def getBill(self, key, *args, **kwargs):
"""
Returns the Bill for the given order.
"""
skel = self.viewSkel()
if "canView" in dir(self):
if not self.canView(key):
raise errors.Unauthorized()
else:
queryObj = self.viewSkel().all().mergeExternalFilter({"key": key})
queryObj = self.listFilter(queryObj) # Access control
if queryObj is None:
raise errors.Unauthorized()
bill = self.getBillPdf(key)
if not bill:
raise errors.NotFound()
request.current.get(
).response.headers['Content-Type'] = "application/pdf"
return (bill)
def view(self, *args, **kwargs):
"""
Prepares and renders the singleton entry for viewing.
The function performs several access control checks on the requested entity before it is rendered.
.. seealso:: :func:`viewSkel`, :func:`canView`, :func:`onViewed`
:returns: The rendered representation of the entity.
:raises: :exc:`server.errors.NotFound`, if there is no singleton entry existing, yet.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
"""
skel = self.viewSkel()
if not self.canView():
raise errors.Unauthorized()
key = db.Key(self.editSkel().kindName, self.getKey())
if not skel.fromDB(key):
raise errors.NotFound()
self.onViewed(skel)
return self.render.view(skel)
def setIndex(self, item, index, skey, *args, **kwargs):
"""
Changes the order of the elements in the current level by changing the index of *item*.
.. seealso:: :func:`canSetIndex`
:param item: URL-safe key of the item which index should be changed.
:type item: str
:param index: New index for this item. This value must be cast-able to float.
:type index: str
:returns: A rendered success result generated by the default renderer.
:raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
if not self.canSetIndex(item, index):
raise errors.Unauthorized()
fromItem = db.Get(item)
fromItem["sortindex"] = float(index)
db.Put(fromItem)
skel = self.editSkel()
assert skel.fromDB(item)
self.onItemSetIndex(skel)
self.onItemChanged(skel)
return self.render.setIndexSuccess(obj=fromItem)
def list(self, parent, *args, **kwargs):
"""
List the entries which are direct children of the given *parent*.
Any other supplied parameters are interpreted as filters for the elements displayed.
.. seealso:: :func:`canList`, :func:`server.db.mergeExternalFilter`
:param parent: URL-safe key of the parent.
:type parent: str
:returns: The rendered list objects for the matching entries.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.NotFound`, if *parent* could not be found.
"""
if not parent or not self.canList(parent):
raise errors.Unauthorized()
parentSkel = self.viewSkel()
if not parentSkel.fromDB(parent):
if not str(parent) in [
str(x["key"]) for x in self.getAvailableRootNodes()
]:
# It isn't a rootNode either
raise errors.NotFound()
else:
parentSkel = None
query = self.viewSkel().all()
query.mergeExternalFilter(kwargs)
query.filter("parententry", parent)
return self.render.list(query.fetch(),
parent=parent,
parentSkel=parentSkel)
def view(self, skelType, key, *args, **kwargs):
"""
Prepares and renders a single entry for viewing.
The entry is fetched by its *key* and its *skelType*.
The function performs several access control checks on the requested entity before it is rendered.
.. seealso:: :func:`canView`, :func:`onView`
:returns: The rendered representation of the requested entity.
:param skelType: May either be "node" or "leaf".
:type skelType: str
:param node: URL-safe key of the parent.
:type node: str
:raises: :exc:`server.errors.NotAcceptable`, when an incorrect *skelType* is provided.
:raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
"""
if not self._checkSkelType(skelType):
raise errors.NotAcceptable()
skel = self.viewSkel(skelType)
if not key:
raise errors.NotAcceptable()
# We return a single entry for viewing
if not skel.fromDB(key):
raise errors.NotFound()
if not self.canView(skelType, skel):
raise errors.Unauthorized()
self.onView(skel)
return self.render.view(skel)
def list(self, skelType, *args, **kwargs):
"""
Prepares and renders a list of entries.
All supplied parameters are interpreted as filters for the elements displayed.
Unlike other ViUR BasicApplications, the access control in this function is performed
by calling the function :func:`listFilter`, which updates the query-filter to match only
elements which the user is allowed to see.
.. seealso:: :func:`listFilter`, :func:`server.db.mergeExternalFilter`
:returns: The rendered list objects for the matching entries.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
"""
if not self._checkSkelType(skelType):
raise errors.NotAcceptable()
skel = self.viewSkel(skelType)
query = self.listFilter(
skel.all().mergeExternalFilter(kwargs)) # Access control
if query is None:
raise errors.Unauthorized()
res = query.fetch()
return self.render.list(res)
def logout(self, skey="", *args, **kwargs):
"""
Implements the logout action. It also terminates the current session (all keys not listed
in viur.session.persistentFieldsOnLogout will be lost).
"""
user = session.current.get("user")
if not user:
raise errors.Unauthorized()
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
self.onLogout(user)
oldSession = {k: v
for k, v in session.current.items()
} # Store all items in the current session
session.current.reset()
# Copy the persistent fields over
for k in conf["viur.session.persistentFieldsOnLogout"]:
if k in oldSession:
session.current[k] = oldSession[k]
del oldSession
return self.render.logoutSuccess()
def delete(self, key, skey, *args, **kwargs):
"""
Delete an entry.
The function runs several access control checks on the data before it is deleted.
.. seealso:: :func:`canDelete`, :func:`editSkel`, :func:`onDeleted`
:returns: The rendered, deleted object of the entry.
:raises: :exc:`viur.core.errors.NotFound`, when no entry with the given *key* was found.
:raises: :exc:`viur.core.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`viur.core.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
skel = self.editSkel()
if not skel.fromDB(key):
raise errors.NotFound()
if not self.canDelete(skel):
raise errors.Unauthorized()
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
self.onDelete(skel)
skel.delete()
self.onDeleted(skel)
return self.render.deleteSuccess(skel)
def add(self, skelType, node, *args, **kwargs):
"""
Add a new entry with the given parent *node*, and render the entry, eventually with error notes
on incorrect data. Data is taken by any other arguments in *kwargs*.
The function performs several access control checks on the requested entity before it is added.
.. seealso:: :func:`onItemAdded`, :func:`canAdd`
:param skelType: Defines the type of the new entry and may either be "node" or "leaf".
:type skelType: str
:param node: URL-safe key of the parent.
:type node: str
:returns: The rendered, added object of the entry, eventually with error hints.
:raises: :exc:`server.errors.NotAcceptable`, when no valid *skelType* was provided.
:raises: :exc:`server.errors.NotFound`, when no valid *node* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
if skelType == "node":
skel = self.viewSkel(TreeType.Node)
elif skelType == "leaf" and self.hasDistinctLeafs:
skel = self.viewSkel(TreeType.Leaf)
else:
raise errors.NotAcceptable()
# FIXME: IsValidParent?
#parentNodeSkel = self.editNodeSkel()
#if not parentNodeSkel.fromDB(node):
# raise errors.NotFound()
if not self.canAdd(skelType, node):
raise errors.Unauthorized()
if (len(kwargs) == 0 # no data supplied
or skey == "" # no security key
# or not request.current.get().isPostRequest fixme: POST-method check missing? # failure if not using POST-method
or not skel.fromClient(kwargs) # failure on reading into the bones
or ("bounce" in kwargs and kwargs["bounce"] == "1") # review before adding
):
return self.render.add(skel)
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
skel["parentdir"] = str(node)
skel["parentrepo"] = parentNodeSkel["parentrepo"] or str(node)
skel.toDB()
self.onItemAdded(skel)
return self.render.addItemSuccess(skel)
def reparent(self, item, dest, skey, *args, **kwargs):
"""
Moves an entry *item* (and everything beneath it) to another parent-node *dest*.
.. seealso:: :func:`canReparent`
:param item: URL-safe key of the item which will be moved.
:type item: str
:param dest: URL-safe key of the new parent for this item.
:type dest: str
:returns: A rendered success result generated by the default renderer.
:raises: :exc:`server.errors.NotFound`, when no entry with the given *id* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
if not self.canReparent(item, dest):
raise errors.Unauthorized()
if not self.isValidParent(dest) or item == dest:
raise errors.NotAcceptable()
## Test for recursion
isValid = False
currLevel = db.Get(dest)
for x in range(0, 99):
if str(currLevel.key()) == item:
break
if currLevel.key().kind(
) == self.viewSkel().kindName + "_rootNode":
# We reached a rootNode
isValid = True
break
currLevel = db.Get(currLevel["parententry"])
if not isValid:
raise errors.NotAcceptable()
## Update entry
fromItem = db.Get(item)
fromItem["parententry"] = dest
fromItem["parentrepo"] = str(self.getRootNode(dest).key())
db.Put(fromItem)
skel = self.editSkel()
assert skel.fromDB(item)
self.onItemReparent(skel)
self.onItemChanged(skel)
return self.render.reparentSuccess(obj=fromItem)
def edit(self, *args, **kwargs):
"""
Modify an existing entry, and render the entry, eventually with error notes on incorrect data.
Data is taken by any other arguments in *kwargs*.
The entry is fetched by its entity key, which either is provided via *kwargs["key"]*,
or as the first parameter in *args*. The function performs several access control checks
on the requested entity before it is modified.
.. seealso:: :func:`editSkel`, :func:`onItemEdited`, :func:`canEdit`
:returns: The rendered, edited object of the entry, eventually with error hints.
:raises: :exc:`server.errors.NotAcceptable`, when no *key* is provided.
:raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
if len(args) == 1:
key = args[0]
elif "key" in kwargs:
key = kwargs["key"]
else:
raise errors.NotAcceptable()
skel = self.editSkel()
if not skel.fromDB(key):
raise errors.NotAcceptable()
if not self.canEdit(skel):
raise errors.Unauthorized()
if (len(kwargs) == 0 # no data supplied
or skey == "" # no security key
or not request.current.get().
isPostRequest # failure if not using POST-method
or not skel.fromClient(
kwargs) # failure on reading into the bones
or ("bounce" in kwargs and kwargs["bounce"] == "1"
) # review before changing
):
return self.render.edit(skel)
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
skel.toDB() # write it!
self.onItemEdited(skel)
self.onItemChanged(skel)
return self.render.editItemSuccess(skel)
def structure(self, *args, **kwargs): """ :returns: Returns the structure of our skeleton as used in list/view. Values are the defaultValues set in each bone. :raises: :exc:`viur.core.errors.Unauthorized`, if the current user does not have the required permissions. """ skel = self.viewSkel() if not self.canView(): raise errors.Unauthorized() return self.render.view(skel)
def view(self, key, *args, **kwargs): """ Allow a special key "self" to reference always the current user """ if key == "self": user = self.getCurrentUser() if user: return super(User, self).view(str(user["key"].id_or_name), *args, **kwargs) else: raise errors.Unauthorized() return super(User, self).view(key, *args, **kwargs)
def view(self, skelType, key, *args, **kwargs): """ Prepares and renders a single entry for viewing. The entry is fetched by its *key* and its *skelType*. The function performs several access control checks on the requested entity before it is rendered. .. seealso:: :func:`canView`, :func:`onItemViewed` :returns: The rendered representation of the requested entity. :param skelType: May either be "node" or "leaf". :type skelType: str :param node: URL-safe key of the parent. :type node: str :raises: :exc:`server.errors.NotAcceptable`, when an incorrect *skelType* is provided. :raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. """ if skelType == "node": skel = self.viewSkel(TreeType.Node) elif skelType == "leaf" and self.hasDistinctLeafs: skel = self.viewSkel(TreeType.Leaf) else: raise errors.NotAcceptable() if not key: raise errors.NotAcceptable() if key == u"structure": # We dump just the structure of that skeleton, including it's default values if not self.canView(skelType, None): raise errors.Unauthorized() else: # We return a single entry for viewing if not skel.fromDB(key): raise errors.NotFound() if not self.canView(skelType, skel): raise errors.Unauthorized() self.onItemViewed(skel) return self.render.view(skel)
def add(self, skelType, node, *args, **kwargs):
"""
Add a new entry with the given parent *node*, and render the entry, eventually with error notes
on incorrect data. Data is taken by any other arguments in *kwargs*.
The function performs several access control checks on the requested entity before it is added.
.. seealso:: :func:`canAdd`, :func:`onAdd`, , :func:`onAdded`
:param skelType: Defines the type of the new entry and may either be "node" or "leaf".
:type skelType: str
:param node: URL-safe key of the parent.
:type node: str
:returns: The rendered, added object of the entry, eventually with error hints.
:raises: :exc:`server.errors.NotAcceptable`, when no valid *skelType* was provided.
:raises: :exc:`server.errors.NotFound`, when no valid *node* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
if not self._checkSkelType(skelType):
raise errors.NotAcceptable()
skel = self.addSkel(skelType)
parentNodeSkel = self.editSkel("node")
if not parentNodeSkel.fromDB(node):
raise errors.NotFound()
if not self.canAdd(skelType, parentNodeSkel):
raise errors.Unauthorized()
if (len(kwargs) == 0 # no data supplied
or skey == "" # no security key
or not skel.fromClient(
kwargs) # failure on reading into the bones
or not currentRequest.get().isPostRequest
or ("bounce" in kwargs and kwargs["bounce"] == "1"
) # review before adding
):
return self.render.add(skel)
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
skel["parententry"] = parentNodeSkel["key"]
# parentrepo may not exist of parentNodeSkel as it may be an rootNode
skel["parentrepo"] = parentNodeSkel["parentrepo"] or parentNodeSkel[
"key"]
self.onAdd(skel)
skel.toDB()
self.onAdded(skel)
return self.render.addSuccess(skel)
def clone(self,
fromRepo,
toRepo,
fromParent=None,
toParent=None,
*args,
**kwargs):
"""
Clones a hierarchy recursively.
This function only initiates the cloning process, which is performed in the background.
It states only a successful result when the clone action has been correctly initiated.
:param fromRepo: URL-safe key of the key to the repository (=root-node Key) to clone from.
:type fromRepo: str
:param toRepo: URL-safe key of the key to the repository (=root-node Key) to clone to.
:type toRepo: str
:param fromParent: URL-safe key of the parent to clone from; for root nodes, this is equal \
to fromRepo, and can be omitted.
:type fromParent: str
:param toParent: URL-safe key of the parent to clone to; for root nodes, this is equal to \
toRepo, and can be omitted.
:type toParent: str
:returns: A rendered success result generated by the default renderer.
:raises: :exc:`server.errors.NotAcceptable`, when no valid *parent* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
if fromParent is None:
fromParent = fromRepo
if toParent is None:
toParent = toRepo
if not (self.isValidParent(fromParent)
and self.isValidParent(toParent)): # Ensure the parents exists
raise errors.NotAcceptable()
if not self.canAdd(toParent):
raise errors.Unauthorized()
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
self._clone(fromRepo, toRepo, fromParent, toParent)
return self.render.cloneSuccess()
def structure(self, *args, **kwargs): """ :returns: Returns the structure of our skeleton as used in list/view. Values are the defaultValues set in each bone. :raises: :exc:`viur.core.errors.Unauthorized`, if the current user does not have the required permissions. """ skel = self.viewSkel() if not self.canAdd(): # We can't use canView here as it would require passing a skeletonInstance. # As a fallback, we'll check if the user has the permissions to view at least one entry qry = self.listFilter(skel.all()) if not qry or not qry.getEntry(): raise errors.Unauthorized() return self.render.view(skel)
def edit(self, skelType, key, *args, **kwargs):
"""
Modify an existing entry, and render the entry, eventually with error notes on incorrect data.
Data is taken by any other arguments in *kwargs*.
The function performs several access control checks on the requested entity before it is added.
.. seealso:: :func:`onAdded`, :func:`canEdit`
:param skelType: Defines the type of the entry that should be modified and may either be "node" or "leaf".
:type skelType: str
:param key: URL-safe key of the item to be edited.
:type key: str
:returns: The rendered, modified object of the entry, eventually with error hints.
:raises: :exc:`server.errors.NotAcceptable`, when no valid *skelType* was provided.
:raises: :exc:`server.errors.NotFound`, when no valid *node* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
if skelType == "node":
skelType = TreeType.Node
elif skelType == "leaf" and self.leafSkelCls:
skelType = TreeType.Leaf
else:
raise errors.NotAcceptable()
skel = self.addSkel(skelType)
if not skel.fromDB(key):
raise errors.NotFound()
if not self.canEdit(skelType, skel):
raise errors.Unauthorized()
if (len(kwargs) == 0 # no data supplied
or skey == "" # no security key
or not skel.fromClient(
kwargs) # failure on reading into the bones
or not currentRequest.get().isPostRequest
or ("bounce" in kwargs and kwargs["bounce"] == "1"
) # review before adding
):
return self.render.edit(skel)
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
skel.toDB()
self.onEdited(skel)
return self.render.editSuccess(skel)
def view(self, *args, **kwargs):
"""
Prepares and renders a single entry for viewing.
The entry is fetched by its entity key, which either is provided via *kwargs["key"]*,
or as the first parameter in *args*. The function performs several access control checks
on the requested entity before it is rendered.
.. seealso:: :func:`viewSkel`, :func:`canView`, :func:`onItemViewed`
:returns: The rendered representation of the requested entity.
:raises: :exc:`server.errors.NotAcceptable`, when no *key* is provided.
:raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
"""
if "key" in kwargs:
key = kwargs["key"]
elif len(args) >= 1:
key = args[0]
else:
raise errors.NotAcceptable()
if not len(key):
raise errors.NotAcceptable()
skel = self.viewSkel()
if key == u"structure":
# We dump just the structure of that skeleton, including it's default values
if not self.canView(None):
raise errors.Unauthorized()
else:
# We return a single entry for viewing
if not skel.fromDB(key):
raise errors.NotFound()
if not self.canView(skel):
raise errors.Unauthorized()
self.onItemViewed(skel)
return self.render.view(skel)
def markCanceled(self, key, skey, *args, **kwargs):
"""
Exposed function for marking an order as cancelled.
:param key: The key of the order to be marked.
:type key: str
"""
if not self.canEdit(key):
raise errors.Unauthorized()
if not securitykey.validate(skey):
raise errors.PreconditionFailed()
self.setCanceled(key)
return "OKAY"
def edit(self, *args, **kwargs):
"""
Modify the existing entry, and render the entry, eventually with error notes on incorrect data.
The entry is fetched by its entity key, which either is provided via *kwargs["key"]*,
or as the first parameter in *args*. The function performs several access control checks
on the singleton's entity before it is modified.
.. seealso:: :func:`editSkel`, :func:`onItemEdited`, :func:`canEdit`
:returns: The rendered, edited object of the entry, eventually with error hints.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
skel = self.editSkel()
if not self.canEdit():
raise errors.Unauthorized()
key = db.Key.from_path(self.editSkel().kindName, self.getKey())
if not skel.fromDB(
str(key)): # Its not there yet; we need to set the key again
skel["key"] = str(key)
if (len(kwargs) == 0 # no data supplied
or skey == "" # no skey provided
or not skel.fromClient(
kwargs) # failure on reading into the bones
or ("bounce" in kwargs
and kwargs["bounce"] == "1")): # review before changing
return self.render.edit(skel)
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
skel.toDB()
self.onItemEdited(skel)
return self.render.editItemSuccess(skel)
def add(self, parent, *args, **kwargs):
"""
Add a new entry with the given parent, and render the entry, eventually with error notes on incorrect data.
Data is taken by any other arguments in *kwargs*.
The function performs several access control checks on the requested entity before it is added.
.. seealso:: :func:`addSkel`, :func:`onItemAdded`, :func:`canAdd`
:param parent: URL-safe key of the parent.
:type parent: str
:returns: The rendered, added object of the entry, eventually with error hints.
:raises: :exc:`server.errors.NotAcceptable`, when no valid *parent* was found.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
if not self.isValidParent(parent): # Ensure the parent exists
raise errors.NotAcceptable()
if not self.canAdd(parent):
raise errors.Unauthorized()
skel = self.addSkel()
if (len(kwargs) == 0 or skey == ""
or not request.current.get().isPostRequest
or not skel.fromClient(kwargs)
or ("bounce" in kwargs and kwargs["bounce"] == "1")):
return self.render.add(skel)
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
skel["parententry"] = str(parent)
skel["parentrepo"] = str(self.getRootNode(parent).key())
key = skel.toDB()
self.onItemAdded(skel)
self.onItemChanged(skel)
return self.render.addItemSuccess(skel)
def delete(self, skelType, key, *args, **kwargs): """ Deletes an entry or an directory (including its contents). The function runs several access control checks on the data before it is deleted. .. seealso:: :func:`canDelete`, :func:`onItemDeleted` :param skelType: Defines the type of the entry that should be deleted and may either be "node" or "leaf". :type skelType: str :param key: URL-safe key of the item to be deleted. :type key: str :returns: The rendered, deleted object of the entry. :raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if skelType == "node": skel = self.viewSkel(TreeType.Node) elif skelType == "leaf" and self.hasDistinctLeafs: skel = self.viewSkel(TreeType.Leaf) else: raise errors.NotAcceptable() if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if not skel.fromDB(key): raise errors.NotFound() if not self.canDelete(skelType, skel): raise errors.Unauthorized() if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() if skelType == "node": self.deleteRecursive(key) skel.delete() self.onItemDeleted(skel) return self.render.deleteSuccess(skel, skelType=skelType)
def add(self, *args, **kwargs):
"""
Allows guests to register a new account if self.registrationEnabled is set to true
.. seealso:: :func:`addSkel`, :func:`onAdded`, :func:`canAdd`
:returns: The rendered, added object of the entry, eventually with error hints.
:raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
if not self.canAdd():
raise errors.Unauthorized()
skel = self.addSkel()
if (len(kwargs) == 0 # no data supplied
or skey == "" # no skey supplied
or not currentRequest.get().
isPostRequest # bail out if not using POST-method
or not skel.fromClient(
kwargs) # failure on reading into the bones
or ("bounce" in kwargs
and kwargs["bounce"] == "1")): # review before adding
# render the skeleton in the version it could as far as it could be read.
return self.userModule.render.add(skel)
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
skel.toDB()
if self.registrationEmailVerificationRequired and str(
skel["status"]) == "1":
# The user will have to verify his email-address. Create an skey and send it to his address
skey = securitykey.create(duration=60 * 60 * 24 * 7,
userKey=utils.normalizeKey(skel["key"]),
name=skel["name"])
skel.skey = baseBone(descr="Skey")
skel["skey"] = skey
email.sendEMail(dests=[skel["name"]],
tpl=self.userModule.verifyEmailAddressMail,
skel=skel)
self.userModule.onAdded(skel) # Call onAdded on our parent user module
return self.userModule.render.addSuccess(skel)
def preview(self, skey, *args, **kwargs):
"""
Renders data for the entry, without reading it from the database.
This function allows to preview the entry without writing it to the database.
Any entity values are provided via *kwargs*.
The function uses the viewTemplate of the application.
:returns: The rendered representation of the supplied data.
"""
if not self.canPreview():
raise errors.Unauthorized()
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
skel = self.viewSkel()
skel.fromClient(kwargs)
return self.render.view(skel)
def add(self, *args, **kwargs):
"""
Add a new entry, and render the entry, eventually with error notes on incorrect data.
Data is taken by any other arguments in *kwargs*.
The function performs several access control checks on the requested entity before it is added.
.. seealso:: :func:`addSkel`, :func:`onAdd`, :func:`onAdded`, :func:`canAdd`
:returns: The rendered, added object of the entry, eventually with error hints.
:raises: :exc:`viur.core.errors.Unauthorized`, if the current user does not have the required permissions.
:raises: :exc:`viur.core.errors.PreconditionFailed`, if the *skey* could not be verified.
"""
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
if not self.canAdd():
raise errors.Unauthorized()
skel = self.addSkel()
if (len(kwargs) == 0 # no data supplied
or skey == "" # no skey supplied
or not currentRequest.get().
isPostRequest # failure if not using POST-method
or not skel.fromClient(
kwargs) # failure on reading into the bones
or ("bounce" in kwargs and kwargs["bounce"] == "1"
) # review before adding
):
# render the skeleton in the version it could as far as it could be read.
return self.render.add(skel)
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
self.onAdd(skel)
skel.toDB()
self.onAdded(skel)
return self.render.addSuccess(skel)
def execute(self, taskID, *args, **kwargs):
"""Queues a specific task for the next maintenance run"""
global _callableTasks
from viur.core import securitykey
if taskID in _callableTasks:
task = _callableTasks[taskID]()
else:
return
if not task.canCall():
raise errors.Unauthorized()
skel = task.dataSkel()
if "skey" in kwargs:
skey = kwargs["skey"]
else:
skey = ""
if len(kwargs) == 0 or skey == "" or not skel.fromClient(kwargs) or (
"bounce" in kwargs and kwargs["bounce"] == "1"):
return self.render.add(skel)
if not securitykey.validate(skey, useSessionKey=True):
raise errors.PreconditionFailed()
task.execute(**skel.accessedValues)
return self.render.addSuccess(skel)
def findAndCall(self, path: str, *args, **kwargs):
"""
Does the actual work of sanitizing the parameter, determine which @exposed (or @internalExposed) function
to call (and with witch parameters)
"""
# Prevent Hash-collision attacks
kwargs = {}
stopCount = conf["viur.maxPostParamsCount"]
try:
for key, value in self.request.params.iteritems():
key = unicodedata.normalize("NFC", key)
value = unicodedata.normalize("NFC", value)
if key.startswith(
"_"
): # Ignore keys starting with _ (like VI's _unused_time_stamp)
continue
if key in kwargs:
if isinstance(kwargs[key], list):
kwargs[key].append(value)
else: # Convert that key to a list
kwargs[key] = [kwargs[key], value]
else:
kwargs[key] = value
stopCount -= 1
if not stopCount: # We reached zero; maximum PostParamsCount exceeded
raise errors.NotAcceptable()
except UnicodeError:
# We received invalid unicode data (usually happens when someone tries to exploit unicode normalisation bugs)
raise errors.BadRequest()
if "self" in kwargs or "return" in kwargs: # self or return is reserved for bound methods
raise errors.BadRequest()
# Parse the URL
path = parse.urlparse(path).path
self.pathlist = [
unicodedata.normalize("NFC", parse.unquote(x))
for x in path.strip("/").split("/")
]
caller = conf["viur.mainResolver"]
idx = 0 # Count how may items from *args we'd have consumed (so the rest can go into *args of the called func
for currpath in self.pathlist:
if "canAccess" in caller and not caller["canAccess"]():
# We have a canAccess function guarding that object,
# and it returns False...
raise (errors.Unauthorized())
idx += 1
currpath = currpath.replace("-", "_").replace(".", "_")
if currpath in caller:
caller = caller[currpath]
if (("exposed" in dir(caller) and caller.exposed) or
("internalExposed" in dir(caller)
and caller.internalExposed
and self.internalRequest)) and hasattr(
caller, '__call__'):
args = self.pathlist[idx:] + [
x for x in args
] # Prepend the rest of Path to args
break
elif "index" in caller:
caller = caller["index"]
if (("exposed" in dir(caller) and caller.exposed) or
("internalExposed" in dir(caller)
and caller.internalExposed
and self.internalRequest)) and hasattr(
caller, '__call__'):
args = self.pathlist[idx - 1:] + [x for x in args]
break
else:
raise (errors.NotFound(
"The path %s could not be found" % "/".join([("".join([
y for y in x if y.lower() in
"0123456789abcdefghijklmnopqrstuvwxyz"
])) for x in self.pathlist[:idx]])))
else:
raise (errors.NotFound(
"The path %s could not be found" % "/".join([("".join([
y for y in x
if y.lower() in "0123456789abcdefghijklmnopqrstuvwxyz"
])) for x in self.pathlist[:idx]])))
if (not callable(caller)
or ((not "exposed" in dir(caller) or not caller.exposed)) and
(not "internalExposed" in dir(caller) or not caller.internalExposed
or not self.internalRequest)):
if "index" in caller \
and (callable(caller["index"]) \
and ("exposed" in dir(caller["index"]) and caller["index"].exposed) \
or ("internalExposed" in dir(
caller["index"]) and caller["index"].internalExposed and self.internalRequest)):
caller = caller["index"]
else:
raise (errors.MethodNotAllowed())
# Check for forceSSL flag
if not self.internalRequest \
and "forceSSL" in dir(caller) \
and caller.forceSSL \
and not self.request.host_url.lower().startswith("https://") \
and not self.isDevServer:
raise (errors.PreconditionFailed(
"You must use SSL to access this ressource!"))
# Check for forcePost flag
if "forcePost" in dir(
caller) and caller.forcePost and not self.isPostRequest:
raise (errors.MethodNotAllowed(
"You must use POST to access this ressource!"))
self.args = args
self.kwargs = kwargs
# Check if this request should bypass the caches
if self.request.headers.get("X-Viur-Disable-Cache"):
from viur.core import utils
# No cache requested, check if the current user is allowed to do so
user = utils.getCurrentUser()
if user and "root" in user["access"]:
logging.debug(
"Caching disabled by X-Viur-Disable-Cache header")
self.disableCache = True
try:
annotations = typing.get_type_hints(caller)
if annotations and not self.internalRequest:
newKwargs = {
} # The dict of new **kwargs we'll pass to the caller
newArgs = [] # List of new *args we'll pass to the caller
argsOrder = list(
caller.__code__.co_varnames)[1:caller.__code__.co_argcount]
# Map args in
for idx in range(0, min(len(self.args), len(argsOrder))):
paramKey = argsOrder[idx]
if paramKey in annotations: # We have to enforce a type-annotation for this *args parameter
_, newTypeValue = self.processTypeHint(
annotations[paramKey], self.args[idx], True)
newArgs.append(newTypeValue)
else:
newArgs.append(self.args[idx])
newArgs.extend(self.args[min(len(self.args), len(argsOrder)):])
# Last, we map the kwargs in
for k, v in kwargs.items():
if k in annotations:
newStrValue, newTypeValue = self.processTypeHint(
annotations[k], v, False)
self.kwargs[k] = newStrValue
newKwargs[k] = newTypeValue
else:
newKwargs[k] = v
else:
newArgs = self.args
newKwargs = self.kwargs
if (conf["viur.debug.traceExternalCallRouting"]
and not self.internalRequest
) or conf["viur.debug.traceInternalCallRouting"]:
logging.debug("Calling %s with args=%s and kwargs=%s" %
(str(caller), str(newArgs), str(newKwargs)))
res = caller(*newArgs, **newKwargs)
res = str(res).encode("UTF-8") if not isinstance(res,
bytes) else res
self.response.write(res)
except TypeError as e:
if self.internalRequest: # We provide that "service" only for requests originating from outside
raise
if "viur/core/request.py\", line 5" in traceback.format_exc(
).splitlines()[-3]:
# Don't raise NotAcceptable for type-errors raised deep somewhere inside caller.
# We check if the last line in traceback originates from viur/core/request.py and a line starting with
# 5 and only raise NotAcceptable then. Otherwise a "normal" 500 Server error will be raised.
# This is kinda hackish, however this is much faster than reevaluating the args and kwargs passed
# to caller as we did in ViUR2.
raise errors.NotAcceptable()
raise
def findAndCall(self, path, *args,
**kwargs): # Do the actual work: process the request
# Prevent Hash-collision attacks
kwargs = {}
stopCount = conf["viur.maxPostParamsCount"]
for key, value in self.request.params.iteritems():
if key in kwargs:
if isinstance(kwargs[key], list):
kwargs[key].append(value)
else:
kwargs[key] = [kwargs[key], value]
else:
kwargs[key] = value
stopCount -= 1
if not stopCount: # We reached zero; maximum PostParamsCount exceeded
raise errors.NotAcceptable()
if "self" in kwargs: # self is reserved for bound methods
raise errors.BadRequest()
# Parse the URL
path = parse.urlparse(path).path
self.pathlist = [parse.unquote(x) for x in path.strip("/").split("/")]
caller = conf["viur.mainResolver"]
idx = 0 # Count how may items from *args we'd have consumed (so the rest can go into *args of the called func
for currpath in self.pathlist:
if "canAccess" in caller and not caller["canAccess"]():
# We have a canAccess function guarding that object,
# and it returns False...
raise (errors.Unauthorized())
idx += 1
currpath = currpath.replace("-", "_").replace(".", "_")
if currpath in caller:
caller = caller[currpath]
if (("exposed" in dir(caller) and caller.exposed) or
("internalExposed" in dir(caller)
and caller.internalExposed
and self.internalRequest)) and hasattr(
caller, '__call__'):
args = self.pathlist[idx:] + [
x for x in args
] # Prepend the rest of Path to args
break
elif "index" in caller:
caller = caller["index"]
if (("exposed" in dir(caller) and caller.exposed) or
("internalExposed" in dir(caller)
and caller.internalExposed
and self.internalRequest)) and hasattr(
caller, '__call__'):
args = self.pathlist[idx - 1:] + [x for x in args]
break
else:
raise (errors.NotFound(
"The path %s could not be found" % "/".join([("".join([
y for y in x if y.lower() in
"0123456789abcdefghijklmnopqrstuvwxyz"
])) for x in self.pathlist[:idx]])))
else:
raise (errors.NotFound(
"The path %s could not be found" % "/".join([("".join([
y for y in x
if y.lower() in "0123456789abcdefghijklmnopqrstuvwxyz"
])) for x in self.pathlist[:idx]])))
if (not callable(caller)
or ((not "exposed" in dir(caller) or not caller.exposed)) and
(not "internalExposed" in dir(caller) or not caller.internalExposed
or not self.internalRequest)):
if "index" in caller \
and (callable(caller["index"]) \
and ("exposed" in dir(caller["index"]) and caller["index"].exposed) \
or ("internalExposed" in dir(
caller["index"]) and caller["index"].internalExposed and self.internalRequest)):
caller = caller["index"]
else:
raise (errors.MethodNotAllowed())
# Check for forceSSL flag
if not self.internalRequest \
and "forceSSL" in dir(caller) \
and caller.forceSSL \
and not self.request.host_url.lower().startswith("https://") \
and not self.isDevServer:
raise (errors.PreconditionFailed(
"You must use SSL to access this ressource!"))
# Check for forcePost flag
if "forcePost" in dir(
caller) and caller.forcePost and not self.isPostRequest:
raise (errors.MethodNotAllowed(
"You must use POST to access this ressource!"))
self.args = []
for arg in args:
if isinstance(arg, str):
self.args.append(arg)
else:
try:
self.args.append(arg.decode("UTF-8"))
except:
pass
self.kwargs = kwargs
# Check if this request should bypass the caches
if self.request.headers.get("X-Viur-Disable-Cache"):
from viur.core import utils
# No cache requested, check if the current user is allowed to do so
user = utils.getCurrentUser()
if user and "root" in user["access"]:
logging.debug(
"Caching disabled by X-Viur-Disable-Cache header")
self.disableCache = True
try:
if (conf["viur.debug.traceExternalCallRouting"]
and not self.internalRequest
) or conf["viur.debug.traceInternalCallRouting"]:
logging.debug("Calling %s with args=%s and kwargs=%s" %
(str(caller), str(args), str(kwargs)))
res = caller(*self.args, **self.kwargs)
res = str(res).encode("UTF-8") if not isinstance(res,
bytes) else res
self.response.write(res)
except TypeError as e:
if self.internalRequest: # We provide that "service" only for requests originating from outside
raise
# Check if the function got too few arguments and raise a NotAcceptable error
tmpRes = {}
argsOrder = list(
caller.__code__.co_varnames)[1:caller.__code__.co_argcount]
# Map default values in
reversedArgsOrder = argsOrder[::-1]
for defaultValue in list(caller.__defaults__ or [])[::-1]:
tmpRes[reversedArgsOrder.pop(0)] = defaultValue
del reversedArgsOrder
# Map args in
setArgs = [] # Store a list of args already set by *args
for idx in range(0, min(len(args), len(argsOrder))):
setArgs.append(argsOrder[idx])
tmpRes[argsOrder[idx]] = args[idx]
# Last, we map the kwargs in
for k, v in kwargs.items():
if k in setArgs: # This key has already been set by *args
raise (
errors.NotAcceptable()
) # We reraise that exception as we got duplicate arguments
tmpRes[k] = v
# Last check, that every parameter is satisfied:
if not all([x in tmpRes.keys() for x in argsOrder]):
raise (errors.NotAcceptable())
raise
def checkout(self, step=None, key=None, skey=None, *args, **kwargs):
"""
Performs the checkout process trough the state machine provided by self.steps.
:param step: The current step index, None for beginning a new checkout
:param key: Key of the current checkout
:param skey: Server security key
:return: Returns the rendered template or throws redirection exceptions.
"""
myKindName = self.viewSkel().kindName
if step is None:
logging.info("Starting new checkout process")
billObj = db.Entity(myKindName)
billObj["idx"] = "0000000"
for state in self.states:
billObj["state_%s" % state] = "0"
db.Put(billObj)
key = str(billObj.key())
# Copy the Cart
if "amountSkel" in dir(self):
cart = session.current.get("cart_products") or {}
s = self.amountSkel()
products = []
for prod, atts in cart.items():
for i in range(0, atts["amount"]):
products.append(str(prod))
s.fromClient({"product": products})
s.toDB()
session.current["order_" + myKindName] = {
"key": str(key),
"completedSteps": []
}
session.current.markChanged()
raise errors.Redirect("?step=0&key=%s" % str(key))
elif key:
try:
orderKey = db.Key(key)
step = int(step)
assert (step >= 0)
assert (step < len(self.steps))
except:
raise errors.NotAcceptable()
sessionInfo = session.current.get("order_" + myKindName)
if not sessionInfo or not sessionInfo.get("key") == str(orderKey):
raise errors.Unauthorized()
if step in sessionInfo["completedSteps"]:
session.current["order_" + myKindName]["completedSteps"] = [
x for x in sessionInfo["completedSteps"] if x < step
]
session.current.markChanged()
# Make sure that no steps can be skipped
if step != 0 and not step - 1 in sessionInfo["completedSteps"]:
raise errors.Redirect("?step=0&key=%s" % str(str(orderKey)))
currentStep = self.steps[step]
if "preHandler" in currentStep.keys():
try:
if isinstance(currentStep["preHandler"], list):
for handler in currentStep["preHandler"]:
handler(self, step, str(orderKey), *args, **kwargs)
else:
currentStep["preHandler"](self,
step,
str(orderKey),
refkwargs=kwargs,
*args,
**kwargs)
except SkipStepException:
session.current["order_" +
myKindName]["completedSteps"].append(step)
session.current.markChanged()
raise errors.Redirect("?step=%s&key=%s" %
(str(step + 1), str(orderKey)))
except ReturnHtmlException as e:
return (e.html)
if "requiresSecurityKey" in currentStep and currentStep[
"requiresSecurityKey"]:
if not securitykey.validate(skey):
raise errors.PreconditionFailed()
pass
if "mainHandler" in currentStep:
if currentStep["mainHandler"]["action"] == "edit":
skel = self.getSkelByName(
currentStep["mainHandler"]["skeleton"], str(orderKey))
skel.fromDB(str(orderKey))
if not len(kwargs.keys()) or not skel.fromClient(kwargs):
return (self.render.edit(
skel,
tpl=currentStep["mainHandler"]["template"],
step=step))
skel.toDB()
if currentStep["mainHandler"]["action"] == "view":
if not "complete" in kwargs or not kwargs[
"complete"] == u"1":
skel = self.getSkelByName(
currentStep["mainHandler"]["skeleton"],
str(orderKey))
skel.fromDB(str(orderKey))
return (self.render.view(
skel,
tpl=currentStep["mainHandler"]["template"],
step=step))
elif currentStep["mainHandler"]["action"] == "function":
res = currentStep["mainHandler"]["function"](self, step,
str(orderKey),
*args,
**kwargs)
if res:
return res
if "postHandler" in currentStep:
currentStep["postHandler"](self, step, str(orderKey), *args,
**kwargs)
session.current["order_" +
myKindName]["completedSteps"].append(step)
session.current.markChanged()
logging.info("next ?step=%s&key=%s" %
(str(step + 1), str(orderKey)))
raise errors.Redirect("?step=%s&key=%s" %
(str(step + 1), str(orderKey)))