def post(self, request, *args, **kwargs): application = get_object_or_404(Application, pk=request.POST.get('applicationId')) if not (application.applicant == request.user or application.proxy_applicant == request.user): return HttpResponseForbidden( 'Application does not belong to user or proxy application') session_application_id = utils.get_session_application(request.session) if session_application_id.id == application.id: utils.delete_session_application(request.session) if application.is_temporary: application.delete() return HttpResponse()
def property_edit(request, pk): """ """ prop = Property.objects.get(pk=pk) if request.session['user'] != prop.owner_id: return HttpResponseForbidden('This property does not belong to you.') template = loader.get_template('interface/property.html') form = PropertyForm(request.POST or None, instance=prop) if form.is_valid(): form.save() props = Property.objects.all() template = loader.get_template('interface/list.html') return HttpResponse( template.render(dict(properties=props, message='Property Updated'), request)) else: return HttpResponse(template.render(dict(form=form), request))
def get(self, request, username): """Returns a list of Project for a specific user. If the requesting user is a super user then we can 'impersonate' another user. Else this is an unauthorized request. """ if not request.user.is_superuser: return HttpResponseForbidden() user = get_user_model().objects.get(username=username) ag = user.agave_oauth.client q = request.GET.get('q', None) if not q: projects = Project.list_projects(agave_client=ag) else: projects = Project.search(q=q, agave_client=ag) return JsonResponse({'projects': projects}, encoder=AgaveJSONEncoder)
def post(self, request, *args, **kwargs): domain = request.GET.get('domain') case_type = request.GET.get('case_type') user_name = request.GET.get('user') properties = json.loads(request.body) case_id = properties['case_id'] properties.pop('case_id') couch_user = CommCareUser.get_by_username(user_name) if not couch_user.is_member_of(domain): return HttpResponseForbidden( "This user does not have access to this domain.") case = get_case_or_404(domain, case_id) if not case.type == case_type: return HttpResponseBadRequest("Case type mismatch")
def event_participants(req, id): e = Event.objects.get(pk=id) try: p = req.user.gotouser.participant except AttributeError: p = None if p: a = p.application_set.filter(event=e) if a.count() > 0 and (a[0].status == 1 or a[0].status == 3): base_context = { 'event': e, 'invited': e.application_set.filter(status=1).all(), 'confirmed': e.application_set.filter(status=3).all() } return render(req, 'events/event_participants.html', base_context) else: return HttpResponseForbidden()
def obj_create(self, bundle, **kwargs): model = bundle.obj.__class__ try: template_id = bundle.data['template_id'] creator = bundle.request.user.username pipeline_instance_kwargs = { 'name': bundle.data.pop('name'), 'creator': creator, 'pipeline_tree': json.loads(bundle.data.pop('pipeline_tree')), } if 'description' in bundle.data: pipeline_instance_kwargs['description'] = bundle.data.pop( 'description') except (KeyError, ValueError) as e: raise BadRequest(e.message) # XSS handle self.handle_task_name_attr(pipeline_instance_kwargs) # validate pipeline tree try: validate_web_pipeline_tree( pipeline_instance_kwargs['pipeline_tree']) except PipelineException as e: raise BadRequest(e.message) try: template = TaskTemplate.objects.get(id=template_id) except TaskTemplate.DoesNotExist: raise BadRequest('template[id=%s] does not exist' % template_id) if not bundle.request.user.has_perm(CREATE_TASK_PERM_NAME, template): raise ImmediateHttpResponse( HttpResponseForbidden( 'You have no permissions to create task')) try: pipeline_instance = model.objects.__class__.create_pipeline_instance( template, **pipeline_instance_kwargs) except PipelineException as e: raise BadRequest(e.message) kwargs['category'] = template.category if bundle.data['flow_type'] == 'common_func': kwargs['current_flow'] = 'func_claim' else: kwargs['current_flow'] = 'execute_task' kwargs['pipeline_instance_id'] = pipeline_instance.id super(TaskFlowInstanceResource, self).obj_create(bundle, **kwargs) return bundle
def view(request, app, cls, pk, tab=None): if not request.user.is_authenticated: return httprr(request, '/admin/login/?next={}'.format(request.get_full_path())) try: _model = apps.get_model(app, cls) except LookupError as e: return page_not_found(request, e, 'error404.html') obj = _model.objects.all(request.user).filter(pk=pk).first() obj.request = request obj._user = request.user if 'one_to_many_count' in request.GET: # TODO create a specific view for this purpose return HttpResponse(getattr2(obj, request.GET['one_to_many_count'])) if not permissions.can_view(request, obj): return HttpResponseForbidden() title = str(obj) parent = request.GET.get('parent', None) printable = get_metadata(_model, 'pdf', False) widget_panel = ModelDashboard(request, obj, tab, parent, printable=printable) widget_panel.process_request() if widget_panel.model_panel.message: return httprr(request, request.get_full_path(), widget_panel.model_panel.message) log_data = get_metadata(obj.__class__, 'log', False) if log_data and request.user.is_superuser and request.user.has_perm( 'admin.list_log'): url = '/log/{}/{}/'.format(app, cls) widget_panel.model_panel.drop_down.add_action( '{} {}'.format(_('View'), _('Log')), url, 'ajax', 'fa fa-history') return render(request, 'default.html', locals())
def authorize(request): code = request.GET.get('code', '') # use state to track user id state = request.GET.get('state', '') config = SiteConf.get_solo() if not config.enable_wechat: return HttpResponseForbidden('没有开启微信登录') client = WeChatOAuth(config.wx_appid, config.wx_appsecret, config.wx_redirect_uri, scope='snsapi_userinfo', state=state) # auth flow if code: try: # may raise access_token = client.fetch_access_token(code) user_info = client.get_user_info() user, _ = User.objects.get_or_create(username='******' + access_token['openid']) # may raise IntegrityError 微信用户已经绑定了关系 at, _ = AccessToken.objects.get_or_create( user=user, openid=access_token['openid']) at.update_token(access_token) # update profile user.profile.update_profile(user_info) token = issue_token(user) return JsonResponse({ 'token': token['token'], 'user': UserSerializer(user).data }) except Exception as e: return JsonResponse({ 'status': 'failed', 'message': str(e) }, status=400) return JsonResponse({'url': client.authorize_url})
def finaid_message(request, pks): """Add a message to some applications""" if not is_reviewer(request.user): return HttpResponseForbidden(_(u"Not authorized for this page")) applications = FinancialAidApplication.objects.filter(pk__in=pks.split(","))\ .select_related('user') if not applications.exists(): messages.add_message(request, messages.ERROR, _(u"No applications selected")) return redirect('finaid_review') if request.method == 'POST': for application in applications: message = FinancialAidMessage(user=request.user, application=application) message_form = ReviewerMessageForm(request.POST, instance=message) if message_form.is_valid(): message = message_form.save() # Send notice to reviewers/pycon-aid alias, and the applicant if visible context = email_context(request, application, message) send_email_message("reviewer/message", # From whoever is logged in clicking the buttons from_=request.user.email, to=[settings.FINANCIAL_AID_EMAIL], context=context, headers={'Reply-To': settings.FINANCIAL_AID_EMAIL} ) # If visible to applicant, notify them as well if message.visible: send_email_message("applicant/message", from_=request.user.email, to=[application.user.email], context=context, headers={'Reply-To': settings.FINANCIAL_AID_EMAIL} ) messages.add_message(request, messages.INFO, _(u"Messages sent")) return redirect(reverse('finaid_review', kwargs=dict(pks=pks))) else: message_form = ReviewerMessageForm() return render(request, "finaid/reviewer_message.html", { 'applications': applications, 'form': message_form, })
def review_proposal(request, conference_slug, slug): conference = get_object_or_404(Conference, slug=conference_slug) proposal = get_object_or_404(Proposal, slug=slug, conference=conference) if not _is_proposal_reviewer(request.user, conference): return HttpResponseForbidden() if request.method == 'GET': comments = ProposalComment.objects.filter( proposal=proposal, deleted=False, ) proposal_review_form = ProposalReviewForm( initial={'review_status': proposal.review_status}) ctx = { 'proposal': proposal, 'proposal_review_form': proposal_review_form, 'reviewers_comments': comments.filter(private=True), 'reviewers_proposal_comment_form': ProposalCommentForm(initial={'private': True}), } return render(request, 'proposals/review.html', ctx) # POST Workflow form = ProposalReviewForm(request.POST) if not form.is_valid(): return render(request, 'proposals/review.html', { 'form': form, 'proposal': proposal, 'errors': form.errors }) # Valid Form proposal.review_status = form.cleaned_data['review_status'] proposal.save() return HttpResponseRedirect( reverse('proposals-list', args=[conference.slug]))
def upload(self, request, path): """ Upload a package to the index. 0. Check if the index allows uploaded packages (live-api-enabled) 1. Check request is in correct format 2. Check if the package is in the repository already 3. If present then reject request 4. Spawn task to add content if no/old session present 5. Add uploads to current session to group into one task """ distro = self.get_distribution(path) if not distro.allow_uploads: return HttpResponseForbidden( reason="Index is not allowing uploads") repo = distro.repository if not repo: return HttpResponseBadRequest( reason="Index is not pointing to a repository") serializer = PackageUploadSerializer(data=request.data) serializer.is_valid(raise_exception=True) artifact, filename = serializer.validated_data["content"] repo_content = self.get_content(self.get_repository_version(distro)) if repo_content.filter(filename=filename).exists(): return HttpResponseBadRequest( reason=f"Package {filename} already exists in index") if settings.PYTHON_GROUP_UPLOADS: return self.upload_package_group(repo, artifact, filename, request.session) result = dispatch(tasks.upload, exclusive_resources=[artifact, repo], kwargs={ "artifact_sha256": artifact.sha256, "filename": filename, "repository_pk": str(repo.pk) }) return Response( data={ "task": reverse('tasks-detail', args=[result.pk], request=None) })
def verify(request): if settings.LOGIN_ATTEMPT_LIMIT > 0 and request.method == 'POST': ip = LoginProtect._get_request_ip(request) next_available_time = LoginProtect.next_available_login.get(ip, datetime.now(tz=get_current_timezone()) - timedelta(seconds=1)) if next_available_time > datetime.now(tz=get_current_timezone()): return HttpResponseForbidden('<html><h2>Too many login failures</h2><h5>Please try again later!!</h5></html>') else: auth_data, auth_success = func(request) if auth_success: if ip in LoginProtect.next_available_login: LoginProtect.next_available_login.pop(ip) if ip in LoginProtect.ip_login_count: LoginProtect.ip_login_count.pop(ip) else: LoginProtect.ip_login_count[ip] = LoginProtect.ip_login_count.get(ip, 0) + 1 if LoginProtect.ip_login_count[ip] >= settings.LOGIN_ATTEMPT_LIMIT: LoginProtect.next_available_login[ip] = datetime.now(tz=get_current_timezone()) + timedelta(seconds=settings.LOGIN_ATTEMPT_TIMEOUT) return auth_data return func(request)[0]
def get(self, request, *args, **kwargs): archive_file: ArchiveFile = self.get_object() if not archive_file.has_download_permission(request.user): return HttpResponseForbidden(""" Downloading of this archived file has been blocked by the administrators. Please contact the collection administrator for more information on this issue. """) filename = archive_file.file.name # url = f'/protected/download/{filename}' url = reverse("protected_download", kwargs={"path": filename}) # url = request.build_absolute_uri(url) response = HttpResponse() response["X-Accel-Redirect"] = url response["Content-Type"] = mimetypes.guess_type(filename)[0] or "" response[ "Content-Disposition"] = f'attachment; filename="{Path(archive_file.original_filename or filename).name}"' return response
def _build_status(request, project_id, build_id): build = Build.objects.get(project_id=project_id, id=build_id) if build.state not in [ Build.STATE_PENDING_REVIEW, Build.STATE_APPROVED, Build.STATE_REJECTED ]: return HttpResponseForbidden() if action == 'approve': build.state = Build.STATE_APPROVED build.date_approved = timezone.now() elif action == 'reject': build.state = Build.STATE_REJECTED build.date_rejected = timezone.now() else: raise Exception('Unknown action {}'.format(action)) build.reviewed_by = request.user.email or request.user.username build.save() build.update_github_status() return redirect('builds:build', project_id, build_id)
def post(self, *args, **kwargs): if not (self.request.user.profile.is_icap() or self.request.user.profile.is_country_administrator() or self.request.user.profile.is_institution_administrator()): return HttpResponseForbidden( 'You are not authorized to deny faculty access.') user = get_object_or_404(User, pk=self.request.POST.get('user_id')) pending = PendingTeachers.objects.get(user_profile=user.profile) user.profile.school = pending.school user.profile.country = pending.school.country user.profile.profile_type = 'TE' user.profile.save() self.send_confirmation_email(user) pending.delete() return self.render_to_json_response({'success': True})
def post(self, *args, **kwargs): pk = self.request.POST.get('pk') group = get_object_or_404(Group, pk=pk) if (self.request.user.profile.is_student() or (self.request.user.profile.is_teacher() and not group.creator == self.request.user)): return HttpResponseForbidden( 'You are not authorized to update this group') start_date = self.request.POST.get('start_date') end_date = self.request.POST.get('end_date') fmt = "%m/%d/%Y" group.start_date = datetime.strptime(start_date, fmt).date() group.end_date = datetime.strptime(end_date, fmt).date() group.name = self.request.POST.get('name') group.save() return HttpResponseRedirect('/dashboard/#user-groups')
def recreate_all_group_widgets(request=None, verbose=False): """ Resets all CosinnusGroup Dashboard Widget Configurations to their default by deleting and recreating them. """ if request and not request.user.is_superuser: return HttpResponseForbidden('Not authenticated') # delete all widget configs WidgetConfig.objects.all().delete() # create all default widgets for all groups groups_ids = [] all_groups = CosinnusGroup.objects.all() for group in all_groups: create_initial_group_widgets(None, group) groups_ids.append(str(group.id)) if verbose: print((">>> recreated widget config for group id", group.id)) return HttpResponse("The following groups were updated:<br/><br/>" + "<br/>".join(groups_ids))
def configure(request): if not request.user.is_authenticated or not request.user.is_staff: return HttpResponseForbidden() if request.method == "POST": for item in SiteConfig.objects.all(): item.value = False item.save() for item in request.POST: print(item) try: it = SiteConfig.objects.get(key=item) it.value = True it.save() except ObjectDoesNotExist: pass return redirect('admin')
def punch_edit(request, punch_id): punch = Punch.objects.get(pk=punch_id) if punch.speaker != request.user: return HttpResponseForbidden() ring = punch.ring template_title = _(u'Edit your opinion') if request.method == 'POST': punch_form = PunchForm(request.POST, instance=punch) if punch_form.is_valid(): punch_updated = punch_form.save(commit=False) save_punch(request, ring, punch_updated) return HttpResponseRedirect(reverse('discuss-topic', kwargs={'ring_id':str(ring.pk), 'slug':ring.slug})) else: if punch.ring.punch_set.all()[:1].get() == punch: punch_form = PunchForm(instance=punch, is_first=True) else: punch_form = PunchForm(instance=punch) variables = {'punch_form':punch_form, 'template_title': template_title, 'reverse':reverse('discuss-topic', kwargs={'ring_id':str(ring.pk), 'slug':ring.slug})} return render(request, 'punch.html', variables)
def oidc_revoke_bearer_tokens(request: HttpRequest) -> HttpResponse: if not request.user.is_authenticated or not isinstance( request.user, OIDCUser): return HttpResponseForbidden() try: data = json.loads(request.body.decode("ascii")) user = cast(OIDCUser, request.user) for token_id in data["token_ids"]: token_data = OIDCUserOfflineTokens.objects.get(id=token_id) secret = get_config()["secret_key"].encode() salt = user.sub.encode() decrypted_token = decrypt_data(token_data.offline_token, secret, salt) oidc_client = get_oidc_client() oidc_client.logout(decrypted_token.decode("ascii")) token_data.delete() return HttpResponse(status=200) except InvalidToken: return HttpResponse(status=401)
def problem(request, user, slug): """ Main problem view with all required forms. """ problem = get_object_or_404(Problem, slug=slug) if not problem.has_view_permission(request, for_user=user): return HttpResponseForbidden() problem_form = ChallengeProblemForm({'problem': problem.statement}) problem_form.helper.form_action = reverse('problem_update', kwargs={'slug': problem.slug}) template_form = ChallengeTemplateForm( {'submission_template': problem.submission_template}) template_form.helper.form_action = reverse('problem_update', kwargs={'slug': problem.slug}) submission, created = Submission.objects.get_or_create( problem=problem, author=user, defaults={"code": ""}) public_submissions = Submission.objects.filter(problem=problem, is_public=True) if created or submission.code.strip() == "": submission.code = problem.statement submission_form = SubmissionForm( { 'author': str(submission.author.id), 'problem': str(submission.problem.id), 'code': submission.code, }, user=user) submission_form.helper.form_action = reverse('submission_test', kwargs={'slug': problem.slug}) public_test_cases = problem.testcase_set.filter(is_public=True) return render_to_response( "dreamcode/problem.html", { "problem_problem_form": problem_form, "problem_template_form": template_form, "submission_form": submission_form, "problem": problem, "public_test_cases": public_test_cases, "public_submissions": public_submissions, }, RequestContext(request), )
def reset_user_tos_flags(request=None): if request and not request.user.is_superuser: return HttpResponseForbidden('Not authenticated') if not request.GET.get('confirm', False) == '1': active_users = filter_active_users(get_user_model().objects.all()) ret = '********** This will reset all %d active users\' ToS accepted flag! Use param ?confirm=1 to delete the flags! ***********' % active_users.count( ) else: count = 0 active_users = filter_active_users(get_user_model().objects.all()) for profile in get_user_profile_model().objects.all().filter( user__in=active_users): del profile.settings['tos_accepted'] profile.save(update_fields=['settings']) count += 1 ret = 'Successfully reset the ToS flag for %d users.' % count return HttpResponse(ret)
def refund(self, request, pk=None): if not request.user.has_perm('payments.refund_orderpayment' ) or not properties.ENABLE_REFUNDS: return HttpResponseForbidden( 'Missing permission: payments.refund_orderpayment') order_payment = OrderPayment.objects.get(pk=pk) service = PaymentService(order_payment) service.refund_payment() self.message_user(request, 'Refund is requested.') order_payment_url = reverse('admin:payments_orderpayment_change', args=(order_payment.id, )) response = HttpResponseRedirect(order_payment_url) return response
def mailgun_webhook(request): """Handle mailgun webhooks to keep track of user emails that have failed""" # pylint: disable=too-many-return-statements def verify(event): """Verify that the message is from mailgun""" token = event.get("token", "") timestamp = event.get("timestamp", "") signature = event.get("signature", "") hmac_digest = hmac.new( key=settings.MAILGUN_ACCESS_KEY.encode("utf8"), msg=f"{timestamp}{token}".encode("utf8"), digestmod=hashlib.sha256, ).hexdigest() match = hmac.compare_digest(signature, str(hmac_digest)) return match and int(timestamp) + 300 > time.time() if request.method != "POST": return HttpResponseNotAllowed(["POST"]) try: event = json.loads(request.body) except ValueError: return HttpResponseBadRequest("JSON decode error") if not verify(event.get("signature", {})): return HttpResponseForbidden() if "event-data" not in event: return HttpResponseBadRequest("Missing event-data") event = event["event-data"] if event.get("event") != "failed": return HttpResponse("OK") if "recipient" not in event: return HttpResponseBadRequest("Missing recipient") email = event["recipient"] User.objects.filter(email=email).update(email_failed=True) ReceiptEmail.objects.filter(email=email).update(failed=True) return HttpResponse("OK")
def dispatch(self, request: HttpRequest, *args, **kwargs): if request.user.is_authenticated: return super().dispatch(request, *args, **kwargs) authenticator = TokenAuthentication() try: auth_result = authenticator.authenticate(request) if not auth_result: return self.handle_no_permission() except exceptions.AuthenticationFailed as e: return HttpResponse(content=str(e), status=e.status_code) except PermissionDenied as e: return HttpResponseForbidden(content=str(e)) user, token = auth_result request.user = user request.auth = token return super().dispatch(request, *args, **kwargs)
def user_dashboard_announcement_activate(request, slug): """ Toggles an announcement active/inactive """ if not check_user_superuser(request.user): return HttpResponseForbidden('Not authenticated') announcement = get_object_or_None(UserDashboardAnnouncement, portal=CosinnusPortal.get_current(), slug=slug) if announcement is None: return HttpResponseNotFound() announcement.is_active = not announcement.is_active announcement.save() if announcement.is_active: messages.success(request, _('Your Announcement was activated successfully.')) else: messages.success(request, _('Your Announcement was deactivated successfully.')) return redirect('cosinnus:user-dashboard-announcement-list')
def tutorial_message(request, pk): tutorial = get_object_or_404(PyConTutorialProposal, pk=pk) presentation = Presentation.objects.get(proposal_base=tutorial) if not request.user.is_staff: if not is_attendee_or_speaker(request.user, presentation): return HttpResponseForbidden(_(u"Not authorized for this page")) message_form = TutorialMessageForm() if request.method == 'POST': message = PyConTutorialMessage(user=request.user, tutorial=tutorial) message_form = TutorialMessageForm(request.POST, instance=message) if message_form.is_valid(): message = message_form.save() context = email_context(request, tutorial, message) sender_email = request.user.email speakers = [ x.email for x in tutorial.speakers() if x.email != sender_email and x.email ] attendees = [ x.email for x in tutorial.registrants.all() if x.email != sender_email and x.email ] recipients = speakers + attendees # Send new message notice to speakers/attendees queue_email_message("message", from_=settings.DEFAULT_FROM_EMAIL, to=[request.user.email], bcc=recipients, context=context) messages.add_message(request, messages.INFO, _(u"Message queued to be sent.")) url = reverse('schedule_presentation_detail', args=[presentation.pk]) return redirect(url) return render(request, "tutorials/message.html", { 'presentation': presentation, 'form': message_form })
def handle_ajax(self, request: HttpRequest, **kwargs): if request.method != "POST": return HttpResponseBadRequest() csrf_token = request.META.get('CSRF_COOKIE', None) if not csrf_token: return HttpResponseForbidden("CSRF token is missing") if "HTTP_CONTENT_RANGE" in request.META: handler = self._handle_chunked else: handler = self._handle_complete result = [] try: for uploaded_file in request.FILES.values(): result.append(handler(request, csrf_token, uploaded_file)) except InvalidRequestException as e: return HttpResponseBadRequest(str(e)) return JsonResponse(result, safe=False)
def question_data(request, question_pk=None): question = QuestionContainer.objects.get(id=question_pk) if not question.has_change_permission(request.user): return HttpResponseForbidden() data = [] if request.GET['type'] == 'SC': for choice in question.choices.all(): data.append([ choice.text, len(choice.answers.all()) * 1.0 / len(question.answers.all()) * 100 ]) elif request.GET['type'] == 'MC': for choice in question.choices.all(): data.append([ choice.text, len(choice.checkanswers.all()) * 1.0 / len(question.answers.all()) * 100 ]) return data
def _update_release_restriction(request, domain, restriction_id, active): if not toggles.MANAGE_RELEASES_PER_LOCATION.enabled_for_request(request): return HttpResponseForbidden() release = AppReleaseByLocation.objects.get(id=restriction_id, domain=domain) try: release.activate() if active else release.deactivate() except ValidationError as e: response_content = { 'message': ','.join(e.messages) } else: response_content = { 'id': restriction_id, 'success': True, 'activated_on': (datetime.strftime(release.activated_on, '%Y-%m-%d %H:%M:%S') if release.activated_on else None), 'deactivated_on': (datetime.strftime(release.deactivated_on, '%Y-%m-%d %H:%M:%S') if release.deactivated_on else None), } return JsonResponse(data=response_content)