def serve(self, id, download=False, **kwargs):
"""Serve a :class:`~mediacore.model.media.MediaFile` binary.
:param id: File ID
:type id: ``int``
:param bool download: If true, serve with an Content-Disposition that
makes the file download to the users computer instead of playing
in the browser.
:raises webob.exc.HTTPNotFound: If no file exists with this ID.
:raises webob.exc.HTTPNotAcceptable: If an Accept header field
is present, and if the mimetype of the requested file doesn't
match, then a 406 (not acceptable) response is returned.
"""
file = fetch_row(MediaFile, id=id)
request.perm.assert_permission(u'view', file.media.resource)
file_type = file.mimetype.encode('utf-8')
file_name = file.display_name.encode('utf-8')
file_path = helpers.file_path(file)
if file_path is None:
log.warn('No path exists for requested media file: %r', file)
raise HTTPNotFound()
file_path = file_path.encode('utf-8')
if not os.path.exists(file_path):
log.warn('No such file or directory: %r', file_path)
raise HTTPNotFound()
# Ensure the request accepts files with this container
accept = request.environ.get('HTTP_ACCEPT', '*/*')
if not mimeparse.best_match([file_type], accept):
raise HTTPNotAcceptable() # 406
method = config.get('file_serve_method', None)
headers = []
# Serving files with this header breaks playback on iPhone
if download:
headers.append(('Content-Disposition',
'attachment; filename="%s"' % file_name))
if method == 'apache_xsendfile':
# Requires mod_xsendfile for Apache 2.x
# XXX: Don't send Content-Length or Etag headers,
# Apache handles them for you.
response.headers['X-Sendfile'] = file_path
response.body = ''
elif method == 'nginx_redirect':
# Requires NGINX server configuration:
# NGINX must have a location block configured that matches
# the __mediacore_serve__ path below. It should also be
# configured as an "internal" location to prevent people from
# surfing directly to it.
# For more information see: http://wiki.nginx.org/XSendfile
redirect_filename = '/__mediacore_serve__/%s' % os.path.basename(
file_path)
response.headers['X-Accel-Redirect'] = redirect_filename
else:
app = FileApp(file_path, headers, content_type=file_type)
return forward(app)
response.headers['Content-Type'] = file_type
for header, value in headers:
response.headers[header] = value
return None
def serve(self, id, download=False, **kwargs):
"""Serve a :class:`~mediacore.model.media.MediaFile` binary.
:param id: File ID
:type id: ``int``
:param bool download: If true, serve with an Content-Disposition that
makes the file download to the users computer instead of playing
in the browser.
:raises webob.exc.HTTPNotFound: If no file exists with this ID.
:raises webob.exc.HTTPNotAcceptable: If an Accept header field
is present, and if the mimetype of the requested file doesn't
match, then a 406 (not acceptable) response is returned.
"""
file = fetch_row(MediaFile, id=id)
file_type = file.mimetype.encode('utf-8')
file_name = file.display_name.encode('utf-8')
file_path = helpers.file_path(file)
if file_path is None:
log.warn('No path exists for requested media file: %r', file)
raise HTTPNotFound().exception
file_path = file_path.encode('utf-8')
if not os.path.exists(file_path):
log.warn('No such file or directory: %r', file_path)
raise HTTPNotFound().exception
# Ensure the request accepts files with this container
accept = request.environ.get('HTTP_ACCEPT', '*/*')
if not mimeparse.best_match([file_type], accept):
raise HTTPNotAcceptable().exception # 406
method = config.get('file_serve_method', None)
headers = []
# Serving files with this header breaks playback on iPhone
if download:
headers.append(('Content-Disposition',
'attachment; filename="%s"' % file_name))
if method == 'apache_xsendfile':
# Requires mod_xsendfile for Apache 2.x
# XXX: Don't send Content-Length or Etag headers,
# Apache handles them for you.
response.headers['X-Sendfile'] = file_path
response.body = ''
elif method == 'nginx_redirect':
raise NotImplementedError, 'This is only a placeholder'
response.headers['X-Accel-Redirect'] = '../relative/path'
else:
app = FileApp(file_path, headers, content_type=file_type)
return forward(app)
response.headers['Content-Type'] = file_type
for header, value in headers:
response.headers[header] = value
return None
def _handle_request(self, environ, start_response):
if not is_mercurial(environ):
return self.application(environ, start_response)
if not self._check_ssl(environ, start_response):
return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
ip_addr = self._get_ip_addr(environ)
username = None
# skip passing error to error controller
environ['pylons.status_code_redirect'] = True
#======================================================================
# EXTRACT REPOSITORY NAME FROM ENV
#======================================================================
try:
repo_name = environ['REPO_NAME'] = self.__get_repository(environ)
log.debug('Extracted repo name is %s' % repo_name)
except Exception:
return HTTPInternalServerError()(environ, start_response)
# quick check if that dir exists...
if not is_valid_repo(repo_name, self.basepath, 'hg'):
return HTTPNotFound()(environ, start_response)
#======================================================================
# GET ACTION PULL or PUSH
#======================================================================
action = self.__get_action(environ)
#======================================================================
# CHECK ANONYMOUS PERMISSION
#======================================================================
if action in ['pull', 'push']:
anonymous_user = self.__get_user('default')
username = anonymous_user.username
anonymous_perm = self._check_permission(action, anonymous_user,
repo_name, ip_addr)
if not anonymous_perm or not anonymous_user.active:
if not anonymous_perm:
log.debug('Not enough credentials to access this '
'repository as anonymous user')
if not anonymous_user.active:
log.debug('Anonymous access is disabled, running '
'authentication')
#==============================================================
# DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
# NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
#==============================================================
# Attempting to retrieve username from the container
username = get_container_username(environ, self.config)
# If not authenticated by the container, running basic auth
if not username:
self.authenticate.realm = \
safe_str(self.config['rhodecode_realm'])
result = self.authenticate(environ)
if isinstance(result, str):
AUTH_TYPE.update(environ, 'basic')
REMOTE_USER.update(environ, result)
username = result
else:
return result.wsgi_application(environ, start_response)
#==============================================================
# CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
#==============================================================
try:
user = self.__get_user(username)
if user is None or not user.active:
return HTTPForbidden()(environ, start_response)
username = user.username
except Exception:
log.error(traceback.format_exc())
return HTTPInternalServerError()(environ, start_response)
#check permissions for this repository
perm = self._check_permission(action, user, repo_name, ip_addr)
if not perm:
return HTTPForbidden()(environ, start_response)
# extras are injected into mercurial UI object and later available
# in hg hooks executed by rhodecode
from rhodecode import CONFIG
server_url = get_server_url(environ)
extras = {
'ip': ip_addr,
'username': username,
'action': action,
'repository': repo_name,
'scm': 'hg',
'config': CONFIG['__file__'],
'server_url': server_url,
'make_lock': None,
'locked_by': [None, None]
}
#======================================================================
# MERCURIAL REQUEST HANDLING
#======================================================================
str_repo_name = safe_str(repo_name)
repo_path = os.path.join(safe_str(self.basepath), str_repo_name)
log.debug('Repository path is %s' % repo_path)
# CHECK LOCKING only if it's not ANONYMOUS USER
if username != User.DEFAULT_USER:
log.debug('Checking locking on repository')
(make_lock, locked,
locked_by) = self._check_locking_state(environ=environ,
action=action,
repo=repo_name,
user_id=user.user_id)
# store the make_lock for later evaluation in hooks
extras.update({'make_lock': make_lock, 'locked_by': locked_by})
fix_PATH()
log.debug('HOOKS extras is %s' % extras)
baseui = make_ui('db')
self.__inject_extras(repo_path, baseui, extras)
try:
log.info('%s action on HG repo "%s" by "%s" from %s' %
(action, str_repo_name, safe_str(username), ip_addr))
app = self.__make_app(repo_path, baseui, extras)
return app(environ, start_response)
except RepoError, e:
if str(e).find('not found') != -1:
return HTTPNotFound()(environ, start_response)
def _handle_request(self, environ, start_response):
if not self._check_ssl(environ, start_response):
reason = ('SSL required, while RhodeCode was unable '
'to detect this as SSL request')
log.debug('User not allowed to proceed, %s', reason)
return HTTPNotAcceptable(reason)(environ, start_response)
ip_addr = get_ip_addr(environ)
username = None
# skip passing error to error controller
environ['pylons.status_code_redirect'] = True
# ======================================================================
# EXTRACT REPOSITORY NAME FROM ENV
# ======================================================================
environ['PATH_INFO'] = self._get_by_id(environ['PATH_INFO'])
repo_name = self._get_repository_name(environ)
environ['REPO_NAME'] = repo_name
log.debug('Extracted repo name is %s', repo_name)
# check for type, presence in database and on filesystem
if not self.is_valid_and_existing_repo(repo_name, self.basepath,
self.SCM):
return HTTPNotFound()(environ, start_response)
# ======================================================================
# GET ACTION PULL or PUSH
# ======================================================================
action = self._get_action(environ)
# ======================================================================
# CHECK ANONYMOUS PERMISSION
# ======================================================================
if action in ['pull', 'push']:
anonymous_user = User.get_default_user()
username = anonymous_user.username
if anonymous_user.active:
# ONLY check permissions if the user is activated
anonymous_perm = self._check_permission(
action, anonymous_user, repo_name, ip_addr)
else:
anonymous_perm = False
if not anonymous_user.active or not anonymous_perm:
if not anonymous_user.active:
log.debug('Anonymous access is disabled, running '
'authentication')
if not anonymous_perm:
log.debug('Not enough credentials to access this '
'repository as anonymous user')
username = None
# ==============================================================
# DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
# NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
# ==============================================================
# try to auth based on environ, container auth methods
log.debug(
'Running PRE-AUTH for container based authentication')
pre_auth = authenticate('', '', environ, VCS_TYPE)
if pre_auth and pre_auth.get('username'):
username = pre_auth['username']
log.debug('PRE-AUTH got %s as username', username)
# If not authenticated by the container, running basic auth
if not username:
self.authenticate.realm = \
safe_str(self.config['rhodecode_realm'])
try:
result = self.authenticate(environ)
except (UserCreationError,
NotAllowedToCreateUserError) as e:
log.error(e)
reason = safe_str(e)
return HTTPNotAcceptable(reason)(environ,
start_response)
if isinstance(result, str):
AUTH_TYPE.update(environ, 'basic')
REMOTE_USER.update(environ, result)
username = result
else:
return result.wsgi_application(environ, start_response)
# ==============================================================
# CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
# ==============================================================
user = User.get_by_username(username)
if not self.valid_and_active_user(user):
return HTTPForbidden()(environ, start_response)
username = user.username
user.update_lastactivity()
meta.Session().commit()
# check user attributes for password change flag
user_obj = user
if user_obj and user_obj.username != User.DEFAULT_USER and \
user_obj.user_data.get('force_password_change'):
reason = 'password change required'
log.debug('User not allowed to authenticate, %s', reason)
return HTTPNotAcceptable(reason)(environ, start_response)
# check permissions for this repository
perm = self._check_permission(action, user, repo_name, ip_addr)
if not perm:
return HTTPForbidden()(environ, start_response)
# extras are injected into UI object and later available
# in hooks executed by rhodecode
check_locking = _should_check_locking(environ.get('QUERY_STRING'))
extras = vcs_operation_context(environ,
repo_name=repo_name,
username=username,
action=action,
scm=self.SCM,
check_locking=check_locking)
# ======================================================================
# REQUEST HANDLING
# ======================================================================
str_repo_name = safe_str(repo_name)
repo_path = os.path.join(safe_str(self.basepath), str_repo_name)
log.debug('Repository path is %s', repo_path)
fix_PATH()
log.info('%s action on %s repo "%s" by "%s" from %s', action, self.SCM,
str_repo_name, safe_str(username), ip_addr)
return self._generate_vcs_response(environ, start_response, repo_path,
repo_name, extras, action)
