def check_for_write_access(self, request_data):
if not request_data.username:
if request_data.is_trusted_ip:
return
raise HTTPForbidden('Anonymous users are not allowed to make changes')
if self.user_manager.is_readonly(request_data.username):
raise HTTPForbidden('The user {} does not have permission to make changes'.format(request_data.username))
def get_library(self, request_data, library_id=None):
if not request_data.username:
return self.library_broker.get(library_id)
lf = partial(self.user_manager.allowed_library_names, request_data.username)
allowed_libraries = self.library_broker.allowed_libraries(lf)
if not allowed_libraries:
raise HTTPForbidden('The user {} is not allowed to access any libraries on this server'.format(request_data.username))
library_id = library_id or next(iter(allowed_libraries))
if library_id in allowed_libraries:
return self.library_broker.get(library_id)
raise HTTPForbidden('The user {} is not allowed to access the library {}'.format(request_data.username, library_id))
def cdb_add_book(ctx, rd, job_id, add_duplicates, filename, library_id):
'''
Add a file as a new book. The file contents must be in the body of the request.
The response will also have the title/authors/languages read from the
metadata of the file/filename. It will contain a `book_id` field specifying the id of the newly added book,
or if add_duplicates is not specified and a duplicate was found, no book_id will be present. It will also
return the value of `job_id` as the `id` field and `filename` as the `filename` field.
'''
db = get_db(ctx, rd, library_id)
if ctx.restriction_for(rd, db):
raise HTTPForbidden('Cannot use the add book interface with a user who has per library restrictions')
if not filename:
raise HTTPBadRequest('An empty filename is not allowed')
sfilename = sanitize_file_name_unicode(filename)
fmt = os.path.splitext(sfilename)[1]
fmt = fmt[1:] if fmt else None
if not fmt:
raise HTTPBadRequest('An filename with no extension is not allowed')
if isinstance(rd.request_body_file, BytesIO):
raise HTTPBadRequest('A request body containing the file data must be specified')
add_duplicates = add_duplicates in ('y', '1')
path = os.path.join(rd.tdir, sfilename)
rd.request_body_file.name = path
rd.request_body_file.seek(0)
mi = get_metadata(rd.request_body_file, stream_type=fmt, use_libprs_metadata=True)
rd.request_body_file.seek(0)
ids, duplicates = db.add_books([(mi, {fmt: rd.request_body_file})], add_duplicates=add_duplicates)
ans = {'title': mi.title, 'authors': mi.authors, 'languages': mi.languages, 'filename': filename, 'id': job_id}
if ids:
ans['book_id'] = ids[0]
books_added(ids)
return ans
def cdb_run(ctx, rd, which, version):
try:
m = module_for_cmd(which)
except ImportError:
raise HTTPNotFound('No module named: {}'.format(which))
if not getattr(m, 'readonly', False):
ctx.check_for_write_access(rd)
if getattr(m, 'version', 0) != int(version):
raise HTTPNotFound(('The module {} is not available in version: {}.'
'Make sure the version of calibre used for the'
' server and calibredb match').format(which, version))
db = get_library_data(ctx, rd, strict_library_id=True)[0]
if ctx.restriction_for(rd, db):
raise HTTPForbidden('Cannot use the command-line db interface with a user who has per library restrictions')
raw = rd.read()
ct = rd.inheaders.get('Content-Type', all=True)
try:
if MSGPACK_MIME in ct:
args = msgpack_loads(raw)
elif 'application/json' in ct:
args = json_loads(raw)
else:
raise HTTPBadRequest('Only JSON or msgpack requests are supported')
except Exception:
raise HTTPBadRequest('args are not valid encoded data')
if getattr(m, 'needs_srv_ctx', False):
args = [ctx] + list(args)
try:
result = m.implementation(db, partial(ctx.notify_changes, db.backend.library_path), *args)
except Exception as err:
import traceback
return {'err': as_unicode(err), 'tb': traceback.format_exc()}
return {'result': result}
def cdb_set_fields(ctx, rd, book_id, library_id):
db = get_db(ctx, rd, library_id)
if ctx.restriction_for(rd, db):
raise HTTPForbidden('Cannot use the set fields interface with a user who has per library restrictions')
data = load_payload_data(rd)
try:
changes, loaded_book_ids = data['changes'], frozenset(map(int, data.get('loaded_book_ids', ())))
all_dirtied = bool(data.get('all_dirtied'))
if not isinstance(changes, dict):
raise TypeError('changes must be a dict')
except Exception:
raise HTTPBadRequest(
'''Data must be of the form {'changes': {'title': 'New Title', ...}, 'loaded_book_ids':[book_id1, book_id2, ...]'}''')
dirtied = set()
cdata = changes.pop('cover', False)
if cdata is not False:
if cdata is not None:
try:
cdata = standard_b64decode(cdata.split(',', 1)[-1].encode('ascii'))
except Exception:
raise HTTPBadRequest('Cover data is not valid base64 encoded data')
try:
fmt = what(None, cdata)
except Exception:
fmt = None
if fmt not in ('jpeg', 'png'):
raise HTTPBadRequest('Cover data must be either JPEG or PNG')
dirtied |= db.set_cover({book_id: cdata})
for field, value in iteritems(changes):
dirtied |= db.set_field(field, {book_id: value})
ctx.notify_changes(db.backend.library_path, metadata(dirtied))
all_ids = dirtied if all_dirtied else (dirtied & loaded_book_ids)
all_ids |= {book_id}
return {bid: book_as_json(db, bid) for bid in all_ids}
def console_print(ctx, rd):
if not getattr(rd.opts, 'allow_console_print', False):
raise HTTPForbidden('console printing is not allowed')
with print_lock:
print(rd.remote_addr, end=' ')
shutil.copyfileobj(rd.request_body_file, sys.stdout)
return ''
def do_http_auth(self, data, endpoint):
ban_key = data.remote_addr, data.forwarded_for
if self.ban_list.is_banned(ban_key):
raise HTTPForbidden(
'Too many login attempts',
log='Too many login attempts from: %s' %
(ban_key if data.forwarded_for else data.remote_addr))
auth = data.inheaders.get('Authorization')
nonce_is_stale = False
log_msg = None
data.username = None
if auth:
scheme, rest = auth.partition(' ')[::2]
scheme = scheme.lower()
if scheme == 'digest':
da = DigestAuth(rest.strip())
if validate_nonce(self.key_order, da.nonce, self.realm,
self.secret):
pw = self.user_credentials.get(da.username)
if pw and da.validate_request(pw, data, self.log):
nonce_is_stale = is_nonce_stale(
da.nonce, self.max_age_seconds)
if not nonce_is_stale:
data.username = da.username
return
log_msg = 'Failed login attempt from: %s' % data.remote_addr
self.ban_list.failed(ban_key)
elif self.prefer_basic_auth and scheme == 'basic':
try:
un, pw = base64_decode(rest.strip()).partition(':')[::2]
except ValueError:
raise HTTPSimpleResponse(
http_client.BAD_REQUEST,
'The username or password contained non-UTF8 encoded characters'
)
if not un or not pw:
raise HTTPSimpleResponse(
http_client.BAD_REQUEST,
'The username or password was empty')
if self.check(un, pw):
data.username = un
return
log_msg = 'Failed login attempt from: %s' % data.remote_addr
self.ban_list.failed(ban_key)
else:
raise HTTPSimpleResponse(http_client.BAD_REQUEST,
'Unsupported authentication method')
if self.prefer_basic_auth:
raise HTTPAuthRequired('Basic realm="%s"' % self.realm,
log=log_msg)
s = 'Digest realm="%s", nonce="%s", algorithm="MD5", qop="auth"' % (
self.realm,
synthesize_nonce(self.key_order, self.realm, self.secret))
if nonce_is_stale:
s += ', stale="true"'
raise HTTPAuthRequired(s, log=log_msg)
def cdb_set_cover(ctx, rd, book_id, library_id):
db = get_db(ctx, rd, library_id)
if ctx.restriction_for(rd, db):
raise HTTPForbidden('Cannot use the add book interface with a user who has per library restrictions')
rd.request_body_file.seek(0)
dirtied = db.set_cover({book_id: rd.request_body_file})
ctx.notify_changes(db.backend.library_path, metadata(dirtied))
return tuple(dirtied)
def library_info(self, request_data):
if not request_data.username:
return self.library_broker.library_map, self.library_broker.default_library
lf = partial(self.user_manager.allowed_library_names, request_data.username)
allowed_libraries = self.library_broker.allowed_libraries(lf)
if not allowed_libraries:
raise HTTPForbidden('The user {} is not allowed to access any libraries on this server'.format(request_data.username))
return dict(allowed_libraries), next(iter(allowed_libraries))
def cdb_copy_to_library(ctx, rd, target_library_id, library_id):
db_src = get_db(ctx, rd, library_id)
db_dest = get_db(ctx, rd, target_library_id)
if ctx.restriction_for(rd, db_src) or ctx.restriction_for(rd, db_dest):
raise HTTPForbidden(
'Cannot use the copy to library interface with a user who has per library restrictions'
)
data = load_payload_data(rd)
try:
book_ids = {int(x) for x in data['book_ids']}
move_books = bool(data.get('move', False))
preserve_date = bool(data.get('preserve_date', True))
duplicate_action = data.get('duplicate_action') or 'add'
automerge_action = data.get('automerge_action') or 'overwrite'
except Exception:
raise HTTPBadRequest(
'Invalid encoded data, must be of the form: {book_ids: [id1, id2, ..]}'
)
if duplicate_action not in ('add', 'add_formats_to_existing', 'ignore'):
raise HTTPBadRequest(
'duplicate_action must be one of: add, add_formats_to_existing, ignore'
)
if automerge_action not in ('overwrite', 'ignore', 'new record'):
raise HTTPBadRequest(
'automerge_action must be one of: overwrite, ignore, new record')
response = {}
identical_books_data = None
if duplicate_action != 'add':
identical_books_data = db_dest.data_for_find_identical_books()
to_remove = set()
from calibre.db.copy_to_library import copy_one_book
for book_id in book_ids:
try:
rdata = copy_one_book(book_id,
db_src,
db_dest,
duplicate_action=duplicate_action,
automerge_action=automerge_action,
preserve_uuid=move_books,
preserve_date=preserve_date,
identical_books_data=identical_books_data)
if move_books:
to_remove.add(book_id)
response[book_id] = {'ok': True, 'payload': rdata}
except Exception:
import traceback
response[book_id] = {
'ok': False,
'payload': traceback.format_exc()
}
if to_remove:
db_src.remove_books(to_remove, permanent=True)
return response
def cdb_delete_book(ctx, rd, book_ids, library_id):
db = get_db(ctx, rd, library_id)
if ctx.restriction_for(rd, db):
raise HTTPForbidden('Cannot use the delete book interface with a user who has per library restrictions')
try:
ids = {int(x) for x in book_ids.split(',')}
except Exception:
raise HTTPBadRequest('invalid book_ids: {}'.format(book_ids))
db.remove_books(ids)
books_deleted(ids)
return {}
def cdb_set_fields(ctx, rd, book_id, library_id):
db = get_db(ctx, rd, library_id)
if ctx.restriction_for(rd, db):
raise HTTPForbidden(
'Cannot use the set fields interface with a user who has per library restrictions'
)
raw = rd.read()
ct = rd.inheaders.get('Content-Type', all=True)
ct = {x.lower().partition(';')[0] for x in ct}
try:
if MSGPACK_MIME in ct:
data = msgpack_loads(raw)
elif 'application/json' in ct:
data = json_loads(raw)
else:
raise HTTPBadRequest('Only JSON or msgpack requests are supported')
except Exception:
raise HTTPBadRequest('Invalid encoded data')
try:
changes, loaded_book_ids = data['changes'], frozenset(
map(int, data.get('loaded_book_ids', ())))
all_dirtied = bool(data.get('all_dirtied'))
if not isinstance(changes, dict):
raise TypeError('changes must be a dict')
except Exception:
raise HTTPBadRequest(
'''Data must be of the form {'changes': {'title': 'New Title', ...}, 'loaded_book_ids':[book_id1, book_id2, ...]'}'''
)
dirtied = set()
cdata = changes.pop('cover', False)
if cdata is not False:
if cdata is not None:
try:
cdata = standard_b64decode(
cdata.split(',', 1)[-1].encode('ascii'))
except Exception:
raise HTTPBadRequest(
'Cover data is not valid base64 encoded data')
try:
fmt = what(None, cdata)
except Exception:
fmt = None
if fmt not in ('jpeg', 'png'):
raise HTTPBadRequest('Cover data must be either JPEG or PNG')
dirtied |= db.set_cover({book_id: cdata})
for field, value in changes.iteritems():
dirtied |= db.set_field(field, {book_id: value})
ctx.notify_changes(db.backend.library_path, metadata(dirtied))
all_ids = dirtied if all_dirtied else (dirtied & loaded_book_ids)
all_ids |= {book_id}
return {bid: book_as_json(db, book_id) for bid in all_ids}
def change_pw(ctx, rd):
user = rd.username or None
if user is None:
raise HTTPForbidden(
'Anonymous users are not allowed to change passwords')
try:
pw = json.loads(rd.request_body_file.read())
oldpw, newpw = pw['oldpw'], pw['newpw']
except Exception:
raise HTTPBadRequest('No decodable password found')
if oldpw != ctx.user_manager.get(user):
raise HTTPBadRequest(_('Existing password is incorrect'))
err = validate_password(newpw)
if err:
raise HTTPBadRequest(err)
try:
ctx.user_manager.change_password(user, newpw)
except Exception as err:
raise HTTPBadRequest(as_unicode(err))
ctx.log.warn('Changed password for user', user)
return 'password for {} changed'.format(user)
def cdb_set_fields(ctx, rd, book_id, library_id):
db = get_db(ctx, rd, library_id)
if ctx.restriction_for(rd, db):
raise HTTPForbidden('Cannot use the set fields interface with a user who has per library restrictions')
raw = rd.read()
ct = rd.inheaders.get('Content-Type', all=True)
ct = {x.lower().partition(';')[0] for x in ct}
try:
if MSGPACK_MIME in ct:
data = msgpack_loads(raw)
elif 'application/json' in ct:
data = json_loads(raw)
else:
raise HTTPBadRequest('Only JSON or msgpack requests are supported')
changes, loaded_book_ids = data['changes'], frozenset(map(int, data['loaded_book_ids']))
except Exception:
raise HTTPBadRequest('Invalid encoded data')
dirtied = set()
for field, value in changes.iteritems():
dirtied |= db.set_field(field, {book_id: value})
metadata(dirtied)
return {bid: book_as_json(db, book_id) for bid in (dirtied & loaded_book_ids) | {book_id}}
