def api_delete_navigation(nid):
    """Delete navigation entry *nid* and clear the cached navigation list.

    Raises ``notfound`` when *nid* is empty or no such entry exists.
    Returns ``{'result': True}`` on success.
    """
    entry = Navigations.get_by_id(nid) if nid else None
    if entry is None:
        raise notfound()
    entry.delete()
    # the rendered navigation is cached (see _clear_navigations_cache);
    # drop it so the deletion is visible on the next request
    _clear_navigations_cache()
    return {'result': True}
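def get_image_url(atta_id, index):
    """Redirect to the URL of one rendition of image attachment *atta_id*.

    index = 0 (origin), 1 (large), 2 (medium), 3 (small)...
    An *index* beyond the last rendition falls back to the last one; a
    negative *index* counts from the end (plain Python indexing).

    Raises ``notfound`` when the attachment does not exist, is not an
    image, or has no stored resources; always finishes by raising
    ``redirect``.
    """
    # local import: the module's import block is not part of this view
    from functools import cmp_to_key

    a = Attachments.get_by_id(atta_id)
    if not a:
        raise notfound()
    if not a.kind.startswith('image/'):
        raise notfound()
    rs = Resources.select('where ref_id=?', atta_id)
    if not rs:
        # used to hit IndexError on rs[-1] for an attachment without resources
        raise notfound()
    # cmp_to_key keeps the existing comparator usable on Python 3 as well
    rs.sort(key=cmp_to_key(_cmp_image))
    url = rs[-1].url if index >= len(rs) else rs[index].url
    raise redirect(url)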
def _manage(app, func):
    """Dispatch a management request to function *func* of registered app *app*.

    Redirects to the sign-in page when nobody is signed in; raises
    ``notfound`` when the app or the function is unknown. When the handler
    returns a ``Template`` the current user and the app list are injected
    into its model.
    """
    if ctx.user is None:
        raise seeother('/auth/signin')
    module = _apps.get(app)
    handler = getattr(module, func, None) if module is not None else None
    if handler is None:
        raise notfound()
    result = handler()
    if isinstance(result, Template):
        result.model['__user__'] = ctx.user
        result.model['__apps__'] = _apps_list
    return result
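def movie(movie_id):
    """Render the detail page of movie *movie_id*.

    Records (or refreshes) the viewing history of the signed-in user, loads
    the 1000 newest reviews and the user's own review.
    Raises ``notfound`` when the movie, or its details, cannot be loaded.
    """
    user = ctx.request.user
    movie = Movie.get(movie_id)
    if movie is None:
        # reject unknown ids before calling the details helper; it used to
        # receive None for them
        raise notfound()
    movie = _get_movie_details(movie)
    if movie is None:
        raise notfound()
    movie.html_summary = markdown2.markdown(movie.summary)
    if user:
        history = History.find_first('where user_id=? and movie_id=?', user.id, movie_id)
        if not history:
            history = History(user_id=user.id, movie_id=movie_id)
            history.insert()
        else:
            # seen before: refresh the timestamp instead of inserting a duplicate row
            history.created_at = time.time()
            history.update()
    reviews = Review.find_by('where movie_id=? order by created_at desc limit 1000', movie_id)
    user_review = ''
    if user:
        user_review = Review.find_first('where user_id=? and movie_id=?', user.id, movie_id)
    return dict(movie=movie, reviews=reviews, user=user, user_review=user_review)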
def blog(blog_id):
    """Render blog *blog_id* with its 1000 newest comments; ``notfound`` when unknown."""
    post = Blog.get(blog_id)
    if post is None:
        raise notfound()
    post.html_content = markdown2.markdown(post.content)
    recent = Comment.find_by('where blog_id=? order by created_at desc limit 1000', blog_id)
    return {'blog': post, 'comments': recent, 'user': ctx.request.user}
def _get_attachment(atta_id, index):
    """Serve resource number *index* of attachment *atta_id*.

    ``resource_ids`` is a comma-separated list. *index* may be -1, which
    selects the last resource through Python's negative indexing; any
    other out-of-range index, or an unknown attachment, raises ``notfound``.
    """
    atta = Attachments.get_by_id(atta_id)
    if not atta:
        raise notfound()
    ids = atta.resource_ids.split(',')
    if -1 <= index < len(ids):
        return _get_resource(ids[index])
    raise notfound()
def api_edit_scan(type, id):
    """Admin-only: load sqlmap scan *id* for the edit form.

    Only ``type == "sqlmap"`` is supported; any other type raises
    ``notfound``. All returned values pass through ``content_escape``.
    """
    check_admin()
    if type != "sqlmap":
        raise notfound()
    # parameterized lookup; the id is escaped first, as before
    record = Sqlmap.find_by('where id = ?', content_escape(id))
    return {
        'type': content_escape(type),
        'id': content_escape(id),
        'sqlmap': content_escape(record),
    }
def api_update_page(pid):
    """Apply the submitted fields (name, tags, draft, content) to page *pid*.

    Only fields present in the request input are touched and ``update()``
    runs only when something changed. Raises ``notfound`` for an unknown
    page; ``assert_not_empty`` rejects an empty name or content.
    Returns ``{'_id': ...}``.
    """
    page = Pages.get_by_id(pid)
    if page is None:
        raise notfound()
    form = ctx.request.input()
    dirty = False
    if 'name' in form:
        page.name = assert_not_empty(form.name, 'name')
        dirty = True
    if 'tags' in form:
        page.tags = texts.format_tags(form.tags)
        dirty = True
    if 'draft' in form:
        wants_draft = form.draft.lower() == 'true'
        if wants_draft != page.draft:
            page.draft = wants_draft
            dirty = True
    if 'content' in form:
        page.content = assert_not_empty(form.content, 'content')
        dirty = True
    # NOTE(review): the text store is written whenever the object carries a
    # 'content' attribute, not only when content was submitted — confirm that
    # Pages rows loaded by get_by_id do not carry one.
    if hasattr(page, 'content'):
        page.content_id = texts.set(page._id, page.content)
    if dirty:
        page.update()
    return {'_id': page._id}
def pageviews(page_id):
    """Render page *page_id*, converting its ``page_value`` from markdown to HTML."""
    view = Pageviews.get(page_id)
    if view is None:
        raise notfound()
    view.html_content = markdown2.markdown(view.page_value)
    return {'pageview': view, 'user': ctx.request.user}
def api_view_request(request_rid):
    """Admin-only: show the stored request/response pair for *request_rid*.

    Both rows must exist, otherwise ``notfound``. The request is passed
    through ``content_escape`` and the response through ``html_encode``
    before reaching the template.
    """
    check_admin()
    req = Request.find_by('where rid = ?', request_rid)
    resp = Response.find_by('where rid = ?', request_rid)
    if req is None or resp is None:
        raise notfound()
    return {'request': content_escape(req), 'response': html_encode(resp)}
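def api_list_vulns(type):
    """Admin-only: paginated list of requests flagged vulnerable for *type*.

    *type* is one of ``"xss"``, ``"sqli"``, ``"fi"``; anything else raises
    ``notfound``. Returns the escaped type, the escaped request rows and
    the ``Page`` object.
    """
    check_admin()
    # One (count query, list query) pair per supported type. The column
    # name is part of a fixed literal and 'vulnerable' is a bound parameter,
    # so the request-supplied `type` never becomes SQL text.
    queries = {
        "xss": ('where result_xss = ?',
                'where result_xss = ? order by id desc limit ?,?'),
        "sqli": ('where result_sqli = ?',
                 'where result_sqli = ? order by id desc limit ?,?'),
        "fi": ('where result_fi = ?',
               'where result_fi = ? order by id desc limit ?,?'),
    }
    if type not in queries:
        raise notfound()
    count_sql, list_sql = queries[type]
    total = Request.count_by(count_sql, 'vulnerable')
    page = Page(total, _get_page_index())
    requests = Request.find_by(list_sql, 'vulnerable', page.offset, page.limit)
    return dict(type=content_escape(type), requests=content_escape(requests), page=page)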
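def manage_blogs_edit(blog_id):
    """Management: edit-blog page (GET VIEW).

    Loads blog *blog_id* and returns the fields the edit form needs, the
    API endpoint to post to and the post-save redirect. Raises
    ``notfound`` for an unknown id.
    """
    blog = Blog.get(blog_id)
    if blog is None:
        raise notfound()
    # The debugging `print` that dumped the whole model, including the
    # current user object, to stdout was removed: it wrote request data
    # into process logs and was a Python 2-only statement.
    return dict(id=blog.id, name=blog.name, summary=blog.summary, content=blog.content,
                action='/api/blogs/%s' % blog_id, redirect='/manage/blogs',
                user=ctx.request.user)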
def blog(blog_id):
    """Render blog *blog_id* (content converted to HTML) with its 1000 newest comments."""
    entry = Blog.get(blog_id)
    if entry is None:
        raise notfound()
    # change content to html form
    entry.html_content = markdown2.markdown(entry.content)
    thread = Comment.find_by('where blog_id=? order by created_at desc limit 1000', blog_id)
    return {'blog': entry, 'comments': thread, 'user': ctx.request.user}
def blog(blog_id):
    """Render blog *blog_id* with its 100 newest comments; ``notfound`` when unknown."""
    entry = Blog.get(blog_id)
    if entry is None:
        raise notfound()
    # render the markdown body loaded from the database as HTML
    entry.html_content = markdown2.markdown(entry.content)
    thread = Comment.find_by('where blog_id=? order by created_at desc limit 100', blog_id)
    return {'blog': entry, 'comments': thread, 'user': ctx.request.user}
def api_delete_article(aid):
    """Delete article *aid*, then its cover attachment and its comments.

    Raises ``notfound`` for an unknown article. Returns ``{'result': True}``.
    """
    article = Articles.get_by_id(aid)
    if article is None:
        raise notfound()
    article.delete()
    # cascade by hand: cover lives in the uploader store, comments in theirs
    uploaders.delete_attachment(article.cover_id)
    comments.delete_comments(aid)
    return {'result': True}
def manage_movies_edit(movie_id):
    """Management view: edit form model for movie *movie_id*; ``notfound`` when unknown."""
    record = Movie.get(movie_id)
    if record is None:
        raise notfound()
    return {
        'id': record.id,
        'action': '/api/movies/%s' % movie_id,
        'redirect': '/manage/movies',
        'user': ctx.request.user,
    }
def blog(blog_id):
    """Render blog *blog_id*.

    ``xtags`` is the comma-split tag list (only set when tags exist) and
    ``rps`` the three most recently created blogs.
    """
    entry = Blogs.get(blog_id)
    if not entry:
        raise notfound()
    if entry.tags:
        entry.xtags = entry.tags.split(',')
    recent = Blogs.find_by('order by created desc limit ?', 3)
    return {'blog': entry, 'rps': recent}
def attachment(attachment_id):
    """Download an attachment.

    Streams the stored file for *attachment_id* with Content-Length,
    Content-Type and a Content-Disposition carrying both the quoted
    filename and its ``filename*=UTF-8''`` form. Raises ``notfound`` when
    the record, or the file behind it, is missing.
    """
    record = Attachment.get(attachment_id)
    if record is None:
        raise notfound()
    # NOTE(review): local_name comes from the database row; the mapping to a
    # path is delegated to get_local_file_path, which is assumed to confine
    # it to the upload directory — confirm there.
    local_path = get_local_file_path(record.local_name)
    if not (os.path.exists(local_path) and os.path.isfile(local_path)):
        raise notfound()
    encoded_name = quote(record.file_name.encode('utf-8'))
    response = ctx.response
    response.set_header('Content-Length', os.path.getsize(local_path))
    response.set_header('Content-Type', record.file_type)
    response.set_header(
        'Content-Disposition',
        'attachment;filename="%s";filename*=UTF-8\'\'%s' % (encoded_name, encoded_name))
    return static_file_generator(local_path)
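def _get_resource(rid, url=None):
    """Serve resource *rid* from the ``resources`` table.

    When *url* is given it must equal the stored url, otherwise ``notfound``.
    Sets the response content type and length and returns the raw data.
    Also raises ``notfound`` when the row does not exist (assuming
    ``db.select_one`` reports that as ``None``; it was an AttributeError).
    """
    logging.info('Get resource: %s, %s', rid, url)
    r = db.select_one('select url, mime, size, data from resources where _id=?', rid)
    if r is None:
        raise notfound()
    if url and r.url != url:
        raise notfound()
    resp = ctx.response
    resp.content_type = r.mime
    resp.content_length = r.size
    return r.data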
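def blog(blog_id):
    """Render blog *blog_id* with its 1000 newest comments; ``notfound`` when unknown."""
    # The `import pdb; pdb.set_trace()` that opened this handler was removed:
    # a breakpoint in a request handler stops the worker on every hit and
    # exposes an interactive shell on the process's stdin.
    blog = Blog.get(blog_id)
    if blog is None:
        raise notfound()
    blog.html_content = markdown2.markdown(blog.content)
    comments = Comment.find_by('where blog_id=? order by created_at desc limit 1000', blog_id)
    return dict(blog=blog, comments=comments, user=ctx.request.user)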
def _get_site(host):
    """Return the website row whose domain is *host*.

    A disabled site raises ``forbidden``; an unknown host raises ``notfound``.
    """
    rows = db.select('select * from websites where domain=?', host)
    if not rows:
        raise notfound()
    site = rows[0]
    if site.disabled:
        logging.debug('website is disabled: %s' % host)
        raise forbidden()
    return site
def blog(blog_id):
    """Render blog *blog_id*; markdown uses the code-friendly and fenced-code extras."""
    post = Blog.get(blog_id)
    if post is None:
        raise notfound()
    extras = ["code-friendly", "fenced-code-blocks"]
    post.html_content = markdown2.markdown(post.content, extras=extras)
    thread = Comment.find_by('where blog_id=? order by created_at desc limit 1000', blog_id)
    return {'blog': post, 'comments': thread, 'user': ctx.request.user}
def contactlist(id):
    """Return every contact in the same group as contact *id*.

    ``notfound`` for an unknown contact; ``APIResourceNotFoundError`` when
    the group query returns nothing.
    """
    me = Contact.find_first('where id=?', id)
    if me is None:
        raise notfound()
    members = Contact.find_by('where groupid=?', me.groupid)
    if not members:
        raise APIResourceNotFoundError(me.groupid, 'failed')
    return {'contactlist': members, 'group': me.groupid}
def api_view_scan(type):
    """Admin-only: paginated sqlmap scans, most recently updated first.

    Only ``type == "sqlmap"`` is supported; anything else raises ``notfound``.
    """
    check_admin()
    if type != "sqlmap":
        raise notfound()
    page = Page(Sqlmap.count_all(), _get_page_index())
    rows = Sqlmap.find_by('order by update_time desc limit ?,?', page.offset, page.limit)
    return {'type': content_escape(type), 'sqlmaps': content_escape(rows), 'page': page}
def archives():
    """Return the blogs grouped per distinct year, one list per year, newest first."""
    years = db.select('select distinct `year` from `blogs` order by created desc')
    if not years:
        raise notfound()
    grouped = [
        Blogs.find_by('where `year` = ? order by created desc', row.get('year'))
        for row in years
    ]
    return {'xblogs': grouped}
def web_category(cid):
    """Render category *cid*: a page of its articles with publish_time in the past, plus read counters."""
    category = Categories.get_by_id(cid)
    if category is None:
        raise notfound()
    page, articles = page_select(
        Articles,
        'where category_id=? and publish_time<?',
        'where category_id=? and publish_time<? order by publish_time desc',
        cid, time.time())
    # one counters round-trip for every id on the page, attached in order
    counts = counters.counts(a._id for a in articles)
    for article, count in zip(articles, counts):
        article.reads = count
    return {'category': category, 'page': page, 'articles': articles}
def web_wikipage(wid, pid):
    """Render wiki page *pid* of wiki *wid* and bump its read counter.

    Raises ``notfound`` when the page belongs to a different wiki.
    """
    page = _get_full_wikipage(pid)
    if page.wiki_id != wid:
        raise notfound()
    wiki = _get_wiki(wid)
    tree = _get_wikipages(wiki)
    html = texts.md2html(texts.get(page.content_id))
    page.reads = counters.incr(pid)
    return {
        'wiki': wiki,
        'page': page,
        'tree': tree,
        'name': page.name,
        'content': html,
        'comments': comments.get_comments(pid),
    }
def api_create_article_comment(aid):
    """Post a comment on article *aid* as the signed-in user.

    ``APIPermissionError`` when anonymous, ``notfound`` for an unknown
    article; ``assert_not_empty`` rejects an empty comment body.
    """
    if ctx.user is None:
        raise APIPermissionError()
    form = ctx.request.input(content='')
    body = assert_not_empty(form.content, 'content')
    if Articles.get_by_id(aid) is None:
        raise notfound()
    return comments.create_comment('article', aid, body)
def _get_wikipage(wp_id, wiki_id=None):
    """Return wiki page *wp_id*.

    If *wiki_id* is given, the page must belong to that wiki, otherwise
    ``APIValueError`` is raised. An unknown page raises ``notfound``.
    """
    page = WikiPages.get_by_id(wp_id)
    if page is None:
        raise notfound()
    belongs = (not wiki_id) or page.wiki_id == wiki_id
    if not belongs:
        raise APIValueError('wiki_id', 'bad wiki id.')
    return page
def api_update_navigation(nid):
    """Set name and url of navigation *nid* from the request, then clear the cache.

    ``notfound`` for an unknown entry; ``assert_not_empty`` rejects blanks.
    """
    entry = Navigations.get_by_id(nid)
    if entry is None:
        raise notfound()
    form = ctx.request.input(name='', url='')
    entry.name = assert_not_empty(form.name, 'name')
    entry.url = assert_not_empty(form.url, 'url')
    entry.update()
    _clear_navigations_cache()
    return {'result': True}
def edit_navigation():
    """Edit form model for the navigation whose ``_id`` is in the request."""
    nav_id = ctx.request['_id']
    entry = Navigations.get_by_id(nav_id)
    if entry is None:
        raise notfound()
    return {
        'menus': _get_menus(),
        'name': entry.name,
        'url': entry.url,
        'form_action': '/api/navigations/%s/update' % entry._id,
        'form_title': 'Edit Navigation',
    }
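def _get_resource(rid, url=None):
    """Serve resource *rid* from the ``resources`` table.

    When *url* is given it must equal the stored url, otherwise ``notfound``.
    Sets the response content type and length and returns the raw data.
    Also raises ``notfound`` when the row does not exist (assuming
    ``db.select_one`` reports that as ``None``; it was an AttributeError).
    """
    logging.info('Get resource: %s, %s', rid, url)
    r = db.select_one(
        'select url, mime, size, data from resources where _id=?', rid)
    if r is None:
        raise notfound()
    if url and r.url != url:
        raise notfound()
    resp = ctx.response
    resp.content_type = r.mime
    resp.content_length = r.size
    return r.data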
def manage_posts_edit(post_id):
    """Blog post edit page.

    :param post_id: id of the post to edit; ``notfound`` when it does not exist
    :return: template model with the id, API action, redirect target and user
    """
    if Posts.get(post_id) is None:
        raise notfound()
    return {
        'id': post_id,
        'action': '/api/posts/%s' % post_id,
        'redirect': '/manage/posts',
        'user': ctx.request.user,
    }
def post_view(post_id):
    """Render post *post_id*, replacing its markdown body with HTML; ``notfound`` when unknown."""
    post = Posts.get(post_id)
    if post is None:
        raise notfound()
    extensions = [
        'markdown.extensions.nl2br',
        'markdown.extensions.fenced_code',
        'markdown.extensions.codehilite',
        'markdown.extensions.toc',
    ]
    # line numbers on highlighted code blocks
    configs = {'markdown.extensions.codehilite': {'linenums': True}}
    post.post_content = markdown.markdown(
        post.post_content, extensions=extensions, extension_configs=configs)
    return {'post': post, 'user': ctx.request.user}
def api_update_article(aid):
    """Apply the submitted fields to article *aid* and persist it.

    Recognised input fields: name, summary, category_id, tags, draft,
    publish_time, content, cover. Only fields present in the request are
    touched and ``update()`` runs only when something changed. Turning
    draft on adds TIME_FEATURE to a publish_time below it; turning draft
    off sets the submitted publish_time or the current time. A new cover
    is uploaded before the row is saved and the previous cover attachment
    is deleted afterwards. Raises ``notfound`` for an unknown article.
    Returns ``{'_id': ...}``.
    """
    article = Articles.get_by_id(aid)
    if article is None:
        raise notfound()
    form = ctx.request.input()
    dirty = False

    if 'name' in form:
        article.name = assert_not_empty(form.name, 'name')
        dirty = True
    if 'summary' in form:
        article.summary = assert_not_empty(form.summary, 'summary')
        dirty = True
    if 'category_id' in form:
        article.category_id = _check_category_id(form.category_id)
        dirty = True
    if 'tags' in form:
        article.tags = texts.format_tags(form.tags)
        dirty = True

    # draft is handled before publish_time: leaving draft state decides it
    if 'draft' in form:
        wants_draft = form.draft.lower() == 'true'
        if wants_draft and not article.draft:
            article.draft = True
            if article.publish_time < TIME_FEATURE:
                article.publish_time = article.publish_time + TIME_FEATURE
            dirty = True
        elif not wants_draft and article.draft:
            article.draft = False
            has_time = 'publish_time' in form and form.publish_time.strip()
            article.publish_time = time2timestamp(form.publish_time) if has_time else time.time()
            dirty = True

    if 'content' in form:
        article.content = assert_not_empty(form.content, 'content')
        dirty = True

    previous_cover = ''
    if 'cover' in form and form.cover:
        upload = form.cover
        previous_cover = article.cover_id
        article.cover_id = uploaders.upload_cover(article.name, upload.file.read())._id
        dirty = True

    # NOTE(review): the text store is written whenever the object carries a
    # 'content' attribute, not only when content was submitted.
    if hasattr(article, 'content'):
        article.content_id = texts.set(article._id, article.content)
    if dirty:
        article.update()
    # drop the old cover only after the row points at the new one
    if previous_cover:
        uploaders.delete_attachment(previous_cover)
    return {'_id': article._id}
def api_update_article(aid):
    """Apply the submitted fields to article *aid* and persist it.

    Recognised input fields: name, summary, category_id, tags, draft,
    publish_time, content, cover. Only fields present in the request are
    touched and ``update()`` runs only when something changed. Turning
    draft on adds TIME_FEATURE to a publish_time below it; turning draft
    off sets the submitted publish_time or the current time. A new cover
    is uploaded before the row is saved and the previous cover attachment
    is deleted afterwards. Raises ``notfound`` for an unknown article.
    Returns ``{'_id': ...}``.
    """
    article = Articles.get_by_id(aid)
    if article is None:
        raise notfound()
    form = ctx.request.input()
    dirty = False

    if 'name' in form:
        article.name = assert_not_empty(form.name, 'name')
        dirty = True
    if 'summary' in form:
        article.summary = assert_not_empty(form.summary, 'summary')
        dirty = True
    if 'category_id' in form:
        article.category_id = _check_category_id(form.category_id)
        dirty = True
    if 'tags' in form:
        article.tags = texts.format_tags(form.tags)
        dirty = True

    # draft is handled before publish_time: leaving draft state decides it
    if 'draft' in form:
        wants_draft = form.draft.lower() == 'true'
        if wants_draft and not article.draft:
            article.draft = True
            if article.publish_time < TIME_FEATURE:
                article.publish_time = article.publish_time + TIME_FEATURE
            dirty = True
        elif not wants_draft and article.draft:
            article.draft = False
            has_time = 'publish_time' in form and form.publish_time.strip()
            article.publish_time = time2timestamp(form.publish_time) if has_time else time.time()
            dirty = True

    if 'content' in form:
        article.content = assert_not_empty(form.content, 'content')
        dirty = True

    previous_cover = ''
    if 'cover' in form and form.cover:
        upload = form.cover
        previous_cover = article.cover_id
        article.cover_id = uploaders.upload_cover(article.name, upload.file.read())._id
        dirty = True

    # NOTE(review): the text store is written whenever the object carries a
    # 'content' attribute, not only when content was submitted.
    if hasattr(article, 'content'):
        article.content_id = texts.set(article._id, article.content)
    if dirty:
        article.update()
    # drop the old cover only after the row points at the new one
    if previous_cover:
        uploaders.delete_attachment(previous_cover)
    return {'_id': article._id}
def manage_blogs_edit(blog_id):
    """Edit form model for blog *blog_id*; ``notfound`` when unknown."""
    entry = Blog.get(blog_id)
    if entry is None:
        raise notfound()
    model = {
        'id': entry.id,
        'name': entry.name,
        'summary': entry.summary,
        'content': entry.content,
        'action': '/api/blogs/%s' % blog_id,
        'redirect': '/manage/blogs',
    }
    model['user'] = ctx.request.user
    return model
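def contactlist(id):
    """Return the contacts sharing group and year with contact *id*, headman first.

    ``notfound`` for an unknown contact; ``APIResourceNotFoundError`` when
    the group query returns nothing. The stray ``print`` markers used for
    debugging were removed.
    """
    contact = Contact.find_first("where id=?", id)
    if contact is None:
        raise notfound()
    contactlist = Contact.find_by(
        "where groupid=? and year=? order by headman desc", contact.groupid, contact.year)
    if not contactlist:
        raise APIResourceNotFoundError(contact.groupid, "failed")
    return dict(contactlist=contactlist, group=contact.groupid)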
def web_category(cid):
    """Render category *cid*: a page of its articles with publish_time in the past, plus read counters."""
    category = Categories.get_by_id(cid)
    if category is None:
        raise notfound()
    count_sql = 'where category_id=? and publish_time<?'
    list_sql = 'where category_id=? and publish_time<? order by publish_time desc'
    page, articles = page_select(Articles, count_sql, list_sql, cid, time.time())
    # fetch all read counts in one call, then attach them positionally
    reads = counters.counts(a._id for a in articles)
    for article, n in zip(articles, reads):
        article.reads = n
    return {'category': category, 'page': page, 'articles': articles}
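def archives():
    """Group all blogs by year into an OrderedDict (newest year first) of row lists."""
    sql = 'SELECT YEAR(`created`) AS `year`, `id`, `title`, `created` FROM `blogs` ORDER BY `created` DESC'
    blogs = db.select(sql)
    if not blogs:
        raise notfound()
    xblogs = OrderedDict()
    for blog in blogs:
        # rows arrive newest first, so the first row of a year also fixes
        # that year's position in the ordered dict
        xblogs.setdefault(blog['year'], []).append(blog)
    return dict(xblogs=xblogs)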
def edit_page():
    """Edit form model for the page whose ``_id`` is in the request; ``notfound`` when unknown."""
    page = Pages.get_by_id(ctx.request['_id'])
    if page is None:
        raise notfound()
    return {
        'form_title': 'Edit Page',
        'form_action': '/api/pages/%s/update' % page._id,
        '_id': page._id,
        'alias': page.alias,
        'name': page.name,
        'tags': page.tags,
        'draft': page.draft,
        # the body text lives in the texts store, keyed by content_id
        'content': texts.get(page.content_id),
    }
def blog(blog_id):
    """Render blog *blog_id* and its 1000 newest comments.

    ``created_at`` of the blog and of every comment is replaced by a local
    time string in the form ``'%Y-%m-%d %H:%M:%S %W'`` (``%W`` is the week
    number). Raises ``notfound`` when the blog is unknown.
    """
    fmt = '%Y-%m-%d %H:%M:%S %W'

    def stamp(ts):
        return time.strftime(fmt, time.localtime(ts))

    post = Blog.get(blog_id)
    if post is None:
        raise notfound()
    post.html_content = markdown2.markdown(post.content)
    post.created_at = stamp(post.created_at)
    thread = Comment.find_by('where blog_id=? order by created_at desc limit 1000', blog_id)
    for item in thread:
        item.created_at = stamp(item.created_at)
    return {'blog': post, 'comments': thread, 'user': ctx.request.user}
def manage_blogs_edit(blog_id):
    """Edit form model for blog *blog_id*; ``notfound`` when unknown."""
    entry = Blog.get(blog_id)
    if entry is None:
        raise notfound()
    form_fields = dict(id=entry.id, name=entry.name, summary=entry.summary, content=entry.content)
    form_fields["action"] = "/api/blogs/%s" % blog_id
    form_fields["redirect"] = "/manage/blogs"
    form_fields["user"] = ctx.request.user
    return form_fields
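def api_view_exclusion(type):
    """Admin-only: show the exclusion record of kind *type*.

    Supported types: parse, xss, sqli, fi, cookie; anything else raises
    ``notfound``. A type whose table holds no row also raises ``notfound``
    (previously an unhandled IndexError on ``[0]``).
    """
    check_admin()
    # closed dispatch table: the request value only picks a loader, it never
    # becomes part of a query
    loaders = {
        "parse": lambda: ExclusionParse.find_all(),
        "xss": lambda: ExclusionScan.find_by('where type=0'),
        "sqli": lambda: ExclusionScan.find_by('where type=1'),
        "fi": lambda: ExclusionScan.find_by('where type=2'),
        "cookie": lambda: ExclusionCookie.find_all(),
    }
    loader = loaders.get(type)
    if loader is None:
        raise notfound()
    rows = loader()
    if not rows:
        raise notfound()
    return dict(type=content_escape(type), exclusion=content_escape(rows[0]))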
def edit_article():
    """Edit form model for the article whose ``_id`` is in the request; ``notfound`` when unknown."""
    article = Articles.get_by_id(ctx.request['_id'])
    if article is None:
        raise notfound()
    model = {
        'form_title': u'Edit Article',
        'form_action': '/api/articles/%s/update' % article._id,
        '_id': article._id,
        'name': article.name,
        'category_id': article.category_id,
        'draft': article.draft,
        'publish_time': article.publish_time,
        'tags': article.tags,
        'summary': article.summary,
        'cover_id': article.cover_id,
        # the body text lives in the texts store, keyed by content_id
        'content': texts.get(article.content_id),
    }
    model['categories'] = _get_categories()
    return model
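def api_list_vulns(type):
    """Admin-only: paginated list of requests flagged vulnerable for *type*.

    *type* is one of ``"xss"``, ``"sqli"``, ``"fi"``; anything else raises
    ``notfound``. Returns the escaped type, the escaped request rows and
    the ``Page`` object.
    """
    check_admin()
    # One (count query, list query) pair per supported type. The column
    # name is part of a fixed literal and 'vulnerable' is a bound parameter,
    # so the request-supplied `type` never becomes SQL text.
    queries = {
        "xss": ('where result_xss = ?',
                'where result_xss = ? order by id desc limit ?,?'),
        "sqli": ('where result_sqli = ?',
                 'where result_sqli = ? order by id desc limit ?,?'),
        "fi": ('where result_fi = ?',
               'where result_fi = ? order by id desc limit ?,?'),
    }
    if type not in queries:
        raise notfound()
    count_sql, list_sql = queries[type]
    total = Request.count_by(count_sql, 'vulnerable')
    page = Page(total, _get_page_index())
    requests = Request.find_by(list_sql, 'vulnerable', page.offset, page.limit)
    return dict(type=content_escape(type), requests=content_escape(requests), page=page)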
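def manage_blogs_edit(blog_id):
    """Management: edit-blog page (GET VIEW).

    Loads blog *blog_id* and returns the fields the edit form needs, the
    API endpoint to post to and the post-save redirect. Raises
    ``notfound`` for an unknown id.
    """
    blog = Blog.get(blog_id)
    if blog is None:
        raise notfound()
    # The debugging `print` that dumped the whole model, including the
    # current user object, to stdout was removed: it wrote request data
    # into process logs and was a Python 2-only statement.
    return dict(id=blog.id, name=blog.name, summary=blog.summary, content=blog.content,
                action='/api/blogs/%s' % blog_id, redirect='/manage/blogs',
                user=ctx.request.user)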