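def save_sheet_api(request):
	"""
	API endpoint that saves (creates or updates) a source sheet.

	Only POST is supported; GET is answered with an error response and any
	other method falls through (returns None) as before.  The acting user is
	either the logged-in ``request.user`` or, for anonymous callers, the user
	bound to the ``apikey`` POST field (looked up in ``db.apikeys``).  The
	sheet itself is read from the ``json`` POST field.

	Returns a ``jsonResponse``: the saved sheet as returned by ``save_sheet``
	on success, otherwise a dict with a single ``"error"`` key.  Malformed
	client input (missing or invalid JSON, payload that is not an object,
	missing ``sources``/``title``) is reported as such an error dict instead
	of escaping as an unhandled exception.
	"""
	if request.method == "GET":
		return jsonResponse({"error": "Unsupported HTTP method."})

	if request.method == "POST":
		# --- identify the caller --------------------------------------
		if not request.user.is_authenticated:
			key = request.POST.get("apikey")
			if not key:
				return jsonResponse({"error": "You must be logged in or use an API key to save."})
			apikey = db.apikeys.find_one({"key": key})
			if not apikey:
				return jsonResponse({"error": "Unrecognized API key."})
			user = User.objects.get(id=apikey["uid"])
		else:
			apikey = None
			user = request.user

		# --- parse and validate the payload ---------------------------
		sheet, error = _load_sheet_payload(request.POST.get("json"))
		if error:
			return jsonResponse({"error": error})

		# --- resolve the stored sheet, if any (single fetch) ----------
		existing = None
		if "id" in sheet:
			existing = get_sheet(sheet["id"])
			if "error" in existing:
				# An id that cannot be resolved is treated as a new sheet.
				# This matches the previous behaviour, which skipped the
				# permission check in that case; `save_sheet` decides what
				# to do with the supplied id.
				existing = None
			else:
				if apikey and "dateModified" in existing:
					# lastModified is normally set by the frontend; API-key
					# clients don't send it, so mirror the stored dateModified
					# so the staleness check inside `save_sheet` passes.
					sheet["lastModified"] = existing["dateModified"]
				# NOTE(review): can_add/can_publish are evaluated against
				# request.user (anonymous on the API-key path) while can_edit
				# uses the resolved user -- confirm this asymmetry is intended
				# before changing it.
				if (not can_edit(user, existing)
						and not can_add(request.user, existing)
						and not can_publish(request.user, existing)):
					return jsonResponse({"error": "You don't have permission to edit this sheet."})

		# --- sanitise client-supplied content -------------------------
		sheet["sources"] = [clean_source(source) for source in sheet["sources"]]
		sheet["title"] = bleach_text(sheet["title"])
		if "summary" in sheet:
			sheet["summary"] = bleach_text(sheet["summary"])

		_apply_group_restrictions(sheet, existing, user)

		# NOTE(review): POST values arrive as strings, so any non-empty value
		# (including "false") is truthy here; confirm what `save_sheet`
		# expects for rebuild_nodes.
		rebuild_nodes = request.POST.get('rebuildNodes', False)
		response_sheet = save_sheet(sheet, user.id, rebuild_nodes=rebuild_nodes)
		if response_sheet.get("rebuild"):
			# Only annotate user links when the client will use the
			# response to rebuild the sheet.
			response_sheet["sources"] = annotate_user_links(response_sheet["sources"])

		return jsonResponse(response_sheet)


def _load_sheet_payload(raw):
	"""
	Decode the ``json`` POST field into a sheet dict.

	Returns ``(sheet, None)`` on success, or ``(None, message)`` when the
	field is missing, is not valid JSON, is not a JSON object, or lacks the
	``sources`` list / ``title`` key that the save path indexes
	unconditionally.
	"""
	if not raw:
		return None, "No JSON given in post data."
	try:
		sheet = json.loads(raw)
	except ValueError:
		# json.JSONDecodeError is a ValueError subclass; ValueError also
		# covers older interpreters that lack the dedicated class.
		return None, "Invalid JSON in post data."
	if not isinstance(sheet, dict):
		return None, "Sheet JSON must be an object."
	if not isinstance(sheet.get("sources"), list):
		return None, "Sheet JSON must contain a 'sources' list."
	if "title" not in sheet:
		return None, "Sheet JSON is missing required field 'title'."
	return sheet, None


def _apply_group_restrictions(sheet, existing, user):
	"""
	Quietly enforce group membership and publishing rules on ``sheet`` in place.

	A sheet may only be filed under a group the user belongs to.  A user who
	cannot publish to that group cannot create a listed sheet, move a sheet
	into the group as listed, or change the status of an existing sheet.
	``existing`` is the stored sheet (or None for a new one).
	"""
	if not sheet.get("group", None):
		return

	member_of = [g["name"] for g in get_user_groups(user.id)]
	if sheet["group"] not in member_of:
		# Non-members cannot add a sheet to the group.
		sheet["group"] = None

	if can_publish(user, sheet):
		return

	if not existing:
		sheet["status"] = "unlisted"
	elif existing.get("group", None) != sheet["group"]:
		# Non-publishers cannot add a new public sheet to the group.
		sheet["status"] = "unlisted"
	elif existing["status"] != sheet.get("status"):
		# Non-publishers cannot change the status of an existing sheet.
		sheet["status"] = existing["status"]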
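def save_sheet_api(request):
	"""
	API endpoint that saves (creates or updates) a source sheet.

	Only POST is supported; GET is answered with an error response and any
	other method falls through (returns None) as before.  The acting user is
	either the logged-in ``request.user`` or, for anonymous callers, the user
	bound to the ``apikey`` POST field (looked up in ``db.apikeys``).  The
	sheet itself is read from the ``json`` POST field.

	Returns a ``jsonResponse``: the saved sheet as returned by ``save_sheet``
	on success, otherwise a dict with a single ``"error"`` key.  Malformed
	client input (missing or invalid JSON, payload that is not an object,
	missing ``sources``/``title``) is reported as such an error dict instead
	of escaping as an unhandled exception.
	"""
	if request.method == "GET":
		return jsonResponse({"error": "Unsupported HTTP method."})

	if request.method == "POST":
		# --- identify the caller --------------------------------------
		if not request.user.is_authenticated:
			key = request.POST.get("apikey")
			if not key:
				return jsonResponse({"error": "You must be logged in or use an API key to save."})
			apikey = db.apikeys.find_one({"key": key})
			if not apikey:
				return jsonResponse({"error": "Unrecognized API key."})
			user = User.objects.get(id=apikey["uid"])
		else:
			apikey = None
			user = request.user

		# --- parse and validate the payload ---------------------------
		sheet, error = _load_sheet_payload(request.POST.get("json"))
		if error:
			return jsonResponse({"error": error})

		# --- resolve the stored sheet, if any (single fetch) ----------
		existing = None
		if "id" in sheet:
			existing = get_sheet(sheet["id"])
			if "error" in existing:
				# An id that cannot be resolved is treated as a new sheet.
				# This matches the previous behaviour, which skipped the
				# permission check in that case; `save_sheet` decides what
				# to do with the supplied id.
				existing = None
			else:
				if apikey and "dateModified" in existing:
					# lastModified is normally set by the frontend; API-key
					# clients don't send it, so mirror the stored dateModified
					# so the staleness check inside `save_sheet` passes.
					sheet["lastModified"] = existing["dateModified"]
				# NOTE(review): can_add/can_publish are evaluated against
				# request.user (anonymous on the API-key path) while can_edit
				# uses the resolved user -- confirm this asymmetry is intended
				# before changing it.
				if (not can_edit(user, existing)
						and not can_add(request.user, existing)
						and not can_publish(request.user, existing)):
					return jsonResponse({"error": "You don't have permission to edit this sheet."})

		# --- sanitise client-supplied content -------------------------
		sheet["sources"] = [clean_source(source) for source in sheet["sources"]]
		sheet["title"] = bleach_text(sheet["title"])
		if "summary" in sheet:
			sheet["summary"] = bleach_text(sheet["summary"])

		_apply_group_restrictions(sheet, existing, user)

		response_sheet = save_sheet(sheet, user.id)
		if response_sheet.get("rebuild"):
			# Only annotate user links when the client will use the
			# response to rebuild the sheet.
			response_sheet["sources"] = annotate_user_links(response_sheet["sources"])

		return jsonResponse(response_sheet)


def _load_sheet_payload(raw):
	"""
	Decode the ``json`` POST field into a sheet dict.

	Returns ``(sheet, None)`` on success, or ``(None, message)`` when the
	field is missing, is not valid JSON, is not a JSON object, or lacks the
	``sources`` list / ``title`` key that the save path indexes
	unconditionally.
	"""
	if not raw:
		return None, "No JSON given in post data."
	try:
		sheet = json.loads(raw)
	except ValueError:
		# json.JSONDecodeError is a ValueError subclass; ValueError also
		# covers older interpreters that lack the dedicated class.
		return None, "Invalid JSON in post data."
	if not isinstance(sheet, dict):
		return None, "Sheet JSON must be an object."
	if not isinstance(sheet.get("sources"), list):
		return None, "Sheet JSON must contain a 'sources' list."
	if "title" not in sheet:
		return None, "Sheet JSON is missing required field 'title'."
	return sheet, None


def _apply_group_restrictions(sheet, existing, user):
	"""
	Quietly enforce group membership and publishing rules on ``sheet`` in place.

	A sheet may only be filed under a group the user belongs to.  A user who
	cannot publish to that group cannot create a listed sheet, move a sheet
	into the group as listed, or change the status of an existing sheet.
	``existing`` is the stored sheet (or None for a new one).
	"""
	if not sheet.get("group", None):
		return

	member_of = [g["name"] for g in get_user_groups(user.id)]
	if sheet["group"] not in member_of:
		# Non-members cannot add a sheet to the group.
		sheet["group"] = None

	if can_publish(user, sheet):
		return

	if not existing:
		sheet["status"] = "unlisted"
	elif existing.get("group", None) != sheet["group"]:
		# Non-publishers cannot add a new public sheet to the group.
		sheet["status"] = "unlisted"
	elif existing["status"] != sheet.get("status"):
		# Non-publishers cannot change the status of an existing sheet.
		sheet["status"] = existing["status"]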