Exemple #1
 def test_xss_arguments(self):
     # Pins the rendered text of a CHANGE_USER_WITH_ROLE log entry.
     # NOTE(review): the expected text carries a raw <script> tag in the
     # first argument's position, so this asserts that to_string() does
     # not HTML-escape that argument. If the result is emitted into a page
     # without further escaping this is a stored-XSS sink -- confirm where
     # escaping is meant to happen.
     target = Addon.objects.get()
     membership = AddonUser(addon=target, user=self.user)
     amo.log(amo.LOG.CHANGE_USER_WITH_ROLE, membership.user,
             membership.get_role_display(), target)
     entry = ActivityLog.objects.get()
     expected = (u'<script src="x.js"> role changed to Owner for '
                 '<a href="/en-US/firefox/addon/a3615/">Delicious Bookmarks</a>.')
     eq_(entry.to_string(), expected)
Exemple #2
 def test_xss_arguments(self):
     # Pins the rendered text of a CHANGE_USER_WITH_ROLE log entry. The
     # expected string has the script tag in the first argument's position
     # entity-escaped while the add-on link is literal markup, so the test
     # guards against markup in a logged argument reaching output as HTML.
     target = Addon.objects.get()
     membership = AddonUser(addon=target, user=self.user)
     amo.log(amo.LOG.CHANGE_USER_WITH_ROLE, membership.user,
             membership.get_role_display(), target)
     entry = ActivityLog.objects.get()
     expected = (u'&lt;script src=&#34;x.js&#34;&gt; role changed to Owner for '
                 '<a href="/en-US/firefox/addon/a3615/">Delicious Bookmarks</a>.')
     eq_(entry.to_string(), expected)
Exemple #3
 def test_jinja_escaping(self):
     # Renders the log entry through a jingo template and pins the output:
     # the script tag stays entity-escaped and the add-on link stays
     # literal markup, i.e. the template layer neither drops the escaping
     # nor escapes the link a second time.
     target = Addon.objects.get()
     membership = AddonUser(addon=target, user=self.user)
     amo.log(amo.LOG.CHANGE_USER_WITH_ROLE, membership.user,
             membership.get_role_display(), target)
     entry = ActivityLog.objects.get()
     template = jingo.env.from_string('<p>{{ log }}</p>')
     html = template.render(log=entry)
     eq_(html,
         '<p>&lt;script src=&#34;x.js&#34;&gt; role changed to Owner for <a'
         ' href="/en-US/firefox/addon/a3615/">Delicious Bookmarks</a>.</p>')
Exemple #4
 def test_jinja_escaping(self):
     # Renders the log entry through a jingo template and pins the output:
     # the script tag stays entity-escaped and the add-on link stays
     # literal markup, i.e. the template layer neither drops the escaping
     # nor escapes the link a second time.
     target = Addon.objects.get()
     membership = AddonUser(addon=target, user=self.user)
     amo.log(amo.LOG.CHANGE_USER_WITH_ROLE, membership.user,
             membership.get_role_display(), target)
     entry = ActivityLog.objects.get()
     template = jingo.env.from_string('<p>{{ log }}</p>')
     html = template.render(log=entry)
     eq_(html,
         '<p>&lt;script src=&#34;x.js&#34;&gt; role changed to Owner for <a'
         ' href="/en-US/firefox/addon/a3615/">Delicious Bookmarks</a>.</p>')
Exemple #5
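    def save(self, commit=False):
        """Create a pending persona add-on from the validated form data.

        Creates the ``Addon`` and its initial ``Version``, passes the
        uploaded header/footer images to the image helpers, records the
        requesting user as an ``AddonUser``, then creates the ``Persona``
        row and the two category links.

        ``commit`` is accepted for signature compatibility and is not read.

        Returns the new ``Addon``. If saving the images raises ``IOError``
        the add-on is deleted and the original exception is re-raised.
        """
        from addons.tasks import (create_persona_preview_image,
                                  save_persona_image)
        data = self.cleaned_data
        addon = Addon.objects.create(id=None,
                                     name=data['name'],
                                     slug=data['slug'],
                                     description=data['summary'],
                                     status=amo.STATUS_PENDING,
                                     type=amo.ADDON_PERSONA)
        addon._current_version = Version.objects.create(addon=addon,
                                                        version='0')
        addon.save()

        # Save header, footer, and preview images.
        # NOTE(review): header_hash / footer_hash come from form data and
        # are joined into paths under TMP_PATH; confirm the form's field
        # validation restricts them to a bare file name.
        try:
            header = data['header_hash']
            footer = data['footer_hash']
            header = os.path.join(settings.TMP_PATH, 'persona_header', header)
            footer = os.path.join(settings.TMP_PATH, 'persona_footer', footer)
            dst = os.path.join(settings.PERSONAS_PATH, str(addon.id))
            save_persona_image(src=header, dst=dst, img_basename='header.jpg')
            save_persona_image(src=footer, dst=dst, img_basename='footer.jpg')
            create_persona_preview_image(src=header,
                                         dst=dst,
                                         img_basename='preview.jpg',
                                         set_modified_on=[addon])
        except IOError:
            # Do not leave a half-created add-on behind. A bare ``raise``
            # keeps the original message and traceback; ``raise IOError``
            # replaced them with an empty exception.
            addon.delete()
            raise

        # Save user info.
        user = self.request.amo_user
        AddonUser(addon=addon, user=user).save()

        # Create Persona instance.
        p = Persona()
        p.persona_id = 0
        p.addon = addon
        p.header = 'header'
        p.footer = 'footer'
        # Colours are stored without the leading '#'.
        if data['accentcolor']:
            p.accentcolor = data['accentcolor'].lstrip('#')
        if data['textcolor']:
            p.textcolor = data['textcolor'].lstrip('#')
        p.license_id = data['license']
        p.submit = datetime.now()
        p.author = user.name
        p.display_username = user.username
        p.save()

        # Save categories: the chosen one plus the Thunderbird category
        # with the same name, created on demand.
        tb_c, _ = Category.objects.get_or_create(
            application_id=amo.THUNDERBIRD.id,
            name__id=data['category'].name.id,
            type=amo.ADDON_PERSONA)
        AddonCategory(addon=addon, category=data['category']).save()
        AddonCategory(addon=addon, category=tb_c).save()

        return addon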
Exemple #6
    def test_xss_arguments_and_escaping(self):
        # Stores an add-on name containing a script tag, logs a role
        # change, and pins two things: to_string() entity-escapes the name
        # inside the generated link, and rendering the entry in a jingo
        # template yields the same text (no second round of escaping).
        target = Addon.objects.get()
        target.name = 'Delicious <script src="x.js">Bookmarks'
        target.save()
        target = target.reload()
        membership = AddonUser(addon=target, user=self.user)
        amo.log(amo.LOG.CHANGE_USER_WITH_ROLE, membership.user,
                membership.get_role_display(), target)
        entry = ActivityLog.objects.get()

        log_expected = ('yolo role changed to Owner for <a href="/en-US/'
                        'firefox/addon/a3615/">Delicious &lt;script src='
                        '&#34;x.js&#34;&gt;Bookmarks</a>.')
        eq_(entry.to_string(), log_expected)

        template = jingo.env.from_string('<p>{{ log }}</p>')
        eq_(template.render({'log': entry}), '<p>%s</p>' % log_expected)
Exemple #7
    def test_xss_arguments_and_escaping(self):
        # Stores an add-on name containing a script tag, logs a role
        # change, and pins two things: to_string() entity-escapes the name
        # inside the generated link, and rendering the entry in a jingo
        # template yields the same text (no second round of escaping).
        target = Addon.objects.get()
        target.name = 'Delicious <script src="x.js">Bookmarks'
        target.save()
        target = target.reload()
        membership = AddonUser(addon=target, user=self.user)
        amo.log(amo.LOG.CHANGE_USER_WITH_ROLE, membership.user,
                membership.get_role_display(), target)
        entry = ActivityLog.objects.get()

        log_expected = ('yolo role changed to Owner for <a href="/en-US/'
                        'firefox/addon/a3615/">Delicious &lt;script src='
                        '&#34;x.js&#34;&gt;Bookmarks</a>.')
        eq_(entry.to_string(), log_expected)

        template = jingo.env.from_string('<p>{{ log }}</p>')
        eq_(template.render({'log': entry}), '<p>%s</p>' % log_expected)
Exemple #8
def package(request):
    """Handle the packaged-app upload step of app submission.

    On a valid POST, creates the add-on from the uploaded file, sets its
    icon type, records the requesting user as an ``AddonUser``, creates the
    submission checklist and redirects to ``submit.app.details``.
    Otherwise renders ``submit/upload.html`` with the form.
    """
    form = forms.NewWebappForm(request.POST or None, is_packaged=True)
    if request.method != 'POST' or not form.is_valid():
        return jingo.render(request, 'submit/upload.html', {
            'form': form,
            'step': 'manifest',
        })

    upload = form.cleaned_data['upload']
    all_platforms = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]
    app = Addon.from_upload(upload, all_platforms, is_packaged=True)

    # An icon named in the manifest is fetched by a task; with no icon
    # there is nothing to fetch and the icon type is left empty.
    manifest_has_icon = app.has_icon_in_manifest()
    app.update(icon_type='image/png' if manifest_has_icon else '')
    if manifest_has_icon:
        tasks.fetch_icon.delay(app)

    ownership = AddonUser(addon=app, user=request.amo_user)
    ownership.save()
    AppSubmissionChecklist.objects.create(addon=app, terms=True,
                                          manifest=True)

    return redirect('submit.app.details', app.app_slug)
Exemple #9
    def create(self, request):
        """Create a web app from a manifest reference posted by the caller.

        Returns ``rc.BAD_REQUEST`` when the ``accept-webapps`` flag is off
        or when validation reported errors, the result of ``_form_error``
        when the form is invalid, and the new add-on otherwise.

        NOTE(review): the ``manifest`` value originates in the request and
        is handed to ``tasks.fetch_manifest``; which destinations that task
        is willing to contact is not visible here -- confirm it is limited.
        """
        if not waffle.flag_is_active(request, 'accept-webapps'):
            return rc.BAD_REQUEST

        form = NewManifestForm(request.POST)
        if not form.is_valid():
            return _form_error(form)

        # Upload the file and run validation first.
        pending = FileUpload.objects.create()
        tasks.fetch_manifest(form.cleaned_data['manifest'], pending.pk)

        # Re-read the row: the task above has saved changes to it.
        upload = FileUpload.uncached.get(pk=pending.pk)

        # Refuse the submission when validation reported errors.
        if settings.VALIDATE_ADDONS:
            report = json.loads(upload.validation)
            if report['errors']:
                rejection = rc.BAD_REQUEST
                rejection.write(report)
                return rejection

        # Create the add-on, fetch its icon and attach the requesting user.
        all_platforms = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]
        addon = Addon.from_upload(upload, all_platforms)
        tasks.fetch_icon(addon)
        AddonUser(addon=addon, user=request.amo_user).save()

        if settings.WEBAPPS_RESTRICTED:
            initial_status = amo.STATUS_PENDING
        else:
            initial_status = amo.STATUS_PUBLIC
        addon.update(status=initial_status)

        return addon
Exemple #10
    def obj_create(self, bundle, request, **kwargs):
        """Create an app from a previously uploaded file.

        Checks, in order: the caller has read the developer agreement, the
        form is valid, and ``OwnerAuthorization`` accepts the caller for
        the upload. Each failure raises (unauthorized, form errors,
        forbidden respectively). On success the app is created, the caller
        is attached as an ``AddonUser`` and the populated bundle returned.
        """
        form = UploadForm(bundle.data)
        caller = request.amo_user

        if not caller.read_dev_agreement:
            log.info(u'Attempt to use API without dev agreement: %s'
                     % request.amo_user.pk)
            raise http_error(http.HttpUnauthorized,
                             'Terms of service not accepted.')

        if not form.is_valid():
            raise self.form_errors(form)

        # The upload must belong to the caller before an app is built
        # from it.
        owner_check = OwnerAuthorization()
        if not owner_check.is_authorized(request, object=form.obj):
            raise http_error(http.HttpForbidden,
                             'You do not own that app.')

        all_platforms = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]

        # Create app, user and fetch the icon.
        app = Addon.from_upload(form.obj, all_platforms,
                                is_packaged=form.is_packaged)
        bundle.obj = app
        AddonUser(addon=bundle.obj, user=request.amo_user).save()

        self._icons_and_images(bundle.obj)
        record_action('app-submitted', request, {'app-id': bundle.obj.pk})

        log.info('App created: %s' % bundle.obj.pk)
        return bundle
Exemple #11
def manifest(request):
    """Handle the manifest step of app submission.

    Users who have not read the developer agreement are redirected to
    ``submit.app``. On a valid POST the add-on is created from the upload,
    the requesting user is attached as an ``AddonUser`` and the view
    redirects to ``submit.app.details``; otherwise the form is rendered.
    """
    # TODO: Have decorator handle the redirection.
    profile = UserProfile.objects.get(pk=request.user.id)
    if not profile.read_dev_agreement:
        # Back to the first step of the flow.
        return redirect('submit.app')

    form = forms.NewWebappForm(request.POST or None)
    if request.method != 'POST' or not form.is_valid():
        return jingo.render(request, 'submit/manifest.html', {
            'step': 'manifest',
            'form': form,
        })

    cleaned = form.cleaned_data
    all_platforms = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]
    app = Addon.from_upload(cleaned['upload'], all_platforms)

    # An icon named in the manifest is fetched by a task; with no icon
    # there is nothing to fetch and the icon type is left empty.
    manifest_has_icon = app.has_icon_in_manifest()
    app.update(icon_type='image/png' if manifest_has_icon else '')
    if manifest_has_icon:
        tasks.fetch_icon.delay(app)

    AddonUser(addon=app, user=request.amo_user).save()
    # Record that the terms and manifest steps are done.
    AppSubmissionChecklist.objects.create(addon=app, terms=True,
                                          manifest=True)

    return redirect('submit.app.details', app.app_slug)
Exemple #12
    def save(self, commit=False):
        """Create an unreviewed persona add-on from the validated form.

        ``commit`` is ignored: the parent form is always saved with
        ``commit=False`` so the related rows can be written here.

        NOTE(review): ``header_hash`` and ``footer_hash`` are taken from
        the form data and joined into paths under ``settings.TMP_PATH``;
        confirm the form's field validation restricts them to a bare file
        name.

        Returns the saved add-on.
        """
        from .tasks import create_persona_preview_image, save_persona_image

        persona_addon = super(NewPersonaForm, self).save(commit=False)
        persona_addon.status = amo.STATUS_UNREVIEWED
        persona_addon.type = amo.ADDON_PERSONA
        persona_addon.save()
        initial_version = Version.objects.create(addon=persona_addon,
                                                 version='0')
        persona_addon._current_version = initial_version
        persona_addon.save()
        amo.log(amo.LOG.CREATE_ADDON, persona_addon)
        log.debug('New persona %r uploaded' % persona_addon)

        cleaned = self.cleaned_data

        header_src = os.path.join(settings.TMP_PATH, 'persona_header',
                                  cleaned['header_hash'])
        footer_src = os.path.join(settings.TMP_PATH, 'persona_footer',
                                  cleaned['footer_hash'])
        target_dir = os.path.join(settings.PERSONAS_PATH,
                                  str(persona_addon.id))

        # Save header, footer, and preview images.
        save_persona_image(src=header_src, dst=target_dir,
                           img_basename='header.jpg')
        save_persona_image(src=footer_src, dst=target_dir,
                           img_basename='footer.jpg')
        create_persona_preview_image(src=header_src, dst=target_dir,
                                     img_basename='preview.jpg',
                                     set_modified_on=[persona_addon])

        # Save user info.
        submitter = self.request.amo_user
        AddonUser(addon=persona_addon, user=submitter).save()

        persona = Persona()
        persona.persona_id = 0
        persona.addon = persona_addon
        persona.header = 'header'
        persona.footer = 'footer'
        # Colours are stored without the leading '#'.
        if cleaned['accentcolor']:
            persona.accentcolor = cleaned['accentcolor'].lstrip('#')
        if cleaned['textcolor']:
            persona.textcolor = cleaned['textcolor'].lstrip('#')
        persona.license_id = cleaned['license']
        persona.submit = datetime.now()
        persona.author = submitter.name
        persona.display_username = submitter.username
        persona.save()

        # Save tags.
        for tag_text in cleaned['tags']:
            Tag(tag_text=tag_text).save_tag(persona_addon)

        # Save categories: the chosen one plus the Thunderbird category
        # that shares its name.
        chosen_category = cleaned['category']
        thunderbird_category = Category.objects.get(
            application=amo.THUNDERBIRD.id,
            name__id=chosen_category.name_id)
        AddonCategory(addon=persona_addon, category=chosen_category).save()
        AddonCategory(addon=persona_addon,
                      category=thunderbird_category).save()

        return persona_addon
Exemple #13
 def test_contribute_multiple_devs(self):
     # Attach user 999 to add-on 592 as an AddonUser, load the
     # 'addons.meet' page and check both expected elements are present.
     addon = Addon.objects.get(pk=592)
     extra_dev = UserProfile.objects.get(pk=999)
     AddonUser(addon=addon, user=extra_dev).save()
     response = self.client.get(reverse('addons.meet', args=['a592']))
     # Make sure it has multiple devs.
     assert pq(response.content)('.section-teaser')
     assert pq(response.content)('#contribute-button')
Exemple #14
def manifest(request):
    """Handle the manifest step of app submission.

    Both the web-app form and the features form must validate on a POST.
    The add-on, its device types, premium type, icon type, owner link,
    submission checklist and feature profile are then written inside one
    ``commit_on_success`` block, the icon task is queued afterwards and
    the view redirects to ``submit.app.details``. Otherwise the forms are
    rendered on ``submit/manifest.html``.
    """
    form = forms.NewWebappForm(request.POST or None, request=request)

    features_form = forms.AppFeaturesForm(request.POST or None)
    # Validated unconditionally so its result is known before the combined
    # check below.
    features_form_valid = features_form.is_valid()

    ready = (request.method == 'POST' and form.is_valid() and
             features_form_valid)
    if not ready:
        return render(
            request, 'submit/manifest.html', {
                'step': 'manifest',
                'features_form': features_form,
                'form': form,
                'DEVICE_LOOKUP': DEVICE_LOOKUP
            })

    with transaction.commit_on_success():
        upload = form.cleaned_data['upload']
        all_platforms = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]
        app = Addon.from_upload(upload, all_platforms,
                                is_packaged=form.is_packaged())

        # Set the device type.
        for device in form.get_devices():
            app.addondevicetype_set.get_or_create(device_type=device.id)

        # Set the premium type, only bother if it's not free.
        premium_type = form.get_paid()
        if premium_type:
            app.update(premium_type=premium_type)

        # The icon itself is fetched after the transaction; here only the
        # icon type is recorded.
        if app.has_icon_in_manifest():
            icon_type = 'image/png'
        else:
            icon_type = ''
        app.update(icon_type=icon_type)

        AddonUser(addon=app, user=request.amo_user).save()
        # Record which submission steps are complete.
        AppSubmissionChecklist.objects.create(addon=app,
                                              terms=True,
                                              manifest=True,
                                              details=False)

        # Create feature profile.
        app.current_version.features.update(**features_form.cleaned_data)

    # Call task outside of `commit_on_success` to avoid it running before
    # the transaction is committed and not finding the app.
    tasks.fetch_icon.delay(app)

    return redirect('submit.app.details', app.app_slug)
Exemple #15
def submit_addon(request, step):
    """Handle the upload step of add-on submission.

    Requests without the developer-agreement cookie are redirected to
    ``devhub.submit.1``. On a valid POST the add-on is created from the
    upload for the selected platforms, the requesting user is attached as
    an ``AddonUser`` and the view redirects to ``devhub.submit.3``;
    otherwise the upload form is rendered.

    NOTE(review): the gate only tests that the cookie is present, and
    cookies are supplied by the client; treat it as a flow hint and confirm
    the agreement is enforced somewhere server-side.
    """
    if DEV_AGREEMENT_COOKIE not in request.COOKIES:
        return redirect('devhub.submit.1')

    form = forms.NewAddonForm(request.POST or None)
    if request.method == 'POST' and form.is_valid():
        cleaned = form.cleaned_data
        platforms = list(cleaned['desktop_platforms'])
        platforms.extend(list(cleaned['mobile_platforms']))
        addon = Addon.from_upload(cleaned['upload'], platforms)
        AddonUser(addon=addon, user=request.amo_user).save()
        SubmitStep.objects.create(addon=addon, step=3)
        return redirect('devhub.submit.3', addon.slug)

    context = {'step': step, 'new_addon_form': form}
    return jingo.render(request, 'devhub/addons/submit/upload.html',
                        context)
Exemple #16
    def obj_create(self, bundle, request, **kwargs):
        """Create a web app from a previously uploaded file.

        Raises the form's errors when the form is invalid and an immediate
        forbidden response when ``OwnerAuthorization`` rejects the caller
        for the upload. On success the app is created, the caller is
        attached as an ``AddonUser``, the icon task is queued and the
        populated bundle is returned.
        """
        form = UploadForm(bundle.data)
        if not form.is_valid():
            raise self.form_errors(form)

        # The upload must belong to the caller before an app is built
        # from it.
        owner_check = OwnerAuthorization()
        if not owner_check.is_authorized(request, object=form.obj):
            raise ImmediateHttpResponse(response=http.HttpForbidden())

        all_platforms = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]

        # Create app, user and fetch the icon.
        app = Webapp.from_upload(form.obj, all_platforms)
        bundle.obj = app
        AddonUser(addon=bundle.obj, user=request.amo_user).save()
        tasks.fetch_icon.delay(bundle.obj)
        log.info('App created: %s' % bundle.obj.pk)
        return bundle
Exemple #17
    def create_addon(self, license=None):
        """Create an unreviewed add-on from the form's cleaned data.

        Saves the add-on, attaches the requesting user as an ``AddonUser``,
        stores the add-on on ``self.addon``, creates its version through
        ``create_version`` (passing ``license`` along) and logs the
        creation. Returns the new add-on.
        """
        fields = self.cleaned_data
        new_addon = Addon(guid=fields['guid'],
                          name=fields['name'],
                          type=fields['type'],
                          status=amo.STATUS_UNREVIEWED,
                          homepage=fields['homepage'],
                          summary=fields['summary'])
        new_addon.save()

        owner_link = AddonUser(addon=new_addon, user=self.request.amo_user)
        owner_link.save()

        # create_version reads the add-on from self, so set it first.
        self.addon = new_addon
        # Save Version, attach License
        self.create_version(license=license)
        amo.log(amo.LOG.CREATE_ADDON, new_addon)
        log.info('Addon %d saved' % new_addon.id)
        return new_addon
Exemple #18
    def create(self, request, *args, **kwargs):
        """Create a web app from an upload referenced in the request body.

        The reference is read from ``upload`` (packaged app) or, failing
        that, ``manifest`` (hosted app). Raises a validation error when
        neither is given, a parse error when the upload is missing or not
        valid, and permission-denied when the caller has not read the
        developer agreement or is not the upload's user. On success
        responds with status 201 and a ``Location`` header for the app.

        NOTE(review): the existence and validity checks run before the
        ownership check, so the error returned can differ for references
        the caller does not own -- confirm that distinction is acceptable.
        """
        packaged_ref = request.DATA.get('upload', '')
        is_packaged = bool(packaged_ref)
        upload_ref = packaged_ref or request.DATA.get('manifest', '')
        if not upload_ref:
            raise serializers.ValidationError(
                'No upload or manifest specified.')

        try:
            upload = FileUpload.objects.get(uuid=upload_ref)
        except FileUpload.DoesNotExist:
            raise exceptions.ParseError('No upload found.')
        if not upload.valid:
            raise exceptions.ParseError('Upload not valid.')

        if not request.amo_user.read_dev_agreement:
            log.info(u'Attempt to use API without dev agreement: %s' %
                     request.amo_user.pk)
            raise exceptions.PermissionDenied('Terms of Service not accepted.')

        # Only the user recorded on the upload may turn it into an app;
        # uploads with no user are rejected as well.
        caller_owns_upload = (upload.user and
                              upload.user.pk == request.amo_user.pk)
        if not caller_owns_upload:
            raise exceptions.PermissionDenied('You do not own that app.')

        all_platforms = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]

        # Create app, user and fetch the icon.
        app = Webapp.from_upload(upload, all_platforms,
                                 is_packaged=is_packaged)
        AddonUser(addon=app, user=request.amo_user).save()
        tasks.fetch_icon.delay(app)
        record_action('app-submitted', request, {'app-id': app.pk})

        log.info('App created: %s' % app.pk)
        serializer = AppSerializer(context=self.get_serializer_context())
        payload = serializer.to_native(app)
        location = reverse('app-detail', kwargs={'pk': app.pk})

        return response.Response(payload, status=201,
                                 headers={'Location': location})
Exemple #19
    def obj_create(self, bundle, request, **kwargs):
        """Create an app from a previously uploaded file.

        Raises the form's errors when the form is invalid and an immediate
        forbidden response when ``OwnerAuthorization`` rejects the caller
        for the upload. On success the app is created, the caller is
        attached as an ``AddonUser``, icons and images are handled, the
        action is recorded and the populated bundle is returned.
        """
        form = UploadForm(bundle.data)
        if not form.is_valid():
            raise self.form_errors(form)

        # The upload must belong to the caller before an app is built
        # from it.
        owner_check = OwnerAuthorization()
        if not owner_check.is_authorized(request, object=form.obj):
            raise ImmediateHttpResponse(response=http.HttpForbidden())

        all_platforms = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]

        # Create app, user and fetch the icon.
        app = Addon.from_upload(form.obj, all_platforms,
                                is_packaged=form.is_packaged)
        bundle.obj = app
        AddonUser(addon=bundle.obj, user=request.amo_user).save()

        self._icons_and_images(bundle.obj)
        record_action('app-submitted', request, {'app-id': bundle.obj.pk})

        log.info('App created: %s' % bundle.obj.pk)
        return bundle
Exemple #20
def manifest(request):
    """Handle the manifest step of app submission.

    On a valid POST, creates the add-on from the upload, records its
    device types, premium type and icon type, attaches the requesting user
    as an ``AddonUser``, creates the submission checklist and redirects to
    ``submit.app.details``. Otherwise renders ``submit/manifest.html``.
    """
    form = forms.NewWebappForm(request.POST or None)

    if request.method != 'POST' or not form.is_valid():
        return jingo.render(request, 'submit/manifest.html', {
            'step': 'manifest',
            'form': form,
            'DEVICE_LOOKUP': DEVICE_LOOKUP
        })

    upload = form.cleaned_data['upload']
    all_platforms = [Platform.objects.get(id=amo.PLATFORM_ALL.id)]
    app = Addon.from_upload(upload, all_platforms,
                            is_packaged=form.is_packaged())

    # Set the device type.
    for device in form.get_devices():
        app.addondevicetype_set.get_or_create(device_type=device.id)

    # Set the premium type, only bother if it's not free.
    premium_type = form.get_paid()
    if premium_type:
        app.update(premium_type=premium_type)

    # An icon named in the manifest is fetched by a task; with no icon
    # there is nothing to fetch and the icon type is left empty.
    manifest_has_icon = app.has_icon_in_manifest()
    app.update(icon_type='image/png' if manifest_has_icon else '')
    if manifest_has_icon:
        tasks.fetch_icon.delay(app)

    AddonUser(addon=app, user=request.amo_user).save()
    # Record that the terms and manifest steps are done.
    AppSubmissionChecklist.objects.create(addon=app, terms=True,
                                          manifest=True)

    return redirect('submit.app.details', app.app_slug)
Exemple #21
                log.info('[@None] Skipping language pack "%s": '
                         'not owned by %s' %
                         (xpi, settings.LANGPACK_OWNER_EMAIL))
                continue

            version = Version.from_upload(upload, addon, PLATFORMS)
            log.info('[@None] Updating language pack "%s" to version %s' %
                     (xpi, data['version']))
        else:
            if amo.VERSION_BETA.search(data['version']):
                log.error('[@None] Not creating beta version %s for new "%s" '
                          'language pack' % (data['version'], xpi))
                continue

            addon = Addon.from_upload(upload, PLATFORMS)
            AddonUser(addon=addon, user=owner).save()
            version = addon.versions.get()

            addon.status = amo.STATUS_PUBLIC
            if addon.default_locale.lower() == lang.lower():
                addon.target_locale = addon.default_locale

            addon.save()

            log.info('[@None] Creating new "%s" language pack, version %s' %
                     (xpi, data['version']))

        # Version.from_upload will do this automatically, but only
        # if the add-on is already public, which it may not be in
        # the case of new add-ons
        status = amo.STATUS_PUBLIC
Exemple #22
 def test_contribute_multiple_devs(self):
     # Attach user 999 to add-on 592 as an AddonUser, load the
     # 'addons.meet' page and check it shows exactly one contribute button.
     addon = Addon.objects.get(pk=592)
     extra_dev = UserProfile.objects.get(pk=999)
     AddonUser(addon=addon, user=extra_dev).save()
     response = self.client.get(reverse('addons.meet', args=['a592']))
     buttons = pq(response.content)('#contribute-button')
     eq_(buttons.length, 1)
Exemple #23
    def save(self, commit=False):
        """Create a pending persona add-on from the validated form data.

        Creates the ``Addon`` and its initial ``Version``, queues the image
        tasks for the uploaded header and footer, records the requesting
        user as an ``AddonUser``, then creates the ``Persona`` row, the
        tags and the category link. ``commit`` is not read.

        Returns the new add-on. An ``IOError`` raised while queueing the
        image tasks deletes the add-on and is re-raised.

        NOTE(review): ``header_hash`` and ``footer_hash`` are taken from
        the form data and joined into paths under ``settings.TMP_PATH``;
        confirm the form's field validation restricts them to a bare file
        name.
        """
        from addons.tasks import (create_persona_preview_images,
                                  save_persona_image)
        cleaned = self.cleaned_data
        persona_addon = Addon.objects.create(slug=cleaned.get('slug'),
                                             status=amo.STATUS_PENDING,
                                             type=amo.ADDON_PERSONA)
        persona_addon.name = {'en-US': cleaned['name']}
        if cleaned.get('summary'):
            persona_addon.description = {'en-US': cleaned['summary']}
        initial_version = Version.objects.create(addon=persona_addon,
                                                 version='0')
        persona_addon._current_version = initial_version
        persona_addon.save()

        # Save header, footer, and preview images.
        # NOTE(review): the tasks are dispatched with .delay(); presumably
        # they run outside this call, in which case an IOError raised
        # inside a task would not reach this handler -- confirm.
        try:
            header_name = cleaned['header_hash']
            footer_name = cleaned['footer_hash']
            header_src = os.path.join(settings.TMP_PATH, 'persona_header',
                                      header_name)
            footer_src = os.path.join(settings.TMP_PATH, 'persona_footer',
                                      footer_name)
            dst_root = os.path.join(settings.ADDONS_PATH,
                                    str(persona_addon.id))

            header_dst = os.path.join(dst_root, 'header.png')
            save_persona_image.delay(src=header_src, full_dst=header_dst)
            footer_dst = os.path.join(dst_root, 'footer.png')
            save_persona_image.delay(src=footer_src, full_dst=footer_dst)
            preview_targets = [
                os.path.join(dst_root, 'preview.png'),
                os.path.join(dst_root, 'icon.png')
            ]
            create_persona_preview_images.delay(
                src=header_src,
                full_dst=preview_targets,
                set_modified_on=[persona_addon])
        except IOError:
            # Do not leave a half-created add-on behind.
            persona_addon.delete()
            raise

        # Save user info.
        submitter = self.request.amo_user
        AddonUser(addon=persona_addon, user=submitter).save()

        # Create Persona instance.
        persona = Persona()
        persona.persona_id = 0
        persona.addon = persona_addon
        persona.header = 'header.png'
        persona.footer = 'footer.png'
        # Colours are stored without the leading '#'.
        if cleaned['accentcolor']:
            persona.accentcolor = cleaned['accentcolor'].lstrip('#')
        if cleaned['textcolor']:
            persona.textcolor = cleaned['textcolor'].lstrip('#')
        persona.license = cleaned['license']
        persona.submit = datetime.now()
        persona.author = submitter.name
        persona.display_username = submitter.username
        persona.save()

        # Save tags.
        for tag_text in cleaned['tags']:
            Tag(tag_text=tag_text).save_tag(persona_addon)

        # Save categories.
        category_link = AddonCategory(addon=persona_addon,
                                      category=cleaned['category'])
        category_link.save()

        return persona_addon