def remove_module(request, revision_id):
"""
Remove module from PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to remove a module from package (%s) "
"by non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
filenames = request.POST.get('filename').split(',')
revision.add_commit_message('module removed')
try:
removed_modules, removed_dirs = revision.modules_remove_by_path(
filenames)
except Module.DoesNotExist:
log_msg = 'Attempt to delete a non existing module(s) %s from %s.' % (
str(filenames), revision_id)
log.warning(log_msg)
return HttpResponseForbidden('There is no such module in %s' %
escape(revision.package.full_name))
return render_json(
request, "json/module_removed.json", {
'revision': revision,
'removed_modules': simplejson.dumps(removed_modules),
'removed_dirs': simplejson.dumps(removed_dirs)
})
def remove_attachment(request, revision_id):
"""
Remove attachment from PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ('[security] Attempt to remove attachment from revision '
'(%s) by non-owner (%s)' % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
uid = request.POST.get('uid', '').strip()
attachment = get_object_with_related_or_404(Attachment,
pk=uid,
revisions=revision)
if not attachment:
log_msg = ('Attempt to remove a non existing attachment. attachment: '
'%s, revision: %s.' % (uid, revision_id))
log.warning(log_msg)
return HttpResponseForbidden('There is no such attachment in %s' %
escape(revision.package.full_name))
revision.attachment_remove(attachment)
return render_json(request, "json/attachment_removed.json", {
'revision': revision,
'attachment': attachment
})
def remove_module(request, revision_id):
"""
Remove module from PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to remove a module from package (%s) "
"by non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
filenames = request.POST.get('filename').split(',')
revision.add_commit_message('module removed')
try:
removed_modules, removed_dirs = revision.modules_remove_by_path(
filenames)
except Module.DoesNotExist:
log_msg = 'Attempt to delete a non existing module(s) %s from %s.' % (
str(filenames), revision_id)
log.warning(log_msg)
return HttpResponseForbidden(
'There is no such module in %s' % escape(
revision.package.full_name))
return render_json(request,
"json/module_removed.json",
{'revision': revision,
'removed_modules': simplejson.dumps(removed_modules),
'removed_dirs': simplejson.dumps(removed_dirs)})
def remove_attachment(request, revision_id):
"""
Remove attachment from PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ('[security] Attempt to remove attachment from revision '
'(%s) by non-owner (%s)' % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
uid = request.POST.get('uid', '').strip()
attachment = get_object_with_related_or_404(Attachment,
pk=uid, revisions=revision)
if not attachment:
log_msg = ('Attempt to remove a non existing attachment. attachment: '
'%s, revision: %s.' % (uid, revision_id))
log.warning(log_msg)
return HttpResponseForbidden(
'There is no such attachment in %s' % escape(
revision.package.full_name))
revision.attachment_remove(attachment)
return render_json(request,
"json/attachment_removed.json",
{'revision': revision, 'attachment': attachment})
def rmdir(request, pk, target, path):
"""
Remove attachment from PackageRevision
"""
revision = get_object_or_404(PackageRevision, pk=pk)
if target not in ["data", "lib"]:
return HttpResponseForbidden
if target == "lib":
return HttpResponseForbidden("not supported yet")
revision.attachment_rmdir(path) if target == "data" else revision.modules_rmdir(path)
return render_json(request, "%s_rmdir.json" % target, {"revision": revision, "path": path})
def remove_folder(request, revision_id):
" removes an EmptyDir from a revision "
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to remove a folder from revision (%s) "
"by non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
foldername, root = (pathify(request.POST.get('name', '')),
request.POST.get('root_dir'))
try:
folder = revision.folders.get(name=foldername, root_dir=root)
except EmptyDir.DoesNotExist:
response = None
if root == 'data':
response = revision.attachment_rmdir(foldername)
if not response:
log_msg = 'Attempt to delete a non existing folder %s from %s.' % (
foldername, revision_id)
log.warning(log_msg)
return HttpResponseForbidden('There is no such folder in %s' %
escape(revision.package.full_name))
revision, removed_attachments, removed_emptydirs = response
return render_json(
request, 'json/%s_rmdir.json' % root, {
'revision': revision,
'path': foldername,
'removed_attachments': simplejson.dumps(removed_attachments),
'removed_dirs': simplejson.dumps(removed_emptydirs),
'foldername': foldername
})
else:
revision.folder_remove(folder)
return render_json(request, "json/folder_removed.json", {
'revision': revision,
'folder': folder
})
def disable(request, pk):
"""
Disable Package and return confirmation
"""
package = get_object_or_404(Package, pk=pk)
if request.user.pk != package.author.pk:
log_msg = "User %s wanted to disable not his own Package %s." % (request.user, pk)
log.warning(log_msg)
return HttpResponseForbidden("You are not the author of this %s" % escape(package.get_type_name()))
package.disable()
return render_json(request, "json/package_disabled.json", {"package": package})
def delete(request, pk):
"""
Delete Package and return confirmation
"""
package = get_object_or_404(Package, pk=pk)
if request.user.pk != package.author.pk:
log_msg = "[security] Attempt to delete package (%s) by " "non-owner (%s)" % (pk, request.user)
log.warning(log_msg)
return HttpResponseForbidden("You are not the author of this %s" % escape(package.get_type_name()))
package.delete()
return render_json(request, "json/package_deleted.json")
def remove_folder(request, revision_id):
" removes an EmptyDir from a revision "
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to remove a folder from revision (%s) "
"by non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
foldername, root = (
pathify(request.POST.get('name', '')),
request.POST.get('root_dir'))
try:
folder = revision.folders.get(name=foldername, root_dir=root)
except EmptyDir.DoesNotExist:
response = None
if root == 'data':
response = revision.attachment_rmdir(foldername)
if not response:
log_msg = 'Attempt to delete a non existing folder %s from %s.' % (
foldername, revision_id)
log.warning(log_msg)
return HttpResponseForbidden(
'There is no such folder in %s' % escape(
revision.package.full_name))
revision, removed_attachments, removed_emptydirs = response
return render_json(request,
'json/%s_rmdir.json' % root, {
'revision': revision, 'path': foldername,
'removed_attachments': simplejson.dumps(removed_attachments),
'removed_dirs': simplejson.dumps(removed_emptydirs),
'foldername': foldername})
else:
revision.folder_remove(folder)
return render_json(request,
"json/folder_removed.json",
{'revision': revision, 'folder': folder})
def remove_folder(request, revision_id):
" removes an EmptyDir from a revision "
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = "[security] Attempt to remove a folder from revision (%s) " "by non-owner (%s)" % (
revision_id,
request.user,
)
log.warning(log_msg)
return HttpResponseForbidden("You are not the author of this Package")
foldername, root = (pathify(request.POST.get("name", "")), request.POST.get("root_dir"))
try:
folder = revision.folders.get(name=foldername, root_dir=root)
except EmptyDir.DoesNotExist:
response = None
if root == "data":
response = revision.attachment_rmdir(foldername)
if not response:
log_msg = "Attempt to delete a non existing folder %s from %s." % (foldername, revision_id)
log.warning(log_msg)
return HttpResponseForbidden("There is no such folder in %s" % escape(revision.package.full_name))
revision, removed_attachments, removed_emptydirs = response
return render_json(
request,
"json/%s_rmdir.json" % root,
{
"revision": revision,
"path": foldername,
"removed_attachments": simplejson.dumps(removed_attachments),
"removed_dirs": simplejson.dumps(removed_emptydirs),
"foldername": foldername,
},
)
else:
revision.folder_remove(folder)
return render_json(request, "json/folder_removed.json", {"revision": revision, "folder": folder})
def rmdir(request, pk, target, path):
"""
Remove attachment from PackageRevision
"""
revision = get_object_or_404(PackageRevision, pk=pk)
if target not in ['data', 'lib']:
return HttpResponseForbidden
if target == 'lib':
return HttpResponseForbidden('not supported yet')
revision.attachment_rmdir(path) if target == 'data' else \
revision.modules_rmdir(path)
return render_json(request,
'%s_rmdir.json' % target, {'revision': revision, 'path': path})
def delete(request, pk):
"""
Delete Package and return confirmation
"""
package = get_object_or_404(Package, pk=pk)
if request.user.pk != package.author.pk:
log_msg = ("[security] Attempt to delete package (%s) by "
"non-owner (%s)" % (pk, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this %s' %
escape(package.get_type_name()))
package.delete()
return render_json(request, "json/package_deleted.json")
def rename_module(request, revision_id):
"""
Rename a module in a PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to rename a module to package (%s) by "
"non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
old_name = request.POST.get('old_filename')
new_name = request.POST.get('new_filename')
if old_name == 'main':
return HttpResponseForbidden(
'Sorry, you cannot change the name of the main module.'
)
if not revision.validate_module_filename(new_name):
return HttpResponseForbidden(
('Sorry, there is already a module in your add-on '
'with the name "%s". Each module in your add-on '
'needs to have a unique name.') % new_name
)
modules = revision.modules.all()
module = None
for mod in modules:
if mod.filename == old_name:
module = mod
if not module:
log_msg = 'Attempt to rename a non existing module %s from %s.' % (
old_name, revision_id)
log.warning(log_msg)
return HttpResponseForbidden(
'There is no such module in %s' % escape(
revision.package.full_name))
module.filename = new_name
revision.add_commit_message('module renamed')
revision.update(module)
return render_json(request,
"json/module_renamed.json",
{'revision': revision, 'module': module})
def library_autocomplete(request):
"""
'Live' search by name
"""
try:
query = request.GET.get('q')
limit = request.GET.get('limit', settings.LIBRARY_AUTOCOMPLETE_LIMIT)
found = Package.objects.libraries().exclude(
name='jetpack-core').filter(
Q(name__icontains=query) | Q(full_name__icontains=query)
)[:limit]
except:
found = []
return render_json(request,
'json/library_autocomplete.json', {'libraries': found})
def disable(request, pk):
"""
Disable Package and return confirmation
"""
package = get_object_or_404(Package, pk=pk)
if request.user.pk != package.author.pk:
log_msg = 'User %s wanted to disable not his own Package %s.' % (
request.user, pk)
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this %s' %
escape(package.get_type_name()))
package.disable()
return render_json(request, "json/package_disabled.json",
{'package': package})
def rmdir(request, pk, target, path):
"""
Remove attachment from PackageRevision
"""
revision = get_object_or_404(PackageRevision, pk=pk)
if target not in ['data', 'lib']:
return HttpResponseForbidden
if target == 'lib':
return HttpResponseForbidden('not supported yet')
revision.attachment_rmdir(path) if target == 'data' else \
revision.modules_rmdir(path)
return render_json(request, '%s_rmdir.json' % target, {
'revision': revision,
'path': path
})
def rename_module(request, revision_id):
"""
Rename a module in a PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to rename a module to package (%s) by "
"non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
old_name = request.POST.get('old_filename')
new_name = request.POST.get('new_filename')
if old_name == 'main':
return HttpResponseForbidden(
'Sorry, you cannot change the name of the main module.')
if not revision.validate_module_filename(new_name):
return HttpResponseForbidden(
('Sorry, there is already a module in your add-on '
'with the name "%s". Each module in your add-on '
'needs to have a unique name.') % new_name)
modules = revision.modules.all()
module = None
for mod in modules:
if mod.filename == old_name:
module = mod
if not module:
log_msg = 'Attempt to rename a non existing module %s from %s.' % (
old_name, revision_id)
log.warning(log_msg)
return HttpResponseForbidden('There is no such module in %s' %
escape(revision.package.full_name))
module.filename = new_name
revision.add_commit_message('module renamed')
revision.update(module)
return render_json(request, "json/module_renamed.json", {
'revision': revision,
'module': module
})
def activate(request, id_number):
"""
Undelete Package and return confirmation
"""
package = get_object_or_404(Package, id_number=id_number)
if request.user.pk != package.author.pk:
log_msg = ("[security] Attempt to activate package (%s) by "
"non-owner (%s)" % (id_number, request.user))
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
package.get_type_name()))
package.enable()
return render_json(request,
"json/package_activated.json",
{'package': package})
def disable(request, id_number):
"""
Disable Package and return confirmation
"""
package = get_object_or_404(Package, id_number=id_number)
if request.user.pk != package.author.pk:
log_msg = 'User %s wanted to disable not his own Package %s.' % (
request.user, id_number)
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
package.get_type_name()))
package.disable()
return render_json(request,
"json/package_disabled.json",
{'package': package})
def switch_sdk(request, revision_id):
" switch SDK used to create XPI - sdk_id from POST "
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
return HttpResponseForbidden('You are not the author of this Add-on')
sdk_id = request.POST.get('id', None)
sdk = get_object_or_404(SDK, id=sdk_id)
old_sdk = revision.sdk
log.info('Addon %s (%s) switched from Add-on Kit version %s to %s' % (
revision.package.full_name, revision.package.id_number,
old_sdk.version, sdk.version))
revision.sdk = sdk
revision.add_commit_message('Switched to Add-on Kit %s' % sdk.version)
revision.save()
return render_json(request,
"json/sdk_switched.json",
{'revision': revision, 'sdk': sdk,
'sdk_lib': revision.get_sdk_revision()})
def switch_sdk(request, revision_id):
" switch SDK used to create XPI - sdk_id from POST "
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
return HttpResponseForbidden('You are not the author of this Add-on')
sdk_id = request.POST.get('id', None)
sdk = get_object_or_404(SDK, id=sdk_id)
old_sdk = revision.sdk
log.info('Addon %s (%s) switched from Add-on Kit version %s to %s' %
(revision.package.full_name, revision.package.id_number,
old_sdk.version, sdk.version))
revision.sdk = sdk
revision.add_commit_message('Switched to Add-on Kit %s' % sdk.version)
revision.save()
return render_json(request, "json/sdk_switched.json", {
'revision': revision,
'sdk': sdk,
'sdk_lib': revision.get_sdk_revision()
})
def rename_attachment(request, id_number, type_id, revision_number):
"""
Rename an attachment in a PackageRevision
"""
revision = get_package_revision(id_number, type_id, revision_number)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to rename attachment in package (%s) "
"by non-owner (%s)" % (id_number, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
uid = request.POST.get('uid', '').strip()
try:
attachment = revision.attachments.get(pk=uid)
except:
log_msg = ('Attempt to rename a non existing attachment. attachment: '
'%s, package: %s.' % (uid, id_number))
log.warning(log_msg)
return HttpResponseForbidden(
'There is no such attachment in %s' % escape(
revision.package.full_name))
new_name = request.POST.get('new_filename')
new_ext = request.POST.get('new_ext') or attachment.ext
if not revision.validate_attachment_filename(new_name, new_ext):
return HttpResponseForbidden(
('Sorry, there is already an attachment in your add-on '
'with the name "%s.%s". Each attachment in your add-on '
'needs to have a unique name.') % (new_name, attachment.ext)
)
attachment.filename = new_name
attachment.ext = new_ext
attachment = revision.update(attachment)
return render_json(request,
"json/attachment_renamed.json",
{'revision': revision, 'attachment': attachment})
def copy(request, id_number, type_id,
revision_number=None, version_name=None):
"""
Copy package - create a duplicate of the Package, set user as author
"""
source = get_package_revision(id_number, type_id, revision_number,
version_name)
try:
package = Package.objects.get(
full_name=source.package.get_copied_full_name(),
author__username=request.user.username
)
except Package.DoesNotExist:
package = source.package.copy(request.user)
source.save_new_revision(package)
return render_json(request,
"json/%s_copied.json" % package.get_type_name(),
{'revision': source})
return HttpResponseForbidden('You already have a %s with that name' %
escape(source.package.get_type_name()))
def remove_attachment(request, revision_id):
"""
Remove attachment from PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = "[security] Attempt to remove attachment from revision " "(%s) by non-owner (%s)" % (
revision_id,
request.user,
)
log.warning(log_msg)
return HttpResponseForbidden("You are not the author of this Package")
uid = request.POST.get("uid", "").strip()
attachment = get_object_with_related_or_404(Attachment, pk=uid, revisions=revision)
if not attachment:
log_msg = "Attempt to remove a non existing attachment. attachment: " "%s, revision: %s." % (uid, revision_id)
log.warning(log_msg)
return HttpResponseForbidden("There is no such attachment in %s" % escape(revision.package.full_name))
revision.attachment_remove(attachment)
return render_json(request, "json/attachment_removed.json", {"revision": revision, "attachment": attachment})
log.debug("[copy: %s] Copying started from (%s)" % (revision_id, source))
# save package
try:
package = source.package.copy(request.user)
except IntegrityError, err:
log.critical(("[copy: %s] Package copy failed") % revision_id)
return HttpResponseForbidden("You already have a %s with that name" % escape(source.package.get_type_name()))
# save revision with all dependencies
source.save_new_revision(package)
copied = source
del source
log.info("[copy: %s] Copied to %s, (%s)" % (revision_id, copied.pk, copied.full_name))
return render_json(request, "json/%s_copied.json" % package.get_type_name(), {"revision": copied})
@login_required
def disable(request, pk):
"""
Disable Package and return confirmation
"""
package = get_object_or_404(Package, pk=pk)
if request.user.pk != package.author.pk:
log_msg = "User %s wanted to disable not his own Package %s." % (request.user, pk)
log.warning(log_msg)
return HttpResponseForbidden("You are not the author of this %s" % escape(package.get_type_name()))
package.disable()
try:
package = source.package.copy(request.user)
except IntegrityError, err:
log.critical(("[copy: %s] Package copy failed") % revision_id)
return HttpResponseForbidden('You already have a %s with that name' %
escape(source.package.get_type_name()))
# save revision with all dependencies
source.save_new_revision(package)
copied = source
del source
log.info('[copy: %s] Copied to %s, (%s)' %
(revision_id, copied.pk, copied.full_name))
return render_json(request,
"json/%s_copied.json" % package.get_type_name(),
{'revision': copied})
@login_required
def disable(request, pk):
"""
Disable Package and return confirmation
"""
package = get_object_or_404(Package, pk=pk)
if request.user.pk != package.author.pk:
log_msg = 'User %s wanted to disable not his own Package %s.' % (
request.user, pk)
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this %s' %
escape(package.get_type_name()))
def latest_dependencies(request, revision_id):
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
out_of_date = revision.get_outdated_dependency_versions()
return render_json(request, 'json/latest_dependencies.json',
{'revisions': out_of_date})
mod = Module(
filename=filename,
author=request.user,
code="""// %s.js - %s's module
// author: %s""" % (filename, revision.package.full_name,
request.user.get_profile())
)
try:
mod.save()
revision.module_add(mod)
except FilenameExistException, err:
mod.delete()
return HttpResponseForbidden(escape(str(err)))
return render_json(request,
"json/module_added.json",
{'revision': revision, 'module': mod})
@require_POST
@login_required
def rename_module(request, id_number, type_id, revision_number):
"""
Rename a module in a PackageRevision
"""
revision = get_package_revision(id_number, type_id, revision_number)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to rename a module to package (%s) by "
"non-owner (%s)" % (id_number, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
def latest_dependencies(request, id_number, type_id, revision_number):
revision = get_package_revision(id_number, type_id, revision_number)
out_of_date = revision.get_outdated_dependency_versions()
return render_json(request,
'json/latest_dependencies.json', {'revisions': out_of_date})
try:
package = source.package.copy(request.user)
except IntegrityError, err:
log.critical(("[copy: %s] Package copy failed") % revision_id)
return HttpResponseForbidden('You already have a %s with that name' %
escape(source.package.get_type_name()))
# save revision with all dependencies
source.save_new_revision(package)
copied = source
del source
log.info('[copy: %s] Copied to %s, (%s)' % (revision_id, copied.pk,
copied.full_name))
return render_json(request,
"json/%s_copied.json" % package.get_type_name(),
{'revision': copied})
@login_required
def disable(request, pk):
"""
Disable Package and return confirmation
"""
package = get_object_or_404(Package, pk=pk)
if request.user.pk != package.author.pk:
log_msg = 'User %s wanted to disable not his own Package %s.' % (
request.user, pk)
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
def latest_dependencies(request, revision_id):
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
out_of_date = revision.get_outdated_dependency_versions()
return render_json(request,
'json/latest_dependencies.json', {'revisions': out_of_date})
