pull the additional email address if exist
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
937 uaddress = otks.get(otk, 'uaddress', default=None)
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
938
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
939 # re-open the database as "admin"
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
940 if self.user != 'admin':
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
941 self.client.opendb('admin')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
942 self.db = self.client.db
2372
c26bb78d2f0c couple of bugfixes
Richard Jones <richard@users.sourceforge.net>
parents: 2362
diff changeset
943 otks = self.db.getOTKManager()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
944
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
945 # change the password
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
946 newpw = password.generatePassword()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
947
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
948 cl = self.db.user
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
949 # XXX we need to make the "default" page be able to display errors!
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
950 try:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
951 # set the password
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
952 cl.set(uid, password=password.Password(newpw,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
953 config=self.db.config))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
954 # clear the props from the otk database
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
955 otks.destroy(otk)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5256
diff changeset
956 otks.commit()
5340
ed6153d3ee6a Fix password reset
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5322
diff changeset
957 # commit the password change
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
958 self.db.commit()
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
959 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
960 self.client.add_error_message(str(message))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
961 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
962
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
963 # user info
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
964 name = self.db.user.get(uid, 'username')
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
965 if uaddress is None:
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
966 address = self.db.user.get(uid, 'address')
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
967 else:
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
968 address = uaddress
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
969
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
970 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
971 tracker_name = self.db.config.TRACKER_NAME
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
972 subject = self._('Password reset for %s') % tracker_name
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
973 body = self._('''
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
974 The password has been reset for username "%(name)s".
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
975
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
976 Your password is now: %(password)s
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
977 ''') % {'name': name, 'password': newpw}
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
978 if not self.client.standard_message([address], subject, body):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
979 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
980
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
981 self.client.add_ok_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
982 self._('Password reset and email sent to %s') % address)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
983 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
984
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
985 # no OTK, so now figure the user
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
986 if 'username' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
987 name = self.form['username'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
988 try:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
989 uid = self.db.user.lookup(name)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
990 except KeyError:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
991 self.client.add_error_message(self._('Unknown username'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
992 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
993 address = self.db.user.get(uid, 'address')
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
994 elif 'address' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
995 address = self.form['address'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
996 uid = uidFromAddress(self.db, ('', address), create=0)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
997 if not uid:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
998 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
999 self._('Unknown email address'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1000 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1001 name = self.db.user.get(uid, 'username')
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1002 else:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1003 self.client.add_error_message(
2531
f8c6a09ef485 translate web ui messages in _EditAction, PassResetAction
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2391
diff changeset
1004 self._('You need to specify a username or address'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1005 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1006
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1007 # generate the one-time-key and store the props for later
6823
fe0091279f50 Refactor session db logging and key generation for sessions/otks
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1008 otk = otks.getUniqueKey(length=32)
fe0091279f50 Refactor session db logging and key generation for sessions/otks
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1009
5092
fc03c1381690 issue564 from meta tracker
Chau Nguyen <dangchau1991@gmail.com>
parents: 4880
diff changeset
1010 otks.set(otk, uid=uid, uaddress=address)
5319
62de601bdf6f Fix commits although a Reject exception is raised
Ralf Schlatterbeck <rsc@runtux.com>
parents: 5256
diff changeset
1011 otks.commit()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1012
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1013 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1014 tracker_name = self.db.config.TRACKER_NAME
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1015 subject = self._('Confirm reset of password for %s') % tracker_name
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1016 body = self._('''
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1017 Someone, perhaps you, has requested that the password be changed for your
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1018 username, "%(name)s". If you wish to proceed with the change, please follow
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1019 the link below:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1020
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1021 %(url)suser?@template=forgotten&@action=passrst&otk=%(otk)s
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1022
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1023 You should then receive another email with the new password.
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1024 ''') % {'name': name, 'tracker': tracker_name, 'url': self.base, 'otk': otk}
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1025 if not self.client.standard_message([address], subject, body):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1026 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1027
5253
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1028 if 'username' in self.form:
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1029 self.client.add_ok_message(self._('Email sent to primary notification address for %s.') % name)
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1030 else:
2d61e39b89c8 Issue2550716 Email address displayed after password reset request (fix)
John Rouillard <rouilj@ieee.org>
parents: 5217
diff changeset
1031 self.client.add_ok_message(self._('Email sent to %s.') % address)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1032
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1033
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1034 class RegoCommon(Action):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1035 def finishRego(self):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1036 # log the new user in
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1037 self.client.userid = self.userid
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1038 user = self.client.user = self.db.user.get(self.userid, 'username')
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1039 # re-open the database for real, using the user
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1040 self.client.opendb(user)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1041
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1042 # update session data
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1043 self.client.session_api.set(user=user)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1044
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1045 # nice message
2391
3a0a248289dd action objects got 'context' attribute containing dictionary...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2372
diff changeset
1046 message = self._('You are now registered, welcome!')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1047 url = '%suser%s?@ok_message=%s' % (self.base, self.userid,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1048 urllib_.quote(message))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1049
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1050 # redirect to the user's page (but not 302, as some email clients seem
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1051 # to want to reload the page, or something)
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1052 return '''<html><head><title>%s</title></head>
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1053 <body><p><a href="%s">%s</a></p>
5217
17b213eab274 Add nonce to embedded script references.
John Rouillard <rouilj@ieee.org>
parents: 5201
diff changeset
1054 <script nonce="%s" type="text/javascript">
2045
d124af927369 Forward-porting of fixes from the maintenance branch.
Richard Jones <richard@users.sourceforge.net>
parents: 2032
diff changeset
1055 window.setTimeout('window.location = "%s"', 1000);
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1056 </script>''' % (message, url, message,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1057 self.client.client_nonce, url)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1058
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1059
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1060 class ConfRegoAction(RegoCommon):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1061 def handle(self):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1062 """Grab the OTK, use it to load up the new user details."""
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1063 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1064 # pull the rego information out of the otk database
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1065 self.userid = self.db.confirm_registration(self.form['otk'].value)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1066 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1067 self.client.add_error_message(str(message))
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1068 return
3847
1a44e4bb2b54 Fix missing return value.
Stefan Seefeld <stefan@seefeld.name>
parents: 3805
diff changeset
1069 return self.finishRego()
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1070
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1071
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1072 class RegisterAction(RegoCommon, EditCommon, Timestamped):
2018
96a1bf48efdd Remove duplication in permission handling:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents: 2014
diff changeset
1073 name = 'register'
4146
42331c201b02 Fix issue2550553.
Stefan Seefeld <stefan@seefeld.name>
parents: 4127
diff changeset
1074 permissionType = 'Register'
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
1075
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1076 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1077 """Attempt to create a new user based on the contents of the form
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1078 and then remember it in session.
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1079
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1080 Return 1 on successful login.
2032
5a7ec0c63095 fixes to some unit tests, and a cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 2031
diff changeset
1081 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1082 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1083 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1084 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1085
5973
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1086 # try to make sure user is not a bot by checking the
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1087 # hidden field opaqueregister to make sure it's at least
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1088 # WEB_REGISTRATION_DELAY seconds. If set to 0,
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1089 # disable the check.
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1090 delaytime = self.db.config['WEB_REGISTRATION_DELAY']
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1091
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1092 if delaytime > 0:
fe334430ca07 issue2550919 - Anti-bot signup using 4 second delay
John Rouillard <rouilj@ieee.org>
parents: 5937
diff changeset
1093 self.timecheck('opaqueregister', delaytime)
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1094
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1095 # parse the props from the form
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1096 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1097 props, links = self.client.parsePropsFromForm(create=1)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1098 except (ValueError, KeyError) as message:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1099 self.client.add_error_message(self._('Error: %s')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1100 % str(message))
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1101 return
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1102
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1103 # skip the confirmation step?
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1104 if self.db.config['INSTANT_REGISTRATION']:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1105 # handle the create now
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1106 try:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1107 # when it hits the None element, it'll set self.nodeid
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1108 # execute for side effect
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1109 messages = self._editnodes(props, links) # noqa: F841
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1110 except (ValueError, KeyError, IndexError, Reject) as message:
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1111 escape = not isinstance(message, RejectRaw)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1112 # these errors might just be indicative of user dumbness
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1113 self.client.add_error_message(_('Error: %s') % str(message),
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1114 escape=escape)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1115 return
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1116
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1117 # fix up the initial roles
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1118 self.db.user.set(self.nodeid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1119 roles=self.db.config['NEW_WEB_USER_ROLES'])
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1120
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1121 # commit now that all the tricky stuff is done
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1122 self.db.commit()
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1123
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1124 # finish off by logging the user in
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1125 self.userid = self.nodeid
3466
0ecd0062abfb fix redirect after instant registration [SF#1381676]
Richard Jones <richard@users.sourceforge.net>
parents: 3418
diff changeset
1126 return self.finishRego()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1127
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1128 # generate the one-time-key and store the props for later
4334
1aef7a4e4e39 fix non-instant rego
Richard Jones <richard@users.sourceforge.net>
parents: 4329
diff changeset
1129 user_props = props[('user', None)]
5976
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1130 # check that admin has requested username available check
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1131 check_user = self.db.config['WEB_REGISTRATION_PREVALIDATE_USERNAME']
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1132 if check_user:
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1133 try:
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1134 # verify user exists
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1135 user_found = self.db.user.lookup(user_props['username']) \
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1136 # noqa: F841
5976
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1137 # if user is found reject the request.
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1138 raise Reject(
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1139 _("Username '%s' is already used.") % user_props['username'])
5976
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1140 except KeyError:
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1141 # user not found this is what we want.
71c68961d9f4 - issue2550920 - Optionally detect duplicate username at registration.
John Rouillard <rouilj@ieee.org>
parents: 5973
diff changeset
1142 pass
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1143
5395
23b8e6067f7c Python 3 preparation: update calls to dict methods.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5382
diff changeset
1144 for propname, proptype in self.db.user.getprops().items():
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1145 value = user_props.get(propname, None)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1146 if value is None:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1147 pass
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1148 elif isinstance(proptype, hyperdb.Date):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1149 user_props[propname] = str(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1150 elif isinstance(proptype, hyperdb.Interval):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1151 user_props[propname] = str(value)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1152 elif isinstance(proptype, hyperdb.Password):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1153 user_props[propname] = str(value)
2082
c091cacdc505 Finished implementation of session and one-time-key stores for RDBMS backends.
Richard Jones <richard@users.sourceforge.net>
parents: 2061
diff changeset
1154 otks = self.db.getOTKManager()
6823
fe0091279f50 Refactor session db logging and key generation for sessions/otks
John Rouillard <rouilj@ieee.org>
parents: 6814
diff changeset
1155 otk = otks.getUniqueKey(length=32)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1156 otks.set(otk, **user_props)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1157
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1158 # send the email
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1159 tracker_name = self.db.config.TRACKER_NAME
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1160 tracker_email = self.db.config.TRACKER_EMAIL
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1161 if self.db.config['EMAIL_REGISTRATION_CONFIRMATION']:
7057
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1162 subject = _(
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1163 'Complete your registration to %(tracker_name)s -- key %(key)s') % {
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1164 'tracker_name': tracker_name,
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1165 'key': otk}
9fe29682dca2 Fix internationalized strings with multiple unlabeled % replacements.
John Rouillard <rouilj@ieee.org>
parents: 6938
diff changeset
1166
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1167 body = _("""To complete your registration of the user "%(name)s" with
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1168 %(tracker)s, please do one of the following:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1169
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1170 - send a reply to %(tracker_email)s and maintain the subject line as is (the
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1171 reply's additional "Re:" is ok),
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1172
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1173 - or visit the following URL:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1174
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1175 %(url)s?@action=confrego&otk=%(otk)s
2108
54815ca493a5 add line to rego email to help URL detection [SF#906247]
Richard Jones <richard@users.sourceforge.net>
parents: 2107
diff changeset
1176
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1177 """) % {'name': user_props['username'], 'tracker': tracker_name,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1178 'url': self.base, 'otk': otk, 'tracker_email': tracker_email} \
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1179 # noqa: E122
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1180 else:
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1181 subject = _('Complete your registration to %s') % (tracker_name)
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1182 body = _("""To complete your registration of the user "%(name)s" with
3469
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1183 %(tracker)s, please visit the following URL:
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1184
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1185 %(url)s?@action=confrego&otk=%(otk)s
d3b02352484f enable registration confirmation by web only [SF#1381675]
Richard Jones <richard@users.sourceforge.net>
parents: 3468
diff changeset
1186
6676
b336cc98d9d2 Mark strings for password reset and registration for translation
John Rouillard <rouilj@ieee.org>
parents: 6593
diff changeset
1187 """) % {'name': user_props['username'], 'tracker': tracker_name,
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1188 'url': self.base, 'otk': otk} # noqa: E122
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2592
diff changeset
1189 if not self.client.standard_message([user_props['address']], subject,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1190 body,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1191 (tracker_name, tracker_email)):
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1192 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1193
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1194 # commit changes to the database
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1195 self.db.commit()
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1196
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1197 # redirect to the "you're almost there" page
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1198 raise exceptions.Redirect('%suser?@template=rego_progress' % self.base)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1199
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1200 def newItemPermission(self, props, classname=None):
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1201 """Just check the "Register" permission.
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1202 """
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1203 # registration isn't allowed to supply roles
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1204 if 'roles' in props:
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1205 raise exceptions.Unauthorised(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1206 "It is not permitted to supply roles at registration."))
4329
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1207
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1208 # technically already checked, but here for clarity
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1209 return self.hasPermission('Register', classname=classname)
58b7ba47af87 fixes to make registration work again
Richard Jones <richard@users.sourceforge.net>
parents: 4310
diff changeset
1210
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1211
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1212 class LogoutAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1213 def handle(self):
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1214 """Make us really anonymous - nuke the session too."""
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1215 # log us out
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1216 self.client.make_user_anonymous()
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1217 self.client.session_api.destroy()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1218
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1219 # Let the user know what's going on
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1220 self.client.add_ok_message(self._('You are logged out'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1221
3264
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1222 # reset client context to render tracker home page
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1223 # instead of last viewed page (may be inaccessibe for anonymous)
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1224 self.client.classname = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1225 self.client.nodeid = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1226 self.client.template = None
6fc18923f837 LogoutAction: reset client context to render tracker home page...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3188
diff changeset
1227
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1228 # Redirect to a new page on logout. This regenerates
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1229 # CSRF tokens so they are associated with the
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1230 # anonymous user and not the user who logged out. If
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1231 # we don't the user gets an invalid CSRF token error
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1232 # As above choose the home page since everybody can
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1233 # see that.
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
1234 raise exceptions.Redirect(self.base)
5201
a9ace22e0a2f issue 2550690 - Adding anti-csrf measures to roundup following
John Rouillard <rouilj@ieee.org>
parents: 5192
diff changeset
1235
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1236
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1237 class LoginAction(Action):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1238 def handle(self):
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1239 """Attempt to log a user in.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1240
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1241 Sets up a session for the user which contains the login credentials.
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1242
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1243 """
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1244 # ensure modification comes via POST
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1245 if self.client.env['REQUEST_METHOD'] != 'POST':
5004
494d255043c9 Display errors containing HTML with RejectRaw (issue2550847)
John Kristensen <john@jerrykan.com>
parents: 4992
diff changeset
1246 raise Reject(self._('Invalid request'))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1247
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1248 # we need the username at a minimum
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1249 if '__login_name' not in self.form:
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1250 self.client.add_error_message(self._('Username required'))
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1251 return
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1252
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1253 # get the login info
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1254 self.client.user = self.form['__login_name'].value
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1255 if '__login_password' in self.form:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1256 password = self.form['__login_password'].value
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1257 else:
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1258 password = ''
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1259
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1260 if '__came_from' in self.form:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1261 # On valid or invalid login, redirect the user back to the page
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1262 # the started on. Searches, issue and other pages
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1263 # are all preserved in __came_from. Clean out any old feedback
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1264 # @error_message, @ok_message from the __came_from url.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1265 #
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1266 # 1. Split the url into components.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1267 # 2. Split the query string into parts.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1268 # 3. Delete @error_message and @ok_message if present.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1269 # 4. Define a new redirect_url missing the @...message entries.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1270 # This will be redefined if there is a login error to include
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1271 # a new error message
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
1272
5162
3ee79a2d95d4 rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
John Rouillard <rouilj@ieee.org>
parents: 5161
diff changeset
1273 clean_url = self.examine_url(self.form['__came_from'].value)
5161
12190efa30d4 I realized that the __came_from and __redirect_to url parameters I
John Rouillard <rouilj@ieee.org>
parents: 5158
diff changeset
1274 redirect_url_tuple = urllib_.urlparse(clean_url)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1275 # now I have a tuple form for the __came_from url
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1276 try:
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1277 query = urllib_.parse_qs(redirect_url_tuple.query)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1278 if "@error_message" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1279 del query["@error_message"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1280 if "@ok_message" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1281 del query["@ok_message"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1282 if "@action" in query:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1283 # also remove the logout action from the redirect
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1284 # there is only ever one @action value.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1285 if query['@action'] == ["logout"]:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1286 del query["@action"]
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1287 except AttributeError:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1288 # no query param so nothing to remove. Just define.
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1289 query = {}
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1290 pass
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1291
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1292 redirect_url = urllib_.urlunparse(
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1293 (redirect_url_tuple.scheme,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1294 redirect_url_tuple.netloc,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1295 redirect_url_tuple.path,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1296 redirect_url_tuple.params,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1297 urllib_.urlencode(list(sorted(query.items())), doseq=True),
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1298 redirect_url_tuple.fragment))
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1299
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1300 try:
5772
8dbe307bdb57 Finish up login rate limit code. Set config item to 0 disables, make
John Rouillard <rouilj@ieee.org>
parents: 5722
diff changeset
1301 self.verifyLogin(self.client.user, password)
5248
198b6e810c67 Use Python-3-compatible 'as' syntax for except statements
Eric S. Raymond <esr@thyrsus.com>
parents: 5245
diff changeset
1302 except exceptions.LoginError as err:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1303 self.client.make_user_anonymous()
4880
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1304 for arg in err.args:
ca692423e401 Different approach to fix XSS in issue2550817
Ralf Schlatterbeck <rsc@runtux.com>
parents: 4624
diff changeset
1305 self.client.add_error_message(arg)
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1306
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1307 if '__came_from' in self.form:
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1308 # set a new error
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1309 query['@error_message'] = err.args
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1310 redirect_url = urllib_.urlunparse(
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1311 (redirect_url_tuple.scheme,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1312 redirect_url_tuple.netloc,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1313 redirect_url_tuple.path,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1314 redirect_url_tuple.params,
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1315 urllib_.urlencode(list(sorted(query.items())), doseq=True),
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1316 redirect_url_tuple.fragment))
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1317 raise exceptions.Redirect(redirect_url)
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1318 # if no __came_from, send back to base url with error
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1319 return
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1320 except RateLimitExceeded as err:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1321 self.client.make_user_anonymous()
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1322 for arg in err.args:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1323 self.client.add_error_message(arg)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1324
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1325 if '__came_from' in self.form:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1326 # usually web only. If API uses this they will get
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1327 # confused as the 429 isn't returned. Without this
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1328 # a web user will get redirected back to the home
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1329 # page rather than stay on the page where they tried
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1330 # to login.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1331 # set a new error message
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1332 query['@error_message'] = err.args
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1333 redirect_url = urllib_.urlunparse(
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1334 (redirect_url_tuple.scheme,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1335 redirect_url_tuple.netloc,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1336 redirect_url_tuple.path,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1337 redirect_url_tuple.params,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1338 urllib_.urlencode(list(sorted(query.items())), doseq=True),
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1339 redirect_url_tuple.fragment))
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1340 raise exceptions.Redirect(redirect_url)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1341 raise
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1342
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1343 # now we're OK, re-open the database for real, using the user
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1344 self.client.opendb(self.client.user)
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1345
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1346 # save user in session
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1347 self.client.session_api.set(user=self.client.user)
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1348 if 'remember' in self.form:
3989
0112e9e1d068 improvements to session management
Richard Jones <richard@users.sourceforge.net>
parents: 3987
diff changeset
1349 self.client.session_api.update(set_cookie=True, expire=24*3600*365)
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1350
3418
9b8019f28158 remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents: 3382
diff changeset
1351 # If we came from someplace, go back there
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1352 if '__came_from' in self.form:
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1353 # add welcome message to user when logged in
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1354 query['@ok_message'] = _("Welcome %(username)s!") % {
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1355 "username": self.client.user, }
6468
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1356 redirect_url = urllib_.urlunparse((redirect_url_tuple.scheme,
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1357 redirect_url_tuple.netloc,
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1358 redirect_url_tuple.path,
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1359 redirect_url_tuple.params,
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1360 urllib_.urlencode(list(sorted(query.items())), doseq=True),
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1361 redirect_url_tuple.fragment))
37b57da3374f issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login.
aburke
parents: 6435
diff changeset
1362
5121
894aa07be6cb issue2550785: Using login from search (or logout) fails. when
John Rouillard <rouilj@ieee.org>
parents: 5119
diff changeset
1363 raise exceptions.Redirect(redirect_url)
3418
9b8019f28158 remember where we came from when logging in (patch [SF#1312889])
Richard Jones <richard@users.sourceforge.net>
parents: 3382
diff changeset
1364
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1365 def rateLimitLogin(self, username, is_api=False, update=True):
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1366 """Implement rate limiting of logins by login name.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1367
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1368 username - username attempting to log in. May or may not
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1369 be valid.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1370 is_api - set to False for login via html page
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1371 set to "xmlrpc" for xmlrpc api
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1372 set to "rest" for rest api
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1373 update - if False will raise RateLimitExceeded without
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1374 updating the stored value. Default is True
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1375 which updates stored value. Used to deny access
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1376 when user successfully logs in but the user
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1377 doesn't have a valid attempt available.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1378
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1379 Login rates for a user are split based on html vs api
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1380 login.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1381
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1382 Set self.client.db.config.WEB_LOGIN_ATTEMPTS_MIN to 0
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1383 to disable for web interface. Set
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1384 self.client.db.config.API_LOGIN_ATTEMPTS to 0
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1385 to disable for web interface.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1386
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1387 By setting LoginAction.limitLogin, the admin can override
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1388 the HTML web page rate limiter if they need to change the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1389 interval from 1 minute.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1390 """
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1391 config = self.client.db.config
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1392
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1393 if not is_api:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1394 # HTML web login. Period is fixed at 1 minute.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1395 # Override by setting self.loginLimit. Yech.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1396 allowed_attempts = config.WEB_LOGIN_ATTEMPTS_MIN
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1397 per_period = 60
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1398 rlkey = "LOGIN-" + username
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1399 else:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1400 # api login. Both Rest and XMLRPC use this.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1401 allowed_attempts = config.WEB_API_FAILED_LOGIN_LIMIT
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1402 per_period = config.WEB_API_FAILED_LOGIN_INTERVAL_IN_SEC
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1403 rlkey = "LOGIN-API" + username
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1404
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1405 if not allowed_attempts: # if allowed_attempt == 0 - off
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1406 return
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1407
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1408 if self.loginLimit and not is_api:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1409 # provide a way for user (via interfaces.py) to
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1410 # change the interval on the html login limit.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1411 limit = self.loginLimit
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1412 else:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1413 limit = RateLimit(allowed_attempts,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1414 timedelta(seconds=per_period))
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1415
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1416 gcra = Gcra()
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1417 otk = self.client.db.Otk
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1418
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1419 try:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1420 val = otk.getall(rlkey)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1421 gcra.set_tat_as_string(rlkey, val['tat'])
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1422 except KeyError:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1423 # ignore if tat not set, tat is 1970-1-1 by default.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1424 pass
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1425
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1426 # see if rate limit exceeded and we need to reject
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1427 # the attempt
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1428 reject = gcra.update(rlkey, limit)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1429
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1430 # Calculate a timestamp that will make OTK expire the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1431 # unused entry in twice the period defined for the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1432 # rate limiter.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1433 if update:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1434 ts = otk.lifetime(per_period*2)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1435 otk.set(rlkey, tat=gcra.get_tat_as_string(rlkey),
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1436 __timestamp=ts)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1437 otk.commit()
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1438
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1439 # User exceeded limits: find out how long to wait
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1440 limitStatus = gcra.status(rlkey, limit)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1441
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1442 if not reject:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1443 return
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1444
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1445 for header, value in limitStatus.items():
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1446 self.client.setHeader(header, value)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1447
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1448 # User exceeded limits: tell humans how long to wait
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1449 # Headers above will do the right thing for api
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1450 # aware clients.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1451 try:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1452 retry_after = limitStatus['Retry-After']
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1453 except KeyError:
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1454 # handle race condition. If the time between
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1455 # the call to grca.update and grca.status
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1456 # is sufficient to reload the bucket by 1
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1457 # item, Retry-After will be missing from
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1458 # limitStatus. So report a 1 second delay back
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1459 # to the client. We treat update as sole
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1460 # source of truth for exceeded rate limits.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1461 retry_after = 1
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1462 self.client.setHeader('Retry-After', '1')
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1463
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1464 # make rate limiting headers available to javascript
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1465 # even for non-api calls.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1466 self.client.setHeader(
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1467 "Access-Control-Expose-Headers",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1468 ", ".join([
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1469 "X-RateLimit-Limit",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1470 "X-RateLimit-Remaining",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1471 "X-RateLimit-Reset",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1472 "X-RateLimit-Limit-Period",
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1473 "Retry-After"
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1474 ])
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1475 )
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1476
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1477 raise RateLimitExceeded(_("Logins occurring too fast. Please wait: %s seconds.") % retry_after)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1478
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1479 def verifyLogin(self, username, password, is_api=False):
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1480 """Authenticate the user with rate limits.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1481
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1482 All logins (valid and failing) from a web page calling the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1483 LoginAction method are rate limited to the config.ini
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1484 configured value in 1 minute. (Interval can be changed see
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1485 rateLimitLogin method.)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1486
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1487 API logins are only rate limited if they fail. Successful
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1488 api logins are rate limited using the
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1489 api_calls_per_interval and api_interval_in_sec settings in
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1490 config.ini.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1491
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1492 Once a user receives a rate limit notice, they must
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1493 wait the recommended time to try again as the account is
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1494 locked out for the recommended time. If a user tries to
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1495 log in while locked out, they will get a 429 rejection
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1496 even if the username and password are correct.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1497 """
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1498 # make sure the user exists
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1499 try:
7179
804cc66692ac Add comment. lookup on a username doesn't return retired users.
John Rouillard <rouilj@ieee.org>
parents: 7178
diff changeset
1500 # Note: lookup only searches non-retired items.
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1501 self.client.userid = self.db.user.lookup(username)
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1502 except KeyError:
6375
c4371ec7d1c0 Call verifyPassword even if user does not exist.
John Rouillard <rouilj@ieee.org>
parents: 6301
diff changeset
1503 # Perform password check against anonymous user.
c4371ec7d1c0 Call verifyPassword even if user does not exist.
John Rouillard <rouilj@ieee.org>
parents: 6301
diff changeset
1504 # Prevents guessing of valid usernames by detecting
c4371ec7d1c0 Call verifyPassword even if user does not exist.
John Rouillard <rouilj@ieee.org>
parents: 6301
diff changeset
1505 # delay caused by checking password only on valid
c4371ec7d1c0 Call verifyPassword even if user does not exist.
John Rouillard <rouilj@ieee.org>
parents: 6301
diff changeset
1506 # users.
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1507 _discard = self.verifyPassword("2", password) # noqa: F841
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1508
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1509 # limit logins to an acceptable rate. Do it for
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1510 # invalid usernames so attempts to break
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1511 # an invalid user will also be rate limited.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1512 self.rateLimitLogin(username, is_api=is_api)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1513
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1514 # this is not hit if rate limit is exceeded
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1515 raise exceptions.LoginError(self._('Invalid login'))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1516
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1517 # if we are rate limited and the user tries again,
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1518 # reject the login. update=false so we don't count
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1519 # a potentially valid login.
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1520 self.rateLimitLogin(username, is_api=is_api, update=False)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1521
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1522 # verify the password
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1523 if not self.verifyPassword(self.client.userid, password):
7556
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1524 self.rateLimitLogin(username, is_api=is_api)
273c8c2b5042 fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
John Rouillard <rouilj@ieee.org>
parents: 7179
diff changeset
1525 # this is not hit if rate limit is exceeded
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1526 raise exceptions.LoginError(self._('Invalid login'))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1527
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1528 # Determine whether the user has permission to log in.
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1529 # Base behaviour is to check the user has "Web Access".
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1530 if not self.hasPermission("Web Access"):
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1531 raise exceptions.LoginError(self._(
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1532 "You do not have permission to login"))
2927
9ecca789544f applied patch [SF#1067690]
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2657
diff changeset
1533
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1534 def verifyPassword(self, userid, givenpw):
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1535 '''Verify the password that the user has supplied.
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1536 Optionally migrate to new password scheme if configured
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1537 '''
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1538 db = self.db
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1539 stored = db.user.get(userid, 'password')
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1540 if givenpw == stored:
7165
970cd6d2b8ea issue2551251 - migrate pbkdf2 passwords if more rounds configured
John Rouillard <rouilj@ieee.org>
parents: 7163
diff changeset
1541 if (db.config.WEB_MIGRATE_PASSWORDS and
970cd6d2b8ea issue2551251 - migrate pbkdf2 passwords if more rounds configured
John Rouillard <rouilj@ieee.org>
parents: 7163
diff changeset
1542 stored.needs_migration(config=db.config)):
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
1543 newpw = password.Password(givenpw, config=db.config)
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
1544 db.user.set(userid, password=newpw)
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4416
diff changeset
1545 db.commit()
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1546 return 1
6684
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6676
diff changeset
1547 # allow blank password
9ca5cbffa0c4 Switch off using blank passwords for login
John Rouillard <rouilj@ieee.org>
parents: 6676
diff changeset
1548 if db.config.WEB_LOGIN_EMPTY_PASSWORDS and not givenpw and not stored:
2004
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1549 return 1
1782fe36e7b8 Move out parts of client.py to new modules:
Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
parents:
diff changeset
1550 return 0
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1551
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1552
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1553 class ExportCSVAction(Action):
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1554 name = 'export'
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1555 permissionType = 'View'
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1556 list_sep = ';' # Separator for list types
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1557
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1558 def handle(self):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1559 ''' Export the specified search query as CSV. '''
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1560 # figure the request
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1561 request = templating.HTMLRequest(self.client)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1562 filterspec = request.filterspec
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1563 sort = request.sort
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1564 group = request.group
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1565 columns = request.columns
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1566 klass = self.db.getclass(request.classname)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1567
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1568 # check if all columns exist on class
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1569 # the exception must be raised before sending header
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1570 props = klass.getprops()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1571 for cname in columns:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1572 if cname not in props:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1573 # use error code 400: Bad Request. Do not use
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1574 # error code 404: Not Found.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1575 self.client.response_code = 400
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1576 raise exceptions.NotFound(
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1577 self._('Column "%(column)s" not found in %(class)s')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1578 % {'column': html_escape(cname),
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1579 'class': request.classname})
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1580
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1581 # full-text search
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1582 if request.search_text:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1583 indexer = self.db.indexer
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1584 if self.db.indexer.query_language:
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1585 try:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1586 matches = indexer.search(
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1587 [request.search_text], klass)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1588 except Exception as e:
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1589 error = " ".join(e.args)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1590 self.client.add_error_message(error)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1591 self.client.response_code = 400
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1592 # trigger error reporting. NotFound isn't right but...
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1593 raise exceptions.NotFound(error)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1594 else:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1595 matches = indexer.search(
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1596 re.findall(r'\b\w{%s,%s}\b' % (indexer.minlength,
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1597 indexer.maxlength),
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1598 request.search_text), klass)
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1599 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1600 matches = None
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1601
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1602 header = self.client.additional_headers
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1603 header['Content-Type'] = 'text/csv; charset=%s' % self.client.charset
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1604 # some browsers will honor the filename here...
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1605 header['Content-Disposition'] = 'inline; filename=query.csv'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1606
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1607 self.client.header()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1608
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1609 if self.client.env['REQUEST_METHOD'] == 'HEAD':
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1610 # all done, return a dummy string
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1611 return 'dummy'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1612
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1613 wfile = self.client.request.wfile
6083
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1614 if sys.version_info[0] > 2:
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1615 wfile = codecs.getwriter(self.client.charset)(wfile, 'replace')
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1616 elif self.client.charset != self.client.STORAGE_CHARSET:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1617 wfile = codecs.EncodedFile(wfile,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1618 self.client.STORAGE_CHARSET,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1619 self.client.charset, 'replace')
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1620
6190
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6083
diff changeset
1621 writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1622
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1623 # handle different types of columns.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1624 def repr_no_right(cls, col):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1625 """User doesn't have the right to see the value of col."""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1626 def fct(arg):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1627 return "[hidden]"
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1628 return fct
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1629
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1630 def repr_link(cls, col):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1631 """Generate a function which returns the string representation of
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1632 a link depending on `cls` and `col`."""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1633 def fct(arg):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1634 if arg is None:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1635 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1636 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1637 return str(cls.get(arg, col))
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1638 return fct
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1639
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1640 def repr_list(cls, col):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1641 def fct(arg):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1642 if arg is None:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1643 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1644 elif type(arg) is list:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1645 seq = [str(cls.get(val, col)) for val in arg]
5652
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1646 # python2/python 3 have different order in lists
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1647 # sort to not break tests
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1648 seq.sort()
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1649 return self.list_sep.join(seq)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1650 return fct
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1651
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1652 def repr_date():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1653 def fct(arg):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1654 if arg is None:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1655 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1656 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1657 if (arg.local(self.db.getUserTimezone()).pretty('%H:%M') ==
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1658 '00:00'):
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1659 fmt = '%Y-%m-%d'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1660 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1661 fmt = '%Y-%m-%d %H:%M'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1662 return arg.local(self.db.getUserTimezone()).pretty(fmt)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1663 return fct
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1664
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1665 def repr_val():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1666 def fct(arg):
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1667 if arg is None:
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1668 return ""
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1669 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1670 return str(arg)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1671 return fct
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1672
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1673 props = klass.getprops()
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1674
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1675 # Determine translation map.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1676 ncols = []
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1677 represent = {}
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1678 for col in columns:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1679 ncols.append(col)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1680 represent[col] = repr_val()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1681 if isinstance(props[col], hyperdb.Multilink):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1682 cname = props[col].classname
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1683 cclass = self.db.getclass(cname)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1684 represent[col] = repr_list(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1685 if not self.hasPermission(self.permissionType, classname=cname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1686 represent[col] = repr_no_right(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1687 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1688 if 'name' in cclass.getprops():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1689 represent[col] = repr_list(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1690 elif cname == 'user':
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1691 represent[col] = repr_list(cclass, 'realname')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1692 if isinstance(props[col], hyperdb.Link):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1693 cname = props[col].classname
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1694 cclass = self.db.getclass(cname)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1695 if not self.hasPermission(self.permissionType, classname=cname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1696 represent[col] = repr_no_right(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1697 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1698 if 'name' in cclass.getprops():
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1699 represent[col] = repr_link(cclass, 'name')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1700 elif cname == 'user':
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1701 represent[col] = repr_link(cclass, 'realname')
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1702 if isinstance(props[col], hyperdb.Date):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1703 represent[col] = repr_date()
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1704
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1705 columns = ncols
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1706 # generate the CSV output
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1707 self.client._socket_op(writer.writerow, columns)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1708 # and search
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1709 for itemid in klass.filter(matches, filterspec, sort, group):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1710 row = []
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1711 # don't put out a row of [hidden] fields if the user has
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1712 # no access to the issue.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1713 if not self.hasPermission(self.permissionType, itemid=itemid,
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1714 classname=request.classname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1715 continue
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1716 for name in columns:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1717 # check permission for this property on this item
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1718 # TODO: Permission filter doesn't work for the 'user' class
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1719 if not self.hasPermission(self.permissionType, itemid=itemid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1720 classname=request.classname,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1721 property=name):
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1722 repr_function = repr_no_right(request.classname, name)
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1723 else:
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1724 repr_function = represent[name]
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1725 row.append(repr_function(klass.get(itemid, name)))
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1726 self.client._socket_op(writer.writerow, row)
8040
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1727
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1728 # force close of connection since we can't send a
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1729 # Content-Length header.
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1730 self.client.request.close_connection = True
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1731
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1732 return '\n'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1733
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1734
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1735 class ExportCSVWithIdAction(Action):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1736 ''' A variation of ExportCSVAction that returns ID number rather than
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1737 names. This is the original csv export function.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1738 '''
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1739 name = 'export'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1740 permissionType = 'View'
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1741
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1742 def handle(self):
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1743 ''' Export the specified search query as CSV. '''
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1744 # figure the request
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1745 request = templating.HTMLRequest(self.client)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1746 filterspec = request.filterspec
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1747 sort = request.sort
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1748 group = request.group
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1749 columns = request.columns
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1750 klass = self.db.getclass(request.classname)
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1751
4624
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1752 # check if all columns exist on class
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1753 # the exception must be raised before sending header
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1754 props = klass.getprops()
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1755 for cname in columns:
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1756 if cname not in props:
5165
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1757 # use error code 400: Bad Request. Do not use
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1758 # error code 404: Not Found.
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1759 self.client.response_code = 400
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1760 raise exceptions.NotFound(
a86860224d80 issue2550755: exceptions.NotFound(msg) msg is not reported to user in cgi.
John Rouillard <rouilj@ieee.org>
parents: 5164
diff changeset
1761 self._('Column "%(column)s" not found in %(class)s')
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1762 % {'column': html_escape(cname),
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1763 'class': request.classname})
4624
21705126dafa Committed edited fix for issue2550712 by Cedric Krier.
Bernhard Reiter <bernhard@intevation.de>
parents: 4623
diff changeset
1764
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1765 # full-text search
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1766 if request.search_text:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1767 indexer = self.db.indexer
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1768 if indexer.query_language:
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1769 try:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1770 matches = indexer.search(
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1771 [request.search_text], klass)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1772 except Exception as e:
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1773 error = " ".join(e.args)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1774 self.client.add_error_message(error)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1775 self.client.response_code = 400
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1776 # trigger error reporting. NotFound isn't right but...
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1777 raise exceptions.NotFound(error)
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1778 else:
6593
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1779 matches = indexer.search(
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1780 re.findall(r'\b\w{%s,%s}\b' % (indexer.minlength,
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1781 indexer.maxlength),
e70e2789bc2c issue2551189 - increase text search maxlength
John Rouillard <rouilj@ieee.org>
parents: 6588
diff changeset
1782 request.search_text),
6588
91ab3e0ffcd0 Summary: Add test cases for sqlite fts
John Rouillard <rouilj@ieee.org>
parents: 6574
diff changeset
1783 klass)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1784 else:
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1785 matches = None
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1786
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1787 h = self.client.additional_headers
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1788 h['Content-Type'] = 'text/csv; charset=%s' % self.client.charset
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1789 # some browsers will honor the filename here...
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1790 h['Content-Disposition'] = 'inline; filename=query.csv'
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1791
2163
791c66a3b738 fixed CSV export and CGI actions returning results
Richard Jones <richard@users.sourceforge.net>
parents: 2160
diff changeset
1792 self.client.header()
2592
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1793
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1794 if self.client.env['REQUEST_METHOD'] == 'HEAD':
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1795 # all done, return a dummy string
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1796 return 'dummy'
5a8d9465827e implement the HTTP HEAD command [SF#992544]
Richard Jones <richard@users.sourceforge.net>
parents: 2563
diff changeset
1797
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1798 wfile = self.client.request.wfile
6083
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1799 if sys.version_info[0] > 2:
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1800 wfile = codecs.getwriter(self.client.charset)(wfile, 'replace')
f74d078cfd9a issue2551019 needs to be handled in the action code itself, not the WSGI handler
Christof Meerwald <cmeerw@cmeerw.org>
parents: 6066
diff changeset
1801 elif self.client.charset != self.client.STORAGE_CHARSET:
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1802 wfile = codecs.EncodedFile(wfile,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1803 self.client.STORAGE_CHARSET,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1804 self.client.charset, 'replace')
3499
230fb5d49c19 CSV encoding support [SF#1240848]
Richard Jones <richard@users.sourceforge.net>
parents: 3484
diff changeset
1805
6190
15fd91fd3c4c Quote all exported CSV data
John Rouillard <rouilj@ieee.org>
parents: 6083
diff changeset
1806 writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)
3987
c4f7b3817d3d Prevent broken pipe errors in csv export (patch [SF#911449)
Richard Jones <richard@users.sourceforge.net>
parents: 3913
diff changeset
1807 self.client._socket_op(writer.writerow, columns)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1808
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1809 # and search
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1810 for itemid in klass.filter(matches, filterspec, sort, group):
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1811 row = []
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1812 # FIXME should this code raise an exception if an item
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1813 # is included that can't be accessed? Enabling this
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1814 # check will just skip the row for the inaccessible item.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1815 # This makes it act more like the web interface.
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1816 # if not self.hasPermission(self.permissionType, itemid=itemid,
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1817 # classname=request.classname):
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1818 # continue
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1819 for name in columns:
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1820 # check permission to view this property on this item
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1821 if not self.hasPermission(self.permissionType, itemid=itemid,
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1822 classname=request.classname,
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1823 property=name):
5614
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1824 # FIXME: is this correct, or should we just
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1825 # emit a '[hidden]' string. Note that this may
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1826 # allow an attacker to figure out hidden schema
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1827 # properties.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1828 # A bad property name will result in an exception.
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1829 # A valid property results in a column of '[hidden]'
be99aa02c616 issue2550833 enhance the export csv action to include the keys for
John Rouillard <rouilj@ieee.org>
parents: 5515
diff changeset
1830 # values.
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1831 raise exceptions.Unauthorised(self._(
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1832 'You do not have permission to view %(class)s'
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1833 ) % {'class': request.classname})
5652
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1834 value = klass.get(itemid, name)
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1835 try:
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1836 # python2/python 3 have different order in lists
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1837 # sort to not break tests
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1838 value.sort()
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1839 except AttributeError:
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1840 pass # value is not sortable, probably str
9689d1bf9bb0 python2/python3 normalization. When exporting CSV, sort lists as they
John Rouillard <rouilj@ieee.org>
parents: 5614
diff changeset
1841 row.append(str(value))
4088
34434785f308 Plug a number of security holes:
Richard Jones <richard@users.sourceforge.net>
parents: 4083
diff changeset
1842 self.client._socket_op(writer.writerow, row)
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1843
8040
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1844 # force close of connection since we can't send a
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1845 # Content-Length header.
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1846 self.client.request.close_connection = True
19cef1e285b0 fix: remove delay when using csv export actions.
John Rouillard <rouilj@ieee.org>
parents: 7582
diff changeset
1847
2112
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1848 return '\n'
b86f0627b07c added CSV download of index / search results
Richard Jones <richard@users.sourceforge.net>
parents: 2108
diff changeset
1849
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1850
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1851 class Bridge(BaseAction):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1852 """Make roundup.actions.Action executable via CGI request.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1853
6066
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1854 Using this allows users to write actions executable from multiple
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1855 frontends. CGI Form content is translated into a dictionary, which
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1856 then is passed as argument to 'handle()'. XMLRPC requests have to
b011e5ac06d5 Flake8 whitespace; add translate; change use 'is None' not =
John Rouillard <rouilj@ieee.org>
parents: 5999
diff changeset
1857 pass this dictionary directly.
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1858 """
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1859
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1860 def __init__(self, *args):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1861
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1862 # As this constructor is callable from multiple frontends, each with
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1863 # different Action interfaces, we have to look at the arguments to
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1864 # figure out how to complete construction.
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1865 if (len(args) == 1 and
6938
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1866 hasattr(args[0], '__class__') and
075d8c6626b0 flake8 fixes
John Rouillard <rouilj@ieee.org>
parents: 6823
diff changeset
1867 args[0].__class__.__name__ == 'Client'):
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1868 self.cgi = True
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1869 self.execute = self.execute_cgi
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1870 self.client = args[0]
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1871 self.form = self.client.form
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1872 else:
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1873 self.cgi = False
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1874
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1875 def execute_cgi(self):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1876 args = {}
4362
74476eaac38a more modernisation
Richard Jones <richard@users.sourceforge.net>
parents: 4334
diff changeset
1877 for key in self.form:
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1878 args[key] = self.form.getvalue(key)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1879 self.permission(args)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1880 return self.handle(args)
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1881
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1882 def permission(self, args):
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1883 """Raise Unauthorised if the current user is not allowed to execute
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1884 this action. Users may override this method."""
4118
878767b75e1d fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents: 4112
diff changeset
1885
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1886 pass
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1887
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1888 def handle(self, args):
4118
878767b75e1d fix the fix for ensuring POST
Richard Jones <richard@users.sourceforge.net>
parents: 4112
diff changeset
1889
4083
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1890 raise NotImplementedError
bbab97f8ffb2 XMLRPC improvements:
Stefan Seefeld <stefan@seefeld.name>
parents: 4037
diff changeset
1891
2934
c8ee5907f1e2 pychecker cleanup
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2927
diff changeset
1892 # vim: set filetype=python sts=4 sw=4 et si :
Roundup Issue Tracker: http://roundup-tracker.org/