def change_pass(request): form = auth_forms.ChangePassForm(request.form) user = request.user if request.method == 'POST' and form.validate(): if not tools.bcrypt_check_password( form.old_password.data, user.pw_hash): form.old_password.errors.append( _('Wrong password')) return render_to_response( request, 'mediagoblin/plugins/recaptcha/change_pass.html', {'form': form, 'user': user}) # Password matches user.pw_hash = tools.bcrypt_gen_password_hash( form.new_password.data) user.save() messages.add_message( request, messages.SUCCESS, _('Your password was changed successfully')) return redirect(request, 'mediagoblin.edit.account') return render_to_response( request, 'mediagoblin/plugins/recaptcha/change_pass.html', {'form': form, 'user': user})
def add(request): if request.method == 'GET': return redirect(request, 'mediagoblin.plugins.persona.edit') email = _get_response(request) if email: query = PersonaUserEmails.query.filter_by( persona_email=email ).first() user_exists = query.user if query else None if user_exists: messages.add_message( request, messages.WARNING, _('Sorry, an account is already registered with that Persona' ' email address.')) return redirect(request, 'mediagoblin.plugins.persona.edit') else: # Save the Persona Email to the user new_entry = PersonaUserEmails() new_entry.persona_email = email new_entry.user_id = request.user.id new_entry.save() messages.add_message( request, messages.SUCCESS, _('Your Persona email address was saved successfully.')) return redirect(request, 'mediagoblin.edit.account')
def test_messages(test_app): """ Added messages should show up in the request.session, fetched messages should be the same as the added ones, and fetching should clear the message list. """ # Aquire a request object test_app.get('/') context = template.TEMPLATE_TEST_CONTEXT['mediagoblin/root.html'] request = context['request'] # The message queue should be empty assert request.session.get('messages', []) == [] # First of all, we should clear the messages queue messages.clear_add_message() # Adding a message should modify the session accordingly messages.add_message(request, 'herp_derp', 'First!') test_msg_queue = [{'text': 'First!', 'level': 'herp_derp'}] # Alternative tests to the following, test divided in two steps: # assert request.session['messages'] == test_msg_queue # 1. Tests if add_message worked assert messages.ADD_MESSAGE_TEST[-1] == test_msg_queue # 2. Tests if add_message updated session information assert messages.ADD_MESSAGE_TEST[-1] == request.session['messages'] # fetch_messages should return and empty the queue assert messages.fetch_messages(request) == test_msg_queue assert request.session.get('messages') == []
def edit_blog_post(request): """ First view for submitting a file. """ form = forms.BlogPostEditForm(request.form, license=request.user.license_preference) if request.method == 'POST' and form.validate(): media_type = 'blogpost' entry = request.db.MediaEntry() entry.media_type = unicode(media_type) entry.title = unicode(form.title.data) entry.description = unicode(form.description.data) entry.license = unicode(form.license.data) or None entry.uploader = request.user.id entry.tags = convert_to_tag_list_of_dicts(form.tags.data) entry.generate_slug() entry.save() add_message(request, SUCCESS, _('Woohoo! Submitted!')) return redirect(request, "mediagoblin.plugins.blog.blog.view", user=request.user.username) return render_to_response( request, 'blog/blogpost_edit.html', {'form': form, 'app_config': mg_globals.app_config, 'user': request.user})
def register(request): """The registration view. Note that usernames will always be lowercased. Email domains are lowercased while the first part remains case-sensitive. """ # Redirects to indexpage if registrations are disabled if not mg_globals.app_config["allow_registration"]: messages.add_message( request, messages.WARNING, _('Sorry, registration is disabled on this instance.')) return redirect(request, "index") register_form = auth_forms.RegistrationForm(request.form) if request.method == 'POST' and register_form.validate(): # TODO: Make sure the user doesn't exist already users_with_username = User.query.filter_by(username=register_form.data['username']).count() users_with_email = User.query.filter_by(email=register_form.data['email']).count() extra_validation_passes = True if users_with_username: register_form.username.errors.append( _(u'Sorry, a user with that name already exists.')) extra_validation_passes = False if users_with_email: register_form.email.errors.append( _(u'Sorry, a user with that email address already exists.')) extra_validation_passes = False if extra_validation_passes: # Create the user user = User() user.username = register_form.data['username'] user.email = register_form.data['email'] user.pw_hash = auth_lib.bcrypt_gen_password_hash( register_form.password.data) user.verification_key = unicode(uuid.uuid4()) user.save() # log the user in request.session['user_id'] = unicode(user.id) request.session.save() # send verification email email_debug_message(request) send_verification_email(user, request) # redirect the user to their homepage... there will be a # message waiting for them to verify their email return redirect( request, 'mediagoblin.user_pages.user_home', user=user.username) return render_to_response( request, 'mediagoblin/auth/register.html', {'register_form': register_form})
def delete_account(request): """Delete a user completely""" user = request.user if request.method == 'POST': if request.form.get(u'confirmed'): # Form submitted and confirmed. Actually delete the user account # Log out user and delete cookies etc. # TODO: Should we be using MG.auth.views.py:logout for this? request.session.delete() # Delete user account and all related media files etc.... request.user.delete() # We should send a message that the user has been deleted # successfully. But we just deleted the session, so we # can't... return redirect(request, 'index') else: # Did not check the confirmation box... messages.add_message( request, messages.WARNING, _('You need to confirm the deletion of your account.')) # No POST submission or not confirmed, just show page return render_to_response( request, 'mediagoblin/edit/delete_account.html', {'user': user})
def edit_account(request): user = request.user form = forms.EditAccountForm( request.form, wants_comment_notification=user.wants_comment_notification, license_preference=user.license_preference, wants_notifications=user.wants_notifications) if request.method == 'POST' and form.validate(): user.wants_comment_notification = form.wants_comment_notification.data user.wants_notifications = form.wants_notifications.data user.license_preference = form.license_preference.data user.save() messages.add_message(request, messages.SUCCESS, _("Account settings saved")) return redirect(request, 'mediagoblin.user_pages.user_home', user=user.username) return render_to_response(request, 'mediagoblin/edit/edit_account.html', { 'user': user, 'form': form })
def subscribe_comments(request, media): add_comment_subscription(request.user, media) messages.add_message(request, messages.SUCCESS, _("Subscribed to comments on %s!") % media.title) return redirect(request, location=media.url_for_self(request.urlgen))
def edit_account(request): user = request.user form = forms.EditAccountForm( request.form, wants_comment_notification=user.wants_comment_notification, license_preference=user.license_preference, ) if request.method == "POST": form_validated = form.validate() if form_validated and form.wants_comment_notification.validate(form): user.wants_comment_notification = form.wants_comment_notification.data if form_validated and form.new_password.data or form.old_password.data: password_matches = auth_lib.bcrypt_check_password(form.old_password.data, user.pw_hash) if password_matches: # the entire form validates and the password matches user.pw_hash = auth_lib.bcrypt_gen_password_hash(form.new_password.data) else: form.old_password.errors.append(_("Wrong password")) if form_validated and form.license_preference.validate(form): user.license_preference = form.license_preference.data if form_validated and not form.errors: user.save() messages.add_message(request, messages.SUCCESS, _("Account settings saved")) return redirect(request, "mediagoblin.user_pages.user_home", user=user.username) return render_to_response(request, "mediagoblin/edit/edit_account.html", {"user": user, "form": form})
def finish_edit(request): """Finishes the process of adding an openid url to a user""" response = _finish_verification(request) if not response: # Verification failed, redirect to add openid page. return redirect(request, 'mediagoblin.plugins.openid.edit') # Verification was successfull query = OpenIDUserURL.query.filter_by( openid_url=response.identity_url, ).first() user_exists = query.user if query else None if user_exists: # user exists with that openid url, redirect back to edit page messages.add_message( request, messages.WARNING, _('Sorry, an account is already registered to that OpenID.')) return redirect(request, 'mediagoblin.plugins.openid.edit') else: # Save openid to user user = User.query.filter_by(id=request.session['user_id']).first() new_entry = OpenIDUserURL() new_entry.openid_url = response.identity_url new_entry.user_id = user.id new_entry.save() messages.add_message(request, messages.SUCCESS, _('Your OpenID url was saved successfully.')) return redirect(request, 'mediagoblin.edit.account')
def edit_profile(request, url_user=None): # admins may edit any user profile if request.user.username != url_user.username: if not request.user.is_admin: raise Forbidden(_("You can only edit your own profile.")) # No need to warn again if admin just submitted an edited profile if request.method != "POST": messages.add_message( request, messages.WARNING, _("You are editing a user's profile. Proceed with caution.") ) user = url_user form = forms.EditProfileForm(request.form, url=user.url, bio=user.bio) if request.method == "POST" and form.validate(): user.url = unicode(form.url.data) user.bio = unicode(form.bio.data) user.save() messages.add_message(request, messages.SUCCESS, _("Profile changes saved")) return redirect(request, "mediagoblin.user_pages.user_home", user=user.username) return render_to_response(request, "mediagoblin/edit/edit_profile.html", {"user": user, "form": form})
def change_pass(request): form = forms.ChangePassForm(request.form) user = request.user if request.method == 'POST' and form.validate(): if not tools.bcrypt_check_password(form.old_password.data, user.pw_hash): form.old_password.errors.append(_('Wrong password')) return render_to_response( request, 'mediagoblin/plugins/basic_auth/change_pass.html', { 'form': form, 'user': user }) # Password matches user.pw_hash = tools.bcrypt_gen_password_hash(form.new_password.data) user.save() messages.add_message(request, messages.SUCCESS, _('Your password was changed successfully')) return redirect(request, 'mediagoblin.edit.account') return render_to_response( request, 'mediagoblin/plugins/basic_auth/change_pass.html', { 'form': form, 'user': user })
def edit_account(request): user = request.user form = forms.EditAccountForm(request.form, wants_comment_notification=user.get("wants_comment_notification")) if request.method == "POST": form_validated = form.validate() # if the user has not filled in the new or old password fields if not form.new_password.data and not form.old_password.data: if form.wants_comment_notification.validate(form): user.wants_comment_notification = form.wants_comment_notification.data user.save() messages.add_message(request, messages.SUCCESS, _("Account settings saved")) return redirect(request, "mediagoblin.user_pages.user_home", user=user.username) # so the user has filled in one or both of the password fields else: if form_validated: password_matches = auth_lib.bcrypt_check_password(form.old_password.data, user.pw_hash) if password_matches: # the entire form validates and the password matches user.pw_hash = auth_lib.bcrypt_gen_password_hash(form.new_password.data) user.wants_comment_notification = form.wants_comment_notification.data user.save() messages.add_message(request, messages.SUCCESS, _("Account settings saved")) return redirect(request, "mediagoblin.user_pages.user_home", user=user.username) else: form.old_password.errors.append(_("Wrong password")) return render_to_response(request, "mediagoblin/edit/edit_account.html", {"user": user, "form": form})
def edit_profile(request): # admins may edit any user profile given a username in the querystring edit_username = request.GET.get("username") if request.user.is_admin and request.user.username != edit_username: user = request.db.User.find_one({"username": edit_username}) # No need to warn again if admin just submitted an edited profile if request.method != "POST": messages.add_message( request, messages.WARNING, _("You are editing a user's profile. Proceed with caution.") ) else: user = request.user form = forms.EditProfileForm(request.form, url=user.get("url"), bio=user.get("bio")) if request.method == "POST" and form.validate(): user.url = unicode(request.form["url"]) user.bio = unicode(request.form["bio"]) user.save() messages.add_message(request, messages.SUCCESS, _("Profile changes saved")) return redirect(request, "mediagoblin.user_pages.user_home", user=user.username) return render_to_response(request, "mediagoblin/edit/edit_profile.html", {"user": user, "form": form})
def delete_account(request): """Delete a user completely""" user = request.user if request.method == 'POST': if request.form.get(u'confirmed'): # Form submitted and confirmed. Actually delete the user account # Log out user and delete cookies etc. # TODO: Should we be using MG.auth.views.py:logout for this? request.session.delete() # Delete user account and all related media files etc.... request.user.delete() # We should send a message that the user has been deleted # successfully. But we just deleted the session, so we # can't... return redirect(request, 'index') else: # Did not check the confirmation box... messages.add_message( request, messages.WARNING, _('You need to confirm the deletion of your account.')) # No POST submission or not confirmed, just show page return render_to_response(request, 'mediagoblin/edit/delete_account.html', {'user': user})
def _finish_verification(request): """ Complete OpenID Verification Process. If the verification failed, will return false, otherwise, will return the response """ c = consumer.Consumer(request.session, SQLAlchemyOpenIDStore()) # Check the response from the provider response = c.complete(request.args, request.base_url) if response.status == consumer.FAILURE: messages.add_message( request, messages.WARNING, _('Verification of %s failed: %s' % (response.getDisplayIdentifier(), response.message))) elif response.status == consumer.SUCCESS: # Verification was successfull return response elif response.status == consumer.CANCEL: # Verification canceled messages.add_message( request, messages.WARNING, _('Verification cancelled')) return False
def verify_email(request): """ Email verification view validates GET parameters against database and unlocks the user account, if you are lucky :) """ # If we don't have userid and token parameters, we can't do anything; 404 if not 'userid' in request.GET or not 'token' in request.GET: return render_404(request) user = request.db.User.find_one( {'_id': ObjectId(unicode(request.GET['userid']))}) if user and user.verification_key == unicode(request.GET['token']): user.status = u'active' user.email_verified = True user.verification_key = None user.save() messages.add_message( request, messages.SUCCESS, _("Your email address has been verified. " "You may now login, edit your profile, and submit images!")) else: messages.add_message( request, messages.ERROR, _('The verification key or user id is incorrect')) return redirect( request, 'mediagoblin.user_pages.user_home', user=user.username)
def register_client(request): ''' Register an OAuth client ''' form = ClientRegistrationForm(request.form) if request.method == 'POST' and form.validate(): client = OAuthClient() client.name = unicode(request.form['name']) client.description = unicode(request.form['description']) client.type = unicode(request.form['type']) client.owner_id = request.user.id client.redirect_uri = unicode(request.form['redirect_uri']) client.generate_identifier() client.generate_secret() client.save() add_message(request, SUCCESS, _('The client {0} has been registered!')\ .format( client.name)) return redirect(request, 'mediagoblin.plugins.oauth.list_clients') return render_to_response( request, 'oauth/client/register.html', {'form': form})
def _finish_verification(request): """ Complete OpenID Verification Process. If the verification failed, will return false, otherwise, will return the response """ c = consumer.Consumer(request.session, SQLAlchemyOpenIDStore()) # Check the response from the provider response = c.complete(request.args, request.base_url) if response.status == consumer.FAILURE: messages.add_message( request, messages.WARNING, _('Verification of %s failed: %s' % (response.getDisplayIdentifier(), response.message))) elif response.status == consumer.SUCCESS: # Verification was successfull return response elif response.status == consumer.CANCEL: # Verification canceled messages.add_message(request, messages.WARNING, _('Verification cancelled')) return False
def add(request): if request.method == 'GET': return redirect(request, 'mediagoblin.plugins.persona.edit') email = _get_response(request) if email: query = PersonaUserEmails.query.filter_by(persona_email=email).first() user_exists = query.user if query else None if user_exists: messages.add_message( request, messages.WARNING, _('Sorry, an account is already registered with that Persona' ' email address.')) return redirect(request, 'mediagoblin.plugins.persona.edit') else: # Save the Persona Email to the user new_entry = PersonaUserEmails() new_entry.persona_email = email new_entry.user_id = request.user.id new_entry.save() request.session['persona_login_email'] = email messages.add_message( request, messages.SUCCESS, _('Your Persona email address was saved successfully.')) return redirect(request, 'mediagoblin.edit.account')
def change_pass(request): # If no password authentication, no need to change your password if 'pass_auth' not in request.template_env.globals: return redirect(request, 'index') form = forms.ChangePassForm(request.form) user = request.user if request.method == 'POST' and form.validate(): if not auth.check_password(form.old_password.data, user.pw_hash): form.old_password.errors.append(_('Wrong password')) return render_to_response(request, 'mediagoblin/edit/change_pass.html', { 'form': form, 'user': user }) # Password matches user.pw_hash = auth.gen_password_hash(form.new_password.data) user.save() messages.add_message(request, messages.SUCCESS, _('Your password was changed successfully')) return redirect(request, 'mediagoblin.edit.account') return render_to_response(request, 'mediagoblin/edit/change_pass.html', { 'form': form, 'user': user })
def login(request): if request.method == 'GET': return redirect(request, 'mediagoblin.auth.login') email = _get_response(request) if email: query = PersonaUserEmails.query.filter_by(persona_email=email).first() user = query.user if query else None if user: request.session['user_id'] = unicode(user.id) request.session['persona_login_email'] = email request.session.save() return redirect(request, "index") else: if not mg_globals.app.auth: messages.add_message( request, messages.WARNING, _('Sorry, authentication is disabled on this instance.')) return redirect(request, 'index') register_form = forms.RegistrationForm(email=email, persona_email=email) return render_to_response( request, 'mediagoblin/auth/register.html', { 'register_form': register_form, 'post_url': request.urlgen('mediagoblin.plugins.persona.register') }) return redirect(request, 'mediagoblin.auth.login')
def deauthorize_applications(request): """ Deauthroize OAuth applications """ if request.method == 'POST' and "application" in request.form: token = request.form["application"] access_token = AccessToken.query.filter_by(token=token).first() if access_token is None: messages.add_message( request, messages.ERROR, _("Unknown application, not able to deauthorize") ) else: access_token.delete() messages.add_message( request, messages.SUCCESS, _("Application has been deauthorized") ) access_tokens = AccessToken.query.filter_by(user=request.user.id) applications = [(a.get_requesttoken, a) for a in access_tokens] return render_to_response( request, 'mediagoblin/edit/deauthorize_applications.html', {'applications': applications} )
def media_post_comment(request, media): """ recieves POST from a MediaEntry() comment form, saves the comment. """ assert request.method == 'POST' comment = request.db.MediaComment() comment.media_entry = media.id comment.author = request.user.id comment.content = unicode(request.form['comment_content']) if not comment.content.strip(): messages.add_message( request, messages.ERROR, _("Oops, your comment was empty.")) else: comment.save() messages.add_message( request, messages.SUCCESS, _('Your comment has been posted!')) media_uploader = media.get_uploader #don't send email if you comment on your own post if (comment.author != media_uploader and media_uploader.wants_comment_notification): send_comment_email(media_uploader, comment, media, request) return redirect(request, location=media.url_for_self(request.urlgen))
def edit_account(request): user = request.user form = forms.EditAccountForm(request.form, wants_comment_notification=user.wants_comment_notification, license_preference=user.license_preference, wants_notifications=user.wants_notifications) if request.method == 'POST' and form.validate(): user.wants_comment_notification = form.wants_comment_notification.data user.wants_notifications = form.wants_notifications.data user.license_preference = form.license_preference.data user.save() messages.add_message(request, messages.SUCCESS, _("Account settings saved")) return redirect(request, 'mediagoblin.user_pages.user_home', user=user.username) return render_to_response( request, 'mediagoblin/edit/edit_account.html', {'user': user, 'form': form})
def register_client(request): ''' Register an OAuth client ''' form = ClientRegistrationForm(request.form) if request.method == 'POST' and form.validate(): client = OAuthClient() client.name = six.text_type(form.name.data) client.description = six.text_type(form.description.data) client.type = six.text_type(form.type.data) client.owner_id = request.user.id client.redirect_uri = six.text_type(form.redirect_uri.data) client.save() add_message(request, SUCCESS, _('The client {0} has been registered!')\ .format( client.name)) return redirect(request, 'mediagoblin.plugins.oauth.list_clients') return render_to_response( request, 'oauth/client/register.html', {'form': form})
def edit_profile(request, url_user=None): # admins may edit any user profile if request.user.username != url_user.username: if not request.user.has_privilege(u'admin'): raise Forbidden(_("You can only edit your own profile.")) # No need to warn again if admin just submitted an edited profile if request.method != 'POST': messages.add_message( request, messages.WARNING, _("You are editing a user's profile. Proceed with caution.")) user = url_user form = forms.EditProfileForm(request.form, url=user.url, bio=user.bio) if request.method == 'POST' and form.validate(): user.url = unicode(form.url.data) user.bio = unicode(form.bio.data) user.save() messages.add_message(request, messages.SUCCESS, _("Profile changes saved")) return redirect(request, 'mediagoblin.user_pages.user_home', user=user.username) return render_to_response(request, 'mediagoblin/edit/edit_profile.html', { 'user': user, 'form': form })
def wrapper(request, *args, **kwargs): if not mgg.app.auth: messages.add_message( request, messages.WARNING, _('Sorry, authentication is disabled on this instance.')) return redirect(request, 'index') return controller(request, *args, **kwargs)
def subscribe_comments(request, media): add_comment_subscription(request.user, media) messages.add_message(request, messages.SUCCESS, _('Subscribed to comments on %s!') % media.title) return redirect(request, location=media.url_for_self(request.urlgen))
def silence_comments(request, media): silence_comment_subscription(request.user, media) messages.add_message( request, messages.SUCCESS, _("You will not receive notifications for comments on" " %s.") % media.title ) return redirect(request, location=media.url_for_self(request.urlgen))
def wrapper(request, *args, **kwargs): if not mgg.app_config["allow_registration"]: messages.add_message( request, messages.WARNING, _('Sorry, registration is disabled on this instance.')) return redirect(request, "index") return controller(request, *args, **kwargs)
def edit_subtitles(request, media): allowed_extensions = ['aqt','gsub','jss','sub','ttxt','pjs','psb', 'rt','smi','stl','ssf','srt','ssa','ass','usf','vtt','lrc'] form = forms.EditSubtitlesForm(request.form) # Add any subtitles if 'subtitle_file' in request.files \ and request.files['subtitle_file']: if mimetypes.guess_type( request.files['subtitle_file'].filename)[0] in \ UNSAFE_MIMETYPES: public_filename = secure_filename('{0}.notsafe'.format( request.files['subtitle_file'].filename)) else: public_filename = secure_filename( request.files['subtitle_file'].filename) filepath = request.files['subtitle_file'].filename if filepath.split('.')[-1] not in allowed_extensions : messages.add_message( request, messages.ERROR, ("Invalid subtitle file")) return redirect(request, location=media.url_for_self(request.urlgen)) subtitle_public_filepath = mg_globals.public_store.get_unique_filepath( ['media_entries', six.text_type(media.id), 'subtitle', public_filename]) with mg_globals.public_store.get_file( subtitle_public_filepath, 'wb') as subtitle_public_file: subtitle_public_file.write( request.files['subtitle_file'].stream.read()) request.files['subtitle_file'].stream.close() media.subtitle_files.append(dict( name=form.subtitle_language.data \ or request.files['subtitle_file'].filename, filepath=subtitle_public_filepath, created=datetime.utcnow(), )) media.save() messages.add_message( request, messages.SUCCESS, ("You added the subtitle %s!") % (form.subtitle_language.data or request.files['subtitle_file'].filename)) return redirect(request, location=media.url_for_self(request.urlgen)) return render_to_response( request, 'mediagoblin/plugins/subtitles/subtitles.html', {'media': media, 'form': form})
def silence_comments(request, media): silence_comment_subscription(request.user, media) messages.add_message(request, messages.SUCCESS, _('You will not receive notifications for comments on' ' %s.') % media.title) return redirect(request, location=media.url_for_self(request.urlgen))
def wrapper(request, *args, **kwargs): if not mgg.app_config["allow_reporting"]: messages.add_message( request, messages.WARNING, _('Sorry, reporting is disabled on this instance.')) return redirect(request, 'index') return controller(request, *args, **kwargs)
def edit_subtitles(request, media): # This was originally quite a long list of allowed extensions, but as far as # I understand, Video.js only supports WebVTT format subtitles: # https://docs.videojs.com/docs/guides/text-tracks.html allowed_extensions = ['vtt'] form = forms.EditSubtitlesForm(request.form) # Add any subtitles if 'subtitle_file' in request.files \ and request.files['subtitle_file']: if mimetypes.guess_type( request.files['subtitle_file'].filename)[0] in \ UNSAFE_MIMETYPES: public_filename = secure_filename('{}.notsafe'.format( request.files['subtitle_file'].filename)) else: public_filename = secure_filename( request.files['subtitle_file'].filename) filepath = request.files['subtitle_file'].filename if filepath.split('.')[-1] not in allowed_extensions: messages.add_message(request, messages.ERROR, ("Invalid subtitle file")) return redirect(request, location=media.url_for_self(request.urlgen)) subtitle_public_filepath = mg_globals.public_store.get_unique_filepath( ['media_entries', str(media.id), 'subtitle', public_filename]) with mg_globals.public_store.get_file(subtitle_public_filepath, 'wb') as subtitle_public_file: subtitle_public_file.write( request.files['subtitle_file'].stream.read()) request.files['subtitle_file'].stream.close() media.subtitle_files.append(dict( name=form.subtitle_language.data \ or request.files['subtitle_file'].filename, filepath=subtitle_public_filepath, created=datetime.utcnow(), )) media.save() messages.add_message(request, messages.SUCCESS, ("You added the subtitle %s!") % (form.subtitle_language.data or request.files['subtitle_file'].filename)) return redirect(request, location=media.url_for_self(request.urlgen)) return render_to_response(request, 'mediagoblin/plugins/subtitles/subtitles.html', { 'media': media, 'form': form })
def register(request): # if request.method == 'GET': # return redirect( # request, # 'mediagoblin.plugins.recaptcha.register') register_form = auth_forms.RegistrationForm(request.form) config = pluginapi.get_config('mediagoblin.plugins.recaptcha') recaptcha_protocol = '' if config['RECAPTCHA_USE_SSL']: recaptcha_protocol = 'https' else: recaptcha_protocol = 'http' _log.debug("Connecting to reCAPTCHA service via %r", recaptcha_protocol) if register_form.validate(): recaptcha_challenge = request.form['recaptcha_challenge_field'] recaptcha_response = request.form['recaptcha_response_field'] _log.debug("response field is: %r", recaptcha_response) _log.debug("challenge field is: %r", recaptcha_challenge) response = captcha.submit( recaptcha_challenge, recaptcha_response, config.get('RECAPTCHA_PRIVATE_KEY'), request.remote_addr, ) goblin = response.is_valid if response.error_code: _log.warning("reCAPTCHA error: %r", response.error_code) if goblin: user = register_user(request, register_form) if user: # redirect the user to their homepage... there will be a # message waiting for them to verify their email return redirect( request, 'mediagoblin.user_pages.user_home', user=user.username) else: messages.add_message( request, messages.WARNING, _('Sorry, captcha was incorrect. Please try again.')) return render_to_response( request, 'mediagoblin/plugins/recaptcha/register.html', {'register_form': register_form, 'post_url': request.urlgen('mediagoblin.plugins.recaptcha.register'), 'recaptcha_public_key': config.get('RECAPTCHA_PUBLIC_KEY'), 'recaptcha_protocol' : recaptcha_protocol})
def edit_attachments(request, media): if mg_globals.app_config["allow_attachments"]: form = forms.EditAttachmentsForm() # Add any attachements if "attachment_file" in request.files and request.files["attachment_file"]: # Security measure to prevent attachments from being served as # text/html, which will be parsed by web clients and pose an XSS # threat. # # TODO # This method isn't flawless as some browsers may perform # content-sniffing. # This method isn't flawless as we do the mimetype lookup on the # machine parsing the upload form, and not necessarily the machine # serving the attachments. if mimetypes.guess_type(request.files["attachment_file"].filename)[0] in UNSAFE_MIMETYPES: public_filename = secure_filename("{0}.notsafe".format(request.files["attachment_file"].filename)) else: public_filename = secure_filename(request.files["attachment_file"].filename) attachment_public_filepath = mg_globals.public_store.get_unique_filepath( ["media_entries", unicode(media.id), "attachment", public_filename] ) attachment_public_file = mg_globals.public_store.get_file(attachment_public_filepath, "wb") try: attachment_public_file.write(request.files["attachment_file"].stream.read()) finally: request.files["attachment_file"].stream.close() media.attachment_files.append( dict( name=form.attachment_name.data or request.files["attachment_file"].filename, filepath=attachment_public_filepath, created=datetime.utcnow(), ) ) media.save() messages.add_message( request, messages.SUCCESS, _("You added the attachment %s!") % (form.attachment_name.data or request.files["attachment_file"].filename), ) return redirect(request, location=media.url_for_self(request.urlgen)) return render_to_response(request, "mediagoblin/edit/attachments.html", {"media": media, "form": form}) else: raise Forbidden("Attachments are disabled")
def email_debug_message(request): """ If the server is running in email debug mode (which is the current default), give a debug message to the user so that they have an idea where to find their email. """ if mg_globals.app_config['email_debug_mode']: # DEBUG message, no need to translate messages.add_message(request, messages.DEBUG, u"This instance is running in email debug mode. " u"The email will be on the console of the server process.")
def edit_profile(request, url_user=None): # admins may edit any user profile if request.user.username != url_user.username: if not request.user.has_privilege(u'admin'): raise Forbidden(_("You can only edit your own profile.")) # No need to warn again if admin just submitted an edited profile if request.method != 'POST': messages.add_message( request, messages.WARNING, _("You are editing a user's profile. Proceed with caution.")) user = url_user # Get the location name if user.location is None: location = "" else: location = user.get_location.name form = forms.EditProfileForm(request.method == 'POST' and request.form or None, url=user.url, bio=user.bio, location=location) if request.method == 'POST' and form.validate(): user.url = six.text_type(form.url.data) user.bio = six.text_type(form.bio.data) # Save location if form.location.data and user.location is None: user.get_location = Location( name=six.text_type(form.location.data)) elif form.location.data: location = user.get_location location.name = six.text_type(form.location.data) location.save() else: user.location = None user.save() messages.add_message(request, messages.SUCCESS, _("Profile changes saved")) return redirect(request, 'mediagoblin.user_pages.user_home', user=user.username) return render_to_response(request, 'mediagoblin/edit/edit_profile.html', { 'user': user, 'form': form })
def email_debug_message(request): """ If the server is running in email debug mode (which is the current default), give a debug message to the user so that they have an idea where to find their email. """ if mg_globals.app_config['email_debug_mode']: # DEBUG message, no need to translate messages.add_message( request, messages.DEBUG, u"This instance is running in email debug mode. " u"The email will be on the console of the server process.")
def login(request): login_form = forms.LoginForm(request.form) login_failed = False if request.method == 'POST' and login_form.validate(): l = LDAP() username, email = l.login(login_form.username.data, login_form.password.data) if username: user = LocalUser.query.filter( LocalUser.username==username ).first() if user: # set up login in session request.session['user_id'] = six.text_type(user.id) request.session.save() if request.form.get('next'): return redirect(request, location=request.form['next']) else: return redirect(request, "index") else: if not mg_globals.app.auth: messages.add_message( request, messages.WARNING, _('Sorry, authentication is disabled on this ' 'instance.')) return redirect(request, 'index') register_form = forms.RegisterForm(username=username, email=email) return render_to_response( request, 'mediagoblin/auth/register.html', {'register_form': register_form, 'post_url': request.urlgen('mediagoblin.plugins.ldap.register')}) login_failed = True return render_to_response( request, 'mediagoblin/auth/login.html', {'login_form': login_form, 'next': request.GET.get('next') or request.form.get('next'), 'login_failed': login_failed, 'post_url': request.urlgen('mediagoblin.plugins.ldap.login'), 'allow_registration': mg_globals.app_config["allow_registration"]})
def edit_collection(request, collection): defaults = dict( title=collection.title, slug=collection.slug, description=collection.description) form = forms.EditCollectionForm( request.form, **defaults) if request.method == 'POST' and form.validate(): # Make sure there isn't already a Collection with such a slug # and userid. slug_used = check_collection_slug_used(request.db, collection.creator, request.form['slug'], collection.id) # Make sure there isn't already a Collection with this title existing_collection = request.db.Collection.find_one({ 'creator': request.user._id, 'title':request.form['title']}) if existing_collection and existing_collection.id != collection.id: messages.add_message( request, messages.ERROR, _('You already have a collection called "%s"!') % \ request.form['title']) elif slug_used: form.slug.errors.append( _(u'A collection with that slug already exists for this user.')) else: collection.title = unicode(request.form['title']) collection.description = unicode(request.form.get('description')) collection.slug = unicode(request.form['slug']) collection.save() return redirect(request, "mediagoblin.user_pages.user_collection", user=collection.get_creator.username, collection=collection.slug) if request.user.is_admin \ and collection.creator != request.user._id \ and request.method != 'POST': messages.add_message( request, messages.WARNING, _("You are editing another user's collection. Proceed with caution.")) return render_to_response( request, 'mediagoblin/edit/edit_collection.html', {'collection': collection, 'form': form})
def login(request): login_form = forms.LoginForm(request.form) login_failed = False if request.method == 'POST' and login_form.validate(): l = LDAP() username, email = l.login(login_form.username.data, login_form.password.data) if username: user = LocalUser.query.filter( LocalUser.username == username).first() if user: # set up login in session request.session['user_id'] = six.text_type(user.id) request.session.save() if request.form.get('next'): return redirect(request, location=request.form['next']) else: return redirect(request, "index") else: if not mg_globals.app.auth: messages.add_message( request, messages.WARNING, _('Sorry, authentication is disabled on this ' 'instance.')) return redirect(request, 'index') register_form = forms.RegisterForm(username=username, email=email) return render_to_response( request, 'mediagoblin/auth/register.html', { 'register_form': register_form, 'post_url': request.urlgen('mediagoblin.plugins.ldap.register') }) login_failed = True return render_to_response( request, 'mediagoblin/auth/login.html', { 'login_form': login_form, 'next': request.GET.get('next') or request.form.get('next'), 'login_failed': login_failed, 'post_url': request.urlgen('mediagoblin.plugins.ldap.login'), 'allow_registration': mg_globals.app_config["allow_registration"] })
def edit_profile(request, url_user=None): # admins may edit any user profile if request.user.username != url_user.username: if not request.user.has_privilege(u'admin'): raise Forbidden(_("You can only edit your own profile.")) # No need to warn again if admin just submitted an edited profile if request.method != 'POST': messages.add_message( request, messages.WARNING, _("You are editing a user's profile. Proceed with caution.")) user = url_user # Get the location name if user.location is None: location = "" else: location = user.get_location.name form = forms.EditProfileForm(request.form, url=user.url, bio=user.bio, location=location) if request.method == 'POST' and form.validate(): user.url = six.text_type(form.url.data) user.bio = six.text_type(form.bio.data) # Save location if form.location.data and user.location is None: user.get_location = Location(name=unicode(form.location.data)) elif form.location.data: location = user.get_location location.name = unicode(form.location.data) location.save() user.save() messages.add_message(request, messages.SUCCESS, _("Profile changes saved")) return redirect(request, 'mediagoblin.user_pages.user_home', user=user.username) return render_to_response( request, 'mediagoblin/edit/edit_profile.html', {'user': user, 'form': form})
def verify_forgot_password(request): """ Check the forgot-password verification and possibly let the user change their password because of it. """ # get form data variables, and specifically check for presence of token formdata = _process_for_token(request) if not formdata['has_userid_and_token']: return render_404(request) formdata_token = formdata['vars']['token'] formdata_userid = formdata['vars']['userid'] formdata_vars = formdata['vars'] # check if it's a valid Id try: user = request.db.User.find_one( {'_id': ObjectId(unicode(formdata_userid))}) except InvalidId: return render_404(request) # check if we have a real user and correct token if ((user and user.fp_verification_key and user.fp_verification_key == unicode(formdata_token) and datetime.datetime.now() < user.fp_token_expire and user.email_verified and user.status == 'active')): cp_form = auth_forms.ChangePassForm(formdata_vars) if request.method == 'POST' and cp_form.validate(): user.pw_hash = auth_lib.bcrypt_gen_password_hash( request.form['password']) user.fp_verification_key = None user.fp_token_expire = None user.save() messages.add_message( request, messages.INFO, _("You can now log in using your new password.")) return redirect(request, 'mediagoblin.auth.login') else: return render_to_response( request, 'mediagoblin/auth/change_fp.html', {'cp_form': cp_form}) # in case there is a valid id but no user whit that id in the db # or the token expired else: return render_404(request)
def edit_media(request, media): if not may_edit_media(request, media): return exc.HTTPForbidden() defaults = dict( title=media.title, slug=media.slug, description=media.description, tags=media_tags_as_string(media.tags), license=media.license) form = forms.EditForm( request.form, **defaults) if request.method == 'POST' and form.validate(): # Make sure there isn't already a MediaEntry with such a slug # and userid. slug_used = check_media_slug_used(request.db, media.uploader, request.form['slug'], media.id) if slug_used: form.slug.errors.append( _(u'An entry with that slug already exists for this user.')) else: media.title = unicode(request.form['title']) media.description = unicode(request.form.get('description')) media.tags = convert_to_tag_list_of_dicts( request.form.get('tags')) media.license = unicode(request.form.get('license', '')) or None media.slug = unicode(request.form['slug']) media.save() return exc.HTTPFound( location=media.url_for_self(request.urlgen)) if request.user.is_admin \ and media.uploader != request.user._id \ and request.method != 'POST': messages.add_message( request, messages.WARNING, _("You are editing another user's media. Proceed with caution.")) return render_to_response( request, 'mediagoblin/edit/edit.html', {'media': media, 'form': form})
def edit_collection(request, collection): defaults = dict( title=collection.title, slug=collection.slug, description=collection.description) form = forms.EditCollectionForm( request.form, **defaults) if request.method == 'POST' and form.validate(): # Make sure there isn't already a Collection with such a slug # and userid. slug_used = check_collection_slug_used(collection.creator, form.slug.data, collection.id) # Make sure there isn't already a Collection with this title existing_collection = request.db.Collection.query.filter_by( creator=request.user.id, title=form.title.data).first() if existing_collection and existing_collection.id != collection.id: messages.add_message( request, messages.ERROR, _('You already have a collection called "%s"!') % \ form.title.data) elif slug_used: form.slug.errors.append( _(u'A collection with that slug already exists for this user.')) else: collection.title = unicode(form.title.data) collection.description = unicode(form.description.data) collection.slug = unicode(form.slug.data) collection.save() return redirect_obj(request, collection) if request.user.has_privilege(u'admin') \ and collection.creator != request.user.id \ and request.method != 'POST': messages.add_message( request, messages.WARNING, _("You are editing another user's collection. Proceed with caution.")) return render_to_response( request, 'mediagoblin/edit/edit_collection.html', {'collection': collection, 'form': form})
def edit_collection(request, collection): defaults = dict( title=collection.title, slug=collection.slug, description=collection.description) form = forms.EditCollectionForm( request.form, **defaults) if request.method == 'POST' and form.validate(): # Make sure there isn't already a Collection with such a slug # and userid. slug_used = check_collection_slug_used(collection.creator, form.slug.data, collection.id) # Make sure there isn't already a Collection with this title existing_collection = request.db.Collection.query.filter_by( creator=request.user.id, title=form.title.data).first() if existing_collection and existing_collection.id != collection.id: messages.add_message( request, messages.ERROR, _('You already have a collection called "%s"!') % \ form.title.data) elif slug_used: form.slug.errors.append( _(u'A collection with that slug already exists for this user.')) else: collection.title = six.text_type(form.title.data) collection.description = six.text_type(form.description.data) collection.slug = six.text_type(form.slug.data) collection.save() return redirect_obj(request, collection) if request.user.has_privilege(u'admin') \ and collection.creator != request.user.id \ and request.method != 'POST': messages.add_message( request, messages.WARNING, _("You are editing another user's collection. Proceed with caution.")) return render_to_response( request, 'mediagoblin/edit/edit_collection.html', {'collection': collection, 'form': form})
def edit_media(request, media): # If media is not processed, return NotFound. if not media.state == 'processed': return render_404(request) if not may_edit_media(request, media): raise Forbidden("User may not edit this media") defaults = dict(title=media.title, slug=media.slug, description=media.description, tags=media_tags_as_string(media.tags), license=media.license) form = forms.EditForm(request.method == 'POST' and request.form or None, **defaults) if request.method == 'POST' and form.validate(): # Make sure there isn't already a MediaEntry with such a slug # and userid. slug = slugify(form.slug.data) slug_used = check_media_slug_used(media.actor, slug, media.id) if slug_used: form.slug.errors.append( _('An entry with that slug already exists for this user.')) else: media.title = form.title.data media.description = form.description.data media.tags = convert_to_tag_list_of_dicts(form.tags.data) media.license = str(form.license.data) or None media.slug = slug media.save() return redirect_obj(request, media) if request.user.has_privilege('admin') \ and media.actor != request.user.id \ and request.method != 'POST': messages.add_message( request, messages.WARNING, _("You are editing another user's media. Proceed with caution.")) return render_to_response(request, 'mediagoblin/edit/edit.html', { 'media': media, 'form': form })
def finish_login(request): """Complete OpenID Login Process""" response = _finish_verification(request) if not response: # Verification failed, redirect to login page. return redirect(request, 'mediagoblin.plugins.openid.login') # Verification was successfull query = OpenIDUserURL.query.filter_by( openid_url=response.identity_url, ).first() user = query.user if query else None if user: # Set up login in session request.session['user_id'] = str(user.id) request.session.save() if request.session.get('next'): return redirect(request, location=request.session.pop('next')) else: return redirect(request, "index") else: # No user, need to register if not mg_globals.app_config['allow_registration']: messages.add_message( request, messages.WARNING, _('Sorry, registration is disabled on this instance.')) return redirect(request, 'index') # Get email and nickname from response email = _response_email(response) username = _response_nickname(response) register_form = auth_forms.RegistrationForm( request.form, openid=response.identity_url, email=email, username=username) return render_to_response( request, 'mediagoblin/auth/register.html', { 'register_form': register_form, 'post_url': request.urlgen('mediagoblin.plugins.openid.register') })
def delete_subtitles(request, media): id = request.matchdict['id'] delete_container = None index = 0 for subtitle in media.subtitle_files: if subtitle["id"] == id: path = subtitle["filepath"] mg_globals.public_store.delete_file(path) delete_container = index media.subtitle_files.pop(delete_container) media.save() break index += 1 messages.add_message(request, messages.SUCCESS, ("Subtitle file deleted!!!")) return redirect(request, location=media.url_for_self(request.urlgen))
def blogpost_create(request): form = blog_forms.BlogPostEditForm(request.form, license=request.user.license_preference) if request.method == 'POST' and form.validate(): blog_slug = request.matchdict.get('blog_slug') blog = request.db.Blog.query.filter_by(slug=blog_slug, author=request.user.id).first() if not blog: return render_404(request) blogpost = request.db.MediaEntry() blogpost.media_type = 'mediagoblin.media_types.blogpost' blogpost.title = unicode(form.title.data) blogpost.description = unicode( cleaned_markdown_conversion((form.description.data))) blogpost.tags = convert_to_tag_list_of_dicts(form.tags.data) blogpost.license = unicode(form.license.data) or None blogpost.uploader = request.user.id blogpost.generate_slug() set_blogpost_state(request, blogpost) blogpost.save() # connect this blogpost to its blog blog_post_data = request.db.BlogPostData() blog_post_data.blog = blog.id blog_post_data.media_entry = blogpost.id blog_post_data.save() add_message(request, SUCCESS, _('Woohoo! Submitted!')) add_comment_subscription(request.user, blogpost) return redirect(request, "mediagoblin.media_types.blog.blog-dashboard", user=request.user.username, blog_slug=blog.slug) return render_to_response( request, 'mediagoblin/blog/blog_post_edit_create.html', { 'form': form, 'app_config': mg_globals.app_config, 'user': request.user.username })
def add_collection(request, media=None): """ View to create a new collection """ submit_form = submit_forms.AddCollectionForm(request.form) if request.method == 'POST' and submit_form.validate(): collection = request.db.Collection() collection.title = str(submit_form.title.data) collection.description = str(submit_form.description.data) collection.actor = request.user.id collection.type = request.db.Collection.USER_DEFINED_TYPE collection.generate_slug() # Make sure this user isn't duplicating an existing collection existing_collection = request.db.Collection.query.filter_by( actor=request.user.id, type=request.db.Collection.USER_DEFINED_TYPE, title=collection.title).first() if existing_collection: messages.add_message( request, messages.ERROR, _('You already have a collection called "%s"!') % collection.title) else: collection.save() messages.add_message( request, messages.SUCCESS, _('Collection "%s" added!') % collection.title) return redirect(request, "mediagoblin.user_pages.user_home", user=request.user.username) return render_to_response( request, 'mediagoblin/submit/collection.html', {'submit_form': submit_form, 'app_config': mg_globals.app_config})
def blogpost_edit(request): blog_slug = request.matchdict.get('blog_slug', None) blog_post_slug = request.matchdict.get('blog_post_slug', None) blogpost = request.db.MediaEntry.query.filter_by( slug=blog_post_slug, uploader=request.user.id).first() blog = get_blog_by_slug(request, blog_slug, author=request.user.id) if not blogpost or not blog: return render_404(request) defaults = dict(title=blogpost.title, description=cleaned_markdown_conversion( blogpost.description), tags=media_tags_as_string(blogpost.tags), license=blogpost.license) form = blog_forms.BlogPostEditForm(request.form, **defaults) if request.method == 'POST' and form.validate(): blogpost.title = six.text_type(form.title.data) blogpost.description = six.text_type( cleaned_markdown_conversion((form.description.data))) blogpost.tags = convert_to_tag_list_of_dicts(form.tags.data) blogpost.license = six.text_type(form.license.data) set_blogpost_state(request, blogpost) blogpost.generate_slug() blogpost.save() add_message(request, SUCCESS, _('Woohoo! edited blogpost is submitted')) return redirect(request, "mediagoblin.media_types.blog.blog-dashboard", user=request.user.username, blog_slug=blog.slug) return render_to_response( request, 'mediagoblin/blog/blog_post_edit_create.html', { 'form': form, 'app_config': mg_globals.app_config, 'user': request.user.username, 'blog_post_slug': blog_post_slug })
def media_post_comment(request): """ recieves POST from a MediaEntry() comment form, saves the comment. """ comment = request.db.MediaComment() comment['media_entry'] = ObjectId(request.matchdict['media']) comment['author'] = request.user['_id'] comment['content'] = request.POST['comment'] comment['content_html'] = cleaned_markdown_conversion(comment['content']) comment.save() messages.add_message(request, messages.SUCCESS, 'Comment posted!') return redirect(request, 'mediagoblin.user_pages.media_home', media=request.matchdict['media'], user=request.matchdict['user'])
def blog_delete(request, **kwargs): """ Deletes a blog and media entries, tags associated with it. """ url_user = request.matchdict.get('user') owner_user = request.db.LocalUser.query.filter( LocalUser.username == url_user).first() blog_slug = request.matchdict.get('blog_slug', None) blog = get_blog_by_slug(request, blog_slug, author=owner_user.id) if not blog: return render_404(request) form = blog_forms.ConfirmDeleteForm(request.form) if request.user.id == blog.author or request.user.has_privilege(u'admin'): if request.method == 'POST' and form.validate(): if form.confirm.data is True: blog.delete() messages.add_message(request, messages.SUCCESS, _('You deleted the Blog.')) return redirect( request, "mediagoblin.media_types.blog.blog_admin_dashboard", user=request.user.username) else: messages.add_message( request, messages.ERROR, _("The media was not deleted because you didn't check " "that you were sure.")) return redirect( request, "mediagoblin.media_types.blog.blog_admin_dashboard", user=request.user.username) else: if request.user.has_privilege(u'admin'): messages.add_message( request, messages.WARNING, _("You are about to delete another user's Blog. " "Proceed with caution.")) return render_to_response( request, 'mediagoblin/blog/blog_confirm_delete.html', { 'blog': blog, 'form': form }) else: messages.add_message( request, messages.ERROR, _("The blog was not deleted because you have no rights.")) return redirect(request, "mediagoblin.media_types.blog.blog_admin_dashboard", user=request.user.username)
def resend_activation(request): """ The reactivation view Resend the activation email. """ if request.user is None: messages.add_message( request, messages.ERROR, _('You must be logged in so we know who to send the email to!')) return redirect(request, 'mediagoblin.auth.login') if request.user.has_privilege(u'active'): messages.add_message(request, messages.ERROR, _("You've already verified your email address!")) return redirect(request, "mediagoblin.user_pages.user_home", user=request.user.username) email_debug_message(request) send_verification_email(request.user, request) messages.add_message(request, messages.INFO, _('Resent your verification email.')) return redirect(request, 'mediagoblin.user_pages.user_home', user=request.user.username)