class WebLogController(RedditController):
on_validation_error = staticmethod(abort_with_error)
@validate(
VRatelimit(rate_user=False, rate_ip=True, prefix='rate_weblog_'),
level=VOneOf('level', ('error',)),
logs=VValidatedJSON('logs',
VValidatedJSON.ArrayOf(VValidatedJSON.Object({
'msg': VPrintable('msg', max_length=256),
'url': VPrintable('url', max_length=256),
}))
),
)
def POST_message(self, level, logs):
# prevent simple CSRF by requiring a custom header
if not request.headers.get('X-Loggit'):
abort(403)
uid = c.user._id if c.user_is_loggedin else '-'
# only accept a maximum of 3 entries per request
for log in logs[:3]:
g.log.warning('[web frontend] %s: %s | U: %s FP: %s UA: %s',
level, log['msg'], uid, log['url'],
request.user_agent)
VRatelimit.ratelimit(rate_user=False, rate_ip=True,
prefix="rate_weblog_", seconds=10)
class LiveUpdateAdminController(RedditController):
@validate(VAdmin())
def GET_happening_now(self):
featured_event_fullnames = get_all_featured_events()
featured_events = {}
for target, event_id in featured_event_fullnames.iteritems():
event = LiveUpdateEvent._by_fullname(event_id)
featured_events[target] = event
return AdminPage(
content=pages.HappeningNowAdmin(featured_events),
title='live: happening now',
nav_menus=[]
).render()
@validate(
VAdmin(),
VModhash(),
featured_thread=VLiveUpdateEventUrl('url'),
target=VOneOf("target", [country.alpha2 for country in iso3166.countries]),
)
def POST_happening_now(self, featured_thread, target):
if featured_thread:
if not target:
abort(400)
NamedGlobals.set(HAPPENING_NOW_KEY,
{target: featured_thread._fullname})
else:
NamedGlobals.set(HAPPENING_NOW_KEY, None)
self.redirect('/admin/happening-now')
class WebLogController(RedditController):
on_validation_error = staticmethod(abort_with_error)
@csrf_exempt
@validate(
VRatelimit(rate_user=False, rate_ip=True, prefix='rate_weblog_'),
level=VOneOf('level', ('error', )),
logs=VValidatedJSON(
'logs',
VValidatedJSON.ArrayOf(
VValidatedJSON.PartialObject({
'msg':
VPrintable('msg', max_length=256),
'url':
VPrintable('url', max_length=256),
'tag':
VPrintable('tag', max_length=32),
}))),
)
def POST_message(self, level, logs):
# Whitelist tags to keep the frontend from creating too many keys in statsd
valid_frontend_log_tags = {
'unknown',
'jquery-migrate-bad-html',
}
# prevent simple CSRF by requiring a custom header
if not request.headers.get('X-Loggit'):
abort(403)
uid = c.user._id if c.user_is_loggedin else '-'
# only accept a maximum of 3 entries per request
for log in logs[:3]:
if 'msg' not in log or 'url' not in log:
continue
tag = 'unknown'
if log.get('tag') in valid_frontend_log_tags:
tag = log['tag']
g.stats.simple_event('frontend.error.' + tag)
g.log.warning('[web frontend] %s: %s | U: %s FP: %s UA: %s', level,
log['msg'], uid, log['url'], request.user_agent)
VRatelimit.ratelimit(rate_user=False,
rate_ip=True,
prefix="rate_weblog_",
seconds=10)
class OAuth2AccessController(MinimalController):
def pre(self):
set_extension(request.environ, "json")
MinimalController.pre(self)
require_https()
c.oauth2_client = self._get_client_auth()
def _get_client_auth(self):
auth = request.headers.get("Authorization")
try:
client_id, client_secret = parse_http_basic(auth)
client = OAuth2Client.get_token(client_id)
require(client)
require(constant_time_compare(client.secret, client_secret))
return client
except RequirementException:
abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])
@validate(grant_type=VOneOf(
"grant_type", ("authorization_code", "refresh_token", "password")))
def POST_access_token(self, grant_type):
"""
Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
or refresh token (from [/api/v1/authorize](#api_method_authorize)) for
an access token.
On success, returns a URL-encoded dictionary containing
**access_token**, **token_type**, **expires_in**, and **scope**.
If an authorization code for a permanent grant was given, a
**refresh_token** will be included. If there is a problem, an **error**
parameter will be returned instead.
Must be called using SSL, and must contain a HTTP `Authorization:`
header which contains the application's client identifier as the
username and client secret as the password. (The client id and secret
are visible on the [app preferences page](/prefs/apps).)
Per the OAuth specification, **grant_type** must
be ``authorization_code`` for the initial access token or
``refresh_token`` for renewing the access token.
**redirect_uri** must exactly match the value that was used in the call
to [/api/v1/authorize](#api_method_authorize) that created this grant.
"""
if grant_type == "authorization_code":
return self._access_token_code()
elif grant_type == "refresh_token":
return self._access_token_refresh()
elif grant_type == "password":
return self._access_token_password()
else:
resp = {"error": "unsupported_grant_type"}
return self.api_wrapper(resp)
def _check_for_errors(self):
resp = {}
if (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return resp
def _make_token_dict(self, access_token, refresh_token=None):
if not access_token:
return {"error": "invalid_grant"}
expires_in = int(access_token._ttl) if access_token._ttl else None
resp = {
"access_token": access_token._id,
"token_type": access_token.token_type,
"expires_in": expires_in,
"scope": access_token.scope,
}
if refresh_token:
resp["refresh_token"] = refresh_token._id
return resp
@validate(code=nop("code"),
redirect_uri=VRequired("redirect_uri",
errors.OAUTH2_INVALID_REDIRECT_URI))
def _access_token_code(self, code, redirect_uri):
if not code:
c.errors.add("NO_TEXT", field="code")
if c.errors:
return self.api_wrapper(self._check_for_errors())
access_token = None
refresh_token = None
auth_token = OAuth2AuthorizationCode.use_token(code,
c.oauth2_client._id,
redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
auth_token.client_id, auth_token.user_id, auth_token.scope)
access_token = OAuth2AccessToken._new(
auth_token.client_id, auth_token.user_id, auth_token.scope,
refresh_token._id if refresh_token else None)
resp = self._make_token_dict(access_token, refresh_token)
return self.api_wrapper(resp)
@validate(refresh_token=VOAuth2RefreshToken("refresh_token"))
def _access_token_refresh(self, refresh_token):
resp = {}
access_token = None
if refresh_token:
access_token = OAuth2AccessToken._new(
refresh_token.client_id,
refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
else:
c.errors.add("NO_TEXT", field="refresh_token")
if c.errors:
resp = self._check_for_errors()
else:
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
@validate(user=VThrottledLogin(["username", "password"]),
scope=nop("scope"))
def _access_token_password(self, user, scope):
# username:password auth via OAuth is only allowed for
# private use scripts
client = c.oauth2_client
if client.app_type != "script":
return self.api_wrapper({
"error":
"unauthorized_client",
"error_description":
"Only script apps may use password auth"
})
dev_ids = client._developer_ids
if not user or user._id not in dev_ids:
return self.api_wrapper({"error": "invalid_grant"})
if c.errors:
return self.api_wrapper(self._check_for_errors())
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(client._id, user._id36, scope)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
'name':
VSubredditName('name', allow_language_srs=True),
})
MAX_DESC = 10000
MAX_DISP_NAME = 50
WRITABLE_MULTI_FIELDS = ('visibility', 'description_md', 'display_name',
'key_color', 'weighting_scheme')
multi_json_spec = VValidatedJSON.PartialObject({
'description_md':
VMarkdownLength('description_md', max_length=MAX_DESC, empty_error=None),
'display_name':
VLength('display_name', max_length=MAX_DISP_NAME),
'icon_name':
VOneOf('icon_name', g.multi_icons + ("", None)),
'key_color':
VColor('key_color'),
'visibility':
VOneOf('visibility', ('private', 'public', 'hidden')),
'weighting_scheme':
VOneOf('weighting_scheme', ('classic', 'fresh')),
'subreddits':
VValidatedJSON.ArrayOf(multi_sr_data_json_spec),
})
multi_description_json_spec = VValidatedJSON.Object({
'body_md':
VMarkdownLength('body_md', max_length=MAX_DESC, empty_error=None),
})
class PromoteController(ListingController):
where = 'promoted'
render_cls = PromotePage
@property
def title_text(self):
return _('promoted by you')
@classmethod
@memoize('live_by_subreddit', time=300)
def live_by_subreddit(cls, sr):
if sr == Frontpage:
sr_id = ''
else:
sr_id = sr._id
r = LiveAdWeights.get([sr_id])
return [i.link for i in r[sr_id]]
@classmethod
@memoize('subreddits_with_promos', time=3600)
def subreddits_with_promos(cls):
sr_ids = LiveAdWeights.get_live_subreddits()
srs = Subreddit._byID(sr_ids, return_dict=False)
sr_names = sorted([sr.name for sr in srs], key=lambda s: s.lower())
return sr_names
@property
def menus(self):
filters = [
NamedButton('all_promos', dest=''),
NamedButton('future_promos'),
NamedButton('unpaid_promos'),
NamedButton('rejected_promos'),
NamedButton('pending_promos'),
NamedButton('live_promos'),
]
menus = [
NavMenu(filters,
base_path='/promoted',
title='show',
type='lightdrop')
]
if self.sort == 'live_promos' and c.user_is_sponsor:
sr_names = self.subreddits_with_promos()
buttons = [NavButton(name, name) for name in sr_names]
frontbutton = NavButton('FRONTPAGE',
Frontpage.name,
aliases=[
'/promoted/live_promos/%s' %
urllib.quote(Frontpage.name)
])
buttons.insert(0, frontbutton)
buttons.insert(0, NavButton('all', ''))
menus.append(
NavMenu(buttons,
base_path='/promoted/live_promos',
title='subreddit',
type='lightdrop'))
return menus
def keep_fn(self):
def keep(item):
if item.promoted and not item._deleted:
return True
else:
return False
return keep
def query(self):
if c.user_is_sponsor:
if self.sort == "future_promos":
return queries.get_all_unapproved_links()
elif self.sort == "pending_promos":
return queries.get_all_accepted_links()
elif self.sort == "unpaid_promos":
return queries.get_all_unpaid_links()
elif self.sort == "rejected_promos":
return queries.get_all_rejected_links()
elif self.sort == "live_promos" and self.sr:
return self.live_by_subreddit(self.sr)
elif self.sort == 'live_promos':
return queries.get_all_live_links()
elif self.sort == 'underdelivered':
q = queries.get_underdelivered_campaigns()
campaigns = PromoCampaign._by_fullname(list(q),
data=True,
return_dict=False)
link_ids = [camp.link_id for camp in campaigns]
return [Link._fullname_from_id36(to36(id)) for id in link_ids]
return queries.get_all_promoted_links()
else:
if self.sort == "future_promos":
return queries.get_unapproved_links(c.user._id)
elif self.sort == "pending_promos":
return queries.get_accepted_links(c.user._id)
elif self.sort == "unpaid_promos":
return queries.get_unpaid_links(c.user._id)
elif self.sort == "rejected_promos":
return queries.get_rejected_links(c.user._id)
elif self.sort == "live_promos":
return queries.get_live_links(c.user._id)
return queries.get_promoted_links(c.user._id)
@validate(VSponsor(), sr=nop('sr'))
def GET_listing(self, sr=None, sort="", **env):
if not c.user_is_loggedin or not c.user.email_verified:
return self.redirect("/ad_inq")
self.sort = sort
self.sr = None
if sr and sr == Frontpage.name:
self.sr = Frontpage
elif sr:
try:
self.sr = Subreddit._by_name(sr)
except NotFound:
pass
return ListingController.GET_listing(self, **env)
GET_index = GET_listing
@validate(VSponsor())
def GET_new_promo(self):
return PromotePage('content', content=PromoteLinkNew()).render()
@validate(VSponsor('link'), link=VLink('link'))
def GET_edit_promo(self, link):
if not link or link.promoted is None:
return self.abort404()
rendered = wrap_links(link,
wrapper=promote.sponsor_wrapper,
skip=False)
form = PromoteLinkForm(link, rendered)
page = PromotePage('new_promo', content=form)
return page.render()
# admin only because the route might change
@validate(VSponsorAdmin('campaign'), campaign=VPromoCampaign('campaign'))
def GET_edit_promo_campaign(self, campaign):
if not campaign:
return self.abort404()
link = Link._byID(campaign.link_id)
return self.redirect(promote.promo_edit_url(link))
@json_validate(sr=VSubmitSR('sr', promotion=True),
start=VDate('startdate'),
end=VDate('enddate'))
def GET_check_inventory(self, responder, sr, start, end):
sr = sr or Frontpage
available_by_datestr = inventory.get_available_pageviews(sr,
start,
end,
datestr=True)
return {'inventory': available_by_datestr}
@validate(VSponsor(),
dates=VDateRange(["startdate", "enddate"],
max_range=timedelta(days=28),
required=False))
def GET_graph(self, dates):
start, end, bad_dates = _check_dates(dates)
return PromotePage("graph",
content=Promote_Graph(
start, end, bad_dates=bad_dates)).render()
@validate(VSponsorAdmin(),
dates=VDateRange(["startdate", "enddate"],
max_range=timedelta(days=28),
required=False))
def GET_admingraph(self, dates):
start, end, bad_dates = _check_dates(dates)
content = Promote_Graph(start,
end,
bad_dates=bad_dates,
admin_view=True)
if c.render_style == 'csv':
return content.as_csv()
return PromotePage("admingraph", content=content).render()
# ## POST controllers below
@validatedForm(VSponsorAdmin(),
link=VLink("link_id"),
campaign=VPromoCampaign("campaign_id36"))
def POST_freebie(self, form, jquery, link, campaign):
if campaign_has_oversold_error(form, campaign):
form.set_html(".freebie", "target oversold, can't freebie")
return
if promote.is_promo(link) and campaign:
promote.free_campaign(link, campaign, c.user)
form.redirect(promote.promo_edit_url(link))
@validatedForm(VSponsorAdmin(), link=VByName("link"), note=nop("note"))
def POST_promote_note(self, form, jquery, link, note):
if promote.is_promo(link):
text = PromotionLog.add(link, note)
form.find(".notes").children(":last").after("<p>" + text + "</p>")
@noresponse(VSponsorAdmin(), thing=VByName('id'))
def POST_promote(self, thing):
if promote.is_promo(thing):
promote.accept_promotion(thing)
@noresponse(VSponsorAdmin(), thing=VByName('id'), reason=nop("reason"))
def POST_unpromote(self, thing, reason):
if promote.is_promo(thing):
promote.reject_promotion(thing, reason=reason)
@validate(VSponsorAdmin(),
link=VLink("link"),
campaign=VPromoCampaign("campaign"))
def GET_refund(self, link, campaign):
if campaign.link_id != link._id:
return self.abort404()
content = RefundPage(link, campaign)
return Reddit("refund", content=content, show_sidebar=False).render()
@validatedForm(VSponsorAdmin(),
link=VLink('link'),
campaign=VPromoCampaign('campaign'))
def POST_refund_campaign(self, form, jquery, link, campaign):
billable_impressions = promote.get_billable_impressions(campaign)
billable_amount = promote.get_billable_amount(campaign,
billable_impressions)
refund_amount = campaign.bid - billable_amount
if refund_amount > 0:
promote.refund_campaign(link, campaign, billable_amount)
form.set_html('.status', _('refund succeeded'))
else:
form.set_html('.status', _('refund not needed'))
@validatedForm(VSponsor('link_id'),
VModhash(),
VRatelimit(rate_user=True,
rate_ip=True,
prefix='create_promo_'),
VShamedDomain('url'),
l=VLink('link_id'),
title=VTitle('title'),
url=VUrl('url', allow_self=False, lookup=False),
ip=ValidIP(),
disable_comments=VBoolean("disable_comments"),
media_width=VInt("media-width", min=0),
media_height=VInt("media-height", min=0),
media_embed=VLength("media-embed", 1000),
media_override=VBoolean("media-override"),
domain_override=VLength("domain", 100))
def POST_edit_promo(self, form, jquery, ip, l, title, url,
disable_comments, media_height, media_width,
media_embed, media_override, domain_override):
should_ratelimit = False
if not c.user_is_sponsor:
should_ratelimit = True
if not should_ratelimit:
c.errors.remove((errors.RATELIMIT, 'ratelimit'))
# check for shame banned domains
if form.has_errors("url", errors.DOMAIN_BANNED):
g.stats.simple_event('spam.shame.link')
return
# demangle URL in canonical way
if url:
if isinstance(url, (unicode, str)):
form.set_inputs(url=url)
elif isinstance(url, tuple) or isinstance(url[0], Link):
# there's already one or more links with this URL, but
# we're allowing mutliple submissions, so we really just
# want the URL
url = url[0].url
# users can change the disable_comments on promoted links
if ((not l or not promote.is_promoted(l))
and (form.has_errors('title', errors.NO_TEXT, errors.TOO_LONG)
or form.has_errors('url', errors.NO_URL, errors.BAD_URL)
or jquery.has_errors('ratelimit', errors.RATELIMIT))):
return
if not l:
l = promote.new_promotion(title, url, c.user, ip)
elif promote.is_promo(l):
changed = False
# live items can only be changed by a sponsor, and also
# pay the cost of de-approving the link
trusted = c.user_is_sponsor or c.user.trusted_sponsor
if not promote.is_promoted(l) or trusted:
if title and title != l.title:
l.title = title
changed = not trusted
if url and url != l.url:
l.url = url
changed = not trusted
# only trips if the title and url are changed by a non-sponsor
if changed and not promote.is_unpaid(l):
promote.unapprove_promotion(l)
if trusted and promote.is_unapproved(l):
promote.accept_promotion(l)
# comment disabling is free to be changed any time.
l.disable_comments = disable_comments
if c.user_is_sponsor or c.user.trusted_sponsor:
if media_embed and media_width and media_height:
l.media_object = dict(height=media_height,
width=media_width,
content=media_embed,
type='custom')
else:
l.media_object = None
l.media_override = media_override
if getattr(l, "domain_override", False) or domain_override:
l.domain_override = domain_override
l._commit()
form.redirect(promote.promo_edit_url(l))
@validate(VSponsorAdmin())
def GET_roadblock(self):
return PromotePage('content', content=Roadblocks()).render()
@validatedForm(VSponsorAdmin(),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
future=1,
reference_date=promote.promo_datetime_now,
business_days=False,
sponsor_override=True),
sr=VSubmitSR('sr', promotion=True))
def POST_add_roadblock(self, form, jquery, dates, sr):
if (form.has_errors('startdate', errors.BAD_DATE,
errors.BAD_FUTURE_DATE)
or form.has_errors('enddate', errors.BAD_DATE,
errors.BAD_FUTURE_DATE,
errors.BAD_DATE_RANGE)):
return
if form.has_errors('sr', errors.SUBREDDIT_NOEXIST,
errors.SUBREDDIT_NOTALLOWED,
errors.SUBREDDIT_REQUIRED):
return
if dates and sr:
sd, ed = dates
PromotedLinkRoadblock.add(sr, sd, ed)
jquery.refresh()
@validatedForm(VSponsorAdmin(),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
future=1,
reference_date=promote.promo_datetime_now,
business_days=False,
sponsor_override=True),
sr=VSubmitSR('sr', promotion=True))
def POST_rm_roadblock(self, form, jquery, dates, sr):
if dates and sr:
sd, ed = dates
PromotedLinkRoadblock.remove(sr, sd, ed)
jquery.refresh()
@validatedForm(VSponsor('link_id'),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
future=1,
reference_date=promote.promo_datetime_now,
business_days=False,
sponsor_override=True),
link=VLink('link_id'),
bid=VBid('bid',
min=0,
max=g.max_promote_bid,
coerce=False,
error=errors.BAD_BID),
sr=VSubmitSR('sr', promotion=True),
campaign_id36=nop("campaign_id36"),
targeting=VLength("targeting", 10))
def POST_edit_campaign(self, form, jquery, link, campaign_id36, dates, bid,
sr, targeting):
if not link:
return
start, end = dates or (None, None)
author = Account._byID(link.author_id, data=True)
cpm = author.cpm_selfserve_pennies
if (start and end and not promote.is_accepted(link)
and not c.user_is_sponsor):
# if the ad is not approved already, ensure the start date
# is at least 2 days in the future
start = start.date()
end = end.date()
now = promote.promo_datetime_now()
future = make_offset_date(now,
g.min_promote_future,
business_days=True)
if start < future.date():
c.errors.add(errors.BAD_FUTURE_DATE,
msg_params=dict(day=g.min_promote_future),
field="startdate")
if (form.has_errors('startdate', errors.BAD_DATE,
errors.BAD_FUTURE_DATE)
or form.has_errors('enddate', errors.BAD_DATE,
errors.BAD_FUTURE_DATE,
errors.BAD_DATE_RANGE)):
return
# Limit the number of PromoCampaigns a Link can have
# Note that the front end should prevent the user from getting
# this far
existing_campaigns = list(PromoCampaign._by_link(link._id))
if len(existing_campaigns) > g.MAX_CAMPAIGNS_PER_LINK:
c.errors.add(errors.TOO_MANY_CAMPAIGNS,
msg_params={'count': g.MAX_CAMPAIGNS_PER_LINK},
field='title')
form.has_errors('title', errors.TOO_MANY_CAMPAIGNS)
return
if form.has_errors('bid', errors.BAD_BID):
return
if campaign_id36:
# you cannot edit the bid of a live ad unless it's a freebie
try:
campaign = PromoCampaign._byID36(campaign_id36)
if (bid != campaign.bid
and campaign.start_date < datetime.now(g.tz)
and not campaign.is_freebie()):
c.errors.add(errors.BID_LIVE, field='bid')
form.has_errors('bid', errors.BID_LIVE)
return
except NotFound:
pass
min_bid = 0 if c.user_is_sponsor else g.min_promote_bid
if bid is None or bid < min_bid:
c.errors.add(errors.BAD_BID,
field='bid',
msg_params={
'min': min_bid,
'max': g.max_promote_bid
})
form.has_errors('bid', errors.BAD_BID)
return
if targeting == 'one':
if form.has_errors('sr', errors.SUBREDDIT_NOEXIST,
errors.SUBREDDIT_NOTALLOWED,
errors.SUBREDDIT_REQUIRED):
# checking to get the error set in the form, but we can't
# check for rate-limiting if there's no subreddit
return
roadblock = PromotedLinkRoadblock.is_roadblocked(sr, start, end)
if roadblock and not c.user_is_sponsor:
msg_params = {
"start": roadblock[0].strftime('%m/%d/%Y'),
"end": roadblock[1].strftime('%m/%d/%Y')
}
c.errors.add(errors.OVERSOLD,
field='sr',
msg_params=msg_params)
form.has_errors('sr', errors.OVERSOLD)
return
elif targeting == 'none':
sr = None
# Check inventory
campaign_id = campaign._id if campaign_id36 else None
if has_oversold_error(form, campaign_id, start, end, bid, cpm, sr):
return
if campaign_id36 is not None:
campaign = PromoCampaign._byID36(campaign_id36)
promote.edit_campaign(link, campaign, dates, bid, cpm, sr)
r = promote.get_renderable_campaigns(link, campaign)
jquery.update_campaign(r.campaign_id36, r.start_date, r.end_date,
r.duration, r.bid, r.spent, r.cpm, r.sr,
r.status)
else:
campaign = promote.new_campaign(link, dates, bid, cpm, sr)
r = promote.get_renderable_campaigns(link, campaign)
jquery.new_campaign(r.campaign_id36, r.start_date, r.end_date,
r.duration, r.bid, r.spent, r.cpm, r.sr,
r.status)
@validatedForm(VSponsor('link_id'),
VModhash(),
l=VLink('link_id'),
campaign=VPromoCampaign("campaign_id36"))
def POST_delete_campaign(self, form, jquery, l, campaign):
if l and campaign:
promote.delete_campaign(l, campaign)
@validatedForm(VSponsor('container'),
VModhash(),
user=VExistingUname('name'),
thing=VByName('container'))
def POST_traffic_viewer(self, form, jquery, user, thing):
"""
Adds a user to the list of users allowed to view a promoted
link's traffic page.
"""
if not form.has_errors("name", errors.USER_DOESNT_EXIST,
errors.NO_USER):
form.set_inputs(name="")
form.set_html(".status:first", _("added"))
if promote.add_traffic_viewer(thing, user):
user_row = TrafficViewerList(thing).user_row(
'traffic_viewer', user)
jquery(".traffic_viewer-table").show().find(
"table").insert_table_rows(user_row)
# send the user a message
msg = user_added_messages['traffic']['pm']['msg']
subj = user_added_messages['traffic']['pm']['subject']
if msg and subj:
d = dict(url=thing.make_permalink_slow(),
traffic_url=promote.promo_traffic_url(thing),
title=thing.title)
msg = msg % d
item, inbox_rel = Message._new(c.user, user, subj, msg,
request.ip)
queries.new_message(item, inbox_rel)
@validatedForm(VSponsor('container'),
VModhash(),
iuser=VByName('id'),
thing=VByName('container'))
def POST_rm_traffic_viewer(self, form, jquery, iuser, thing):
if thing and iuser:
promote.rm_traffic_viewer(thing, iuser)
@validatedForm(
VSponsor('link'),
link=VByName("link"),
campaign=VPromoCampaign("campaign"),
customer_id=VInt("customer_id", min=0),
pay_id=VInt("account", min=0),
edit=VBoolean("edit"),
address=ValidAddress([
"firstName", "lastName", "company", "address", "city", "state",
"zip", "country", "phoneNumber"
],
allowed_countries=g.allowed_pay_countries),
creditcard=ValidCard(["cardNumber", "expirationDate", "cardCode"]))
def POST_update_pay(self, form, jquery, link, campaign, customer_id,
pay_id, edit, address, creditcard):
# Check inventory
if campaign_has_oversold_error(form, campaign):
return
address_modified = not pay_id or edit
form_has_errors = False
if address_modified:
if (form.has_errors([
"firstName", "lastName", "company", "address", "city",
"state", "zip", "country", "phoneNumber"
], errors.BAD_ADDRESS) or form.has_errors(
["cardNumber", "expirationDate", "cardCode"],
errors.BAD_CARD)):
form_has_errors = True
elif g.authorizenetapi:
pay_id = edit_profile(c.user, address, creditcard, pay_id)
else:
pay_id = 1
# if link is in use or finished, don't make a change
if pay_id and not form_has_errors:
# valid bid and created or existing bid id.
# check if already a transaction
if g.authorizenetapi:
success, reason = promote.auth_campaign(
link, campaign, c.user, pay_id)
else:
success = True
if success:
form.redirect(promote.promo_edit_url(link))
else:
form.set_html(
".status", reason
or _("failed to authenticate card. sorry."))
@validate(VSponsor("link"),
link=VLink("link"),
campaign=VPromoCampaign("campaign"))
def GET_pay(self, link, campaign):
# no need for admins to play in the credit card area
if c.user_is_loggedin and c.user._id != link.author_id:
return self.abort404()
if not campaign.link_id == link._id:
return self.abort404()
if g.authorizenetapi:
data = get_account_info(c.user)
content = PaymentForm(link,
campaign,
customer_id=data.customerProfileId,
profiles=data.paymentProfiles,
max_profiles=PROFILE_LIMIT)
else:
content = None
res = LinkInfoPage(link=link, content=content, show_sidebar=False)
return res.render()
def GET_link_thumb(self, *a, **kw):
"""
See GET_upload_sr_image for rationale
"""
return "nothing to see here."
@validate(VSponsor("link_id"),
link=VByName('link_id'),
file=VLength('file', 500 * 1024),
img_type=VImageType('img_type'))
def POST_link_thumb(self, link=None, file=None, img_type='jpg'):
if link and (not promote.is_promoted(link) or c.user_is_sponsor
or c.user.trusted_sponsor):
errors = dict(BAD_CSS_NAME="", IMAGE_ERROR="")
try:
# thumnails for promoted links can change and therefore expire
force_thumbnail(link, file, file_type=".%s" % img_type)
except cssfilter.BadImage:
# if the image doesn't clean up nicely, abort
errors["IMAGE_ERROR"] = _("bad image")
if any(errors.values()):
return UploadedImage("",
"",
"upload",
errors=errors,
form_id="image-upload").render()
else:
link._commit()
return UploadedImage(_('saved'),
thumbnail_url(link),
"",
errors=errors,
form_id="image-upload").render()
@validate(VSponsorAdmin(),
launchdate=VDate('ondate'),
dates=VDateRange(['startdate', 'enddate']),
query_type=VOneOf('q', ('started_on', 'between'), default=None))
def GET_admin(self, launchdate=None, dates=None, query_type=None):
return PromoAdminTool(query_type=query_type,
launchdate=launchdate,
start=dates[0],
end=dates[1]).render()
@validate(VSponsorAdminOrAdminSecret('secret'),
start=VDate('startdate'),
end=VDate('enddate'),
link_text=nop('link_text'),
owner=VAccountByName('owner'))
def GET_report(self, start, end, link_text=None, owner=None):
now = datetime.now(g.tz).replace(hour=0,
minute=0,
second=0,
microsecond=0)
end = end or now - timedelta(days=1)
start = start or end - timedelta(days=7)
links = []
bad_links = []
owner_name = owner.name if owner else ''
if owner:
promo_weights = PromotionWeights.get_campaigns(start,
end,
author_id=owner._id)
campaign_ids = [pw.promo_idx for pw in promo_weights]
campaigns = PromoCampaign._byID(campaign_ids, data=True)
link_ids = {camp.link_id for camp in campaigns.itervalues()}
links.extend(Link._byID(link_ids, data=True, return_dict=False))
if link_text is not None:
id36s = link_text.replace(',', ' ').split()
try:
links_from_text = Link._byID36(id36s, data=True)
except NotFound:
links_from_text = {}
bad_links = [id36 for id36 in id36s if id36 not in links_from_text]
links.extend(links_from_text.values())
content = PromoteReport(links, link_text, owner_name, bad_links, start,
end)
if c.render_style == 'csv':
return content.as_csv()
else:
return PromotePage('report', content=content).render()
class ApidocsController(RedditController):
@staticmethod
def docs_from_controller(controller, url_prefix='/api', oauth_only=False):
"""
Examines a controller for documentation. A dictionary index of
sections containing dictionaries of URLs is returned. For each URL, a
dictionary of HTTP methods (GET, POST, etc.) is contained. For each
URL/method pair, a dictionary containing the following items is
available:
- `doc`: Markdown-formatted docstring.
- `uri`: Manually-specified URI to list the API method as
- `uri_variants`: Alternate URIs to access the API method from
- `extensions`: URI extensions the API method supports
- `parameters`: Dictionary of possible parameter names and descriptions.
- `extends`: API method from which to inherit documentation
"""
api_docs = defaultdict(lambda: defaultdict(dict))
for name, func in controller.__dict__.iteritems():
method, sep, action = name.partition('_')
if not action:
continue
api_doc = getattr(func, '_api_doc', None)
if api_doc and 'section' in api_doc and method in ('GET', 'POST'):
docs = {}
docs['doc'] = inspect.getdoc(func)
if 'extends' in api_doc:
docs.update(api_doc['extends'])
# parameters are handled separately.
docs['parameters'] = {}
docs.update(api_doc)
uri = docs.get('uri') or '/'.join((url_prefix, action))
if 'extensions' in docs:
# if only one extension was specified, add it to the URI.
if len(docs['extensions']) == 1:
uri += '.' + docs['extensions'][0]
del docs['extensions']
docs['uri'] = uri
oauth_perms = getattr(func, 'oauth2_perms', {})
docs['oauth_scopes'] = oauth_perms.get('allowed_scopes', [])
# add every variant to the index -- the templates will filter
# out variants in the long-form documentation
if oauth_only:
if not docs['oauth_scopes']:
continue
for scope in docs['oauth_scopes']:
for variant in chain([uri],
docs.get('uri_variants', [])):
api_docs[scope][variant][method] = docs
else:
for variant in chain([uri], docs.get('uri_variants', [])):
api_docs[docs['section']][variant][method] = docs
return api_docs
@validate(
mode=VOneOf('mode', options=('methods', 'oauth'), default='methods'))
def GET_docs(self, mode):
# controllers to gather docs from.
from r2.controllers.api import ApiController, ApiminimalController
from r2.controllers.apiv1 import APIv1Controller
from r2.controllers.front import FrontController
from r2.controllers.wiki import WikiApiController
from r2.controllers import listingcontroller
api_controllers = [
(APIv1Controller, '/api/v1'),
(ApiController, '/api'),
(ApiminimalController, '/api'),
(WikiApiController, '/api/wiki'),
(FrontController, '')
]
for name, value in vars(listingcontroller).iteritems():
if name.endswith('Controller'):
api_controllers.append((value, ''))
# merge documentation info together.
api_docs = defaultdict(dict)
oauth_index = defaultdict(set)
for controller, url_prefix in api_controllers:
controller_docs = self.docs_from_controller(controller, url_prefix,
mode == 'oauth')
for section, contents in controller_docs.iteritems():
api_docs[section].update(contents)
for variant, method_dict in contents.iteritems():
for method, docs in method_dict.iteritems():
for scope in docs['oauth_scopes']:
oauth_index[scope].add((section, variant, method))
return BoringPage(
_('api documentation'),
content=ApiHelp(
api_docs=api_docs,
oauth_index=oauth_index,
mode=mode,
),
css_class="api-help",
show_sidebar=False,
show_infobar=False
).render()
class OAuth2AccessController(MinimalController):
handles_csrf = True
def pre(self):
set_extension(request.environ, "json")
MinimalController.pre(self)
require_https()
if request.method != "OPTIONS":
c.oauth2_client = self._get_client_auth()
def _get_client_auth(self):
auth = request.headers.get("Authorization")
try:
client_id, client_secret = parse_http_basic(auth)
require(client_id)
client = OAuth2Client.get_token(client_id)
require(client)
if client.is_confidential():
require(client_secret)
require(constant_time_compare(client.secret, client_secret))
return client
except RequirementException:
abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])
@validate(
grant_type=VOneOf("grant_type", (
"authorization_code",
"refresh_token",
"password",
"client_credentials",
"https://oauth.reddit.com/grants/installed_client",
)), )
def POST_access_token(self, grant_type):
"""
Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
or refresh token (from [/api/v1/authorize](#api_method_authorize)) for
an access token.
On success, returns a URL-encoded dictionary containing
**access_token**, **token_type**, **expires_in**, and **scope**.
If an authorization code for a permanent grant was given, a
**refresh_token** will be included. If there is a problem, an **error**
parameter will be returned instead.
Must be called using SSL, and must contain a HTTP `Authorization:`
header which contains the application's client identifier as the
username and client secret as the password. (The client id and secret
are visible on the [app preferences page](/prefs/apps).)
Per the OAuth specification, **grant_type** must be one of:
* ``authorization_code`` for the initial access token ("standard" OAuth2 flow)
* ``refresh_token`` for renewing the access token.
* ``password`` for script-type apps using password auth
* ``client_credentials`` for application-only (signed out) access - confidential clients
* ``https://oauth.reddit.com/grants/installed_client`` extension grant for application-only (signed out)
access - non-confidential (installed) clients
**redirect_uri** must exactly match the value that was used in the call
to [/api/v1/authorize](#api_method_authorize) that created this grant.
See reddit's [OAuth2 wiki](https://github.com/reddit/reddit/wiki/OAuth2) for
more information.
"""
if grant_type == "authorization_code":
return self._access_token_code()
elif grant_type == "refresh_token":
return self._access_token_refresh()
elif grant_type == "password":
return self._access_token_password()
elif grant_type == "client_credentials":
return self._access_token_client_credentials()
elif grant_type == "https://oauth.reddit.com/grants/installed_client":
return self._access_token_extension_client_credentials()
else:
resp = {"error": "unsupported_grant_type"}
return self.api_wrapper(resp)
def _check_for_errors(self):
resp = {}
if (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return resp
@classmethod
def _make_token_dict(cls, access_token, refresh_token=None):
if not access_token:
return {"error": "invalid_grant"}
expires_in = int(access_token._ttl) if access_token._ttl else None
resp = {
"access_token": access_token._id,
"token_type": access_token.token_type,
"expires_in": expires_in,
"scope": access_token.scope,
}
if refresh_token:
resp["refresh_token"] = refresh_token._id
return resp
@validate(code=nop("code"),
redirect_uri=VRequired("redirect_uri",
errors.OAUTH2_INVALID_REDIRECT_URI))
def _access_token_code(self, code, redirect_uri):
if not code:
c.errors.add("NO_TEXT", field="code")
if c.errors:
return self.api_wrapper(self._check_for_errors())
access_token = None
refresh_token = None
auth_token = OAuth2AuthorizationCode.use_token(code,
c.oauth2_client._id,
redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
auth_token.client_id, auth_token.user_id, auth_token.scope)
access_token = OAuth2AccessToken._new(
auth_token.client_id, auth_token.user_id, auth_token.scope,
refresh_token._id if refresh_token else "")
resp = self._make_token_dict(access_token, refresh_token)
return self.api_wrapper(resp)
@validate(refresh_token=VOAuth2RefreshToken("refresh_token"))
def _access_token_refresh(self, refresh_token):
access_token = None
if refresh_token:
if refresh_token.client_id == c.oauth2_client._id:
access_token = OAuth2AccessToken._new(
refresh_token.client_id,
refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
else:
c.errors.add(errors.OAUTH2_INVALID_REFRESH_TOKEN)
else:
c.errors.add("NO_TEXT", field="refresh_token")
if c.errors:
resp = self._check_for_errors()
response.status = 400
else:
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
@validate(user=VThrottledLogin(["username", "password"]),
scope=nop("scope"))
def _access_token_password(self, user, scope):
# username:password auth via OAuth is only allowed for
# private use scripts
client = c.oauth2_client
if client.app_type != "script":
return self.api_wrapper({
"error":
"unauthorized_client",
"error_description":
"Only script apps may use password auth"
})
dev_ids = client._developer_ids
if not user or user._id not in dev_ids:
return self.api_wrapper({"error": "invalid_grant"})
if c.errors:
return self.api_wrapper(self._check_for_errors())
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(client._id, user._id36, scope)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
@validate(
scope=nop("scope"), )
def _access_token_client_credentials(self, scope):
client = c.oauth2_client
if not client.is_confidential():
return self.api_wrapper({
"error":
"unauthorized_client",
"error_description":
"Only confidential clients may use client_credentials auth"
})
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(
client._id,
"",
scope,
)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
@validate(
scope=nop("scope"),
device_id=VLength("device_id", 50, min_length=20),
)
def _access_token_extension_client_credentials(self, scope, device_id):
if ((errors.NO_TEXT, "device_id") in c.errors
or (errors.TOO_SHORT, "device_id") in c.errors
or (errors.TOO_LONG, "device_id") in c.errors):
return self.api_wrapper({
"error": "invalid_request",
"error_description": "bad device_id",
})
client = c.oauth2_client
if scope:
scope = OAuth2Scope(scope)
if not scope.is_valid():
c.errors.add(errors.INVALID_OPTION, "scope")
return self.api_wrapper({"error": "invalid_scope"})
else:
scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
access_token = OAuth2AccessToken._new(
client._id,
"",
scope,
device_id=device_id,
)
resp = self._make_token_dict(access_token)
return self.api_wrapper(resp)
@validate(
VRatelimit(rate_user=False, rate_ip=True, prefix="rate_revoke_token_"),
token_id=nop("token"),
token_hint=VOneOf("token_type_hint",
("access_token", "refresh_token")),
)
def POST_revoke_token(self, token_id, token_hint):
'''Revoke an OAuth2 access or refresh token.
token_type_hint is optional, and hints to the server
whether the passed token is a refresh or access token.
A call to this endpoint is considered a success if
the passed `token_id` is no longer valid. Thus, if an invalid
`token_id` was passed in, a successful 204 response will be returned.
See [RFC7009](http://tools.ietf.org/html/rfc7009)
'''
# In success cases, this endpoint returns no data.
response.status = 204
if not token_id:
return
types = (OAuth2AccessToken, OAuth2RefreshToken)
if token_hint == "refresh_token":
types = reversed(types)
for token_type in types:
try:
token = token_type._byID(token_id)
except tdb_cassandra.NotFound:
continue
else:
break
else:
# No Token found. The given token ID is already gone
# or never existed. Either way, from the client's perspective,
# the passed in token is no longer valid.
return
if constant_time_compare(token.client_id, c.oauth2_client._id):
token.revoke()
else:
# RFC 7009 is not clear on how to handle this case.
# Given that a malicious client could do much worse things
# with a valid token then revoke it, returning an error
# here is best as it may help certain clients debug issues
response.status = 400
return self.api_wrapper({"error": "unauthorized_client"})
class AdzerkApiController(api.ApiController):
@csrf_exempt
@allow_oauth2_access
@validate(
srnames=VPrintable("srnames", max_length=2100),
is_mobile_web=VBoolean('is_mobile_web'),
platform=VOneOf("platform", [
"desktop",
"mobile_web",
"mobile_native",
],
default=None),
loid=nop('loid', None),
is_refresh=VBoolean("is_refresh", default=False),
)
def POST_request_promo(self, srnames, is_mobile_web, platform, loid,
is_refresh):
self.OPTIONS_request_promo()
if not srnames:
return
# backwards compat
if platform is None:
platform = "mobile_web" if is_mobile_web else "desktop"
srnames = srnames.split('+')
# request multiple ads in case some are hidden by the builder due
# to the user's hides/preferences
response = adzerk_request(srnames,
self.get_uid(loid),
platform=platform)
if not response:
g.stats.simple_event('adzerk.request.no_promo')
return
# for adservers, adzerk returns markup so we pass it to the client
if isinstance(response, AdserverResponse):
g.stats.simple_event('adzerk.request.adserver')
return responsive(response.body)
res_by_campaign = {r.campaign: r for r in response}
adserver_click_urls = {r.campaign: r.click_url for r in response}
tuples = [promote.PromoTuple(r.link, 1., r.campaign) for r in response]
builder = CampaignBuilder(tuples,
wrap=default_thing_wrapper(),
keep_fn=promote.promo_keep_fn,
num=1,
skip=True)
listing = LinkListing(builder, nextprev=False).listing()
promote.add_trackers(listing.things,
c.site,
adserver_click_urls=adserver_click_urls)
promote.update_served(listing.things)
if listing.things:
g.stats.simple_event('adzerk.request.valid_promo')
if is_refresh:
g.stats.simple_event('adzerk.request.auto_refresh')
w = listing.things[0]
r = res_by_campaign[w.campaign]
up = UrlParser(r.imp_pixel)
up.hostname = "pixel.redditmedia.com"
w.adserver_imp_pixel = up.unparse()
w.adserver_upvote_pixel = r.upvote_pixel
w.adserver_downvote_pixel = r.downvote_pixel
w.adserver_click_url = r.click_url
w.num = ""
return responsive(w.render(), space_compress=True)
else:
g.stats.simple_event('adzerk.request.skip_promo')
def get_uid(self, loid):
if c.user_is_loggedin:
return c.user._id36
elif loid:
return loid
else:
return None
class WikiApiController(WikiController):
@require_oauth2_scope("wikiedit")
@validate(VModhash(),
pageandprevious=VWikiPageRevise(('page', 'previous'),
restricted=True),
content=nop(('content')),
page_name=VWikiPageName('page'),
reason=VPrintable('reason', 256, empty_error=None))
@api_doc(api_section.wiki, uri='/api/wiki/edit', uses_site=True)
def POST_wiki_edit(self, pageandprevious, content, page_name, reason):
"""Edit a wiki `page`"""
page, previous = pageandprevious
if not page:
error = c.errors.get(('WIKI_CREATE_ERROR', 'page'))
if error:
self.handle_error(403, **(error.msg_params or {}))
if not c.user._spam:
page = WikiPage.create(c.site, page_name)
if c.user._spam:
error = _("You are doing that too much, please try again later.")
self.handle_error(415, 'SPECIAL_ERRORS', special_errors=[error])
renderer = RENDERERS_BY_PAGE.get(page.name, 'wiki')
if renderer in ('wiki', 'reddit'):
content = VMarkdown(('content'), renderer=renderer).run(content)
# Use the raw POST value as we need to tell the difference between
# None/Undefined and an empty string. The validators use a default
# value with both of those cases and would need to be changed.
# In order to avoid breaking functionality, this was done instead.
previous = previous._id if previous else request.POST.get('previous')
try:
# special validation methods
if page.name == 'config/stylesheet':
css_errors, parsed = c.site.parse_css(content, verify=False)
if g.css_killswitch:
self.handle_error(403, 'STYLESHEET_EDIT_DENIED')
if css_errors:
error_items = [CssError(x).message for x in css_errors]
self.handle_error(415,
'SPECIAL_ERRORS',
special_errors=error_items)
elif page.name == "config/automoderator":
try:
rules = Ruleset(content)
except ValueError as e:
error_items = [e.message]
self.handle_error(415,
"SPECIAL_ERRORS",
special_errors=error_items)
# special saving methods
if page.name == "config/stylesheet":
c.site.change_css(content, parsed, previous, reason=reason)
else:
try:
page.revise(content, previous, c.user._id36, reason=reason)
except ContentLengthError as e:
self.handle_error(403,
'CONTENT_LENGTH_ERROR',
max_length=e.max_length)
# continue storing the special pages as data attributes on the subreddit
# object. TODO: change this to minimize subreddit get sizes.
if page.special and page.name in ATTRIBUTE_BY_PAGE:
setattr(c.site, ATTRIBUTE_BY_PAGE[page.name], content)
c.site._commit()
if page.special or c.is_wiki_mod:
description = modactions.get(page.name,
'Page %s edited' % page.name)
ModAction.create(c.site,
c.user,
"wikirevise",
details=description,
description=reason)
except ConflictException as e:
self.handle_error(409,
'EDIT_CONFLICT',
newcontent=e.new,
newrevision=page.revision,
diffcontent=e.htmldiff)
return json.dumps({})
@require_oauth2_scope("modwiki")
@validate(VModhash(),
VWikiModerator(),
page=VWikiPage('page'),
act=VOneOf('act', ('del', 'add')),
user=VExistingUname('username'))
@api_doc(api_section.wiki,
uri='/api/wiki/alloweditor/{act}',
uses_site=True,
uri_variants=[
'/api/wiki/alloweditor/%s' % act for act in ('del', 'add')
])
def POST_wiki_allow_editor(self, act, page, user):
"""Allow/deny `username` to edit this wiki `page`"""
if not user:
self.handle_error(404, 'UNKNOWN_USER')
elif act == 'del':
page.remove_editor(user._id36)
elif act == 'add':
page.add_editor(user._id36)
else:
self.handle_error(400, 'INVALID_ACTION')
return json.dumps({})
@validate(
VModhash(),
VAdmin(),
pv=VWikiPageAndVersion(('page', 'revision')),
deleted=VBoolean('deleted'),
)
def POST_wiki_revision_delete(self, pv, deleted):
page, revision = pv
if not revision:
self.handle_error(400, 'INVALID_REVISION')
if deleted and page.revision == str(revision._id):
self.handle_error(400, 'REVISION_IS_CURRENT')
revision.admin_deleted = deleted
revision._commit()
return json.dumps({'status': revision.admin_deleted})
@require_oauth2_scope("modwiki")
@validate(VModhash(),
VWikiModerator(),
pv=VWikiPageAndVersion(('page', 'revision')))
@api_doc(api_section.wiki, uri='/api/wiki/hide', uses_site=True)
def POST_wiki_revision_hide(self, pv):
"""Toggle the public visibility of a wiki page revision"""
page, revision = pv
if not revision:
self.handle_error(400, 'INVALID_REVISION')
return json.dumps({'status': revision.toggle_hide()})
@require_oauth2_scope("modwiki")
@validate(VModhash(),
VWikiModerator(),
pv=VWikiPageAndVersion(('page', 'revision')))
@api_doc(api_section.wiki, uri='/api/wiki/revert', uses_site=True)
def POST_wiki_revision_revert(self, pv):
"""Revert a wiki `page` to `revision`"""
page, revision = pv
if not revision:
self.handle_error(400, 'INVALID_REVISION')
content = revision.content
reason = 'reverted back %s' % timesince(revision.date)
if page.name == 'config/stylesheet':
css_errors, parsed = c.site.parse_css(content)
if css_errors:
self.handle_error(403, 'INVALID_CSS')
c.site.change_css(content,
parsed,
prev=None,
reason=reason,
force=True)
else:
try:
page.revise(content,
author=c.user._id36,
reason=reason,
force=True)
# continue storing the special pages as data attributes on the subreddit
# object. TODO: change this to minimize subreddit get sizes.
if page.special:
setattr(c.site, ATTRIBUTE_BY_PAGE[page.name], content)
c.site._commit()
except ContentLengthError as e:
self.handle_error(403,
'CONTENT_LENGTH_ERROR',
max_length=e.max_length)
return json.dumps({})
def pre(self):
WikiController.pre(self)
c.render_style = 'api'
set_extension(request.environ, 'json')
class LiveUpdateController(RedditController):
def __before__(self, event):
RedditController.__before__(self)
if event:
try:
c.liveupdate_event = LiveUpdateEvent._byID(event)
except tdb_cassandra.NotFound:
pass
if not c.liveupdate_event:
self.abort404()
if c.user_is_loggedin:
c.liveupdate_permissions = \
c.liveupdate_event.get_permissions(c.user)
# revoke some permissions from everyone after closing
if c.liveupdate_event.state != "live":
c.liveupdate_permissions = (c.liveupdate_permissions
.without("update")
.without("close")
)
if c.user_is_admin:
c.liveupdate_permissions = ContributorPermissionSet.SUPERUSER
else:
c.liveupdate_permissions = ContributorPermissionSet.NONE
if c.liveupdate_event.banned and not c.liveupdate_permissions:
error_page = RedditError(
title=_("this thread has been banned"),
message="",
image="subreddit-banned.png",
)
request.environ["usable_error_content"] = error_page.render()
self.abort403()
if (c.liveupdate_event.nsfw and
not c.over18 and
request.host != g.media_domain and # embeds are special
c.render_style == "html"):
return self.intermediate_redirect("/over18", sr_path=False)
@require_oauth2_scope("read")
@validate(
num=VLimit("limit", default=25, max_limit=100),
after=VLiveUpdateID("after"),
before=VLiveUpdateID("before"),
count=VCount("count"),
is_embed=VBoolean("is_embed", docs={"is_embed": "(internal use only)"}),
style_sr=VSRByName("stylesr"),
)
@api_doc(
section=api_section.live,
uri="/live/{thread}",
supports_rss=True,
notes=[paginated_listing.doc_note],
)
def GET_listing(self, num, after, before, count, is_embed, style_sr):
"""Get a list of updates posted in this thread.
See also: [/api/live/*thread*/update](#POST_api_live_{thread}_update).
"""
# preemptively record activity for clients that don't send pixel pings.
# this won't capture their continued visit, but will at least show a
# correct activity count for short lived connections.
record_activity(c.liveupdate_event._id)
reverse = False
if before:
reverse = True
after = before
query = LiveUpdateStream.query([c.liveupdate_event._id],
count=num, reverse=reverse)
if after:
query.column_start = after
builder = LiveUpdateBuilder(query=query, skip=True,
reverse=reverse, num=num,
count=count)
listing = pages.LiveUpdateListing(builder)
wrapped_listing = listing.listing()
if c.user_is_loggedin:
report_type = LiveUpdateReportsByAccount.get_report(
c.user, c.liveupdate_event)
else:
report_type = None
content = pages.LiveUpdateEventApp(
event=c.liveupdate_event,
listing=wrapped_listing,
show_sidebar=not is_embed,
report_type=report_type,
)
c.js_preload.set_wrapped(
"/live/" + c.liveupdate_event._id + "/about.json",
Wrapped(c.liveupdate_event),
)
c.js_preload.set_wrapped(
"/live/" + c.liveupdate_event._id + ".json",
wrapped_listing,
)
if not is_embed:
return pages.LiveUpdateEventAppPage(
content=content,
page_classes=['liveupdate-app'],
).render()
else:
# ensure we're off the cookie domain before allowing embedding
if request.host != g.media_domain:
abort(404)
c.allow_framing = True
# interstitial redirects and nsfw settings are funky on the media
# domain. just disable nsfw embeds.
if c.liveupdate_event.nsfw:
embed_page = pages.LiveUpdateEventEmbed(
content=pages.LiveUpdateNSFWEmbed(),
)
request.environ["usable_error_content"] = embed_page.render()
abort(403)
embed_page = pages.LiveUpdateEventEmbed(
content=content,
page_classes=['liveupdate-app'],
)
if style_sr and getattr(style_sr, "type", "private") != "private":
c.can_apply_styles = True
c.allow_styles = True
embed_page.subreddit_stylesheet_url = \
Reddit.get_subreddit_stylesheet_url(style_sr)
return embed_page.render()
@require_oauth2_scope("read")
@api_doc(
section=api_section.live,
uri="/live/{thread}/updates/{update_id}",
)
def GET_focus(self, target):
"""Get details about a specific update in a live thread."""
try:
target = uuid.UUID(target)
except (TypeError, ValueError):
self.abort404()
try:
update = LiveUpdateStream.get_update(c.liveupdate_event, target)
except tdb_cassandra.NotFound:
self.abort404()
if update.deleted:
self.abort404()
query = FocusQuery([update])
builder = LiveUpdateBuilder(
query=query, skip=True, reverse=True, num=1, count=0)
listing = pages.LiveUpdateListing(builder)
wrapped_listing = listing.listing()
c.js_preload.set_wrapped(
"/live/" + c.liveupdate_event._id + ".json",
wrapped_listing,
)
content = pages.LiveUpdateFocusApp(
event=c.liveupdate_event,
listing=wrapped_listing,
)
return pages.LiveUpdateEventFocusPage(
content=content,
focused_update=update,
page_classes=["liveupdate-focus"],
).render()
@require_oauth2_scope("read")
@api_doc(
section=api_section.live,
uri="/live/{thread}/about",
)
def GET_about(self):
"""Get some basic information about the live thread.
See also: [/api/live/*thread*/edit](#POST_api_live_{thread}_edit).
"""
if not is_api():
self.abort404()
content = Wrapped(c.liveupdate_event)
return pages.LiveUpdateEventPage(content=content).render()
@require_oauth2_scope("read")
@base_listing
@api_doc(
section=api_section.live,
uri="/live/{thread}/discussions",
supports_rss=True,
)
def GET_discussions(self, num, after, reverse, count):
"""Get a list of reddit submissions linking to this thread."""
builder = url_links_builder(
url="/live/" + c.liveupdate_event._id,
num=num,
after=after,
reverse=reverse,
count=count,
)
listing = LinkListing(builder).listing()
return pages.LiveUpdateEventPage(
content=listing,
).render()
def GET_edit(self):
if not (c.liveupdate_permissions.allow("settings") or
c.liveupdate_permissions.allow("close")):
abort(403)
return pages.LiveUpdateEventPage(
content=pages.LiveUpdateEventConfiguration(),
).render()
@require_oauth2_scope("livemanage")
@validatedForm(
VLiveUpdateContributorWithPermission("settings"),
VModhash(),
**EVENT_CONFIGURATION_VALIDATORS
)
@api_doc(
section=api_section.live,
)
def POST_edit(self, form, jquery, title, description, resources, nsfw):
"""Configure the thread.
Requires the `settings` permission for this thread.
See also: [/live/*thread*/about.json](#GET_live_{thread}_about.json).
"""
if not is_event_configuration_valid(form):
return
changes = {}
if title != c.liveupdate_event.title:
changes["title"] = title
if description != c.liveupdate_event.description:
changes["description"] = description
changes["description_html"] = safemarkdown(description, nofollow=True) or ""
if resources != c.liveupdate_event.resources:
changes["resources"] = resources
changes["resources_html"] = safemarkdown(resources, nofollow=True) or ""
if nsfw != c.liveupdate_event.nsfw:
changes["nsfw"] = nsfw
if changes:
_broadcast(type="settings", payload=changes)
c.liveupdate_event.title = title
c.liveupdate_event.description = description
c.liveupdate_event.resources = resources
c.liveupdate_event.nsfw = nsfw
c.liveupdate_event._commit()
amqp.add_item("liveupdate_event_edited", json.dumps({
"event_fullname": c.liveupdate_event._fullname,
"editor_fullname": c.user._fullname,
}))
form.set_html(".status", _("saved"))
form.refresh()
# TODO: pass listing params on
@require_oauth2_scope("read")
@api_doc(
section=api_section.live,
uri="/live/{thread}/contributors",
)
def GET_contributors(self):
"""Get a list of users that contribute to this thread.
See also: [/api/live/*thread*/invite_contributor]
(#POST_api_live_{thread}_invite_contributor), and
[/api/live/*thread*/rm_contributor]
(#POST_api_live_{thread}_rm_contributor).
"""
editable = c.liveupdate_permissions.allow("manage")
content = [pages.LinkBackToLiveUpdate()]
contributors = c.liveupdate_event.contributors
invites = LiveUpdateContributorInvitesByEvent.get_all(c.liveupdate_event)
contributor_builder = LiveUpdateContributorBuilder(
c.liveupdate_event, contributors, editable)
contributor_listing = pages.LiveUpdateContributorListing(
c.liveupdate_event,
contributor_builder,
has_invite=c.user_is_loggedin and c.user._id in invites,
is_contributor=c.user_is_loggedin and c.user._id in contributors,
).listing()
content.append(contributor_listing)
if editable:
invite_builder = LiveUpdateInvitedContributorBuilder(
c.liveupdate_event, invites, editable)
invite_listing = pages.LiveUpdateInvitedContributorListing(
c.liveupdate_event,
invite_builder,
editable=editable,
).listing()
content.append(invite_listing)
return pages.LiveUpdateEventPage(
content=PaneStack(content),
).render()
@require_oauth2_scope("livemanage")
@validatedForm(
VLiveUpdateContributorWithPermission("manage"),
VModhash(),
user=VExistingUname("name"),
type_and_perms=VLiveUpdatePermissions("type", "permissions"),
)
@api_doc(
section=api_section.live,
)
def POST_invite_contributor(self, form, jquery, user, type_and_perms):
"""Invite another user to contribute to the thread.
Requires the `manage` permission for this thread. If the recipient
accepts the invite, they will be granted the permissions specified.
See also: [/api/live/*thread*/accept_contributor_invite]
(#POST_api_live_{thread}_accept_contributor_invite), and
[/api/live/*thread*/rm_contributor_invite]
(#POST_api_live_{thread}_rm_contributor_invite).
"""
if form.has_errors("name", errors.USER_DOESNT_EXIST,
errors.NO_USER):
return
if form.has_errors("type", errors.INVALID_PERMISSION_TYPE):
return
if form.has_errors("permissions", errors.INVALID_PERMISSIONS):
return
type, permissions = type_and_perms
invites = LiveUpdateContributorInvitesByEvent.get_all(c.liveupdate_event)
if user._id in invites or user._id in c.liveupdate_event.contributors:
c.errors.add(errors.LIVEUPDATE_ALREADY_CONTRIBUTOR, field="name")
form.has_errors("name", errors.LIVEUPDATE_ALREADY_CONTRIBUTOR)
return
if len(invites) >= g.liveupdate_invite_quota:
c.errors.add(errors.LIVEUPDATE_TOO_MANY_INVITES, field="name")
form.has_errors("name", errors.LIVEUPDATE_TOO_MANY_INVITES)
return
LiveUpdateContributorInvitesByEvent.create(
c.liveupdate_event, user, permissions)
queries.add_contributor(c.liveupdate_event, user)
# TODO: make this i18n-friendly when we have such a system for PMs
send_system_message(
user,
subject="invitation to contribute to " + c.liveupdate_event.title,
body=INVITE_MESSAGE % {
"title": c.liveupdate_event.title,
"url": "/live/" + c.liveupdate_event._id,
},
)
amqp.add_item("new_liveupdate_contributor", json.dumps({
"event_fullname": c.liveupdate_event._fullname,
"inviter_fullname": c.user._fullname,
"invitee_fullname": user._fullname,
}))
# add the user to the table
contributor = LiveUpdateContributor(user, permissions)
user_row = pages.InvitedLiveUpdateContributorTableItem(
contributor, c.liveupdate_event, editable=True)
jquery(".liveupdate_contributor_invite-table").show(
).find("table").insert_table_rows(user_row)
@require_oauth2_scope("livemanage")
@validatedForm(
VUser(),
VModhash(),
)
@api_doc(
section=api_section.live,
)
def POST_leave_contributor(self, form, jquery):
"""Abdicate contributorship of the thread.
See also: [/api/live/*thread*/accept_contributor_invite]
(#POST_api_live_{thread}_accept_contributor_invite), and
[/api/live/*thread*/invite_contributor]
(#POST_api_live_{thread}_invite_contributor).
"""
c.liveupdate_event.remove_contributor(c.user)
queries.remove_contributor(c.liveupdate_event, c.user)
@require_oauth2_scope("livemanage")
@validatedForm(
VLiveUpdateContributorWithPermission("manage"),
VModhash(),
user=VByName("id", thing_cls=Account),
)
@api_doc(
section=api_section.live,
)
def POST_rm_contributor_invite(self, form, jquery, user):
"""Revoke an outstanding contributor invite.
Requires the `manage` permission for this thread.
See also: [/api/live/*thread*/invite_contributor]
(#POST_api_live_{thread}_invite_contributor).
"""
LiveUpdateContributorInvitesByEvent.remove(
c.liveupdate_event, user)
queries.remove_contributor(c.liveupdate_event, user)
@require_oauth2_scope("livemanage")
@validatedForm(
VUser(),
VModhash(),
)
@api_doc(
section=api_section.live,
)
def POST_accept_contributor_invite(self, form, jquery):
"""Accept a pending invitation to contribute to the thread.
See also: [/api/live/*thread*/leave_contributor]
(#POST_api_live_{thread}_leave_contributor).
"""
try:
permissions = LiveUpdateContributorInvitesByEvent.get(
c.liveupdate_event, c.user)
except InviteNotFoundError:
c.errors.add(errors.LIVEUPDATE_NO_INVITE_FOUND)
form.set_error(errors.LIVEUPDATE_NO_INVITE_FOUND, None)
return
LiveUpdateContributorInvitesByEvent.remove(
c.liveupdate_event, c.user)
c.liveupdate_event.add_contributor(c.user, permissions)
jquery.refresh()
@require_oauth2_scope("livemanage")
@validatedForm(
VLiveUpdateContributorWithPermission("manage"),
VModhash(),
user=VExistingUname("name"),
type_and_perms=VLiveUpdatePermissions("type", "permissions"),
)
@api_doc(
section=api_section.live,
)
def POST_set_contributor_permissions(self, form, jquery, user, type_and_perms):
"""Change a contributor or contributor invite's permissions.
Requires the `manage` permission for this thread.
See also: [/api/live/*thread*/invite_contributor]
(#POST_api_live_{thread}_invite_contributor) and
[/api/live/*thread*/rm_contributor]
(#POST_api_live_{thread}_rm_contributor).
"""
if form.has_errors("name", errors.USER_DOESNT_EXIST,
errors.NO_USER):
return
if form.has_errors("type", errors.INVALID_PERMISSION_TYPE):
return
if form.has_errors("permissions", errors.INVALID_PERMISSIONS):
return
type, permissions = type_and_perms
if type == "liveupdate_contributor":
if user._id not in c.liveupdate_event.contributors:
c.errors.add(errors.LIVEUPDATE_NOT_CONTRIBUTOR, field="user")
form.has_errors("user", errors.LIVEUPDATE_NOT_CONTRIBUTOR)
return
c.liveupdate_event.update_contributor_permissions(user, permissions)
elif type == "liveupdate_contributor_invite":
try:
LiveUpdateContributorInvitesByEvent.get(
c.liveupdate_event, user)
except InviteNotFoundError:
c.errors.add(errors.LIVEUPDATE_NO_INVITE_FOUND, field="user")
form.has_errors("user", errors.LIVEUPDATE_NO_INVITE_FOUND)
return
else:
LiveUpdateContributorInvitesByEvent.update_invite_permissions(
c.liveupdate_event, user, permissions)
row = form.closest("tr")
editor = row.find(".permissions").data("PermissionEditor")
editor.onCommit(permissions.dumps())
@require_oauth2_scope("livemanage")
@validatedForm(
VLiveUpdateContributorWithPermission("manage"),
VModhash(),
user=VByName("id", thing_cls=Account),
)
@api_doc(
section=api_section.live,
)
def POST_rm_contributor(self, form, jquery, user):
"""Revoke another user's contributorship.
Requires the `manage` permission for this thread.
See also: [/api/live/*thread*/invite_contributor]
(#POST_api_live_{thread}_invite_contributor).
"""
c.liveupdate_event.remove_contributor(user)
queries.remove_contributor(c.liveupdate_event, user)
@require_oauth2_scope("submit")
@validatedForm(
VLiveUpdateContributorWithPermission("update"),
VModhash(),
text=VMarkdownLength("body", max_length=4096),
)
@api_doc(
section=api_section.live,
)
def POST_update(self, form, jquery, text):
"""Post an update to the thread.
Requires the `update` permission for this thread.
See also: [/api/live/*thread*/strike_update]
(#POST_api_live_{thread}_strike_update), and
[/api/live/*thread*/delete_update]
(#POST_api_live_{thread}_delete_update).
"""
if form.has_errors("body", errors.NO_TEXT,
errors.TOO_LONG):
return
# create and store the new update
update = LiveUpdate(data={
"author_id": c.user._id,
"body": text,
"_spam": c.user._spam,
})
hooks.get_hook("liveupdate.update").call(update=update)
LiveUpdateStream.add_update(c.liveupdate_event, update)
# tell the world about our new update
builder = LiveUpdateBuilder(None)
wrapped = builder.wrap_items([update])[0]
rendered = wrapped.render(style="api")
_broadcast(type="update", payload=rendered)
amqp.add_item("new_liveupdate_update", json.dumps({
"event_fullname": c.liveupdate_event._fullname,
"author_fullname": c.user._fullname,
"liveupdate_id": str(update._id),
"body": text,
}))
liveupdate_events.update_event(update, context=c, request=request)
# reset the submission form
t = form.find("textarea")
t.attr('rows', 3).html("").val("")
@require_oauth2_scope("edit")
@validatedForm(
VModhash(),
update=VLiveUpdate("id"),
)
@api_doc(
section=api_section.live,
)
def POST_delete_update(self, form, jquery, update):
"""Delete an update from the thread.
Requires that specified update must have been authored by the user or
that you have the `edit` permission for this thread.
See also: [/api/live/*thread*/update](#POST_api_live_{thread}_update).
"""
if form.has_errors("id", errors.NO_THING_ID):
return
if not (c.liveupdate_permissions.allow("edit") or
(c.user_is_loggedin and update.author_id == c.user._id)):
abort(403)
update.deleted = True
LiveUpdateStream.add_update(c.liveupdate_event, update)
liveupdate_events.update_event(update, context=c, request=request)
_broadcast(type="delete", payload=update._fullname)
@require_oauth2_scope("edit")
@validatedForm(
VModhash(),
update=VLiveUpdate("id"),
)
@api_doc(
section=api_section.live,
)
def POST_strike_update(self, form, jquery, update):
"""Strike (mark incorrect and cross out) the content of an update.
Requires that specified update must have been authored by the user or
that you have the `edit` permission for this thread.
See also: [/api/live/*thread*/update](#POST_api_live_{thread}_update).
"""
if form.has_errors("id", errors.NO_THING_ID):
return
if not (c.liveupdate_permissions.allow("edit") or
(c.user_is_loggedin and update.author_id == c.user._id)):
abort(403)
update.stricken = True
LiveUpdateStream.add_update(c.liveupdate_event, update)
liveupdate_events.update_event(
update, stricken=True, context=c, request=request
)
_broadcast(type="strike", payload=update._fullname)
@require_oauth2_scope("livemanage")
@validatedForm(
VLiveUpdateContributorWithPermission("close"),
VModhash(),
)
@api_doc(
section=api_section.live,
)
def POST_close_thread(self, form, jquery):
"""Permanently close the thread, disallowing future updates.
Requires the `close` permission for this thread.
"""
close_event(c.liveupdate_event)
liveupdate_events.close_event(context=c, request=request)
form.refresh()
@require_oauth2_scope("report")
@validatedForm(
VUser(),
VModhash(),
report_type=VOneOf("type", pages.REPORT_TYPES),
)
@api_doc(
section=api_section.live,
)
def POST_report(self, form, jquery, report_type):
"""Report the thread for violating the rules of reddit."""
if form.has_errors("type", errors.INVALID_OPTION):
return
if c.user._spam or c.user.ignorereports:
return
already_reported = LiveUpdateReportsByAccount.get_report(
c.user, c.liveupdate_event)
if already_reported:
self.abort403()
LiveUpdateReportsByAccount.create(
c.user, c.liveupdate_event, type=report_type)
queries.report_event(c.liveupdate_event)
liveupdate_events.report_event(
report_type, context=c, request=request
)
amqp.add_item("new_liveupdate_report", json.dumps({
"event_fullname": c.liveupdate_event._fullname,
"reporter_fullname": c.user._fullname,
"reason": report_type,
}))
try:
default_subreddit = Subreddit._by_name(g.default_sr)
except NotFound:
pass
else:
not_yet_reported = g.ratelimitcache.add(
"rl:lu_reported_" + str(c.liveupdate_event._id), 1, time=3600)
if not_yet_reported:
send_system_message(
default_subreddit,
subject="live thread reported",
body=REPORTED_MESSAGE % {
"title": c.liveupdate_event.title,
"url": "/live/" + c.liveupdate_event._id,
"reason": pages.REPORT_TYPES[report_type],
},
)
@validatedForm(
VAdmin(),
VModhash(),
)
def POST_approve(self, form, jquery):
c.liveupdate_event.banned = False
c.liveupdate_event._commit()
queries.unreport_event(c.liveupdate_event)
liveupdate_events.ban_event(context=c, request=request)
@validatedForm(
VAdmin(),
VModhash(),
)
def POST_ban(self, form, jquery):
c.liveupdate_event.banned = True
c.liveupdate_event.banned_by = c.user.name
c.liveupdate_event._commit()
queries.unreport_event(c.liveupdate_event)
liveupdate_events.ban_event(context=c, request=request)
class WebLogController(RedditController):
on_validation_error = staticmethod(abort_with_error)
@csrf_exempt
@validate(
VRatelimit(rate_user=False, rate_ip=True, prefix='rate_weblog_'),
level=VOneOf('level', ('error', )),
logs=VValidatedJSON(
'logs',
VValidatedJSON.ArrayOf(
VValidatedJSON.PartialObject({
'msg':
VPrintable('msg', max_length=256),
'url':
VPrintable('url', max_length=256),
'tag':
VPrintable('tag', max_length=32),
}))),
)
def POST_message(self, level, logs):
# Whitelist tags to keep the frontend from creating too many keys in statsd
valid_frontend_log_tags = {
'unknown',
'jquery-migrate-bad-html',
}
# prevent simple CSRF by requiring a custom header
if not request.headers.get('X-Loggit'):
abort(403)
uid = c.user._id if c.user_is_loggedin else '-'
# only accept a maximum of 3 entries per request
for log in logs[:3]:
if 'msg' not in log or 'url' not in log:
continue
tag = 'unknown'
if log.get('tag') in valid_frontend_log_tags:
tag = log['tag']
g.stats.simple_event('frontend.error.' + tag)
g.log.warning('[web frontend] %s: %s | U: %s FP: %s UA: %s', level,
log['msg'], uid, log['url'], request.user_agent)
VRatelimit.ratelimit(rate_user=False,
rate_ip=True,
prefix="rate_weblog_",
seconds=10)
@csrf_exempt
@validate(
# set default to invalid number so we can ignore it later.
dns_timing=VFloat('dnsTiming', min=0, num_default=-1),
tcp_timing=VFloat('tcpTiming', min=0, num_default=-1),
request_timing=VFloat('requestTiming', min=0, num_default=-1),
response_timing=VFloat('responseTiming', min=0, num_default=-1),
dom_loading_timing=VFloat('domLoadingTiming', min=0, num_default=-1),
dom_interactive_timing=VFloat('domInteractiveTiming',
min=0,
num_default=-1),
dom_content_loaded_timing=VFloat('domContentLoadedTiming',
min=0,
num_default=-1),
action_name=VPrintable('actionName', max_length=256),
verification=VPrintable('verification', max_length=256),
)
def POST_timings(self, action_name, verification, **kwargs):
lookup = {
'dns_timing': 'dns',
'tcp_timing': 'tcp',
'request_timing': 'request',
'response_timing': 'response',
'dom_loading_timing': 'dom_loading',
'dom_interactive_timing': 'dom_interactive',
'dom_content_loaded_timing': 'dom_content_loaded',
}
if not (action_name and verification):
abort(422)
expected_mac = hmac.new(g.secrets["action_name"], action_name,
hashlib.sha1).hexdigest()
if not constant_time_compare(verification, expected_mac):
abort(422)
# action_name comes in the format 'controller.METHOD_action'
stat_tpl = 'service_time.web.{}.frontend'.format(action_name)
stat_aggregate = 'service_time.web.frontend'
for key, name in lookup.iteritems():
val = kwargs[key]
if val >= 0:
g.stats.simple_timing(stat_tpl + '.' + name, val)
g.stats.simple_timing(stat_aggregate + '.' + name, val)
abort(204)
class WebLogController(RedditController):
on_validation_error = staticmethod(abort_with_error)
@csrf_exempt
@validate(
VRatelimit(rate_user=False, rate_ip=True, prefix='rate_weblog_'),
level=VOneOf('level', ('error', )),
logs=VValidatedJSON(
'logs',
VValidatedJSON.ArrayOf(
VValidatedJSON.PartialObject({
'msg':
VPrintable('msg', max_length=256),
'url':
VPrintable('url', max_length=256),
'tag':
VPrintable('tag', max_length=32),
}))),
)
def POST_message(self, level, logs):
# Whitelist tags to keep the frontend from creating too many keys in statsd
valid_frontend_log_tags = {
'unknown',
'jquery-migrate-bad-html',
}
# prevent simple CSRF by requiring a custom header
if not request.headers.get('X-Loggit'):
abort(403)
uid = c.user._id if c.user_is_loggedin else '-'
# only accept a maximum of 3 entries per request
for log in logs[:3]:
if 'msg' not in log or 'url' not in log:
continue
tag = 'unknown'
if log.get('tag') in valid_frontend_log_tags:
tag = log['tag']
g.stats.simple_event('frontend.error.' + tag)
g.log.warning('[web frontend] %s: %s | U: %s FP: %s UA: %s', level,
log['msg'], uid, log['url'], request.user_agent)
VRatelimit.ratelimit(rate_user=False,
rate_ip=True,
prefix="rate_weblog_",
seconds=10)
def OPTIONS_report_cache_poisoning(self):
"""Send CORS headers for cache poisoning reports."""
if "Origin" not in request.headers:
return
origin = request.headers["Origin"]
parsed_origin = UrlParser(origin)
if not is_subdomain(parsed_origin.hostname, g.domain):
return
response.headers["Access-Control-Allow-Origin"] = origin
response.headers["Access-Control-Allow-Methods"] = "POST"
response.headers["Access-Control-Allow-Headers"] = \
"Authorization, X-Loggit, "
response.headers["Access-Control-Allow-Credentials"] = "false"
response.headers['Access-Control-Expose-Headers'] = \
self.COMMON_REDDIT_HEADERS
@csrf_exempt
@validate(
VRatelimit(rate_user=False, rate_ip=True, prefix='rate_poison_'),
report_mac=VPrintable('report_mac', 255),
poisoner_name=VPrintable('poisoner_name', 255),
poisoner_id=VInt('poisoner_id'),
poisoner_canary=VPrintable('poisoner_canary', 2, min_length=2),
victim_canary=VPrintable('victim_canary', 2, min_length=2),
render_time=VInt('render_time'),
route_name=VPrintable('route_name', 255),
url=VPrintable('url', 2048),
# To differentiate between web and mweb in the future
source=VOneOf('source', ('web', 'mweb')),
cache_policy=VOneOf(
'cache_policy',
('loggedin_www', 'loggedin_www_new', 'loggedin_mweb')),
# JSON-encoded response headers from when our script re-requested
# the poisoned page
resp_headers=nop('resp_headers'),
)
def POST_report_cache_poisoning(
self,
report_mac,
poisoner_name,
poisoner_id,
poisoner_canary,
victim_canary,
render_time,
route_name,
url,
source,
cache_policy,
resp_headers,
):
"""Report an instance of cache poisoning and its details"""
self.OPTIONS_report_cache_poisoning()
if c.errors:
abort(400)
# prevent simple CSRF by requiring a custom header
if not request.headers.get('X-Loggit'):
abort(403)
# Eh? Why are you reporting this if the canaries are the same?
if poisoner_canary == victim_canary:
abort(400)
expected_mac = make_poisoning_report_mac(
poisoner_canary=poisoner_canary,
poisoner_name=poisoner_name,
poisoner_id=poisoner_id,
cache_policy=cache_policy,
source=source,
route_name=route_name,
)
if not constant_time_compare(report_mac, expected_mac):
abort(403)
if resp_headers:
try:
resp_headers = json.loads(resp_headers)
# Verify this is a JSON map of `header_name => [value, ...]`
if not isinstance(resp_headers, dict):
abort(400)
for hdr_name, hdr_vals in resp_headers.iteritems():
if not isinstance(hdr_name, basestring):
abort(400)
if not all(isinstance(h, basestring) for h in hdr_vals):
abort(400)
except ValueError:
abort(400)
if not resp_headers:
resp_headers = {}
poison_info = dict(
poisoner_name=poisoner_name,
poisoner_id=str(poisoner_id),
# Convert the JS timestamp to a standard one
render_time=render_time * 1000,
route_name=route_name,
url=url,
source=source,
cache_policy=cache_policy,
resp_headers=resp_headers,
)
# For immediate feedback when tracking the effects of caching changes
g.stats.simple_event("cache.poisoning.%s.%s" % (source, cache_policy))
# For longer-term diagnosing of caching issues
g.events.cache_poisoning_event(poison_info, request=request, context=c)
VRatelimit.ratelimit(rate_ip=True, prefix="rate_poison_", seconds=10)
return self.api_wrapper({})
class PromoteApiController(ApiController):
@json_validate(sr=VSubmitSR('sr', promotion=True),
location=VLocation(),
start=VDate('startdate'),
end=VDate('enddate'))
def GET_check_inventory(self, responder, sr, location, start, end):
sr = sr or Frontpage
if not location or not location.country:
available = inventory.get_available_pageviews(sr,
start,
end,
datestr=True)
else:
available = inventory.get_available_pageviews_geotargeted(
sr, location, start, end, datestr=True)
return {'inventory': available}
@validatedForm(VSponsorAdmin(),
VModhash(),
link=VLink("link_id36"),
campaign=VPromoCampaign("campaign_id36"))
def POST_freebie(self, form, jquery, link, campaign):
if not link or not campaign or link._id != campaign.link_id:
return abort(404, 'not found')
if campaign_has_oversold_error(form, campaign):
form.set_html(".freebie", "target oversold, can't freebie")
return
if promote.is_promo(link) and campaign:
promote.free_campaign(link, campaign, c.user)
form.redirect(promote.promo_edit_url(link))
@validatedForm(VSponsorAdmin(),
VModhash(),
link=VByName("link"),
note=nop("note"))
def POST_promote_note(self, form, jquery, link, note):
if promote.is_promo(link):
text = PromotionLog.add(link, note)
form.find(".notes").children(":last").after("<p>" + websafe(text) +
"</p>")
@noresponse(VSponsorAdmin(), VModhash(), thing=VByName('id'))
def POST_promote(self, thing):
if promote.is_promo(thing):
promote.accept_promotion(thing)
@noresponse(VSponsorAdmin(),
VModhash(),
thing=VByName('id'),
reason=nop("reason"))
def POST_unpromote(self, thing, reason):
if promote.is_promo(thing):
promote.reject_promotion(thing, reason=reason)
@validatedForm(VSponsorAdmin(),
VModhash(),
link=VLink('link'),
campaign=VPromoCampaign('campaign'))
def POST_refund_campaign(self, form, jquery, link, campaign):
if not link or not campaign or link._id != campaign.link_id:
return abort(404, 'not found')
billable_impressions = promote.get_billable_impressions(campaign)
billable_amount = promote.get_billable_amount(campaign,
billable_impressions)
refund_amount = promote.get_refund_amount(campaign, billable_amount)
if refund_amount > 0:
promote.refund_campaign(link, campaign, billable_amount,
billable_impressions)
form.set_html('.status', _('refund succeeded'))
else:
form.set_html('.status', _('refund not needed'))
@validatedForm(VSponsor('link_id36'),
VModhash(),
VRatelimit(rate_user=True,
rate_ip=True,
prefix='create_promo_'),
VShamedDomain('url'),
username=VLength('username', 100, empty_error=None),
l=VLink('link_id36'),
title=VTitle('title'),
url=VUrl('url', allow_self=False),
selftext=VSelfText('text'),
kind=VOneOf('kind', ['link', 'self']),
ip=ValidIP(),
disable_comments=VBoolean("disable_comments"),
sendreplies=VBoolean("sendreplies"),
media_width=VInt("media-width", min=0),
media_height=VInt("media-height", min=0),
media_embed=VLength("media-embed", 1000),
media_override=VBoolean("media-override"),
domain_override=VLength("domain", 100))
def POST_edit_promo(self, form, jquery, ip, username, l, title, url,
selftext, kind, disable_comments, sendreplies,
media_height, media_width, media_embed, media_override,
domain_override):
should_ratelimit = False
if not c.user_is_sponsor:
should_ratelimit = True
if not should_ratelimit:
c.errors.remove((errors.RATELIMIT, 'ratelimit'))
# check for user override
if not l and c.user_is_sponsor and username:
try:
user = Account._by_name(username)
except NotFound:
c.errors.add(errors.USER_DOESNT_EXIST, field="username")
form.set_error(errors.USER_DOESNT_EXIST, "username")
return
if not user.email:
c.errors.add(errors.NO_EMAIL_FOR_USER, field="username")
form.set_error(errors.NO_EMAIL_FOR_USER, "username")
return
if not user.email_verified:
c.errors.add(errors.NO_VERIFIED_EMAIL, field="username")
form.set_error(errors.NO_VERIFIED_EMAIL, "username")
return
else:
user = c.user
# check for shame banned domains
if form.has_errors("url", errors.DOMAIN_BANNED):
g.stats.simple_event('spam.shame.link')
return
# demangle URL in canonical way
if url:
if isinstance(url, (unicode, str)):
form.set_inputs(url=url)
elif isinstance(url, tuple) or isinstance(url[0], Link):
# there's already one or more links with this URL, but
# we're allowing mutliple submissions, so we really just
# want the URL
url = url[0].url
if kind == 'link':
if form.has_errors('url', errors.NO_URL, errors.BAD_URL):
return
# users can change the disable_comments on promoted links
if ((not l or not promote.is_promoted(l))
and (form.has_errors('title', errors.NO_TEXT, errors.TOO_LONG)
or jquery.has_errors('ratelimit', errors.RATELIMIT))):
return
if not l:
l = promote.new_promotion(title, url if kind == 'link' else 'self',
selftext if kind == 'self' else '', user,
ip)
elif promote.is_promo(l):
# changing link type is not allowed
if ((l.is_self and kind == 'link')
or (not l.is_self and kind == 'self')):
c.errors.add(errors.NO_CHANGE_KIND, field="kind")
form.set_error(errors.NO_CHANGE_KIND, "kind")
return
changed = False
# live items can only be changed by a sponsor, and also
# pay the cost of de-approving the link
trusted = c.user_is_sponsor or c.user.trusted_sponsor
if not promote.is_promoted(l) or trusted:
if title and title != l.title:
l.title = title
changed = not trusted
if kind == 'link' and url and url != l.url:
l.url = url
changed = not trusted
# only trips if the title and url are changed by a non-sponsor
if changed:
promote.unapprove_promotion(l)
# selftext can be changed at any time
if kind == 'self':
l.selftext = selftext
# comment disabling and sendreplies is free to be changed any time.
l.disable_comments = disable_comments
l.sendreplies = sendreplies
if c.user_is_sponsor or c.user.trusted_sponsor:
if media_embed and media_width and media_height:
l.media_object = dict(height=media_height,
width=media_width,
content=media_embed,
type='custom')
else:
l.media_object = None
l.media_override = media_override
if getattr(l, "domain_override", False) or domain_override:
l.domain_override = domain_override
l._commit()
form.redirect(promote.promo_edit_url(l))
@validatedForm(VSponsorAdmin(),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
reference_date=promote.promo_datetime_now),
sr=VSubmitSR('sr', promotion=True))
def POST_add_roadblock(self, form, jquery, dates, sr):
if (form.has_errors('startdate', errors.BAD_DATE) or form.has_errors(
'enddate', errors.BAD_DATE, errors.BAD_DATE_RANGE)):
return
if form.has_errors('sr', errors.SUBREDDIT_NOEXIST,
errors.SUBREDDIT_NOTALLOWED,
errors.SUBREDDIT_REQUIRED):
return
if dates and sr:
sd, ed = dates
PromotedLinkRoadblock.add(sr, sd, ed)
jquery.refresh()
@validatedForm(VSponsorAdmin(),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
reference_date=promote.promo_datetime_now),
sr=VSubmitSR('sr', promotion=True))
def POST_rm_roadblock(self, form, jquery, dates, sr):
if dates and sr:
sd, ed = dates
PromotedLinkRoadblock.remove(sr, sd, ed)
jquery.refresh()
@validatedForm(VSponsor('link_id36'),
VModhash(),
dates=VDateRange(
['startdate', 'enddate'],
earliest=timedelta(days=g.min_promote_future),
latest=timedelta(days=g.max_promote_future),
reference_date=promote.promo_datetime_now,
business_days=True,
sponsor_override=True),
link=VLink('link_id36'),
bid=VFloat('bid', coerce=False),
sr=VSubmitSR('sr', promotion=True),
campaign_id36=nop("campaign_id36"),
targeting=VLength("targeting", 10),
priority=VPriority("priority"),
location=VLocation())
def POST_edit_campaign(self, form, jquery, link, campaign_id36, dates, bid,
sr, targeting, priority, location):
if not link:
return
start, end = dates or (None, None)
if location and sr and not c.user_is_sponsor:
# only sponsors can geotarget on subreddits
location = None
if location and location.metro:
cpm = g.cpm_selfserve_geotarget_metro.pennies
elif location:
cpm = g.cpm_selfserve_geotarget_country.pennies
else:
author = Account._byID(link.author_id, data=True)
cpm = author.cpm_selfserve_pennies
if (form.has_errors('startdate', errors.BAD_DATE,
errors.DATE_TOO_EARLY, errors.DATE_TOO_LATE)
or form.has_errors('enddate', errors.BAD_DATE,
errors.DATE_TOO_EARLY, errors.DATE_TOO_LATE,
errors.BAD_DATE_RANGE)):
return
# Limit the number of PromoCampaigns a Link can have
# Note that the front end should prevent the user from getting
# this far
existing_campaigns = list(PromoCampaign._by_link(link._id))
if len(existing_campaigns) > g.MAX_CAMPAIGNS_PER_LINK:
c.errors.add(errors.TOO_MANY_CAMPAIGNS,
msg_params={'count': g.MAX_CAMPAIGNS_PER_LINK},
field='title')
form.has_errors('title', errors.TOO_MANY_CAMPAIGNS)
return
campaign = None
if campaign_id36:
try:
campaign = PromoCampaign._byID36(campaign_id36)
except NotFound:
pass
if campaign and link._id != campaign.link_id:
return abort(404, 'not found')
if priority.cpm:
min_bid = 0 if c.user_is_sponsor else g.min_promote_bid
max_bid = None if c.user_is_sponsor else g.max_promote_bid
if bid is None or bid < min_bid or (max_bid and bid > max_bid):
c.errors.add(errors.BAD_BID,
field='bid',
msg_params={
'min': min_bid,
'max': max_bid or g.max_promote_bid
})
form.has_errors('bid', errors.BAD_BID)
return
# you cannot edit the bid of a live ad unless it's a freebie
if (campaign and bid != campaign.bid
and promote.is_live_promo(link, campaign)
and not campaign.is_freebie()):
c.errors.add(errors.BID_LIVE, field='bid')
form.has_errors('bid', errors.BID_LIVE)
return
else:
bid = 0. # Set bid to 0 as dummy value
if targeting == 'one':
if form.has_errors('sr', errors.SUBREDDIT_NOEXIST,
errors.SUBREDDIT_NOTALLOWED,
errors.SUBREDDIT_REQUIRED):
# checking to get the error set in the form, but we can't
# check for rate-limiting if there's no subreddit
return
roadblock = PromotedLinkRoadblock.is_roadblocked(sr, start, end)
if roadblock and not c.user_is_sponsor:
msg_params = {
"start": roadblock[0].strftime('%m/%d/%Y'),
"end": roadblock[1].strftime('%m/%d/%Y')
}
c.errors.add(errors.OVERSOLD,
field='sr',
msg_params=msg_params)
form.has_errors('sr', errors.OVERSOLD)
return
elif targeting == 'none':
sr = None
# Check inventory
campaign = campaign if campaign_id36 else None
if not priority.inventory_override:
oversold = has_oversold_error(form, campaign, start, end, bid, cpm,
sr, location)
if oversold:
return
if campaign:
promote.edit_campaign(link, campaign, dates, bid, cpm, sr,
priority, location)
else:
campaign = promote.new_campaign(link, dates, bid, cpm, sr,
priority, location)
rc = RenderableCampaign.from_campaigns(link, campaign)
jquery.update_campaign(campaign._fullname, rc.render_html())
@validatedForm(VSponsor('link_id36'),
VModhash(),
l=VLink('link_id36'),
campaign=VPromoCampaign("campaign_id36"))
def POST_delete_campaign(self, form, jquery, l, campaign):
if not campaign or not l or l._id != campaign.link_id:
return abort(404, 'not found')
promote.delete_campaign(l, campaign)
@validatedForm(VSponsorAdmin(),
VModhash(),
link=VLink('link_id36'),
campaign=VPromoCampaign("campaign_id36"))
def POST_terminate_campaign(self, form, jquery, link, campaign):
if not link or not campaign or link._id != campaign.link_id:
return abort(404, 'not found')
promote.terminate_campaign(link, campaign)
rc = RenderableCampaign.from_campaigns(link, campaign)
jquery.update_campaign(campaign._fullname, rc.render_html())
@validatedForm(VSponsor('link'),
VModhash(),
link=VByName("link"),
campaign=VPromoCampaign("campaign"),
customer_id=VInt("customer_id", min=0),
pay_id=VInt("account", min=0),
edit=VBoolean("edit"),
address=ValidAddress([
"firstName", "lastName", "company", "address", "city",
"state", "zip", "country", "phoneNumber"
]),
creditcard=ValidCard(
["cardNumber", "expirationDate", "cardCode"]))
def POST_update_pay(self, form, jquery, link, campaign, customer_id,
pay_id, edit, address, creditcard):
if not link or not campaign or link._id != campaign.link_id:
return abort(404, 'not found')
# Check inventory
if campaign_has_oversold_error(form, campaign):
return
address_modified = not pay_id or edit
form_has_errors = False
if address_modified:
if (form.has_errors([
"firstName", "lastName", "company", "address", "city",
"state", "zip", "country", "phoneNumber"
], errors.BAD_ADDRESS) or form.has_errors(
["cardNumber", "expirationDate", "cardCode"],
errors.BAD_CARD)):
form_has_errors = True
elif g.authorizenetapi:
pay_id = edit_profile(c.user, address, creditcard, pay_id)
else:
pay_id = 1
# if link is in use or finished, don't make a change
if pay_id and not form_has_errors:
# valid bid and created or existing bid id.
# check if already a transaction
if g.authorizenetapi:
success, reason = promote.auth_campaign(
link, campaign, c.user, pay_id)
else:
success = True
if success:
form.redirect(promote.promo_edit_url(link))
else:
form.set_html(
".status", reason
or _("failed to authenticate card. sorry."))
@validate(VSponsor("link_name"),
VModhash(),
link=VByName('link_name'),
file=VUploadLength('file', 500 * 1024),
img_type=VImageType('img_type'))
def POST_link_thumb(self, link=None, file=None, img_type='jpg'):
if link and (not promote.is_promoted(link) or c.user_is_sponsor
or c.user.trusted_sponsor):
errors = dict(BAD_CSS_NAME="", IMAGE_ERROR="")
try:
# thumnails for promoted links can change and therefore expire
force_thumbnail(link, file, file_type=".%s" % img_type)
except cssfilter.BadImage:
# if the image doesn't clean up nicely, abort
errors["IMAGE_ERROR"] = _("bad image")
if any(errors.values()):
return UploadedImage("",
"",
"upload",
errors=errors,
form_id="image-upload").render()
else:
link._commit()
return UploadedImage(_('saved'),
thumbnail_url(link),
"",
errors=errors,
form_id="image-upload").render()
class SponsorController(PromoteController):
@validate(VSponsorAdmin())
def GET_roadblock(self):
return PromotePage(title=_("manage roadblocks"),
content=Roadblocks()).render()
@validate(VSponsorAdminOrAdminSecret('secret'),
start=VDate('startdate'),
end=VDate('enddate'),
link_text=nop('link_text'),
owner=VAccountByName('owner'),
grouping=VOneOf("grouping", ("total", "day"), default="total"))
def GET_report(self, start, end, grouping, link_text=None, owner=None):
now = datetime.now(g.tz).replace(hour=0,
minute=0,
second=0,
microsecond=0)
if not start or not end:
start = promote.promo_datetime_now(offset=1).date()
end = promote.promo_datetime_now(offset=8).date()
c.errors.remove((errors.BAD_DATE, 'startdate'))
c.errors.remove((errors.BAD_DATE, 'enddate'))
end = end or now - timedelta(days=1)
start = start or end - timedelta(days=7)
links = []
bad_links = []
owner_name = owner.name if owner else ''
if owner:
campaign_ids = PromotionWeights.get_campaign_ids(
start, end, author_id=owner._id)
campaigns = PromoCampaign._byID(campaign_ids, data=True)
link_ids = {camp.link_id for camp in campaigns.itervalues()}
links.extend(Link._byID(link_ids, data=True, return_dict=False))
if link_text is not None:
id36s = link_text.replace(',', ' ').split()
try:
links_from_text = Link._byID36(id36s, data=True)
except NotFound:
links_from_text = {}
bad_links = [id36 for id36 in id36s if id36 not in links_from_text]
links.extend(links_from_text.values())
content = PromoteReport(links,
link_text,
owner_name,
bad_links,
start,
end,
group_by_date=grouping == "day")
if c.render_style == 'csv':
return content.as_csv()
else:
return PromotePage(title=_("sponsored link report"),
content=content).render()
@validate(
VSponsorAdmin(),
start=VDate('startdate'),
end=VDate('enddate'),
sr_name=nop('sr_name'),
collection_name=nop('collection_name'),
)
def GET_promote_inventory(self, start, end, sr_name, collection_name):
if not start or not end:
start = promote.promo_datetime_now(offset=1).date()
end = promote.promo_datetime_now(offset=8).date()
c.errors.remove((errors.BAD_DATE, 'startdate'))
c.errors.remove((errors.BAD_DATE, 'enddate'))
target = Target(Frontpage.name)
if sr_name:
try:
sr = Subreddit._by_name(sr_name)
target = Target(sr.name)
except NotFound:
c.errors.add(errors.SUBREDDIT_NOEXIST, field='sr_name')
elif collection_name:
collection = Collection.by_name(collection_name)
if not collection:
c.errors.add(errors.COLLECTION_NOEXIST,
field='collection_name')
else:
target = Target(collection)
content = PromoteInventory(start, end, target)
if c.render_style == 'csv':
return content.as_csv()
else:
return PromotePage(title=_("sponsored link inventory"),
content=content).render()
@validate(
VSponsorAdmin(),
id_user=VByName('name', thing_cls=Account),
email=ValidEmail("email"),
)
def GET_lookup_user(self, id_user, email):
email_users = AccountsByCanonicalEmail.get_accounts(email)
content = SponsorLookupUser(id_user=id_user,
email=email,
email_users=email_users)
return PromotePage(title="look up user", content=content).render()
class ModmailController(OAuth2OnlyController):
def pre(self):
# Set user_is_admin property on context,
# normally set but this controller does not inherit
# from RedditController
super(ModmailController, self).pre()
admin_usernames = [
name.lower() for name in g.live_config['modmail_admins']
]
c.user_is_admin = False
if c.user_is_loggedin:
c.user_is_admin = c.user.name.lower() in admin_usernames
VNotInTimeout().run()
def post(self):
Session.remove()
super(ModmailController, self).post()
@require_oauth2_scope('modmail')
@validate(
srs=VSRByNames('entity', required=False),
after=VModConversation('after', required=False),
limit=VInt('limit', num_default=25),
sort=VOneOf('sort',
options=('recent', 'mod', 'user'),
default='recent'),
state=VOneOf('state',
options=('new', 'inprogress', 'mod', 'notifications',
'archived', 'highlighted', 'all'),
default='all'),
)
def GET_conversations(self, srs, after, limit, sort, state):
"""Get conversations for logged in user or subreddits
Querystring Params:
entity -- name of the subreddit or a comma separated list of
subreddit names (i.e. iama, pics etc)
limit -- number of elements to retrieve (default: 25)
after -- the id of the last item seen
sort -- parameter on how to sort the results, choices:
recent: max(last_user_update, last_mod_update)
mod: last_mod_update
user: last_user_update
state -- this parameter lets users filter messages by state
choices: new, inprogress, mod, notifications,
archived, highlighted, all
"""
# Retrieve subreddits in question, if entities are passed
# check if a user is a moderator for the passed entities.
# If no entities are passed grab all subreddits the logged in
# user moderates and has modmail permissions for
modded_entities = {}
modded_srs = c.user.moderated_subreddits('mail')
modded_srs = {sr._fullname: sr for sr in modded_srs}
if srs:
for sr in srs.values():
if sr._fullname in modded_srs:
modded_entities[sr._fullname] = sr
else:
return self.send_error(403,
errors.BAD_SR_NAME,
fields='entity')
else:
modded_entities = modded_srs
if not modded_entities:
return self.send_error(404, errors.SR_NOT_FOUND, fields='entity')
# Retrieve conversations for given entities
conversations = ModmailConversation.get_mod_conversations(
modded_entities.values(),
viewer=c.user,
limit=limit,
after=after,
sort=sort,
state=state)
conversation_ids = []
conversations_dict = {}
messages_dict = {}
author_ids = []
# Extract author ids to query for all accounts at once
for conversation in conversations:
author_ids.extend(conversation.author_ids)
author_ids.extend(conversation.mod_action_account_ids)
# Query for associated account object of authors and serialize the
# conversation in the correct context
authors = self._try_get_byID(author_ids, Account, ignore_missing=True)
for conversation in conversations:
conversation_ids.append(conversation.id36)
conversations_dict[
conversation.id36] = conversation.to_serializable(
authors,
modded_entities[conversation.owner_fullname],
)
latest_message = conversation.messages[0]
messages_dict[
latest_message.id36] = latest_message.to_serializable(
modded_entities[conversation.owner_fullname],
authors[latest_message.author_id],
c.user,
)
return simplejson.dumps({
'viewerId': c.user._fullname,
'conversationIds': conversation_ids,
'conversations': conversations_dict,
'messages': messages_dict,
})
@require_oauth2_scope('modmail')
@validate(
entity=VSRByName('srName'),
subject=VLength('subject', max_length=100),
body=VMarkdownLength('body'),
is_author_hidden=VBoolean('isAuthorHidden', default=False),
to=VModConvoRecipient('to', required=False),
)
def POST_conversations(self, entity, subject, body, is_author_hidden, to):
"""Creates a new conversation for a particular SR
This endpoint will create a ModmailConversation object as
well as the first ModmailMessage within the ModmailConversation
object.
POST Params:
srName -- the human readable name of the subreddit
subject -- the subject of the first message in the conversation
body -- the body of the first message in the conversation
isAuthorHidden -- boolean on whether the mod name should be hidden
(only mods can use this flag)
to -- name of the user that a mod wants to create a convo
with (only mods can use this flag)
"""
self._feature_enabled_check(entity)
# make sure the user is not muted when creating a new conversation
if entity.is_muted(c.user) and not c.user_is_admin:
return self.send_error(400, errors.USER_MUTED)
# validate post params
if (errors.USER_BLOCKED, to) in c.errors:
return self.send_error(400, errors.USER_BLOCKED, fields='to')
elif (errors.USER_DOESNT_EXIST, to) in c.errors:
return self.send_error(404, errors.USER_DOESNT_EXIST, fields='to')
if to and not isinstance(to, Account):
return self.send_error(
422,
errors.NO_SR_TO_SR_MESSAGE,
fields='to',
)
# only mods can set a 'to' parameter
if (not entity.is_moderator_with_perms(c.user, 'mail') and to):
return self.send_error(403, errors.MOD_REQUIRED, fields='to')
if to and entity.is_muted(to):
return self.send_error(
400,
errors.MUTED_FROM_SUBREDDIT,
fields='to',
)
try:
conversation = ModmailConversation(
entity,
c.user,
subject,
body,
is_author_hidden=is_author_hidden,
to=to,
)
except MustBeAModError:
return self.send_error(403,
errors.MOD_REQUIRED,
fields='isAuthorHidden')
except Exception as e:
g.log.error('Failed to save conversation: {}'.format(e))
return self.send_error(500, errors.CONVERSATION_NOT_SAVED)
# Create copy of the message in the legacy messaging system as well
if to:
message, inbox_rel = Message._new(
c.user,
to,
subject,
body,
request.ip,
sr=entity,
from_sr=is_author_hidden,
create_modmail=False,
)
else:
message, inbox_rel = Message._new(
c.user,
entity,
subject,
body,
request.ip,
create_modmail=False,
)
queries.new_message(message, inbox_rel)
conversation.set_legacy_first_message_id(message._id)
# Get author associated account object for serialization
# of the newly created conversation object
authors = self._try_get_byID(conversation.author_ids,
Account,
ignore_missing=True)
response.status_code = 201
serializable_convo = conversation.to_serializable(authors,
entity,
all_messages=True,
current_user=c.user)
messages = serializable_convo.pop('messages')
mod_actions = serializable_convo.pop('modActions')
g.events.new_modmail_event(
'ss.send_modmail_message',
conversation,
message=conversation.messages[0],
msg_author=c.user,
sr=entity,
request=request,
context=c,
)
return simplejson.dumps({
'conversation': serializable_convo,
'messages': messages,
'modActions': mod_actions,
})
@require_oauth2_scope('modmail')
@validate(
conversation=VModConversation('conversation_id'),
mark_read=VBoolean('markRead', default=False),
)
def GET_mod_messages(self, conversation, mark_read):
"""Returns all messages for a given conversation id
Url Params:
conversation_id -- this is the id of the conversation you would
like to grab messages for
Querystring Param:
markRead -- if passed the conversation will be marked read when the
conversation is returned
"""
self._validate_vmodconversation()
sr = self._try_get_subreddit_access(conversation, admin_override=True)
authors = self._try_get_byID(list(
set(conversation.author_ids)
| set(conversation.mod_action_account_ids)),
Account,
ignore_missing=True)
serializable_convo = conversation.to_serializable(authors,
sr,
all_messages=True,
current_user=c.user)
messages = serializable_convo.pop('messages')
mod_actions = serializable_convo.pop('modActions')
# Get participant user info for conversation
try:
userinfo = self._get_modmail_userinfo(conversation, sr=sr)
except ValueError:
userinfo = {}
except NotFound:
return self.send_error(404, errors.USER_DOESNT_EXIST)
if mark_read:
conversation.mark_read(c.user)
g.events.new_modmail_event(
'ss.modmail_mark_thread',
conversation,
mark_type='read',
request=request,
context=c,
)
return simplejson.dumps({
'conversation': serializable_convo,
'messages': messages,
'modActions': mod_actions,
'user': userinfo,
})
@require_oauth2_scope('modmail')
def GET_modmail_enabled_srs(self):
# sr_name, sr_icon, subsriber_count, most_recent_action
modded_srs = c.user.moderated_subreddits('mail')
enabled_srs = [
modded_sr for modded_sr in modded_srs
if feature.is_enabled('new_modmail', subreddit=modded_sr.name)
]
recent_convos = ModmailConversation.get_recent_convo_by_sr(enabled_srs)
results = {}
for sr in enabled_srs:
results.update({
sr._fullname: {
'id': sr._fullname,
'name': sr.name,
'icon': sr.icon_img,
'subscribers': sr._ups,
'lastUpdated': recent_convos.get(sr._fullname),
}
})
return simplejson.dumps({'subreddits': results})
@require_oauth2_scope('modmail')
@validate(
conversation=VModConversation('conversation_id'),
msg_body=VMarkdownLength('body'),
is_author_hidden=VBoolean('isAuthorHidden', default=False),
is_internal=VBoolean('isInternal', default=False),
)
def POST_mod_messages(self, conversation, msg_body, is_author_hidden,
is_internal):
"""Creates a new message for a particular ModmailConversation
URL Params:
conversation_id -- id of the conversation to post a new message to
POST Params:
body -- this is the message body
isAuthorHidden -- boolean on whether to hide author, i.e. respond as
the subreddit
isInternal -- boolean to signify a moderator only message
"""
self._validate_vmodconversation()
sr = Subreddit._by_fullname(conversation.owner_fullname)
self._feature_enabled_check(sr)
# make sure the user is not muted before posting a message
if sr.is_muted(c.user):
return self.send_error(400, errors.USER_MUTED)
if conversation.is_internal and not is_internal:
is_internal = True
is_mod = sr.is_moderator(c.user)
if not is_mod and is_author_hidden:
return self.send_error(
403,
errors.MOD_REQUIRED,
fields='isAuthorHidden',
)
elif not is_mod and is_internal:
return self.send_error(
403,
errors.MOD_REQUIRED,
fields='isInternal',
)
try:
if not conversation.is_internal and not conversation.is_auto:
participant = conversation.get_participant_account()
if participant and sr.is_muted(participant):
return self.send_error(
400,
errors.MUTED_FROM_SUBREDDIT,
)
except NotFound:
pass
try:
new_message = conversation.add_message(
c.user,
msg_body,
is_author_hidden=is_author_hidden,
is_internal=is_internal,
)
except:
return self.send_error(500, errors.MODMAIL_MESSAGE_NOT_SAVED)
# Add the message to the legacy messaging system as well (unless it's
# an internal message on a non-internal conversation, since we have no
# way to hide specific messages from the external participant)
legacy_incompatible = is_internal and not conversation.is_internal
if (conversation.legacy_first_message_id and not legacy_incompatible):
first_message = Message._byID(conversation.legacy_first_message_id)
subject = conversation.subject
if not subject.startswith('re: '):
subject = 're: ' + subject
# Retrieve the participant to decide whether to send the message
# to the sr or to the participant. If the currently logged in user
# is the same as the participant then address the message to the
# sr.
recipient = sr
if not is_internal:
try:
participant = (
ModmailConversationParticipant.get_participant(
conversation.id))
is_participant = (
(c.user._id == participant.account_id)
and not sr.is_moderator_with_perms(c.user, 'mail'))
if not is_participant:
recipient = Account._byID(participant.account_id)
except NotFound:
pass
message, inbox_rel = Message._new(
c.user,
recipient,
subject,
msg_body,
request.ip,
parent=first_message,
from_sr=is_author_hidden,
create_modmail=False,
)
queries.new_message(message, inbox_rel)
serializable_convo = conversation.to_serializable(
entity=sr,
all_messages=True,
current_user=c.user,
)
messages = serializable_convo.pop('messages')
g.events.new_modmail_event(
'ss.send_modmail_message',
conversation,
message=new_message,
msg_author=c.user,
sr=sr,
request=request,
context=c,
)
response.status_code = 201
return simplejson.dumps({
'conversation': serializable_convo,
'messages': messages,
})
@require_oauth2_scope('modmail')
@validate(conversation=VModConversation('conversation_id'))
def POST_highlight(self, conversation):
"""Marks a conversation as highlighted."""
self._validate_vmodconversation()
self._try_get_subreddit_access(conversation)
conversation.add_action(c.user, 'highlighted')
conversation.add_highlight()
# Retrieve updated conversation to be returned
updated_convo = self._get_updated_convo(conversation.id, c.user)
g.events.new_modmail_event(
'ss.modmail_mark_thread',
conversation,
mark_type='highlight',
request=request,
context=c,
)
return simplejson.dumps(updated_convo)
@require_oauth2_scope('modmail')
@validate(conversation=VModConversation('conversation_id'))
def DELETE_highlight(self, conversation):
"""Removes a highlight from a conversation."""
self._validate_vmodconversation()
self._try_get_subreddit_access(conversation)
conversation.add_action(c.user, 'unhighlighted')
conversation.remove_highlight()
# Retrieve updated conversation to be returned
updated_convo = self._get_updated_convo(conversation.id, c.user)
g.events.new_modmail_event(
'ss.modmail_mark_thread',
conversation,
mark_type='unhighlight',
request=request,
context=c,
)
return simplejson.dumps(updated_convo)
@require_oauth2_scope('modmail')
@validate(ids=VList('conversationIds'))
def POST_unread(self, ids):
"""Marks conversations as unread for the user.
Expects a list of conversation IDs.
"""
if not ids:
return self.send_error(400, 'Must pass an id or list of ids.')
try:
ids = [int(id, base=36) for id in ids]
except:
return self.send_error(422, 'Must pass base 36 ids.')
try:
convos = self._get_conversation_access(ids)
except ValueError:
return self.send_error(
403,
errors.INVALID_CONVERSATION_ID,
fields='conversationIds',
)
ModmailConversationUnreadState.mark_unread(
c.user, [convo.id for convo in convos])
@require_oauth2_scope('modmail')
@validate(ids=VList('conversationIds'))
def POST_read(self, ids):
"""Marks a conversations as read for the user.
Expects a list of conversation IDs.
"""
if not ids:
return self.send_error(400, 'Must pass an id or list of ids.')
try:
ids = [int(id, base=36) for id in ids]
except:
return self.send_error(422, 'Must pass base 36 ids.')
try:
convos = self._get_conversation_access(ids)
except ValueError:
return self.send_error(
403,
errors.INVALID_CONVERSATION_ID,
fields='conversationIds',
)
response.status_code = 204
ModmailConversationUnreadState.mark_read(
c.user, [convo.id for convo in convos])
@require_oauth2_scope('modmail')
@validate(
ids=VList('conversationIds'),
archive=VBoolean('archive', default=True),
)
def POST_archive_status(self, ids, archive):
try:
convos = self._get_conversation_access(
[int(id, base=36) for id in ids])
except ValueError:
return self.send_error(
403,
errors.INVALID_CONVERSATION_ID,
fields='conversationIds',
)
convo_ids = []
for convo in convos:
if convo.is_internal:
return self.send_error(
422,
errors.CONVERSATION_NOT_ARCHIVABLE,
fields='conversationIds',
)
convo_ids.append(convo.id)
if not archive:
ModmailConversation.set_states(
convo_ids, ModmailConversation.STATE['inprogress'])
else:
ModmailConversation.set_states(
convo_ids, ModmailConversation.STATE['archived'])
response.status_code = 204
@require_oauth2_scope('modmail')
@validate(conversation=VModConversation('conversation_id'))
def POST_archive(self, conversation):
self._validate_vmodconversation()
sr = Subreddit._by_fullname(conversation.owner_fullname)
self._feature_enabled_check(sr)
if sr.is_moderator_with_perms(c.user, 'mail'):
if conversation.state == ModmailConversation.STATE['archived']:
response.status_code = 204
return
if conversation.is_internal:
return self.send_error(
422,
errors.CONVERSATION_NOT_ARCHIVABLE,
)
conversation.add_action(c.user, 'archived')
conversation.set_state('archived')
updated_convo = self._get_updated_convo(conversation.id, c.user)
g.events.new_modmail_event(
'ss.modmail_mark_thread',
conversation,
mark_type='archive',
request=request,
context=c,
)
return simplejson.dumps(updated_convo)
else:
return self.send_error(403, errors.INVALID_MOD_PERMISSIONS)
@require_oauth2_scope('modmail')
@validate(conversation=VModConversation('conversation_id'))
def POST_unarchive(self, conversation):
self._validate_vmodconversation()
sr = Subreddit._by_fullname(conversation.owner_fullname)
self._feature_enabled_check(sr)
if sr.is_moderator_with_perms(c.user, 'mail'):
if conversation.state != ModmailConversation.STATE['archived']:
response.status_code = 204
return
if conversation.is_internal:
return self.send_error(
422,
errors.CONVERSATION_NOT_ARCHIVABLE,
)
conversation.add_action(c.user, 'unarchived')
conversation.set_state('inprogress')
updated_convo = self._get_updated_convo(conversation.id, c.user)
g.events.new_modmail_event(
'ss.modmail_mark_thread',
conversation,
mark_type='unarchive',
request=request,
context=c,
)
return simplejson.dumps(updated_convo)
else:
return self.send_error(403, errors.INVALID_MOD_PERMISSIONS)
@require_oauth2_scope('modmail')
def GET_unread_convo_count(self):
"""Endpoint to retrieve the unread conversation count by
category"""
convo_counts = ModmailConversation.unread_convo_count(c.user)
return simplejson.dumps(convo_counts)
@require_oauth2_scope('modmail')
@validate(conversation=VModConversation('conversation_id'))
def GET_modmail_userinfo(self, conversation):
# validate that the currently logged in user is a mod
# of the subreddit associated with the conversation
self._try_get_subreddit_access(conversation, admin_override=True)
try:
userinfo = self._get_modmail_userinfo(conversation)
except (ValueError, NotFound):
return self.send_error(404, errors.USER_DOESNT_EXIST)
return simplejson.dumps(userinfo)
@require_oauth2_scope('identity')
@validate(conversation=VModConversation('conversation_id'))
def POST_mute_participant(self, conversation):
if conversation.is_internal or conversation.is_auto:
return self.send_error(400, errors.CANT_RESTRICT_MODERATOR)
sr = Subreddit._by_fullname(conversation.owner_fullname)
try:
participant = conversation.get_participant_account()
except NotFound:
return self.send_error(404, errors.USER_DOESNT_EXIST)
if not sr.can_mute(c.user, participant):
return self.send_error(400, errors.CANT_RESTRICT_MODERATOR)
if not c.user_is_admin:
if not sr.is_moderator_with_perms(c.user, 'access', 'mail'):
return self.send_error(403, errors.INVALID_MOD_PERMISSIONS)
if sr.use_quotas:
sr_ratelimit = SimpleRateLimit(
name="sr_muted_%s" % sr._id36,
seconds=g.sr_quota_time,
limit=g.sr_muted_quota,
)
if not sr_ratelimit.record_and_check():
return self.send_error(403, errors.SUBREDDIT_RATELIMIT)
# Add the mute record but only if successful create the
# appropriate notifications, this prevents duplicate
# notifications from being sent
added = sr.add_muted(participant)
if not added:
return simplejson.dumps(
self._convo_to_serializable(conversation, all_messages=True))
MutedAccountsBySubreddit.mute(sr, participant, c.user)
permalink = conversation.make_permalink()
# Create the appropriate objects to be displayed on the
# mute moderation log, use the permalink to the new modmail
# system
ModAction.create(sr,
c.user,
'muteuser',
target=participant,
description=permalink)
sr.add_rel_note('muted', participant, permalink)
# Add the muted mod action to the conversation
conversation.add_action(c.user, 'muted', commit=True)
result = self._get_updated_convo(conversation.id, c.user)
result['user'] = self._get_modmail_userinfo(conversation, sr=sr)
return simplejson.dumps(result)
@require_oauth2_scope('identity')
@validate(conversation=VModConversation('conversation_id'))
def POST_unmute_participant(self, conversation):
if conversation.is_internal or conversation.is_auto:
return self.send_error(400, errors.CANT_RESTRICT_MODERATOR)
sr = Subreddit._by_fullname(conversation.owner_fullname)
try:
participant = conversation.get_participant_account()
except NotFound:
abort(404, errors.USER_DOESNT_EXIST)
if not c.user_is_admin:
if not sr.is_moderator_with_perms(c.user, 'access', 'mail'):
return self.send_error(403, errors.INVALID_MOD_PERMISSIONS)
removed = sr.remove_muted(participant)
if not removed:
return simplejson.dumps(
self._convo_to_serializable(conversation, all_messages=True))
MutedAccountsBySubreddit.unmute(sr, participant)
ModAction.create(sr, c.user, 'unmuteuser', target=participant)
conversation.add_action(c.user, 'unmuted', commit=True)
result = self._get_updated_convo(conversation.id, c.user)
result['user'] = self._get_modmail_userinfo(conversation, sr=sr)
return simplejson.dumps(result)
def _get_modmail_userinfo(self, conversation, sr=None):
if conversation.is_internal:
raise ValueError('Cannot get userinfo for internal conversations')
if not sr:
sr = Subreddit._by_fullname(conversation.owner_fullname)
# Retrieve the participant associated with the conversation
try:
account = conversation.get_participant_account()
if not account:
raise ValueError('No account associated with convo')
permatimeout = (account.in_timeout
and account.days_remaining_in_timeout == 0)
if account._deleted or permatimeout:
raise ValueError('User info is inaccessible')
except NotFound:
raise NotFound('Unable to retrieve conversation participant')
# Fetch the mute and ban status of the participant as it relates
# to the subreddit associated with the conversation.
mute_status = sr.is_muted(account)
ban_status = sr.is_banned(account)
# Parse the ban status and retrieve the length of the ban,
# then output the data into a serialiazable dict
ban_result = {
'isBanned': bool(ban_status),
'reason': '',
'endDate': None,
'isPermanent': False
}
if ban_status:
ban_result['reason'] = getattr(ban_status, 'note', '')
ban_duration = sr.get_tempbans('banned', account.name)
ban_duration = ban_duration.get(account.name)
if ban_duration:
ban_result['endDate'] = ban_duration.isoformat()
else:
ban_result['isPermanent'] = True
ban_result['endDate'] = None
# Parse the mute status and retrieve the length of the ban,
# then output the data into the serialiazable dict
mute_result = {
'isMuted': bool(mute_status),
'endDate': None,
'reason': ''
}
if mute_status:
mute_result['reason'] = getattr(mute_status, 'note', '')
muted_items = sr.get_muted_items(account.name)
mute_duration = muted_items.get(account.name)
if mute_duration:
mute_result['endDate'] = mute_duration.isoformat()
# Retrieve the participants post and comment fullnames from cache
post_fullnames = []
comment_fullnames = []
if not account._spam:
post_fullnames = list(queries.get_submitted(account, 'new',
'all'))[:100]
comment_fullnames = list(
queries.get_comments(account, 'new', 'all'))[:100]
# Retrieve the associated link objects for posts and comments
# using the retrieve fullnames, afer the link objects are retrieved
# create a serializable dict with the the necessary information from
# the endpoint.
lookup_fullnames = list(set(post_fullnames) | set(comment_fullnames))
posts = Thing._by_fullname(lookup_fullnames)
serializable_posts = {}
for fullname in post_fullnames:
if len(serializable_posts) == 3:
break
post = posts[fullname]
if post.sr_id == sr._id and not post._deleted:
serializable_posts[fullname] = {
'title': post.title,
'permalink': post.make_permalink(sr, force_domain=True),
'date': post._date.isoformat(),
}
# Extract the users most recent comments associated with the
# subreddit
sr_comments = []
for fullname in comment_fullnames:
if len(sr_comments) == 3:
break
comment = posts[fullname]
if comment.sr_id == sr._id and not comment._deleted:
sr_comments.append(comment)
# Retrieve all associated link objects (combines lookup)
comment_links = Link._byID(
[sr_comment.link_id for sr_comment in sr_comments])
# Serialize all of the user's sr comments
serializable_comments = {}
for sr_comment in sr_comments:
comment_link = comment_links[sr_comment.link_id]
comment_body = sr_comment.body
if len(comment_body) > 140:
comment_body = '{:.140}...'.format(comment_body)
serializable_comments[sr_comment._fullname] = {
'title':
comment_link.title,
'comment':
comment_body,
'permalink':
sr_comment.make_permalink(comment_link, sr, force_domain=True),
'date':
sr_comment._date.isoformat(),
}
return {
'id': account._fullname,
'name': account.name,
'created': account._date.isoformat(),
'banStatus': ban_result,
'isShadowBanned': account._spam,
'muteStatus': mute_result,
'recentComments': serializable_comments,
'recentPosts': serializable_posts,
}
def _get_updated_convo(self, convo_id, user):
# Retrieve updated conversation to be returned
updated_convo = ModmailConversation._byID(convo_id, current_user=user)
return self._convo_to_serializable(updated_convo, all_messages=True)
def _convo_to_serializable(self, conversation, all_messages=False):
serialized_convo = conversation.to_serializable(
all_messages=all_messages, current_user=c.user)
messages = serialized_convo.pop('messages')
mod_actions = serialized_convo.pop('modActions')
return {
'conversations': serialized_convo,
'messages': messages,
'modActions': mod_actions,
}
def _validate_vmodconversation(self):
if (errors.CONVERSATION_NOT_FOUND, 'conversation_id') in c.errors:
return self.send_error(404, errors.CONVERSATION_NOT_FOUND)
def _get_conversation_access(self, ids):
validated_convos = []
conversations = ModmailConversation._byID(ids)
# fetch all srs that a user has modmail permissions to
# transform sr to be a dict with a key being the sr fullname
# and the value being the sr object itself
modded_srs = c.user.moderated_subreddits('mail')
sr_by_fullname = {
sr._fullname: sr
for sr in modded_srs
if feature.is_enabled('new_modmail', subreddit=sr.name)
}
for conversation in tup(conversations):
if sr_by_fullname.get(conversation.owner_fullname):
validated_convos.append(conversation)
else:
raise ValueError('Invalid conversation id(s).')
return validated_convos
def _try_get_byID(self,
ids,
thing_class,
return_dict=True,
ignore_missing=False):
"""Helper method to lookup objects by id for a
given model or return a 404 if not found"""
try:
return thing_class._byID(ids,
return_dict=return_dict,
ignore_missing=ignore_missing)
except NotFound:
return self.send_error(404,
errors.THING_NOT_FOUND,
explanation='{} not found'.format(
thing_class.__name__))
except:
return self.send_error(422, 'Invalid request')
def _try_get_subreddit_access(self, conversation, admin_override=False):
sr = Subreddit._by_fullname(conversation.owner_fullname)
self._feature_enabled_check(sr)
if (not sr.is_moderator_with_perms(c.user, 'mail')
and not (admin_override and c.user_is_admin)):
return self.send_error(
403,
errors.SUBREDDIT_NO_ACCESS,
)
return sr
def _feature_enabled_check(self, sr):
if not feature.is_enabled('new_modmail', subreddit=sr.name):
return self.send_error(403, errors.SR_FEATURE_NOT_ENABLED)
def send_error(self, code, error, fields=None, explanation=None):
abort(
reddit_http_error(
code=code or error.code,
error_name=error,
explanation=explanation,
fields=tup(fields),
))
class OAuth2AccessController(MinimalController):
def pre(self):
set_extension(request.environ, "json")
MinimalController.pre(self)
require_https()
c.oauth2_client = self._get_client_auth()
def _get_client_auth(self):
auth = request.headers.get("Authorization")
try:
client_id, client_secret = parse_http_basic(auth)
client = OAuth2Client.get_token(client_id)
require(client)
require(constant_time_compare(client.secret, client_secret))
return client
except RequirementException:
abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])
@validate(grant_type=VOneOf("grant_type",
("authorization_code", "refresh_token")),
code=nop("code"),
refresh_token=VOAuth2RefreshToken("refresh_token"),
redirect_uri=VRequired("redirect_uri",
errors.OAUTH2_INVALID_REDIRECT_URI))
def POST_access_token(self, grant_type, code, refresh_token, redirect_uri):
"""
Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
or refresh token (from [/api/v1/authorize](#api_method_authorize)) for
an access token.
On success, returns a URL-encoded dictionary containing
**access_token**, **token_type**, **expires_in**, and **scope**.
If an authorization code for a permanent grant was given, a
**refresh_token** will be included. If there is a problem, an **error**
parameter will be returned instead.
Must be called using SSL, and must contain a HTTP `Authorization:`
header which contains the application's client identifier as the
username and client secret as the password. (The client id and secret
are visible on the [app preferences page](/prefs/apps).)
Per the OAuth specification, **grant_type** must
be ``authorization_code`` for the initial access token or
``refresh_token`` for renewing the access token. In either case,
**redirect_uri** must exactly match the value that was used in the call
to [/api/v1/authorize](#api_method_authorize) that created this grant.
"""
resp = {}
if not (code or refresh_token):
c.errors.add("NO_TEXT", field=("code", "refresh_token"))
if not c.errors:
access_token = None
if grant_type == "authorization_code":
auth_token = OAuth2AuthorizationCode.use_token(
code, c.oauth2_client._id, redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope)
access_token = OAuth2AccessToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope,
refresh_token._id if refresh_token else None)
elif grant_type == "refresh_token" and refresh_token:
access_token = OAuth2AccessToken._new(
refresh_token.client_id,
refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
if access_token:
resp["access_token"] = access_token._id
resp["token_type"] = access_token.token_type
resp["expires_in"] = int(
access_token._ttl) if access_token._ttl else None
resp["scope"] = access_token.scope
if refresh_token:
resp["refresh_token"] = refresh_token._id
else:
resp["error"] = "invalid_grant"
else:
if (errors.INVALID_OPTION, "grant_type") in c.errors:
resp["error"] = "unsupported_grant_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return self.api_wrapper(resp)
class WikiApiController(WikiController):
@validate(VModhash(),
pageandprevious=VWikiPageRevise(('page', 'previous'), restricted=True),
content=VMarkdown(('content'), renderer='wiki'),
page_name=VWikiPageName('page'),
reason=VPrintable('reason', 256))
@api_doc(api_section.wiki, uri='/api/wiki/edit')
def POST_wiki_edit(self, pageandprevious, content, page_name, reason):
page, previous = pageandprevious
if not page:
error = c.errors.get(('WIKI_CREATE_ERROR', 'page'))
if error:
self.handle_error(403, **(error.msg_params or {}))
if not c.user._spam:
page = WikiPage.create(c.site, page_name)
if c.user._spam:
error = _("You are doing that too much, please try again later.")
self.handle_error(415, 'SPECIAL_ERRORS', special_errors=[error])
# Use the raw POST value as we need to tell the difference between
# None/Undefined and an empty string. The validators use a default
# value with both of those cases and would need to be changed.
# In order to avoid breaking functionality, this was done instead.
previous = previous._id if previous else request.post.get('previous')
try:
if page.name == 'config/stylesheet':
report, parsed = c.site.parse_css(content, verify=False)
if report is None: # g.css_killswitch
self.handle_error(403, 'STYLESHEET_EDIT_DENIED')
if report.errors:
error_items = [x.message for x in sorted(report.errors)]
self.handle_error(415, 'SPECIAL_ERRORS', special_errors=error_items)
c.site.change_css(content, parsed, previous, reason=reason)
else:
try:
page.revise(content, previous, c.user._id36, reason=reason)
except ContentLengthError as e:
self.handle_error(403, 'CONTENT_LENGTH_ERROR', max_length=e.max_length)
# continue storing the special pages as data attributes on the subreddit
# object. TODO: change this to minimize subreddit get sizes.
if page.special:
setattr(c.site, ATTRIBUTE_BY_PAGE[page.name], content)
setattr(c.site, "prev_" + ATTRIBUTE_BY_PAGE[page.name] + "_id", str(page.revision))
c.site._commit()
if page.special or c.is_wiki_mod:
description = modactions.get(page.name, 'Page %s edited' % page.name)
ModAction.create(c.site, c.user, 'wikirevise', details=description)
except ConflictException as e:
self.handle_error(409, 'EDIT_CONFLICT', newcontent=e.new, newrevision=page.revision, diffcontent=e.htmldiff)
return json.dumps({})
@validate(VModhash(),
VWikiModerator(),
page=VWikiPage('page'),
act=VOneOf('act', ('del', 'add')),
user=VExistingUname('username'))
@api_doc(api_section.wiki, uri='/api/wiki/alloweditor/:act')
def POST_wiki_allow_editor(self, act, page, user):
if not user:
self.handle_error(404, 'UNKNOWN_USER')
elif act == 'del':
page.remove_editor(user._id36)
elif act == 'add':
page.add_editor(user._id36)
else:
self.handle_error(400, 'INVALID_ACTION')
return json.dumps({})
@validate(VModhash(),
VWikiModerator(),
pv=VWikiPageAndVersion(('page', 'revision')))
@api_doc(api_section.wiki, uri='/api/wiki/hide')
def POST_wiki_revision_hide(self, pv):
page, revision = pv
if not revision:
self.handle_error(400, 'INVALID_REVISION')
return json.dumps({'status': revision.toggle_hide()})
@validate(VModhash(),
VWikiModerator(),
pv=VWikiPageAndVersion(('page', 'revision')))
@api_doc(api_section.wiki, uri='/api/wiki/revert')
def POST_wiki_revision_revert(self, pv):
page, revision = pv
if not revision:
self.handle_error(400, 'INVALID_REVISION')
content = revision.content
reason = 'reverted back %s' % timesince(revision.date)
if page.name == 'config/stylesheet':
report, parsed = c.site.parse_css(content)
if report.errors:
self.handle_error(403, 'INVALID_CSS')
c.site.change_css(content, parsed, prev=None, reason=reason, force=True)
else:
try:
page.revise(content, author=c.user._id36, reason=reason, force=True)
# continue storing the special pages as data attributes on the subreddit
# object. TODO: change this to minimize subreddit get sizes.
if page.special:
setattr(c.site, ATTRIBUTE_BY_PAGE[page.name], content)
setattr(c.site, "prev_" + ATTRIBUTE_BY_PAGE[page.name] + "_id", page.revision)
c.site._commit()
except ContentLengthError as e:
self.handle_error(403, 'CONTENT_LENGTH_ERROR', max_length=e.max_length)
return json.dumps({})
def pre(self):
WikiController.pre(self)
c.render_style = 'api'
set_extension(request.environ, 'json')
class OAuth2FrontendController(RedditController):
def check_for_bearer_token(self):
pass
def pre(self):
RedditController.pre(self)
require_https()
def _abort_oauth_error(self, error):
g.stats.simple_event('oauth2.errors.%s' % error)
abort(BadRequestError(error))
def _check_redirect_uri(self, client, redirect_uri):
if (errors.OAUTH2_INVALID_CLIENT, 'client_id') in c.errors:
self._abort_oauth_error(errors.OAUTH2_INVALID_CLIENT)
if not redirect_uri or redirect_uri != client.redirect_uri:
self._abort_oauth_error(errors.OAUTH2_INVALID_REDIRECT_URI)
def _check_response_type_and_scope(self, response_type, scope):
if (errors.INVALID_OPTION, 'response_type') in c.errors:
self._abort_oauth_error(errors.OAUTH2_INVALID_RESPONSE_TYPE)
if (errors.OAUTH2_INVALID_SCOPE, 'scope') in c.errors:
self._abort_oauth_error(errors.OAUTH2_INVALID_SCOPE)
def _check_client_type_and_duration(self, response_type, client, duration):
if response_type == "token" and client.is_confidential():
# Prevent "confidential" clients from distributing tokens
# in a non-confidential manner
self._abort_oauth_error(errors.OAUTH2_CONFIDENTIAL_TOKEN)
if response_type == "token" and duration != "temporary":
# implicit grant -> No refresh tokens allowed
self._abort_oauth_error(errors.OAUTH2_NO_REFRESH_TOKENS_ALLOWED)
def _error_response(self, state, redirect_uri, as_fragment=False):
"""Return an error redirect."""
resp = {"state": state}
if (errors.OAUTH2_ACCESS_DENIED, "authorize") in c.errors:
resp["error"] = "access_denied"
elif (errors.INVALID_MODHASH, None) in c.errors:
resp["error"] = "access_denied"
else:
resp["error"] = "invalid_request"
final_redirect = _update_redirect_uri(redirect_uri, resp, as_fragment)
return self.redirect(final_redirect, code=302)
def _check_employee_grants(self, client, scope):
if not c.user.employee or not client or not scope:
return
if client._id in g.employee_approved_clients:
return
if client._id in g.mobile_auth_allowed_clients:
return
# The identity scope doesn't leak much, and we don't mind if employees
# prove their identity to some external service
if scope.scopes == {"identity"}:
return
error_page = RedditError(
title=_('this app has not been approved for use with employee accounts'),
message="",
)
request.environ["usable_error_content"] = error_page.render()
self.abort403()
@validate(VUser(),
response_type = VOneOf("response_type", ("code", "token")),
client = VOAuth2ClientID(),
redirect_uri = VRequired("redirect_uri", errors.OAUTH2_INVALID_REDIRECT_URI),
scope = VOAuth2Scope(),
state = VRequired("state", errors.NO_TEXT),
duration = VOneOf("duration", ("temporary", "permanent"),
default="temporary"))
def GET_authorize(self, response_type, client, redirect_uri, scope, state,
duration):
"""
First step in [OAuth 2.0](http://oauth.net/2/) authentication.
End users will be prompted for their credentials (username/password)
and asked if they wish to authorize the application identified by
the **client_id** parameter with the permissions specified by the
**scope** parameter. They are then redirected to the endpoint on
the client application's side specified by **redirect_uri**.
If the user granted permission to the application, the response will
contain a **code** parameter with a temporary authorization code
which can be exchanged for an access token at
[/api/v1/access_token](#api_method_access_token).
**redirect_uri** must match the URI configured for the client in the
[app preferences](/prefs/apps). All errors will show a 400 error
page along with some information on what option was wrong.
"""
self._check_employee_grants(client, scope)
# Check redirect URI first; it will ensure client exists
self._check_redirect_uri(client, redirect_uri)
self._check_response_type_and_scope(response_type, scope)
self._check_client_type_and_duration(response_type, client, duration)
if not c.errors:
return OAuth2AuthorizationPage(client, redirect_uri, scope, state,
duration, response_type).render()
else:
self._abort_oauth_error(errors.INVALID_OPTION)
@validate(VUser(),
VModhash(fatal=False),
client = VOAuth2ClientID(),
redirect_uri = VRequired("redirect_uri", errors.OAUTH2_INVALID_REDIRECT_URI),
scope = VOAuth2Scope(),
state = VRequired("state", errors.NO_TEXT),
duration = VOneOf("duration", ("temporary", "permanent"),
default="temporary"),
authorize = VRequired("authorize", errors.OAUTH2_ACCESS_DENIED),
response_type = VOneOf("response_type", ("code", "token"),
default="code"))
def POST_authorize(self, authorize, client, redirect_uri, scope, state,
duration, response_type):
"""Endpoint for OAuth2 authorization."""
self._check_employee_grants(client, scope)
self._check_redirect_uri(client, redirect_uri)
self._check_response_type_and_scope(response_type, scope)
self._check_client_type_and_duration(response_type, client, duration)
if c.errors:
return self._error_response(state, redirect_uri,
as_fragment=(response_type == "token"))
if response_type == "code":
code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
c.user._id36, scope,
duration == "permanent")
resp = {"code": code._id, "state": state}
final_redirect = _update_redirect_uri(redirect_uri, resp)
g.stats.simple_event('oauth2.POST_authorize.authorization_code_create')
elif response_type == "token":
device_id = get_device_id(client)
token = OAuth2AccessToken._new(
client_id=client._id,
user_id=c.user._id36,
scope=scope,
device_id=device_id,
)
resp = OAuth2AccessController._make_new_token_response(token)
resp["state"] = state
final_redirect = _update_redirect_uri(redirect_uri, resp, as_fragment=True)
g.stats.simple_event('oauth2.POST_authorize.access_token_create')
# If this is the first time the user is logging in with an official
# mobile app, gild them
if (g.live_config.get('mobile_gild_first_login') and
not c.user.has_used_mobile_app and
client._id in g.mobile_auth_gild_clients):
buyer = Account.system_user()
admintools.adjust_gold_expiration(
c.user, days=g.mobile_auth_gild_time)
create_gift_gold(
buyer._id, c.user._id, g.mobile_auth_gild_time,
datetime.now(g.tz), signed=True, note='first_mobile_auth')
subject = 'Let there be gold! Reddit just sent you Reddit gold!'
message = (
"Thank you for using the Reddit mobile app! As a thank you "
"for logging in during launch week, you've been gifted %s of "
"Reddit Gold.\n\n"
"Reddit Gold is Reddit's premium membership program, which "
"grants you: \n"
"An ads-free experience in Reddit's mobile apps, and\n"
"Extra site features on desktop\n\n"
"Discuss and get help on the features and perks at "
"r/goldbenefits."
) % g.mobile_auth_gild_message
message += '\n\n' + strings.gold_benefits_msg
send_system_message(c.user, subject, message, add_to_sent=False)
c.user.has_used_mobile_app = True
c.user._commit()
return self.redirect(final_redirect, code=302)
class StripeController(GoldPaymentController):
name = 'stripe'
webhook_secret = g.STRIPE_WEBHOOK_SECRET
event_type_mappings = {
'charge.succeeded': 'succeeded',
'charge.failed': 'failed',
'charge.refunded': 'refunded',
'charge.dispute.created': 'noop',
'charge.dispute.updated': 'noop',
'charge.dispute.closed': 'noop',
'customer.created': 'noop',
'customer.card.created': 'noop',
'customer.card.deleted': 'noop',
'transfer.created': 'noop',
'transfer.paid': 'noop',
'balance.available': 'noop',
'invoice.created': 'noop',
'invoice.updated': 'noop',
'invoice.payment_succeeded': 'noop',
'invoice.payment_failed': 'failed_subscription',
'invoiceitem.deleted': 'noop',
'customer.subscription.created': 'noop',
'customer.deleted': 'noop',
'customer.updated': 'noop',
'customer.subscription.deleted': 'noop',
'customer.subscription.trial_will_end': 'noop',
'customer.subscription.updated': 'noop',
'dummy': 'noop',
}
@classmethod
def process_response(cls):
event_dict = json.loads(request.body)
event = stripe.Event.construct_from(event_dict, g.STRIPE_SECRET_KEY)
status = event.type
if status == 'invoice.created':
# sent 1 hr before a subscription is charged or immediately for
# a new subscription
invoice = event.data.object
customer_id = invoice.customer
account = account_from_stripe_customer_id(customer_id)
# if the charge hasn't been attempted (meaning this is 1 hr before
# the charge) check that the account can receive the gold
if (not invoice.attempted
and (not account or (account and account._banned))):
# there's no associated account - delete the subscription
# to cancel the charge
g.log.error('no account for stripe invoice: %s', invoice)
try:
customer = stripe.Customer.retrieve(customer_id)
customer.delete()
except stripe.InvalidRequestError:
pass
elif status == 'invoice.payment_failed':
invoice = event.data.object
customer_id = invoice.customer
buyer = account_from_stripe_customer_id(customer_id)
webhook = Webhook(subscr_id=customer_id, buyer=buyer)
return status, webhook
event_type = cls.event_type_mappings.get(status)
if not event_type:
raise ValueError('Stripe: unrecognized status %s' % status)
elif event_type == 'noop':
return status, None
charge = event.data.object
description = charge.description
invoice_id = charge.invoice
transaction_id = 'S%s' % charge.id
pennies = charge.amount
months, days = months_and_days_from_pennies(pennies)
if status == 'charge.failed' and invoice_id:
# we'll get an additional failure notification event of
# "invoice.payment_failed", don't double notify
return 'dummy', None
elif status == 'charge.failed' and not description:
# create_customer can POST successfully but fail to create a
# customer because the card is declined. This will trigger a
# 'charge.failed' notification but without description so we can't
# do anything with it
return 'dummy', None
elif invoice_id:
# subscription charge - special handling
customer_id = charge.customer
buyer = account_from_stripe_customer_id(customer_id)
if not buyer:
charge_date = datetime.fromtimestamp(charge.created, tz=g.tz)
# don't raise exception if charge date is within the past hour
# db replication lag may cause the account lookup to fail
if charge_date < timeago('1 hour'):
raise ValueError('no buyer for charge: %s' % charge.id)
else:
abort(404, "not found")
webhook = Webhook(transaction_id=transaction_id,
subscr_id=customer_id,
pennies=pennies,
months=months,
goldtype='autorenew',
buyer=buyer)
return status, webhook
else:
try:
passthrough, buyer_name = description.split('-', 1)
except (AttributeError, ValueError):
g.log.error('stripe_error on charge: %s', charge)
raise
webhook = Webhook(passthrough=passthrough,
transaction_id=transaction_id,
pennies=pennies,
months=months)
return status, webhook
@classmethod
@handle_stripe_error
def create_customer(cls, form, token):
description = c.user.name
customer = stripe.Customer.create(card=token, description=description)
if (customer['active_card']['address_line1_check'] == 'fail'
or customer['active_card']['address_zip_check'] == 'fail'):
form.set_html('.status', _('error: address verification failed'))
form.find('.stripe-submit').removeAttr('disabled').end()
return None
elif customer['active_card']['cvc_check'] == 'fail':
form.set_html('.status', _('error: cvc check failed'))
form.find('.stripe-submit').removeAttr('disabled').end()
return None
else:
return customer
@classmethod
@handle_stripe_error
def charge_customer(cls, form, customer, pennies, passthrough):
charge = stripe.Charge.create(amount=pennies,
currency="usd",
customer=customer['id'],
description='%s-%s' %
(passthrough, c.user.name))
return charge
@classmethod
@handle_stripe_error
def set_creditcard(cls, form, user, token):
if not user.has_stripe_subscription:
return
customer = stripe.Customer.retrieve(user.gold_subscr_id)
customer.card = token
customer.save()
return customer
@classmethod
@handle_stripe_error
def set_subscription(cls, form, customer, plan_id):
subscription = customer.update_subscription(plan=plan_id)
return subscription
@classmethod
@handle_stripe_error
def cancel_subscription(cls, form, user):
if not user.has_stripe_subscription:
return
customer = stripe.Customer.retrieve(user.gold_subscr_id)
customer.delete()
user.gold_subscr_id = None
user._commit()
subject = _('your gold subscription has been cancelled')
message = _('if you have any questions please email %(email)s')
message %= {'email': g.goldthanks_email}
send_system_message(user, subject, message)
return customer
@validatedForm(VUser(),
token=nop('stripeToken'),
passthrough=VPrintable("passthrough", max_length=50),
pennies=VInt('pennies'),
months=VInt("months"),
period=VOneOf("period", ("monthly", "yearly")))
def POST_goldcharge(self, form, jquery, token, passthrough, pennies,
months, period):
"""
Submit charge to stripe.
Called by GoldPayment form. This submits the charge to stripe, and gold
will be applied once we receive a webhook from stripe.
"""
try:
payment_blob = validate_blob(passthrough)
except GoldException as e:
# This should never happen. All fields in the payment_blob
# are validated on creation
form.set_html('.status',
_('something bad happened, try again later'))
g.log.debug('POST_goldcharge: %s' % e.message)
return
if period:
plan_id = (g.STRIPE_MONTHLY_GOLD_PLAN
if period == 'monthly' else g.STRIPE_YEARLY_GOLD_PLAN)
if c.user.has_gold_subscription:
form.set_html(
'.status',
_('your account already has a gold subscription'))
return
else:
plan_id = None
penny_months, days = months_and_days_from_pennies(pennies)
if not months or months != penny_months:
form.set_html('.status', _('stop trying to trick the form'))
return
customer = self.create_customer(form, token)
if not customer:
return
if period:
subscription = self.set_subscription(form, customer, plan_id)
if not subscription:
return
c.user.gold_subscr_id = customer.id
c.user._commit()
status = _('subscription created')
subject = _('reddit gold subscription')
body = _('Your subscription is being processed and reddit gold '
'will be delivered shortly.')
else:
charge = self.charge_customer(form, customer, pennies, passthrough)
if not charge:
return
status = _('payment submitted')
subject = _('reddit gold payment')
body = _('Your payment is being processed and reddit gold '
'will be delivered shortly.')
form.set_html('.status', status)
body = append_random_bottlecap_phrase(body)
send_system_message(c.user, subject, body, distinguished='gold-auto')
@validatedForm(VUser(), VModhash(), token=nop('stripeToken'))
def POST_modify_subscription(self, form, jquery, token):
customer = self.set_creditcard(form, c.user, token)
if not customer:
return
form.set_html('.status', _('your payment details have been updated'))
@validatedForm(VUser(), VModhash(), user=VByName('user'))
def POST_cancel_subscription(self, form, jquery, user):
if user != c.user and not c.user_is_admin:
self.abort403()
customer = self.cancel_subscription(form, user)
if not customer:
return
form.set_html(".status", _("your subscription has been cancelled"))
class RobinController(RedditController):
def pre(self):
RedditController.pre(self)
if not feature.is_enabled("robin"):
self.abort404()
@validate(
VUser(),
VNotInTimeout(),
)
def GET_join(self):
room = RobinRoom.get_room_for_user(c.user)
if room:
return self.redirect("/robin")
return RobinPage(
title="robin",
content=RobinJoin(
robin_heavy_load=g.live_config.get('robin_heavy_load')),
).render()
@validate(
VAdmin(), )
def GET_all(self):
return RobinPage(
title="robin",
content=RobinAll(),
).render()
@validate(
VAdmin(), )
def GET_admin(self):
return RobinPage(
title="robin",
content=RobinAdmin(),
).render()
@validate(
VUser(),
VNotInTimeout(),
)
def GET_chat(self):
room = RobinRoom.get_room_for_user(c.user)
if not room:
return self.redirect("/robin/join")
return self._get_chat_page(room)
@validate(
VAdmin(),
room=VRobinRoom("room_id", allow_admin=True),
)
def GET_force_room(self, room):
"""Allow admins to view a specific room"""
return self._get_chat_page(room)
@validate(
VAdmin(),
user=VAccountByName("user"),
)
def GET_user_room(self, user):
"""Redirect admins to a user's room"""
room = RobinRoom.get_room_for_user(user)
if not room:
self.abort404()
self.redirect("/robin/" + room.id)
def _get_chat_page(self, room):
path = posixpath.join("/robin", room.id, c.user._id36)
websocket_url = websockets.make_url(path, max_age=3600)
all_user_ids = room.get_all_participants()
all_present_ids = room.get_present_participants()
all_votes = room.get_all_votes()
users = Account._byID(all_user_ids, data=True, stale=True)
user_list = []
for user in users.itervalues():
if user._id in all_votes:
vote = all_votes.get(user._id)
else:
vote = None
user_list.append({
"name": user.name,
"present": user._id in all_present_ids,
"vote": vote,
})
return RobinChatPage(
title="chat in %s" % room.name,
content=RobinChat(room=room),
extra_js_config={
"robin_room_is_continued": room.is_continued,
"robin_room_name": room.name,
"robin_room_id": room.id,
"robin_websocket_url": websocket_url,
"robin_user_list": user_list,
"robin_room_date": js_timestamp(room.date),
"robin_room_reap_time": js_timestamp(get_reap_time(room)),
},
).render()
def _has_exceeded_ratelimit(self, form, room):
# grab the ratelimit (as average events per second) for the room's
# current level, using the highest level configured that's not bigger
# than the room. e.g. if ratelimits are defined for levels 1, 2, and 4
# and the room is level 3, this will give us the ratelimit specified
# for 2.
desired_avg_per_sec = 1
by_level = g.live_config.get("robin_ratelimit_avg_per_sec", {})
for level, avg_per_sec in sorted(by_level.items(),
key=lambda (x, y): int(x)):
if int(level) > room.level:
break
desired_avg_per_sec = avg_per_sec
# now figure out how many events per window that means
window_size = g.live_config.get("robin_ratelimit_window", 10)
allowed_events_per_window = int(desired_avg_per_sec * window_size)
try:
# now figure out how much they've actually used
ratelimit_key = "robin/{}".format(c.user._id36)
time_slice = ratelimit.get_timeslice(window_size)
usage = ratelimit.get_usage(ratelimit_key, time_slice)
# ratelimit them if too much
if usage >= allowed_events_per_window:
g.stats.simple_event("robin.ratelimit.exceeded")
period_end = datetime.datetime.utcfromtimestamp(time_slice.end)
period_end_utc = period_end.replace(tzinfo=pytz.UTC)
until_reset = utils.timeuntil(period_end_utc)
c.errors.add(errors.RATELIMIT, {"time": until_reset},
field="ratelimit",
code=429)
form.has_errors("ratelimit", errors.RATELIMIT)
return True
# or record the usage and move on
ratelimit.record_usage(ratelimit_key, time_slice)
except ratelimit.RatelimitError as exc:
g.log.warning("ratelimit error: %s", exc)
return False
@validatedForm(
VUser(),
VNotInTimeout(),
VModhash(),
room=VRobinRoom("room_id"),
message=VLength("message", max_length=140), # TODO: do we want md?
)
def POST_message(self, form, jquery, room, message):
if self._has_exceeded_ratelimit(form, room):
return
if form.has_errors("message", errors.NO_TEXT, errors.TOO_LONG):
return
websockets.send_broadcast(
namespace="/robin/" + room.id,
type="chat",
payload={
"from": c.user.name,
"body": message,
},
)
events.message(
room=room,
message=message,
sent_dt=datetime.datetime.utcnow(),
context=c,
request=request,
)
@validatedForm(
VUser(),
VNotInTimeout(),
VModhash(),
room=VRobinRoom("room_id"),
vote=VOneOf("vote", VALID_VOTES),
)
def POST_vote(self, form, jquery, room, vote):
if self._has_exceeded_ratelimit(form, room):
return
if not vote:
# TODO: error return?
return
g.stats.simple_event('robin.vote.%s' % vote)
room.set_vote(c.user, vote)
websockets.send_broadcast(
namespace="/robin/" + room.id,
type="vote",
payload={
"from": c.user.name,
"vote": vote,
},
)
events.vote(
room=room,
vote=vote,
sent_dt=datetime.datetime.utcnow(),
context=c,
request=request,
)
@validatedForm(
VUser(),
VNotInTimeout(),
VModhash(),
)
def POST_join_room(self, form, jquery):
if g.live_config.get('robin_heavy_load'):
request.environ["usable_error_content"] = (
"Robin is currently experience high load.")
abort(503)
room = RobinRoom.get_room_for_user(c.user)
if room:
# user is already in a room, they should get redirected by the
# frontend after polling /api/room_assignment.json
return
add_to_waitinglist(c.user)
@validatedForm(
VUser(),
VModhash(),
)
def POST_leave_room(self, form, jquery):
room = RobinRoom.get_room_for_user(c.user)
if not room:
return
room.remove_participants([c.user])
websockets.send_broadcast(
namespace="/robin/" + room.id,
type="users_abandoned",
payload={
"users": [c.user.name],
},
)
@json_validate(
VUser(),
VNotInTimeout(),
)
def GET_room_assignment(self, responder):
room = RobinRoom.get_room_for_user(c.user)
if room:
return {"roomId": room.id}
@validatedForm(
VAdmin(),
VModhash(),
)
def POST_admin_prompt(self, form, jquery):
prompt_for_voting()
@validatedForm(
VAdmin(),
VModhash(),
)
def POST_admin_reap(self, form, jquery):
reap_ripe_rooms()
@validatedForm(
VAdmin(),
VModhash(),
message=VLength("message", max_length=140),
)
def POST_admin_broadcast(self, form, jquery, message):
if form.has_errors("message", errors.NO_TEXT, errors.TOO_LONG):
return
websockets.send_broadcast(
namespace="/robin",
type="system_broadcast",
payload={
"body": message,
},
)
)
from r2.lib.pages.things import wrap_things
from r2.lib.jsontemplates import (
LabeledMultiJsonTemplate,
LabeledMultiDescriptionJsonTemplate,
)
from r2.lib.errors import errors, RedditError
multi_sr_data_json_spec = VValidatedJSON.Object({
'name':
VSubredditName('name', allow_language_srs=True),
})
multi_json_spec = VValidatedJSON.Object({
'visibility':
VOneOf('visibility', ('private', 'public')),
'subreddits':
VValidatedJSON.ArrayOf(multi_sr_data_json_spec),
})
multi_description_json_spec = VValidatedJSON.Object({
'body_md':
VMarkdownLength('body_md', max_length=10000, empty_error=None),
})
class MultiApiController(RedditController):
on_validation_error = staticmethod(abort_with_error)
def pre(self):
set_extension(request.environ, "json")
class PromoteApiController(ApiController):
@json_validate(sr=VSubmitSR('sr', promotion=True),
collection=VCollection('collection'),
location=VLocation(),
start=VDate('startdate'),
end=VDate('enddate'))
def GET_check_inventory(self, responder, sr, collection, location, start,
end):
if collection:
target = Target(collection)
sr = None
else:
sr = sr or Frontpage
target = Target(sr.name)
if not allowed_location_and_target(location, target):
return abort(403, 'forbidden')
available = inventory.get_available_pageviews(target,
start,
end,
location=location,
datestr=True)
return {'inventory': available}
@validatedForm(VSponsorAdmin(),
VModhash(),
link=VLink("link_id36"),
campaign=VPromoCampaign("campaign_id36"))
def POST_freebie(self, form, jquery, link, campaign):
if not link or not campaign or link._id != campaign.link_id:
return abort(404, 'not found')
if campaign_has_oversold_error(form, campaign):
form.set_text(".freebie", _("target oversold, can't freebie"))
return
if promote.is_promo(link) and campaign:
promote.free_campaign(link, campaign, c.user)
form.redirect(promote.promo_edit_url(link))
@validatedForm(VSponsorAdmin(),
VModhash(),
link=VByName("link"),
note=nop("note"))
def POST_promote_note(self, form, jquery, link, note):
if promote.is_promo(link):
text = PromotionLog.add(link, note)
form.find(".notes").children(":last").after("<p>" + websafe(text) +
"</p>")
@noresponse(VSponsorAdmin(), VModhash(), thing=VByName('id'))
def POST_promote(self, thing):
if promote.is_promo(thing):
promote.accept_promotion(thing)
@noresponse(VSponsorAdmin(),
VModhash(),
thing=VByName('id'),
reason=nop("reason"))
def POST_unpromote(self, thing, reason):
if promote.is_promo(thing):
promote.reject_promotion(thing, reason=reason)
@validatedForm(VSponsorAdmin(),
VModhash(),
link=VLink('link'),
campaign=VPromoCampaign('campaign'))
def POST_refund_campaign(self, form, jquery, link, campaign):
if not link or not campaign or link._id != campaign.link_id:
return abort(404, 'not found')
billable_impressions = promote.get_billable_impressions(campaign)
billable_amount = promote.get_billable_amount(campaign,
billable_impressions)
refund_amount = promote.get_refund_amount(campaign, billable_amount)
if refund_amount > 0:
promote.refund_campaign(link, campaign, billable_amount,
billable_impressions)
form.set_text('.status', _('refund succeeded'))
else:
form.set_text('.status', _('refund not needed'))
@validatedForm(
VSponsor('link_id36'),
VModhash(),
VRatelimit(rate_user=True, rate_ip=True, prefix='create_promo_'),
VShamedDomain('url'),
username=VLength('username', 100, empty_error=None),
l=VLink('link_id36'),
title=VTitle('title'),
url=VUrl('url', allow_self=False),
selftext=VMarkdownLength('text', max_length=40000),
kind=VOneOf('kind', ['link', 'self']),
disable_comments=VBoolean("disable_comments"),
sendreplies=VBoolean("sendreplies"),
media_url=VUrl("media_url",
allow_self=False,
valid_schemes=('http', 'https')),
gifts_embed_url=VUrl("gifts_embed_url",
allow_self=False,
valid_schemes=('http', 'https')),
media_url_type=VOneOf("media_url_type", ("redditgifts", "scrape")),
media_autoplay=VBoolean("media_autoplay"),
media_override=VBoolean("media-override"),
domain_override=VLength("domain", 100),
is_managed=VBoolean("is_managed"),
)
def POST_edit_promo(self, form, jquery, username, l, title, url, selftext,
kind, disable_comments, sendreplies, media_url,
media_autoplay, media_override, gifts_embed_url,
media_url_type, domain_override, is_managed):
should_ratelimit = False
if not c.user_is_sponsor:
should_ratelimit = True
if not should_ratelimit:
c.errors.remove((errors.RATELIMIT, 'ratelimit'))
# check for user override
if not l and c.user_is_sponsor and username:
try:
user = Account._by_name(username)
except NotFound:
c.errors.add(errors.USER_DOESNT_EXIST, field="username")
form.set_error(errors.USER_DOESNT_EXIST, "username")
return
if not user.email:
c.errors.add(errors.NO_EMAIL_FOR_USER, field="username")
form.set_error(errors.NO_EMAIL_FOR_USER, "username")
return
if not user.email_verified:
c.errors.add(errors.NO_VERIFIED_EMAIL, field="username")
form.set_error(errors.NO_VERIFIED_EMAIL, "username")
return
else:
user = c.user
# check for shame banned domains
if form.has_errors("url", errors.DOMAIN_BANNED):
g.stats.simple_event('spam.shame.link')
return
# demangle URL in canonical way
if url:
if isinstance(url, (unicode, str)):
form.set_inputs(url=url)
elif isinstance(url, tuple) or isinstance(url[0], Link):
# there's already one or more links with this URL, but
# we're allowing mutliple submissions, so we really just
# want the URL
url = url[0].url
if kind == 'link':
if form.has_errors('url', errors.NO_URL, errors.BAD_URL):
return
# users can change the disable_comments on promoted links
if ((not l or not promote.is_promoted(l))
and (form.has_errors('title', errors.NO_TEXT, errors.TOO_LONG)
or jquery.has_errors('ratelimit', errors.RATELIMIT))):
return
if kind == 'self' and form.has_errors('text', errors.TOO_LONG):
return
if not l:
# creating a new promoted link
l = promote.new_promotion(title, url if kind == 'link' else 'self',
selftext if kind == 'self' else '', user,
request.ip)
l.domain_override = domain_override or None
if c.user_is_sponsor:
l.managed_promo = is_managed
l._commit()
form.redirect(promote.promo_edit_url(l))
elif not promote.is_promo(l):
return
# changing link type is not allowed
if ((l.is_self and kind == 'link')
or (not l.is_self and kind == 'self')):
c.errors.add(errors.NO_CHANGE_KIND, field="kind")
form.set_error(errors.NO_CHANGE_KIND, "kind")
return
changed = False
# live items can only be changed by a sponsor, and also
# pay the cost of de-approving the link
if not promote.is_promoted(l) or c.user_is_sponsor:
if title and title != l.title:
l.title = title
changed = not c.user_is_sponsor
if kind == 'link' and url and url != l.url:
l.url = url
changed = not c.user_is_sponsor
# only trips if the title and url are changed by a non-sponsor
if changed:
promote.unapprove_promotion(l)
# selftext can be changed at any time
if kind == 'self':
l.selftext = selftext
# comment disabling and sendreplies is free to be changed any time.
l.disable_comments = disable_comments
l.sendreplies = sendreplies
if c.user_is_sponsor:
if (form.has_errors("media_url", errors.BAD_URL)
or form.has_errors("gifts_embed_url", errors.BAD_URL)):
return
scraper_embed = media_url_type == "scrape"
media_url = media_url or None
gifts_embed_url = gifts_embed_url or None
if c.user_is_sponsor and scraper_embed and media_url != l.media_url:
if media_url:
media = _scrape_media(media_url,
autoplay=media_autoplay,
save_thumbnail=False,
use_cache=True)
if media:
l.set_media_object(media.media_object)
l.set_secure_media_object(media.secure_media_object)
l.media_url = media_url
l.gifts_embed_url = None
l.media_autoplay = media_autoplay
else:
c.errors.add(errors.SCRAPER_ERROR, field="media_url")
form.set_error(errors.SCRAPER_ERROR, "media_url")
return
else:
l.set_media_object(None)
l.set_secure_media_object(None)
l.media_url = None
l.gifts_embed_url = None
l.media_autoplay = False
if (c.user_is_sponsor and not scraper_embed
and gifts_embed_url != l.gifts_embed_url):
if gifts_embed_url:
parsed = UrlParser(gifts_embed_url)
if not is_subdomain(parsed.hostname, "redditgifts.com"):
c.errors.add(errors.BAD_URL, field="gifts_embed_url")
form.set_error(errors.BAD_URL, "gifts_embed_url")
return
iframe = """
<iframe class="redditgifts-embed"
src="%(embed_url)s"
width="710" height="500" scrolling="no"
frameborder="0" allowfullscreen>
</iframe>
""" % {
'embed_url': websafe(gifts_embed_url)
}
media_object = {
'oembed': {
'description': 'redditgifts embed',
'height': 500,
'html': iframe,
'provider_name': 'redditgifts',
'provider_url': 'http://www.redditgifts.com/',
'title': 'redditgifts secret santa 2014',
'type': 'rich',
'width': 710
},
'type': 'redditgifts'
}
l.set_media_object(media_object)
l.set_secure_media_object(media_object)
l.media_url = None
l.gifts_embed_url = gifts_embed_url
l.media_autoplay = False
else:
l.set_media_object(None)
l.set_secure_media_object(None)
l.media_url = None
l.gifts_embed_url = None
l.media_autoplay = False
if c.user_is_sponsor:
l.media_override = media_override
l.domain_override = domain_override or None
l.managed_promo = is_managed
l._commit()
form.redirect(promote.promo_edit_url(l))
@validatedForm(VSponsorAdmin(),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
reference_date=promote.promo_datetime_now),
sr=VSubmitSR('sr', promotion=True))
def POST_add_roadblock(self, form, jquery, dates, sr):
if (form.has_errors('startdate', errors.BAD_DATE) or form.has_errors(
'enddate', errors.BAD_DATE, errors.BAD_DATE_RANGE)):
return
if form.has_errors('sr', errors.SUBREDDIT_NOEXIST,
errors.SUBREDDIT_NOTALLOWED,
errors.SUBREDDIT_REQUIRED):
return
if dates and sr:
sd, ed = dates
PromotedLinkRoadblock.add(sr, sd, ed)
jquery.refresh()
@validatedForm(VSponsorAdmin(),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
reference_date=promote.promo_datetime_now),
sr=VSubmitSR('sr', promotion=True))
def POST_rm_roadblock(self, form, jquery, dates, sr):
if dates and sr:
sd, ed = dates
PromotedLinkRoadblock.remove(sr, sd, ed)
jquery.refresh()
@validatedForm(
VSponsor('link_id36'),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
earliest=timedelta(days=g.min_promote_future),
latest=timedelta(days=g.max_promote_future),
reference_date=promote.promo_datetime_now,
business_days=True,
sponsor_override=True),
link=VLink('link_id36'),
bid=VFloat('bid', coerce=False),
target=VPromoTarget(),
campaign_id36=nop("campaign_id36"),
priority=VPriority("priority"),
location=VLocation(),
)
def POST_edit_campaign(self, form, jquery, link, campaign_id36, dates, bid,
target, priority, location):
if not link:
return
if not target:
# run form.has_errors to populate the errors in the response
form.has_errors('sr', errors.SUBREDDIT_NOEXIST,
errors.SUBREDDIT_NOTALLOWED,
errors.SUBREDDIT_REQUIRED)
form.has_errors('collection', errors.COLLECTION_NOEXIST)
form.has_errors('targeting', errors.INVALID_TARGET)
return
start, end = dates or (None, None)
if not allowed_location_and_target(location, target):
return abort(403, 'forbidden')
cpm = PromotionPrices.get_price(target, location)
if (form.has_errors('startdate', errors.BAD_DATE,
errors.DATE_TOO_EARLY, errors.DATE_TOO_LATE)
or form.has_errors('enddate', errors.BAD_DATE,
errors.DATE_TOO_EARLY, errors.DATE_TOO_LATE,
errors.BAD_DATE_RANGE)):
return
# check that start is not so late that authorization hold will expire
if not c.user_is_sponsor:
max_start = promote.get_max_startdate()
if start > max_start:
c.errors.add(
errors.DATE_TOO_LATE,
msg_params={'day': max_start.strftime("%m/%d/%Y")},
field='startdate')
form.has_errors('startdate', errors.DATE_TOO_LATE)
return
# Limit the number of PromoCampaigns a Link can have
# Note that the front end should prevent the user from getting
# this far
existing_campaigns = list(PromoCampaign._by_link(link._id))
if len(existing_campaigns) > g.MAX_CAMPAIGNS_PER_LINK:
c.errors.add(errors.TOO_MANY_CAMPAIGNS,
msg_params={'count': g.MAX_CAMPAIGNS_PER_LINK},
field='title')
form.has_errors('title', errors.TOO_MANY_CAMPAIGNS)
return
campaign = None
if campaign_id36:
try:
campaign = PromoCampaign._byID36(campaign_id36)
except NotFound:
pass
if campaign and link._id != campaign.link_id:
return abort(404, 'not found')
if priority.cpm:
min_bid = 0 if c.user_is_sponsor else g.min_promote_bid
max_bid = None if c.user_is_sponsor else g.max_promote_bid
if bid is None or bid < min_bid or (max_bid and bid > max_bid):
c.errors.add(errors.BAD_BID,
field='bid',
msg_params={
'min': min_bid,
'max': max_bid or g.max_promote_bid
})
form.has_errors('bid', errors.BAD_BID)
return
# you cannot edit the bid of a live ad unless it's a freebie
if (campaign and bid != campaign.bid
and promote.is_live_promo(link, campaign)
and not campaign.is_freebie()):
c.errors.add(errors.BID_LIVE, field='bid')
form.has_errors('bid', errors.BID_LIVE)
return
else:
bid = 0. # Set bid to 0 as dummy value
is_frontpage = (not target.is_collection
and target.subreddit_name == Frontpage.name)
if not target.is_collection and not is_frontpage:
# targeted to a single subreddit, check roadblock
sr = target.subreddits_slow[0]
roadblock = PromotedLinkRoadblock.is_roadblocked(sr, start, end)
if roadblock and not c.user_is_sponsor:
msg_params = {
"start": roadblock[0].strftime('%m/%d/%Y'),
"end": roadblock[1].strftime('%m/%d/%Y')
}
c.errors.add(errors.OVERSOLD,
field='sr',
msg_params=msg_params)
form.has_errors('sr', errors.OVERSOLD)
return
# Check inventory
campaign = campaign if campaign_id36 else None
if not priority.inventory_override:
oversold = has_oversold_error(form, campaign, start, end, bid, cpm,
target, location)
if oversold:
return
if campaign:
promote.edit_campaign(link, campaign, dates, bid, cpm, target,
priority, location)
else:
campaign = promote.new_campaign(link, dates, bid, cpm, target,
priority, location)
rc = RenderableCampaign.from_campaigns(link, campaign)
jquery.update_campaign(campaign._fullname, rc.render_html())
@validatedForm(VSponsor('link_id36'),
VModhash(),
l=VLink('link_id36'),
campaign=VPromoCampaign("campaign_id36"))
def POST_delete_campaign(self, form, jquery, l, campaign):
if not campaign or not l or l._id != campaign.link_id:
return abort(404, 'not found')
promote.delete_campaign(l, campaign)
@validatedForm(VSponsorAdmin(),
VModhash(),
link=VLink('link_id36'),
campaign=VPromoCampaign("campaign_id36"))
def POST_terminate_campaign(self, form, jquery, link, campaign):
if not link or not campaign or link._id != campaign.link_id:
return abort(404, 'not found')
promote.terminate_campaign(link, campaign)
rc = RenderableCampaign.from_campaigns(link, campaign)
jquery.update_campaign(campaign._fullname, rc.render_html())
@validatedForm(VSponsor('link'),
VModhash(),
link=VByName("link"),
campaign=VPromoCampaign("campaign"),
customer_id=VInt("customer_id", min=0),
pay_id=VInt("account", min=0),
edit=VBoolean("edit"),
address=ValidAddress([
"firstName", "lastName", "company", "address", "city",
"state", "zip", "country", "phoneNumber"
]),
creditcard=ValidCard(
["cardNumber", "expirationDate", "cardCode"]))
def POST_update_pay(self, form, jquery, link, campaign, customer_id,
pay_id, edit, address, creditcard):
if not g.authorizenetapi:
return
if not link or not campaign or link._id != campaign.link_id:
return abort(404, 'not found')
# Check inventory
if campaign_has_oversold_error(form, campaign):
return
# check that start is not so late that authorization hold will expire
max_start = promote.get_max_startdate()
if campaign.start_date > max_start:
msg = _("please change campaign start date to %(date)s or earlier")
date = format_date(max_start, format="short", locale=c.locale)
msg %= {'date': date}
form.set_text(".status", msg)
return
# check the campaign start date is still valid (user may have created
# the campaign a few days ago)
now = promote.promo_datetime_now()
min_start = now + timedelta(days=g.min_promote_future)
if campaign.start_date.date() < min_start.date():
msg = _("please change campaign start date to %(date)s or later")
date = format_date(min_start, format="short", locale=c.locale)
msg %= {'date': date}
form.set_text(".status", msg)
return
address_modified = not pay_id or edit
if address_modified:
address_fields = [
"firstName", "lastName", "company", "address", "city", "state",
"zip", "country", "phoneNumber"
]
card_fields = ["cardNumber", "expirationDate", "cardCode"]
if (form.has_errors(address_fields, errors.BAD_ADDRESS)
or form.has_errors(card_fields, errors.BAD_CARD)):
return
pay_id = edit_profile(c.user, address, creditcard, pay_id)
reason = None
if pay_id:
success, reason = promote.auth_campaign(link, campaign, c.user,
pay_id)
if success:
form.redirect(promote.promo_edit_url(link))
return
msg = reason or _("failed to authenticate card. sorry.")
form.set_text(".status", msg)
@validate(VSponsor("link_name"),
VModhash(),
link=VByName('link_name'),
file=VUploadLength('file', 500 * 1024),
img_type=VImageType('img_type'))
def POST_link_thumb(self, link=None, file=None, img_type='jpg'):
if link and (not promote.is_promoted(link) or c.user_is_sponsor):
errors = dict(BAD_CSS_NAME="", IMAGE_ERROR="")
# thumnails for promoted links can change and therefore expire
force_thumbnail(link, file, file_type=".%s" % img_type)
if any(errors.values()):
return UploadedImage("",
"",
"upload",
errors=errors,
form_id="image-upload").render()
else:
link._commit()
return UploadedImage(_('saved'),
thumbnail_url(link),
"",
errors=errors,
form_id="image-upload").render()
class ApidocsController(RedditController):
@staticmethod
def docs_from_controller(controller, url_prefix='/api', oauth_only=False):
"""
Examines a controller for documentation. A dictionary index of
sections containing dictionaries of URLs is returned. For each URL, a
dictionary of HTTP methods (GET, POST, etc.) is contained. For each
URL/method pair, a dictionary containing the following items is
available:
- `doc`: Markdown-formatted docstring.
- `uri`: Manually-specified URI to list the API method as
- `uri_variants`: Alternate URIs to access the API method from
- `supports_rss`: Indicates the URI also supports rss consumption
- `parameters`: Dictionary of possible parameter names and descriptions.
- `extends`: API method from which to inherit documentation
- `json_model`: The JSON model used instead of normal POST parameters
"""
api_docs = defaultdict(lambda: defaultdict(dict))
for name, func in controller.__dict__.iteritems():
method, sep, action = name.partition('_')
if not action:
continue
valid_methods = ('GET', 'POST', 'PUT', 'DELETE', 'PATCH')
api_doc = getattr(func, '_api_doc', None)
if api_doc and 'section' in api_doc and method in valid_methods:
docs = {}
docs['doc'] = inspect.getdoc(func)
if 'extends' in api_doc:
docs.update(api_doc['extends'])
# parameters are handled separately.
docs['parameters'] = {}
docs.update(api_doc)
# hide parameters that don't need to be public
if 'parameters' in api_doc:
docs['parameters'].pop('timeout', None)
# append a message to the docstring if supplied
notes = docs.get("notes")
if notes:
notes = "\n".join(notes)
if docs["doc"]:
docs["doc"] += "\n\n" + notes
else:
docs["doc"] = notes
uri = docs.get('uri') or '/'.join((url_prefix, action))
docs['uri'] = uri
if 'supports_rss' not in docs:
docs['supports_rss'] = False
if api_doc['uses_site']:
docs["in-subreddit"] = True
oauth_perms = getattr(func, 'oauth2_perms', {})
oauth_allowed = oauth_perms.get('oauth2_allowed', False)
if not oauth_allowed:
# Endpoint is not available over OAuth
docs['oauth_scopes'] = []
else:
# [None] signifies to the template to state
# that the endpoint is accessible to any oauth client
docs['oauth_scopes'] = (oauth_perms['required_scopes']
or [None])
# add every variant to the index -- the templates will filter
# out variants in the long-form documentation
if oauth_only:
if not oauth_allowed:
continue
for scope in docs['oauth_scopes']:
for variant in chain([uri],
docs.get('uri_variants', [])):
api_docs[scope][variant][method] = docs
else:
for variant in chain([uri], docs.get('uri_variants', [])):
api_docs[docs['section']][variant][method] = docs
return api_docs
@validate(mode=VOneOf('mode',
options=('methods', 'oauth'),
default='methods'))
def GET_docs(self, mode):
# controllers to gather docs from.
from r2.controllers.api import ApiController, ApiminimalController
from r2.controllers.apiv1.user import APIv1UserController
from r2.controllers.apiv1.gold import APIv1GoldController
from r2.controllers.apiv1.scopes import APIv1ScopesController
from r2.controllers.captcha import CaptchaController
from r2.controllers.front import FrontController
from r2.controllers.wiki import WikiApiController, WikiController
from r2.controllers.multi import MultiApiController
from r2.controllers import listingcontroller
api_controllers = [
(APIv1UserController, '/api/v1'),
(APIv1GoldController, '/api/v1'),
(APIv1ScopesController, '/api/v1'),
(ApiController, '/api'),
(ApiminimalController, '/api'),
(WikiApiController, '/api/wiki'),
(WikiController, '/wiki'),
(MultiApiController, '/api/multi'),
(CaptchaController, ''),
(FrontController, ''),
]
for name, value in vars(listingcontroller).iteritems():
if name.endswith('Controller'):
api_controllers.append((value, ''))
# bring in documented plugin controllers
api_controllers.extend(g.plugins.get_documented_controllers())
# merge documentation info together.
api_docs = defaultdict(dict)
oauth_index = defaultdict(set)
for controller, url_prefix in api_controllers:
controller_docs = self.docs_from_controller(
controller, url_prefix, mode == 'oauth')
for section, contents in controller_docs.iteritems():
api_docs[section].update(contents)
for variant, method_dict in contents.iteritems():
for method, docs in method_dict.iteritems():
for scope in docs['oauth_scopes']:
oauth_index[scope].add((section, variant, method))
return BoringPage(_('api documentation'),
content=ApiHelp(
api_docs=api_docs,
oauth_index=oauth_index,
mode=mode,
),
css_class="api-help",
show_sidebar=False,
show_infobar=False).render()
class OAuth2FrontendController(RedditController):
def check_for_bearer_token(self):
pass
def pre(self):
RedditController.pre(self)
require_https()
def _check_redirect_uri(self, client, redirect_uri):
if not redirect_uri or not client or redirect_uri != client.redirect_uri:
abort(ForbiddenError(errors.OAUTH2_INVALID_REDIRECT_URI))
def _error_response(self, state, redirect_uri, as_fragment=False):
"""Return an error redirect, but only if client_id and redirect_uri are valid."""
resp = {"state": state}
if (errors.OAUTH2_INVALID_CLIENT, "client_id") in c.errors:
resp["error"] = "unauthorized_client"
elif (errors.OAUTH2_ACCESS_DENIED, "authorize") in c.errors:
resp["error"] = "access_denied"
elif (errors.BAD_HASH, None) in c.errors:
resp["error"] = "access_denied"
elif (errors.INVALID_OPTION, "response_type") in c.errors:
resp["error"] = "unsupported_response_type"
elif (errors.OAUTH2_INVALID_SCOPE, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
final_redirect = _update_redirect_uri(redirect_uri, resp, as_fragment)
return self.redirect(final_redirect, code=302)
@validate(VUser(),
response_type=VOneOf("response_type", ("code", "token")),
client=VOAuth2ClientID(),
redirect_uri=VRequired("redirect_uri",
errors.OAUTH2_INVALID_REDIRECT_URI),
scope=VOAuth2Scope(),
state=VRequired("state", errors.NO_TEXT),
duration=VOneOf("duration", ("temporary", "permanent"),
default="temporary"))
def GET_authorize(self, response_type, client, redirect_uri, scope, state,
duration):
"""
First step in [OAuth 2.0](http://oauth.net/2/) authentication.
End users will be prompted for their credentials (username/password)
and asked if they wish to authorize the application identified by
the **client_id** parameter with the permissions specified by the
**scope** parameter. They are then redirected to the endpoint on
the client application's side specified by **redirect_uri**.
If the user granted permission to the application, the response will
contain a **code** parameter with a temporary authorization code
which can be exchanged for an access token at
[/api/v1/access_token](#api_method_access_token).
**redirect_uri** must match the URI configured for the client in the
[app preferences](/prefs/apps). If **client_id** or **redirect_uri**
is not valid, or if the call does not take place over SSL, a 403
error will be returned. For all other errors, a redirect to
**redirect_uri** will be returned, with a **error** parameter
indicating why the request failed.
"""
# Check redirect URI first; it will ensure client exists
self._check_redirect_uri(client, redirect_uri)
if response_type == "token" and client.is_confidential():
# Prevent "confidential" clients from distributing tokens
# in a non-confidential manner
c.errors.add((errors.OAUTH2_INVALID_CLIENT, "client_id"))
if response_type == "token" and duration != "temporary":
# implicit grant -> No refresh tokens allowed
c.errors.add((errors.INVALID_OPTION, "duration"))
if not c.errors:
return OAuth2AuthorizationPage(client, redirect_uri, scope, state,
duration, response_type).render()
else:
return self._error_response(state,
redirect_uri,
as_fragment=(response_type == "token"))
@validate(VUser(),
VModhash(fatal=False),
client=VOAuth2ClientID(),
redirect_uri=VRequired("redirect_uri",
errors.OAUTH2_INVALID_REDIRECT_URI),
scope=VOAuth2Scope(),
state=VRequired("state", errors.NO_TEXT),
duration=VOneOf("duration", ("temporary", "permanent"),
default="temporary"),
authorize=VRequired("authorize", errors.OAUTH2_ACCESS_DENIED),
response_type=VOneOf("response_type", ("code", "token"),
default="code"))
def POST_authorize(self, authorize, client, redirect_uri, scope, state,
duration, response_type):
"""Endpoint for OAuth2 authorization."""
if response_type == "token" and client.is_confidential():
# Prevent "confidential" clients from distributing tokens
# in a non-confidential manner
c.errors.add((errors.OAUTH2_INVALID_CLIENT, "client_id"))
if response_type == "token" and duration != "temporary":
# implicit grant -> No refresh tokens allowed
c.errors.add((errors.INVALID_OPTION, "duration"))
self._check_redirect_uri(client, redirect_uri)
if c.errors:
return self._error_response(state,
redirect_uri,
as_fragment=(response_type == "token"))
if response_type == "code":
code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
c.user._id36, scope,
duration == "permanent")
resp = {"code": code._id, "state": state}
final_redirect = _update_redirect_uri(redirect_uri, resp)
elif response_type == "token":
token = OAuth2AccessToken._new(client._id, c.user._id36, scope)
token_data = OAuth2AccessController._make_token_dict(token)
token_data["state"] = state
final_redirect = _update_redirect_uri(redirect_uri,
token_data,
as_fragment=True)
return self.redirect(final_redirect, code=302)
class PromoteController(ListingController):
where = 'promoted'
render_cls = PromotePage
@property
def title_text(self):
return _('promoted by you')
def keep_fn(self):
def keep(item):
if item.promoted and not item._deleted:
return True
else:
return False
return keep
def query(self):
if c.user_is_sponsor:
if self.sort == "future_promos":
return queries.get_all_unapproved_links()
elif self.sort == "pending_promos":
return queries.get_all_accepted_links()
elif self.sort == "unpaid_promos":
return queries.get_all_unpaid_links()
elif self.sort == "rejected_promos":
return queries.get_all_rejected_links()
elif self.sort == "live_promos":
return queries.get_all_live_links()
return queries.get_all_promoted_links()
else:
if self.sort == "future_promos":
return queries.get_unapproved_links(c.user._id)
elif self.sort == "pending_promos":
return queries.get_accepted_links(c.user._id)
elif self.sort == "unpaid_promos":
return queries.get_unpaid_links(c.user._id)
elif self.sort == "rejected_promos":
return queries.get_rejected_links(c.user._id)
elif self.sort == "live_promos":
return queries.get_live_links(c.user._id)
return queries.get_promoted_links(c.user._id)
@validate(VSponsor())
def GET_listing(self, sort="", **env):
if not c.user_is_loggedin or not c.user.email_verified:
return self.redirect("/ad_inq")
self.sort = sort
return ListingController.GET_listing(self, **env)
GET_index = GET_listing
@validate(VSponsor())
def GET_new_promo(self):
return PromotePage('content', content=PromoteLinkForm()).render()
@validate(VSponsor('link'),
link=VLink('link'))
def GET_edit_promo(self, link):
if not link or link.promoted is None:
return self.abort404()
rendered = wrap_links(link, wrapper=promote.sponsor_wrapper,
skip=False)
form = PromoteLinkForm(link=link,
listing=rendered,
timedeltatext="")
page = PromotePage('new_promo', content=form)
return page.render()
# For development. Should eventually replace GET_edit_promo
@validate(VSponsor('link'),
link=VLink('link'))
def GET_edit_promo_cpm(self, link):
if not link or link.promoted is None:
return self.abort404()
rendered = wrap_links(link, wrapper=promote.sponsor_wrapper,
skip=False)
form = PromoteLinkFormCpm(link=link,
listing=rendered,
timedeltatext="")
page = PromotePage('new_promo', content=form)
return page.render()
# admin only because the route might change
@validate(VSponsorAdmin('campaign'),
campaign=VPromoCampaign('campaign'))
def GET_edit_promo_campaign(self, campaign):
if not campaign:
return self.abort404()
link = Link._byID(campaign.link_id)
return self.redirect(promote.promo_edit_url(link))
@validate(VSponsor(),
dates=VDateRange(["startdate", "enddate"],
max_range=timedelta(days=28),
required=False))
def GET_graph(self, dates):
start, end, bad_dates = _check_dates(dates)
return PromotePage("graph",
content=Promote_Graph(
start, end, bad_dates=bad_dates)
).render()
@validate(VSponsorAdmin(),
dates=VDateRange(["startdate", "enddate"],
max_range=timedelta(days=28),
required=False))
def GET_admingraph(self, dates):
start, end, bad_dates = _check_dates(dates)
content = Promote_Graph(start, end, bad_dates=bad_dates,
admin_view=True)
if c.render_style == 'csv':
return content.as_csv()
return PromotePage("admingraph", content=content).render()
def GET_inventory(self, sr_name):
'''
Return available inventory data as json for use in ajax calls
'''
inv_start_date = promote.promo_datetime_now()
inv_end_date = inv_start_date + timedelta(60)
inventory = promote.get_available_impressions(
sr_name,
inv_start_date,
inv_end_date,
fuzzed=(not c.user_is_admin)
)
dates = []
impressions = []
max_imps = 0
for date, imps in inventory.iteritems():
dates.append(date.strftime("%m/%d/%Y"))
impressions.append(imps)
max_imps = max(max_imps, imps)
return json.dumps({'sr':sr_name,
'dates': dates,
'imps':impressions,
'max_imps':max_imps})
# ## POST controllers below
@validatedForm(VSponsorAdmin(),
link=VLink("link_id"),
campaign=VPromoCampaign("campaign_id36"))
def POST_freebie(self, form, jquery, link, campaign):
if promote.is_promo(link) and campaign:
promote.free_campaign(link, campaign, c.user)
form.redirect(promote.promo_edit_url(link))
@validatedForm(VSponsorAdmin(),
link=VByName("link"),
note=nop("note"))
def POST_promote_note(self, form, jquery, link, note):
if promote.is_promo(link):
text = PromotionLog.add(link, note)
form.find(".notes").children(":last").after(
"<p>" + text + "</p>")
@noresponse(VSponsorAdmin(),
thing=VByName('id'))
def POST_promote(self, thing):
if promote.is_promo(thing):
promote.accept_promotion(thing)
@noresponse(VSponsorAdmin(),
thing=VByName('id'),
reason=nop("reason"))
def POST_unpromote(self, thing, reason):
if promote.is_promo(thing):
promote.reject_promotion(thing, reason=reason)
@validatedForm(VSponsor('link_id'),
VModhash(),
VRatelimit(rate_user=True,
rate_ip=True,
prefix='create_promo_'),
l=VLink('link_id'),
title=VTitle('title'),
url=VUrl('url', allow_self=False, lookup=False),
ip=ValidIP(),
disable_comments=VBoolean("disable_comments"),
set_clicks=VBoolean("set_maximum_clicks"),
max_clicks=VInt("maximum_clicks", min=0),
set_views=VBoolean("set_maximum_views"),
max_views=VInt("maximum_views", min=0),
media_width=VInt("media-width", min=0),
media_height=VInt("media-height", min=0),
media_embed=VLength("media-embed", 1000),
media_override=VBoolean("media-override"),
domain_override=VLength("domain", 100)
)
def POST_edit_promo(self, form, jquery, ip, l, title, url,
disable_comments,
set_clicks, max_clicks,
set_views, max_views,
media_height, media_width, media_embed,
media_override, domain_override):
should_ratelimit = False
if not c.user_is_sponsor:
set_clicks = False
set_views = False
should_ratelimit = True
if not set_clicks:
max_clicks = None
if not set_views:
max_views = None
if not should_ratelimit:
c.errors.remove((errors.RATELIMIT, 'ratelimit'))
# demangle URL in canonical way
if url:
if isinstance(url, (unicode, str)):
form.set_inputs(url=url)
elif isinstance(url, tuple) or isinstance(url[0], Link):
# there's already one or more links with this URL, but
# we're allowing mutliple submissions, so we really just
# want the URL
url = url[0].url
# users can change the disable_comments on promoted links
if ((not l or not promote.is_promoted(l)) and
(form.has_errors('title', errors.NO_TEXT,
errors.TOO_LONG) or
form.has_errors('url', errors.NO_URL, errors.BAD_URL) or
jquery.has_errors('ratelimit', errors.RATELIMIT))):
return
if not l:
l = promote.new_promotion(title, url, c.user, ip)
elif promote.is_promo(l):
changed = False
# live items can only be changed by a sponsor, and also
# pay the cost of de-approving the link
trusted = c.user_is_sponsor or c.user.trusted_sponsor
if not promote.is_promoted(l) or trusted:
if title and title != l.title:
l.title = title
changed = not trusted
if url and url != l.url:
l.url = url
changed = not trusted
# only trips if the title and url are changed by a non-sponsor
if changed and not promote.is_unpaid(l):
promote.unapprove_promotion(l)
if trusted and promote.is_unapproved(l):
promote.accept_promotion(l)
if c.user_is_sponsor:
l.maximum_clicks = max_clicks
l.maximum_views = max_views
# comment disabling is free to be changed any time.
l.disable_comments = disable_comments
if c.user_is_sponsor or c.user.trusted_sponsor:
if media_embed and media_width and media_height:
l.media_object = dict(height=media_height,
width=media_width,
content=media_embed,
type='custom')
else:
l.media_object = None
l.media_override = media_override
if getattr(l, "domain_override", False) or domain_override:
l.domain_override = domain_override
l._commit()
form.redirect(promote.promo_edit_url(l))
@validate(VSponsorAdmin())
def GET_roadblock(self):
return PromotePage('content', content=Roadblocks()).render()
@validatedForm(VSponsorAdmin(),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
future=1,
reference_date=promote.promo_datetime_now,
business_days=False,
sponsor_override=True),
sr=VSubmitSR('sr', promotion=True))
def POST_add_roadblock(self, form, jquery, dates, sr):
if (form.has_errors('startdate', errors.BAD_DATE,
errors.BAD_FUTURE_DATE) or
form.has_errors('enddate', errors.BAD_DATE,
errors.BAD_FUTURE_DATE, errors.BAD_DATE_RANGE)):
return
if form.has_errors('sr', errors.SUBREDDIT_NOEXIST,
errors.SUBREDDIT_NOTALLOWED,
errors.SUBREDDIT_REQUIRED):
return
if dates and sr:
sd, ed = dates
promote.roadblock_reddit(sr.name, sd.date(), ed.date())
jquery.refresh()
@validatedForm(VSponsorAdmin(),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
future=1,
reference_date=promote.promo_datetime_now,
business_days=False,
sponsor_override=True),
sr=VSubmitSR('sr', promotion=True))
def POST_rm_roadblock(self, form, jquery, dates, sr):
if dates and sr:
sd, ed = dates
promote.unroadblock_reddit(sr.name, sd.date(), ed.date())
jquery.refresh()
@validatedForm(VSponsor('link_id'),
VModhash(),
dates=VDateRange(['startdate', 'enddate'],
future=1,
reference_date=promote.promo_datetime_now,
business_days=False,
sponsor_override=True),
l=VLink('link_id'),
bid=VFloat('bid', min=0, max=g.max_promote_bid,
coerce=False, error=errors.BAD_BID),
sr=VSubmitSR('sr', promotion=True),
campaign_id36=nop("campaign_id36"),
targeting=VLength("targeting", 10))
def POST_edit_campaign(self, form, jquery, l, campaign_id36,
dates, bid, sr, targeting):
if not l:
return
start, end = dates or (None, None)
if (start and end and not promote.is_accepted(l) and
not c.user_is_sponsor):
# if the ad is not approved already, ensure the start date
# is at least 2 days in the future
start = start.date()
end = end.date()
now = promote.promo_datetime_now()
future = make_offset_date(now, g.min_promote_future,
business_days=True)
if start < future.date():
c.errors.add(errors.BAD_FUTURE_DATE,
msg_params=dict(day=g.min_promote_future),
field="startdate")
if (form.has_errors('startdate', errors.BAD_DATE,
errors.BAD_FUTURE_DATE) or
form.has_errors('enddate', errors.BAD_DATE,
errors.BAD_FUTURE_DATE, errors.BAD_DATE_RANGE)):
return
# Limit the number of PromoCampaigns a Link can have
# Note that the front end should prevent the user from getting
# this far
existing_campaigns = list(PromoCampaign._by_link(l._id))
if len(existing_campaigns) > g.MAX_CAMPAIGNS_PER_LINK:
c.errors.add(errors.TOO_MANY_CAMPAIGNS,
msg_params={'count': g.MAX_CAMPAIGNS_PER_LINK},
field='title')
form.has_errors('title', errors.TOO_MANY_CAMPAIGNS)
return
duration = max((end - start).days, 1)
if form.has_errors('bid', errors.BAD_BID):
return
# minimum bid depends on user privilege and targeting, checked here
# instead of in the validator b/c current duration is needed
if c.user_is_sponsor:
min_daily_bid = 0
elif targeting == 'one':
min_daily_bid = g.min_promote_bid * 1.5
else:
min_daily_bid = g.min_promote_bid
if campaign_id36:
# you cannot edit the bid of a live ad unless it's a freebie
try:
campaign = PromoCampaign._byID36(campaign_id36)
if (bid != campaign.bid and
campaign.start_date < datetime.now(g.tz)
and not campaign.is_freebie()):
c.errors.add(errors.BID_LIVE, field='bid')
form.has_errors('bid', errors.BID_LIVE)
return
except NotFound:
pass
if bid is None or bid / duration < min_daily_bid:
c.errors.add(errors.BAD_BID, field='bid',
msg_params={'min': min_daily_bid,
'max': g.max_promote_bid})
form.has_errors('bid', errors.BAD_BID)
return
if targeting == 'one':
if form.has_errors('sr', errors.SUBREDDIT_NOEXIST,
errors.SUBREDDIT_NOTALLOWED,
errors.SUBREDDIT_REQUIRED):
# checking to get the error set in the form, but we can't
# check for rate-limiting if there's no subreddit
return
oversold = promote.is_roadblocked(sr.name, start, end)
if oversold and not c.user_is_sponsor:
msg_params = {"start": oversold[0].strftime('%m/%d/%Y'),
"end": oversold[1].strftime('%m/%d/%Y')}
c.errors.add(errors.OVERSOLD, field='sr',
msg_params=msg_params)
form.has_errors('sr', errors.OVERSOLD)
return
if targeting == 'none':
sr = None
if campaign_id36 is not None:
campaign = PromoCampaign._byID36(campaign_id36)
promote.edit_campaign(l, campaign, dates, bid, sr)
r = promote.get_renderable_campaigns(l, campaign)
jquery.update_campaign(r.campaign_id36, r.start_date, r.end_date,
r.duration, r.bid, r.sr, r.status)
else:
campaign = promote.new_campaign(l, dates, bid, sr)
r = promote.get_renderable_campaigns(l, campaign)
jquery.new_campaign(r.campaign_id36, r.start_date, r.end_date,
r.duration, r.bid, r.sr, r.status)
@validatedForm(VSponsor('link_id'),
VModhash(),
l=VLink('link_id'),
campaign=VPromoCampaign("campaign_id36"))
def POST_delete_campaign(self, form, jquery, l, campaign):
if l and campaign:
promote.delete_campaign(l, campaign)
@validatedForm(VSponsor('container'),
VModhash(),
user=VExistingUname('name'),
thing=VByName('container'))
def POST_traffic_viewer(self, form, jquery, user, thing):
"""
Adds a user to the list of users allowed to view a promoted
link's traffic page.
"""
if not form.has_errors("name",
errors.USER_DOESNT_EXIST, errors.NO_USER):
form.set_inputs(name="")
form.set_html(".status:first", _("added"))
if promote.add_traffic_viewer(thing, user):
user_row = TrafficViewerList(thing).user_row('traffic', user)
jquery("#traffic-table").show(
).find("table").insert_table_rows(user_row)
# send the user a message
msg = user_added_messages['traffic']['pm']['msg']
subj = user_added_messages['traffic']['pm']['subject']
if msg and subj:
d = dict(url=thing.make_permalink_slow(),
traffic_url=promote.promo_traffic_url(thing),
title=thing.title)
msg = msg % d
item, inbox_rel = Message._new(c.user, user,
subj, msg, request.ip)
queries.new_message(item, inbox_rel)
@validatedForm(VSponsor('container'),
VModhash(),
iuser=VByName('id'),
thing=VByName('container'))
def POST_rm_traffic_viewer(self, form, jquery, iuser, thing):
if thing and iuser:
promote.rm_traffic_viewer(thing, iuser)
@validatedForm(VSponsor('link'),
link=VByName("link"),
campaign=VPromoCampaign("campaign"),
customer_id=VInt("customer_id", min=0),
pay_id=VInt("account", min=0),
edit=VBoolean("edit"),
address=ValidAddress(
["firstName", "lastName", "company", "address",
"city", "state", "zip", "country", "phoneNumber"],
allowed_countries=g.allowed_pay_countries),
creditcard=ValidCard(["cardNumber", "expirationDate",
"cardCode"]))
def POST_update_pay(self, form, jquery, link, campaign, customer_id, pay_id,
edit, address, creditcard):
address_modified = not pay_id or edit
form_has_errors = False
if address_modified:
if (form.has_errors(["firstName", "lastName", "company", "address",
"city", "state", "zip",
"country", "phoneNumber"],
errors.BAD_ADDRESS) or
form.has_errors(["cardNumber", "expirationDate", "cardCode"],
errors.BAD_CARD)):
form_has_errors = True
elif g.authorizenetapi:
pay_id = edit_profile(c.user, address, creditcard, pay_id)
else:
pay_id = 1
# if link is in use or finished, don't make a change
if pay_id and not form_has_errors:
# valid bid and created or existing bid id.
# check if already a transaction
if g.authorizenetapi:
success, reason = promote.auth_campaign(link, campaign, c.user,
pay_id)
else:
success = True
if success:
form.redirect(promote.promo_edit_url(link))
else:
form.set_html(".status",
reason or
_("failed to authenticate card. sorry."))
@validate(VSponsor("link"),
link=VLink("link"),
campaign=VPromoCampaign("campaign"))
def GET_pay(self, link, campaign):
# no need for admins to play in the credit card area
if c.user_is_loggedin and c.user._id != link.author_id:
return self.abort404()
if not campaign.link_id == link._id:
return self.abort404()
if g.authorizenetapi:
data = get_account_info(c.user)
content = PaymentForm(link, campaign,
customer_id=data.customerProfileId,
profiles=data.paymentProfiles,
max_profiles=PROFILE_LIMIT)
else:
content = None
res = LinkInfoPage(link=link,
content=content,
show_sidebar=False)
return res.render()
def GET_link_thumb(self, *a, **kw):
"""
See GET_upload_sr_image for rationale
"""
return "nothing to see here."
@validate(VSponsor("link_id"),
link=VByName('link_id'),
file=VLength('file', 500 * 1024))
def POST_link_thumb(self, link=None, file=None):
if link and (not promote.is_promoted(link) or
c.user_is_sponsor or c.user.trusted_sponsor):
errors = dict(BAD_CSS_NAME="", IMAGE_ERROR="")
try:
# thumnails for promoted links can change and therefore expire
force_thumbnail(link, file, file_type=".jpg")
except cssfilter.BadImage:
# if the image doesn't clean up nicely, abort
errors["IMAGE_ERROR"] = _("bad image")
if any(errors.values()):
return UploadedImage("", "", "upload", errors=errors,
form_id="image-upload").render()
else:
link._commit()
return UploadedImage(_('saved'), thumbnail_url(link), "",
errors=errors,
form_id="image-upload").render()
@validate(VSponsorAdmin(),
launchdate=VDate('ondate'),
dates=VDateRange(['startdate', 'enddate']),
query_type=VOneOf('q', ('started_on', 'between'), default=None))
def GET_admin(self, launchdate=None, dates=None, query_type=None):
return PromoAdminTool(query_type=query_type,
launchdate=launchdate,
start=dates[0],
end=dates[1]).render()
