def get_tiddlers(environ, start_response): """ Get the list of tiddlers produced by this recipe. """ usersign = environ['tiddlyweb.usersign'] store = environ['tiddlyweb.store'] filters = environ['tiddlyweb.filters'] recipe = _determine_recipe(environ) title = 'Tiddlers From Recipe %s' % recipe.name title = environ['tiddlyweb.query'].get('title', [title])[0] # check the recipe can be read recipe.policy.allows(usersign, 'read') # check the bags in the recipe can be read try: template = control.recipe_template(environ) for bag_name, _ in recipe.get_recipe(template): bag = Bag(bag_name) bag = store.get(bag) bag.policy.allows(usersign, 'read') except NoBagError, exc: raise HTTP404('recipe %s lists an unknown bag: %s' % (recipe.name, exc))
def _valid_bag(self, environ, space, container_name): """ Return True if the requested entity is part of the current space's recipe or an ADMIN BAG. Otherwise return False indicating that privileges will be dropped. """ store = environ['tiddlyweb.store'] recipe_name = determine_space_recipe(environ, space.name) space_recipe = store.get(Recipe(recipe_name)) template = recipe_template(environ) recipe_bags = [bag for bag, _ in space_recipe.get_recipe(template)] recipe_bags.extend(space.extra_bags()) if environ['REQUEST_METHOD'] == 'GET': if container_name in recipe_bags: return True if container_name in ADMIN_BAGS: return True else: base_bags = space.list_bags() # add bags in the recipe which may have been added # by the recipe mgt. That is: bags which are not # included and not core. acceptable_bags = [bag for bag in recipe_bags if not ( Space.bag_is_public(bag) or Space.bag_is_private(bag) or Space.bag_is_associate(bag))] acceptable_bags.extend(base_bags) acceptable_bags.extend(ADMIN_BAGS) if container_name in acceptable_bags: return True return False
def _valid_bag(self, environ, space, container_name): """ Return True if the requested entity is part of the current space's recipe or an ADMIN BAG. Otherwise return False indicating that privileges will be dropped. """ store = environ['tiddlyweb.store'] recipe_name = determine_space_recipe(environ, space.name) space_recipe = store.get(Recipe(recipe_name)) template = recipe_template(environ) recipe_bags = [bag for bag, _ in space_recipe.get_recipe(template)] recipe_bags.extend(space.extra_bags()) if environ['REQUEST_METHOD'] == 'GET': if container_name in recipe_bags: return True if container_name in ADMIN_BAGS: return True else: base_bags = space.list_bags() # add bags in the recipe which may have been added # by the recipe mgt. That is: bags which are not # included and not core. acceptable_bags = [ bag for bag in recipe_bags if not (Space.bag_is_public(bag) or Space.bag_is_private(bag) or Space.bag_is_associate(bag)) ] acceptable_bags.extend(base_bags) acceptable_bags.extend(ADMIN_BAGS) if container_name in acceptable_bags: return True return False
def get_tiddlers(environ, start_response): """ Handle ``GET`` on a tiddlers-within-a-recipe URI. Get a list representation of the :py:class:`tiddlers <tiddlyweb.model.tiddler.Tiddler>` generated from a :py:class:`recipe <tiddlyweb.model.recipe.Recipe>`. The information sent is dependent on the serialization chosen via :py:mod:`tiddlyweb.web.negotiate`. """ usersign = environ['tiddlyweb.usersign'] store = environ['tiddlyweb.store'] filters = environ['tiddlyweb.filters'] recipe = _determine_recipe(environ) title = 'Tiddlers From Recipe %s' % recipe.name title = environ['tiddlyweb.query'].get('title', [title])[0] # check the recipe can be read recipe.policy.allows(usersign, 'read') # check the bags in the recipe can be read try: template = control.recipe_template(environ) for bag_name, _ in recipe.get_recipe(template): bag = Bag(bag_name) bag = store.get(bag) bag.policy.allows(usersign, 'read') except NoBagError as exc: raise HTTP404('recipe %s lists an unknown bag: %s' % (recipe.name, exc)) # from this point forward we know the tiddlers are # readable # get the tiddlers from the recipe and uniquify them try: candidate_tiddlers = control.get_tiddlers_from_recipe(recipe, environ) except NoBagError as exc: raise HTTP404('recipe %s lists an unknown bag: %s' % (recipe.name, exc)) except FilterError as exc: raise HTTP400('malformed filter: %s' % exc) tiddlers = Tiddlers(title=title) if not filters: tiddlers.store = store tiddlers.recipe = recipe.name for tiddler in candidate_tiddlers: tiddler.recipe = recipe.name tiddlers.add(tiddler) tiddlers.link = '%s/tiddlers' % web.recipe_url(environ, recipe, full=False) return send_tiddlers(environ, start_response, tiddlers=tiddlers)
def test_get_recipe(): recipe = Recipe('templated') recipe.set_recipe([('common', 'select=topic:{{ id:default }}'), ('{{ user }}', ''), ('system', '')]) stuff = recipe.get_recipe() assert stuff[0][1] == 'select=topic:{{ id:default }}' assert stuff[1][0] == '{{ user }}' filled = recipe.get_recipe(recipe_template(environ)) assert filled[0][1] == 'select=topic:default' assert filled[1][0] == 'JohnSmith'
def test_get_recipe(): recipe = Recipe('templated') recipe.set_recipe([ ('common', 'select=topic:{{ id:default }}'), ('{{ user }}', ''), ('system', '') ]) stuff = recipe.get_recipe() assert stuff[0][1] == 'select=topic:{{ id:default }}' assert stuff[1][0] == '{{ user }}' filled = recipe.get_recipe(recipe_template(environ)) assert filled[0][1] == 'select=topic:default' assert filled[1][0] == 'JohnSmith'
def _handle_dropping_privs(self, environ, req_uri): if environ['tiddlyweb.usersign']['name'] == 'GUEST': return http_host, _ = determine_host(environ) space_name = determine_space(environ, http_host) if space_name == None: return space = Space(space_name) store = environ['tiddlyweb.store'] container_name = req_uri.split('/')[2] if req_uri.startswith('/bags/'): recipe_name = determine_space_recipe(environ, space_name) space_recipe = store.get(Recipe(recipe_name)) template = recipe_template(environ) recipe_bags = [bag for bag, _ in space_recipe.get_recipe(template)] recipe_bags.extend(space.extra_bags()) if environ['REQUEST_METHOD'] == 'GET': if container_name in recipe_bags: return if container_name in ADMIN_BAGS: return else: base_bags = space.list_bags() # add bags in the recipe which may have been added # by the recipe mgt. That is: bags which are not # included and not core. acceptable_bags = [ bag for bag in recipe_bags if not (Space.bag_is_public(bag) or Space.bag_is_private( bag) or Space.bag_is_associate(bag)) ] acceptable_bags.extend(base_bags) acceptable_bags.extend(ADMIN_BAGS) if container_name in acceptable_bags: return if (req_uri.startswith('/recipes/') and container_name in space.list_recipes()): return self._drop_privs(environ) return
def _handle_dropping_privs(self, environ, req_uri): if environ['tiddlyweb.usersign']['name'] == 'GUEST': return http_host, _ = determine_host(environ) space_name = determine_space(environ, http_host) if space_name == None: return space = Space(space_name) store = environ['tiddlyweb.store'] container_name = req_uri.split('/')[2] if req_uri.startswith('/bags/'): recipe_name = determine_space_recipe(environ, space_name) space_recipe = store.get(Recipe(recipe_name)) template = recipe_template(environ) recipe_bags = [bag for bag, _ in space_recipe.get_recipe(template)] recipe_bags.extend(space.extra_bags()) if environ['REQUEST_METHOD'] == 'GET': if container_name in recipe_bags: return if container_name in ADMIN_BAGS: return else: base_bags = space.list_bags() # add bags in the recipe which may have been added # by the recipe mgt. That is: bags which are not # included and not core. acceptable_bags = [bag for bag in recipe_bags if not ( Space.bag_is_public(bag) or Space.bag_is_private(bag) or Space.bag_is_associate(bag))] acceptable_bags.extend(base_bags) acceptable_bags.extend(ADMIN_BAGS) if container_name in acceptable_bags: return if (req_uri.startswith('/recipes/') and container_name in space.list_recipes()): return self._drop_privs(environ) return
def _delete_duplicates(environ, titles, recipe_name, space_name): store = environ['tiddlyweb.store'] try: recipe = store.get(Recipe(recipe_name)) template = control.recipe_template(environ) recipe_list = recipe.get_recipe(template) space_bags = [bag for bag, _ in recipe_list if bag.startswith('%s_' % space_name)] for title in titles: for bag in space_bags: try: tiddler = Tiddler(title, bag) tiddler = store.get(tiddler) except NoTiddlerError: continue store.delete(tiddler) except NoRecipeError, exc: raise HTTP404('space recipe not found while trying safe mode: %s' % exc)
def _handle_core_request(self, environ, req_uri): """ Override a core request, adding filters or sending 404s where necessary to limit the view of entities. filtering can be disabled with a custom HTTP header X-ControlView set to false """ http_host, host_url = determine_host(environ) request_method = environ['REQUEST_METHOD'] disable_ControlView = environ.get('HTTP_X_CONTROLVIEW') == 'false' if http_host != host_url and not disable_ControlView: space_name = determine_space(environ, http_host) if space_name == None: return recipe_name = determine_space_recipe(environ, space_name) store = environ['tiddlyweb.store'] try: recipe = store.get(Recipe(recipe_name)) except NoRecipeError, exc: raise HTTP404('No recipe for space: %s', exc) space = Space(space_name) template = recipe_template(environ) bags = space.extra_bags() for bag, _ in recipe.get_recipe(template): bags.append(bag) bags.extend(ADMIN_BAGS) filter_string = None if req_uri.startswith('/recipes') and req_uri.count('/') == 1: filter_string = 'oom=name:' if recipe_name == space.private_recipe(): filter_parts = space.list_recipes() else: filter_parts = [space.public_recipe()] filter_string += ','.join(filter_parts) elif req_uri.startswith('/bags') and req_uri.count('/') == 1: filter_string = 'oom=name:' filter_parts = bags filter_string += ','.join(filter_parts) elif req_uri.startswith('/search') and req_uri.count('/') == 1: filter_string = 'oom=bag:' filter_parts = bags filter_string += ','.join(filter_parts) else: entity_name = req_uri.split('/')[2] if '/recipes/' in req_uri: valid_recipes = space.list_recipes() if entity_name not in valid_recipes: raise HTTP404('recipe %s not found' % entity_name) else: if entity_name not in bags: raise HTTP404('bag %s not found' % entity_name) if filter_string: filters, _ = parse_for_filters(filter_string) for single_filter in filters: environ['tiddlyweb.filters'].insert(0, single_filter)
def _handle_core_request(self, environ, req_uri, start_response): """ Override a core request, adding filters or sending 404s where necessary to limit the view of entities. filtering can be disabled with a custom HTTP header X-ControlView set to false """ http_host, host_url = determine_host(environ) disable_ControlView = environ.get('HTTP_X_CONTROLVIEW') == 'false' if http_host != host_url and not disable_ControlView: space_name = determine_space(environ, http_host) if space_name == None: return None recipe_name = determine_space_recipe(environ, space_name) store = environ['tiddlyweb.store'] try: recipe = store.get(Recipe(recipe_name)) except NoRecipeError, exc: raise HTTP404('No recipe for space: %s', exc) space = Space(space_name) template = recipe_template(environ) bags = space.extra_bags() for bag, _ in recipe.get_recipe(template): bags.append(bag) bags.extend(ADMIN_BAGS) search_string = None if req_uri.startswith('/recipes') and req_uri.count('/') == 1: serialize_type, mime_type = get_serialize_type(environ) serializer = Serializer(serialize_type, environ) if recipe_name == space.private_recipe(): recipes = space.list_recipes() else: recipes = [space.public_recipe()] def lister(): for recipe in recipes: yield Recipe(recipe) return list_entities(environ, start_response, mime_type, lister, serializer.list_recipes) elif req_uri.startswith('/bags') and req_uri.count('/') == 1: serialize_type, mime_type = get_serialize_type(environ) serializer = Serializer(serialize_type, environ) def lister(): for bag in bags: yield Bag(bag) return list_entities(environ, start_response, mime_type, lister, serializer.list_bags) elif req_uri.startswith('/search') and req_uri.count('/') == 1: search_string = ' OR '.join(['bag:%s' % bag for bag in bags]) else: entity_name = urllib.unquote( req_uri.split('/')[2]).decode('utf-8') if '/recipes/' in req_uri: valid_recipes = space.list_recipes() if entity_name not in valid_recipes: raise HTTP404('recipe %s not found due to ControlView' % entity_name) else: if entity_name not in bags: raise HTTP404('bag %s not found due to ControlView' % entity_name) if search_string: search_query = environ['tiddlyweb.query'].get('q', [''])[0] environ['tiddlyweb.query.original'] = search_query if search_query: search_query = '%s AND (%s)' % (search_query, search_string) environ['tiddlyweb.query']['q'][0] = search_query else: search_query = '(%s)' % search_string environ['tiddlyweb.query']['q'] = [search_query]
def test_get_template_from_recipe_template(): template = recipe_template(environ) assert template['user'] == 'JohnSmith' assert template['foo'] == 'bar'
def _handle_core_request(self, environ, req_uri, start_response): """ Override a core request, adding filters or sending 404s where necessary to limit the view of entities. filtering can be disabled with a custom HTTP header X-ControlView set to false """ http_host, host_url = determine_host(environ) disable_ControlView = environ.get('HTTP_X_CONTROLVIEW') == 'false' if http_host != host_url and not disable_ControlView: space_name = determine_space(environ, http_host) if space_name == None: return None recipe_name = determine_space_recipe(environ, space_name) store = environ['tiddlyweb.store'] try: recipe = store.get(Recipe(recipe_name)) except NoRecipeError, exc: raise HTTP404('No recipe for space: %s', exc) space = Space(space_name) template = recipe_template(environ) bags = space.extra_bags() for bag, _ in recipe.get_recipe(template): bags.append(bag) bags.extend(ADMIN_BAGS) search_string = None if req_uri.startswith('/recipes') and req_uri.count('/') == 1: serialize_type, mime_type = get_serialize_type(environ) serializer = Serializer(serialize_type, environ) if recipe_name == space.private_recipe(): recipes = space.list_recipes() else: recipes = [space.public_recipe()] def lister(): for recipe in recipes: yield Recipe(recipe) return list_entities(environ, start_response, mime_type, lister, serializer.list_recipes) elif req_uri.startswith('/bags') and req_uri.count('/') == 1: serialize_type, mime_type = get_serialize_type(environ) serializer = Serializer(serialize_type, environ) def lister(): for bag in bags: yield Bag(bag) return list_entities(environ, start_response, mime_type, lister, serializer.list_bags) elif req_uri.startswith('/search') and req_uri.count('/') == 1: search_string = ' OR '.join(['bag:%s' % bag for bag in bags]) else: entity_name = urllib.unquote( req_uri.split('/')[2]).decode('utf-8') if '/recipes/' in req_uri: valid_recipes = space.list_recipes() if entity_name not in valid_recipes: raise HTTP404( 'recipe %s not found due to ControlView' % entity_name) else: if entity_name not in bags: raise HTTP404('bag %s not found due to ControlView' % entity_name) if search_string: search_query = environ['tiddlyweb.query'].get('q', [''])[0] environ['tiddlyweb.query.original'] = search_query if search_query: search_query = '%s AND (%s)' % (search_query, search_string) environ['tiddlyweb.query']['q'][0] = search_query else: search_query = '(%s)' % search_string environ['tiddlyweb.query']['q'] = [search_query]
class ControlView(object): """ WSGI Middleware which adapts an incoming request to restrict what entities from the store are visible to the requestor. The effective result is that only those bags and recipes contained in the current space are visible in the HTTP routes. Filtering can be disabled with a custom HTTP header X-ControlView set to the string 'false'. """ def __init__(self, application): self.application = application def __call__(self, environ, start_response): req_uri = environ.get('SCRIPT_NAME', '') + environ.get('PATH_INFO', '') disable_control_view = (environ.get('HTTP_X_CONTROLVIEW', '').lower() == 'false') http_host, host_url = determine_host(environ) if http_host != host_url: space_name = determine_space(environ, http_host) if (space_name is not None and not disable_control_view and (req_uri.startswith('/bags') or req_uri.startswith('/search') or req_uri.startswith('/recipes'))): response = self._handle_core_request(environ, req_uri, space_name, start_response) if response: return response return self.application(environ, start_response) def _handle_core_request(self, environ, req_uri, space_name, start_response): """ Override a core request, adding filters or sending 404s where necessary to limit the visibility of entities. """ recipe_name = determine_space_recipe(environ, space_name) store = environ['tiddlyweb.store'] try: recipe = store.get(Recipe(recipe_name)) except NoRecipeError, exc: raise HTTP404('No recipe for space: %s', exc) space = Space(space_name) visible_bags = space.extra_bags() for bag, _ in recipe.get_recipe(recipe_template(environ)): visible_bags.append(bag) visible_bags.extend(ADMIN_BAGS) if req_uri.startswith('/recipes') and req_uri.count('/') == 1: if recipe_name == space.private_recipe(): recipes = space.list_recipes() else: recipes = [space.public_recipe()] def lister(): """List recipes""" for recipe in recipes: yield Recipe(recipe) return list_entities(environ, start_response, 'list_recipes', store_list=lister) elif req_uri.startswith('/bags') and req_uri.count('/') == 1: def lister(): """List bags""" for bag in visible_bags: yield Bag(bag) return list_entities(environ, start_response, 'list_bags', store_list=lister) elif req_uri.startswith('/search') and req_uri.count('/') == 1: self._handle_search(environ, visible_bags) else: self._handle_descendant(req_uri, space, visible_bags)