Mercurial Repository: p/roundup/code: roundup/cgi/client.py comparison

comparison roundup/cgi/client.py @ 1003:f89b8d32291b

Hack hack hack... . Implemented security assertion idea punted to mailing list (pretty easy to back out if someone comes up with a better idea) so editing "my details" works again. Rationalised and cleaned up the actions in any case. . fixed some more display issues (stuff appearing when it should and shouldn't) . trying a nicer colouring scheme for the top level page . handle no grouping being specified . fixed journaltag so the logged-in user is journalled, not admin!

author	Richard Jones <richard@users.sourceforge.net>
date	Sun, 01 Sep 2002 12:18:41 +0000
parents	1798d2fa9fec
children	5f12d3259f31

comparison

equal deleted inserted replaced

-:1798d2fa9fec
+:f89b8d32291b
-# $Id: client.py,v 1.2 2002-09-01 04:32:30 richard Exp $
+# $Id: client.py,v 1.3 2002-09-01 12:18:40 richard Exp $
 __doc__ = """
 WWW request handler (also used in the stand-alone server).
 """
 if user == 'anonymous':
 self.make_user_anonymous()
 else:
 self.user = user
+# reopen the database as the correct user
+self.opendb(self.user)
 def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)')):
 ''' Determine the context of this page:
 home              (default if no url is given)
 classname
 # determine_context
 return self.template(self.template_name)
 # these are the actions that are available
 actions = {
-'edit':     'edititem_action',
+'edit':     'editItemAction',
-'new':      'newitem_action',
+'new':      'newItemAction',
 'login':    'login_action',
 'logout':   'logout_action',
 'register': 'register_action',
-'search':   'search_action',
+'search':   'searchAction',
 }
 def handle_action(self):
 ''' Determine whether there should be an _action called.
 The action is defined by the form variable :action which
 identifies the method on this object to call. The four basic
 actions are defined in the "actions" dictionary on this class:
-"edit"      -> self.edititem_action
+"edit"      -> self.editItemAction
-"new"       -> self.newitem_action
+"new"       -> self.newItemAction
 "login"     -> self.login_action
 "logout"    -> self.logout_action
 "register"  -> self.register_action
-"search"    -> self.search_action
+"search"    -> self.searchAction
 '''
 if not self.form.has_key(':action'):
 return None
 try:
 # construct the logout cookie
 now = Cookie._getdate()
 path = '/'.join((self.env['SCRIPT_NAME'], self.env['INSTANCE_NAME'],
 ''))
 self.header(headers={'Set-Cookie':
 'roundup_user=deleted; Max-Age=0; expires=%s; Path=%s;'%(now, path)})
-#            'Location': self.db.config.DEFAULT_VIEW}, response=301)
+# Let the user know what's going on
-# suboptimal, but will do for now
 self.ok_message.append(_('You are logged out'))
-#raise Redirect, None
 def register_action(self):
 '''Attempt to create a new user based on the contents of the form
 and then set the cookie.
 self.set_cookie(self.user, password)
 # nice message
 self.ok_message.append(_('You are now registered, welcome!'))
-def edititem_action(self):
+def editItemAction(self):
 ''' Perform an edit of an item in the database.
 Some special form elements:
 :link=designator:property
 "files" property. Attach the file to the message created from
 the __note if it's supplied.
 '''
 cl = self.db.classes[self.classname]
+# parse the props from the form
+try:
+props = parsePropsFromForm(self.db, cl, self.form, self.nodeid)
+except (ValueError, KeyError), message:
+self.error_message.append(_('Error: ') + str(message))
+return
 # check permission
-userid = self.db.user.lookup(self.user)
+if not self.editItemPermission(props):
-if not self.db.security.hasPermission('Edit', userid, self.classname):
 self.error_message.append(
-_('You do not have permission to edit %(classname)s' %
+_('You do not have permission to edit %(classname)s'%
 self.__dict__))
 return
 # perform the edit
 try:
-props = parsePropsFromForm(self.db, cl, self.form, self.nodeid)
 # make changes to the node
 props = self._changenode(props)
 # handle linked nodes
 self._post_editnode(self.nodeid)
 except (ValueError, KeyError), message:
 self.error_message.append(_('Error: ') + str(message))
 return
 # commit now that all the tricky stuff is done
 # redirect to the item's edit page
 raise Redirect, '%s/%s%s?:ok_message=%s'%(self.base, self.classname,
 self.nodeid,  urllib.quote(message))
-def newitem_action(self):
+def editItemPermission(self, props):
+''' Determine whether the user has permission to edit this item.
+Base behaviour is to check the user can edit this class. If we're
+editing the "user" class, users are allowed to edit their own
+details. Unless it's the "roles" property, which requires the
+special Permission "Web Roles".
+'''
+# if this is a user node and the user is editing their own node, then
+# we're OK
+has = self.db.security.hasPermission
+if self.classname == 'user':
+# reject if someone's trying to edit "roles" and doesn't have the
+# right permission.
+if props.has_key('roles') and not has('Web Roles', self.userid,
+'user'):
+return 0
+# if the item being edited is the current user, we're ok
+if self.nodeid == self.userid:
+return 1
+if not self.db.security.hasPermission('Edit', self.userid,
+self.classname):
+return 0
+return 1
+def newItemAction(self):
 ''' Add a new item to the database.
-This follows the same form as the edititem_action
+This follows the same form as the editItemAction
 '''
-# check permission
+cl = self.db.classes[self.classname]
-userid = self.db.user.lookup(self.user)
-if not self.db.security.hasPermission('Edit', userid, self.classname):
+# parse the props from the form
+try:
+props = parsePropsFromForm(self.db, cl, self.form, self.nodeid)
+except (ValueError, KeyError), message:
+self.error_message.append(_('Error: ') + str(message))
+return
+if not self.newItemPermission(props):
 self.error_message.append(
 _('You do not have permission to create %s' %self.classname))
 # XXX
 #        cl = self.db.classes[cn]
 #        else:
 #            xtra = ''
 try:
 # do the create
-nid = self._createnode()
+nid = self._createnode(props)
 # handle linked nodes
 self._post_editnode(nid)
 # commit now that all the tricky stuff is done
 # redirect to the new item's page
 raise Redirect, '%s/%s%s?:ok_message=%s'%(self.base, self.classname,
 nid,  urllib.quote(message))
-def genericedit_action(self):
+def newItemPermission(self, props):
+''' Determine whether the user has permission to create (edit) this
+item.
+Base behaviour is to check the user can edit this class. No
+additional property checks are made. Additionally, new user items
+may be created if the user has the "Web Registration" Permission.
+'''
+has = self.db.security.hasPermission
+if self.classname == 'user' and has('Web Registration', self.userid,
+'user'):
+return 1
+if not has('Edit', self.userid, self.classname):
+return 0
+return 1
+def genericEditAction(self):
 ''' Performs an edit of all of a class' items in one go.
 The "rows" CGI var defines the CSV-formatted entries for the
 class. New nodes are identified by the ID 'X' (or any other
 non-existent ID) and removed lines are retired.
 '''
-userid = self.db.user.lookup(self.user)
+# generic edit is per-class only
-if not self.db.security.hasPermission('Edit', userid, self.classname):
+if not self.genericEditPermission():
-raise Unauthorised, _("You do not have permission to access"\
+self.error_message.append(
-" %(action)s.")%{'action': self.classname}
+_('You do not have permission to edit %s' %self.classname))
-cl = self.db.classes[self.classname]
-idlessprops = cl.getprops(protected=0).keys()
-props = ['id'] + idlessprops
 # get the CSV module
 try:
 import csv
 except ImportError:
 self.error_message.append(_(
 'Sorry, you need the csv module to use this function.<br>\n'
 'Get it from: <a href="http://www.object-craft.com.au/projects/csv/">http://www.object-craft.com.au/projects/csv/'))
 return
+cl = self.db.classes[self.classname]
+idlessprops = cl.getprops(protected=0).keys()
+props = ['id'] + idlessprops
 # do the edit
 rows = self.form['rows'].value.splitlines()
 p = csv.parser()
 found = {}
 # redirect to the class' edit page
 raise Redirect, '%s/%s?:ok_message=%s'%(self.base, self.classname,
 urllib.quote(message))
-def _changenode(self, props):
+def genericEditPermission(self):
-''' change the node based on the contents of the form
+''' Determine whether the user has permission to edit this class.
-'''
-cl = self.db.classes[self.classname]
+Base behaviour is to check the user can edit this class.
+'''
-# create the message
+if not self.db.security.hasPermission('Edit', self.userid,
-message, files = self._handle_message()
+self.classname):
-if message:
+return 0
-props['messages'] = cl.get(self.nodeid, 'messages') + [message]
+return 1
-if files:
-props['files'] = cl.get(self.nodeid, 'files') + files
+def searchAction(self):
-# make the changes
-return cl.set(self.nodeid, **props)
-def _createnode(self):
-''' create a node based on the contents of the form
-'''
-cl = self.db.classes[self.classname]
-props = parsePropsFromForm(self.db, cl, self.form)
-# check for messages and files
-message, files = self._handle_message()
-if message:
-props['messages'] = [message]
-if files:
-props['files'] = files
-# create the node and return it's id
-return cl.create(**props)
-def _handle_message(self):
-''' generate an edit message
-'''
-# handle file attachments
-files = []
-if self.form.has_key('__file'):
-file = self.form['__file']
-if file.filename:
-filename = file.filename.split('\\')[-1]
-mime_type = mimetypes.guess_type(filename)[0]
-if not mime_type:
-mime_type = "application/octet-stream"
-# create the new file entry
-files.append(self.db.file.create(type=mime_type,
-name=filename, content=file.file.read()))
-# we don't want to do a message if none of the following is true...
-cn = self.classname
-cl = self.db.classes[self.classname]
-props = cl.getprops()
-note = None
-# in a nutshell, don't do anything if there's no note or there's no
-# NOSY
-if self.form.has_key('__note'):
-note = self.form['__note'].value.strip()
-if not note:
-return None, files
-if not props.has_key('messages'):
-return None, files
-if not isinstance(props['messages'], hyperdb.Multilink):
-return None, files
-if not props['messages'].classname == 'msg':
-return None, files
-if not (self.form.has_key('nosy') or note):
-return None, files
-# handle the note
-if '\n' in note:
-summary = re.split(r'\n\r?', note)[0]
-else:
-summary = note
-m = ['%s\n'%note]
-# handle the messageid
-# TODO: handle inreplyto
-messageid = "<%s.%s.%s@%s>"%(time.time(), random.random(),
-self.classname, self.instance.MAIL_DOMAIN)
-# now create the message, attaching the files
-content = '\n'.join(m)
-message_id = self.db.msg.create(author=self.userid,
-recipients=[], date=date.Date('.'), summary=summary,
-content=content, files=files, messageid=messageid)
-# update the messages property
-return message_id, files
-def _post_editnode(self, nid):
-'''Do the linking part of the node creation.
-If a form element has :link or :multilink appended to it, its
-value specifies a node designator and the property on that node
-to add _this_ node to as a link or multilink.
-This is typically used on, eg. the file upload page to indicated
-which issue to link the file to.
-TODO: I suspect that this and newfile will go away now that
-there's the ability to upload a file using the issue __file form
-element!
-'''
-cn = self.classname
-cl = self.db.classes[cn]
-# link if necessary
-keys = self.form.keys()
-for key in keys:
-if key == ':multilink':
-value = self.form[key].value
-if type(value) != type([]): value = [value]
-for value in value:
-designator, property = value.split(':')
-link, nodeid = hyperdb.splitDesignator(designator)
-link = self.db.classes[link]
-# take a dupe of the list so we're not changing the cache
-value = link.get(nodeid, property)[:]
-value.append(nid)
-link.set(nodeid, **{property: value})
-elif key == ':link':
-value = self.form[key].value
-if type(value) != type([]): value = [value]
-for value in value:
-designator, property = value.split(':')
-link, nodeid = hyperdb.splitDesignator(designator)
-link = self.db.classes[link]
-link.set(nodeid, **{property: nid})
-def search_action(self):
 ''' Mangle some of the form variables.
 Set the form ":filter" variable based on the values of the
 filter variables - if they're set to anything other than
 "dontcare" then add them to :filter.
 '''
+# generic edit is per-class only
+if not self.searchPermission():
+self.error_message.append(
+_('You do not have permission to search %s' %self.classname))
 # add a faked :filter form variable for each filtering prop
 props = self.db.classes[self.classname].getprops()
 for key in self.form.keys():
 if not props.has_key(key): continue
 if not self.form[key].value: continue
 self.form.value.append(cgi.MiniFieldStorage(':filter', key))
-def remove_action(self,  dre=re.compile(r'([^\d]+)(\d+)')):
+def searchPermission(self):
+''' Determine whether the user has permission to search this class.
+Base behaviour is to check the user can view this class.
+'''
+if not self.db.security.hasPermission('View', self.userid,
+self.classname):
+return 0
+return 1
+def XXXremove_action(self,  dre=re.compile(r'([^\d]+)(\d+)')):
+# XXX I believe this could be handled by a regular edit action that
+# just sets the multilink...
 # XXX handle this !
 target = self.index_arg(':target')[0]
 m = dre.match(target)
 if m:
 classname = m.group(1)
 return func()
 else:
 raise NotFound, parent
 else:
 raise NotFound, target
+#
+#  Utility methods for editing
+#
+def _changenode(self, props):
+''' change the node based on the contents of the form
+'''
+cl = self.db.classes[self.classname]
+# create the message
+message, files = self._handle_message()
+if message:
+props['messages'] = cl.get(self.nodeid, 'messages') + [message]
+if files:
+props['files'] = cl.get(self.nodeid, 'files') + files
+# make the changes
+return cl.set(self.nodeid, **props)
+def _createnode(self, props):
+''' create a node based on the contents of the form
+'''
+cl = self.db.classes[self.classname]
+# check for messages and files
+message, files = self._handle_message()
+if message:
+props['messages'] = [message]
+if files:
+props['files'] = files
+# create the node and return it's id
+return cl.create(**props)
+def _handle_message(self):
+''' generate an edit message
+'''
+# handle file attachments
+files = []
+if self.form.has_key('__file'):
+file = self.form['__file']
+if file.filename:
+filename = file.filename.split('\\')[-1]
+mime_type = mimetypes.guess_type(filename)[0]
+if not mime_type:
+mime_type = "application/octet-stream"
+# create the new file entry
+files.append(self.db.file.create(type=mime_type,
+name=filename, content=file.file.read()))
+# we don't want to do a message if none of the following is true...
+cn = self.classname
+cl = self.db.classes[self.classname]
+props = cl.getprops()
+note = None
+# in a nutshell, don't do anything if there's no note or there's no
+# NOSY
+if self.form.has_key('__note'):
+note = self.form['__note'].value.strip()
+if not note:
+return None, files
+if not props.has_key('messages'):
+return None, files
+if not isinstance(props['messages'], hyperdb.Multilink):
+return None, files
+if not props['messages'].classname == 'msg':
+return None, files
+if not (self.form.has_key('nosy') or note):
+return None, files
+# handle the note
+if '\n' in note:
+summary = re.split(r'\n\r?', note)[0]
+else:
+summary = note
+m = ['%s\n'%note]
+# handle the messageid
+# TODO: handle inreplyto
+messageid = "<%s.%s.%s@%s>"%(time.time(), random.random(),
+self.classname, self.instance.MAIL_DOMAIN)
+# now create the message, attaching the files
+content = '\n'.join(m)
+message_id = self.db.msg.create(author=self.userid,
+recipients=[], date=date.Date('.'), summary=summary,
+content=content, files=files, messageid=messageid)
+# update the messages property
+return message_id, files
+def _post_editnode(self, nid):
+'''Do the linking part of the node creation.
+If a form element has :link or :multilink appended to it, its
+value specifies a node designator and the property on that node
+to add _this_ node to as a link or multilink.
+This is typically used on, eg. the file upload page to indicated
+which issue to link the file to.
+TODO: I suspect that this and newfile will go away now that
+there's the ability to upload a file using the issue __file form
+element!
+'''
+cn = self.classname
+cl = self.db.classes[cn]
+# link if necessary
+keys = self.form.keys()
+for key in keys:
+if key == ':multilink':
+value = self.form[key].value
+if type(value) != type([]): value = [value]
+for value in value:
+designator, property = value.split(':')
+link, nodeid = hyperdb.splitDesignator(designator)
+link = self.db.classes[link]
+# take a dupe of the list so we're not changing the cache
+value = link.get(nodeid, property)[:]
+value.append(nid)
+link.set(nodeid, **{property: value})
+elif key == ':link':
+value = self.form[key].value
+if type(value) != type([]): value = [value]
+for value in value:
+designator, property = value.split(':')
+link, nodeid = hyperdb.splitDesignator(designator)
+link = self.db.classes[link]
+link.set(nodeid, **{property: nid})
 def parsePropsFromForm(db, cl, form, nodeid=0, num_re=re.compile('^\d+$')):
 '''Pull properties for the given class out of the form.
 '''

Mercurial > p > roundup > code

comparison roundup/cgi/client.py @ 1003:f89b8d32291b