def process_view(self, request, view_func, view_args, view_kwargs): if settings.DEBUG_SECURE: return secure_request = request.is_secure() secure_view = isinstance(view_func, SecureView) # If the non-secure session is marked secure, refuse the request. # Likewise, if the secure session isn't marked secure, refuse the # request and delete the cookie. if request.session.get('is_secure'): return HttpResponseForbidden('Invalid session_id', mimetype='text/plain') if request.secure_session and not request.secure_session.get('is_secure'): resp = HttpResponseForbidden('Invalid secure_session_id', mimetype='text/plain') resp.delete_cookie('secure_session_id') return resp if secure_view and not secure_request: uri = request.build_absolute_uri().split(':', 1) uri = 'https:' + uri[1] return view_func.redirect(uri, request, 'secure') if not secure_view and secure_request: uri = request.build_absolute_uri().split(':', 1) uri = 'http:' + uri[1] if uri == 'http://%s/' % request.META.get('HTTP_HOST', ''): uri += '?preview=true' if isinstance(view_func, BaseView): return view_func.redirect(uri, request, 'secure') else: return HttpResponsePermanentRedirect(uri)
def submit_vote(request): authenticate(request, VALID_FACTORS) admin = ('admin' == authenticate(request, VALID_FACTORS)) if request.method != 'POST': raise Http404 fp = get_fp() if not check_status(fp,DURING_V) and not admin: return HttpResponse403() d = request.POST query = d.copy() voter = request.user try: FundingPollVote.objects.save_fp_data_list(FundingPollOrganization, fp, voter, query) except IntegrityError: if not admin: r = HttpResponseForbidden() r.write('<p>Error, you may not vote twice in fundingpoll.</p>') return r return render_to_response('fundingpoll/voting_success.html', context_instance=RequestContext(request))
def wrapper(self, request, *args, **kwargs): user = request.user if user: if isinstance(user, Account): return func(self, request, *args, **kwargs) response = HttpResponseForbidden('403 Forbidden') # Added back bit required by django-piston response._is_string = True return response
def put(self, args): plan = Plan() if not self.request.user.is_authenticated(): if not 'captcha-id' in args: return HttpResponseBadRequest('Weird') if not 'captcha-value' in args: return HttpResponseBadRequest('Please enter a value') captcha_id = args['captcha-id'] captcha_value = args['captcha-value'] if not captcha_value.isdigit(): return HttpResponseBadRequest('Please enter a number') captcha_value = int(captcha_value) answer = CaptchaRequest.validate(captcha_id, captcha_value) if answer != CAPTCHA_ANSWER_OK: captcha = generate_sum_captcha() response = HttpResponseForbidden('Wrong answer') response['location'] = captcha.uid return response if 'title' in args: plan.title = args['title'] if 'instructions' in args: plan.instructions = args['instructions'] if 'expires' in args: expires = args['expires'] if not isinstance(expires, int): if expires.isdigit(): expires = int(expires) else: return HttpResponseBadRequest() expires = min(max(expires,1),6) else: expires = 1 today = datetime.date.today() delta = relativedelta(months=+expires) plan.expires = today + delta plan.save() response = HttpResponseCreated('/rpc/%s' % plan.hash) data = { 'id': plan.hash, 'title': plan.title, 'instructions': plan.instructions, 'expires': str(plan.expires), } response.content = simplejson.dumps(data) response['Content-type'] = 'application/json' return response
def Forbidden(msg): error = { 'success': False, 'data': { 'code': 403, 'message': msg } } resp = HttpResponseForbidden() resp.content = json.dumps(error) return resp
def process_exception(self, request, exception): if isinstance(exception, BearerTokenError): response = HttpResponseForbidden() auth_fields = [ 'error="{}"'.format(exception.code), 'error_description="{}"'.format(exception.description) ] if 'scope' in request.POST: auth_fields = ['Bearer realm="{}"'.format(request.POST['scope'])] + auth_fields response.__setitem__('WWW-Authenticate', ', '.join(auth_fields)) return response
def srt(request, id, layer, index=None): item = get_object_or_404(models.Item, itemId=id) if not item.access(request.user): response = HttpResponseForbidden() else: response = HttpResponse() filename = u"%s.srt" % item.get('title') response['Content-Disposition'] = "attachment; filename*=UTF-8''%s" % quote(filename.encode('utf-8')) response['Content-Type'] = 'text/x-srt' response.write(item.srt(layer)) return response
def register_metaman(request): ''' view function to handle the MetaMan file upload ''' if request.method == 'POST': form = RegisterMetamanForm(request.POST, request.FILES) if form.is_valid(): username = form.cleaned_data['username'] password = form.cleaned_data['password'] epn = form.cleaned_data['epn'] logger.info('=== ingestion request for epn %s' % epn) user = authenticate(username=username, password=password) if user is None: logger.debug('authorisation failed') response = HttpResponseForbidden() response.write('authorization failed') return response elif user.is_active is False: logger.debug('user account %s is inactive' % user.username) response = HttpResponseForbidden() response.write('authorization failed') return response else: login(request, user) try: logger.info('calling _parse_metaman for epn %s' % epn) expid = _parse_metaman(request, form.cleaned_data) logger.info('_parse_metaman SUCCESS,' ' experiment id = %i' % expid) except: logger.exception('exception') logger.error('=== ingesting for epn %s FAILED' % epn) return HttpResponseServerError() logger.info('=== ingestion FINISHED for epn %s' % epn) logout(request) return HttpResponse(str(expid)) c = Context({'form': form, 'error': True, 'header': 'Register Metaman File'}) render_to_response('tardis_portal/form_template.html', c) else: form = RegisterMetamanForm() c = Context({'form': form, 'header': 'Register Metaman File'}) return render_to_response('tardis_portal/form_template.html', c)
def get_upload_params(request): """Authorises user and validates given file properties.""" file_name = request.POST['name'] file_type = request.POST['type'] file_size = int(request.POST['size']) key_args = request.POST.get('keyArgs') dest = get_s3direct_destinations().get(request.POST.get('dest', None), None) if not dest: resp = json.dumps({'error': 'File destination does not exist.'}) return HttpResponseNotFound(resp, content_type='application/json') auth = dest.get('auth') if auth and not auth(request.user): resp = json.dumps({'error': 'Permission denied.'}) return HttpResponseForbidden(resp, content_type='application/json') allowed = dest.get('allowed') if (allowed and file_type not in allowed) and allowed != '*': resp = json.dumps({'error': 'Invalid file type (%s).' % file_type}) return HttpResponseBadRequest(resp, content_type='application/json') cl_range = dest.get('content_length_range') if (cl_range and not cl_range[0] <= file_size <= cl_range[1]): msg = 'Invalid file size (must be between %s and %s bytes).' resp = json.dumps({'error': (msg % cl_range)}) return HttpResponseBadRequest(resp, content_type='application/json') key = dest.get('key') if not key: resp = json.dumps({'error': 'Missing destination path.'}) return HttpResponseServerError(resp, content_type='application/json') if key_args: try: key_args = json.loads(key_args) except Exception: resp = json.dumps({ 'error': 'Malformed key_args override defined on widget, make sure it\'s json serializable' }) return HttpResponseServerError(resp, content_type='application/json') bucket = dest.get('bucket', getattr(settings, 'AWS_STORAGE_BUCKET_NAME', None)) if not bucket: resp = json.dumps({'error': 'S3 bucket config missing.'}) return HttpResponseServerError(resp, content_type='application/json') region = dest.get('region', getattr(settings, 'AWS_S3_REGION_NAME', None)) if not region: resp = json.dumps({'error': 'S3 region config missing.'}) return HttpResponseServerError(resp, content_type='application/json') endpoint = dest.get('endpoint', getattr(settings, 'AWS_S3_ENDPOINT_URL', None)) if not endpoint: resp = json.dumps({'error': 'S3 endpoint config missing.'}) return HttpResponseServerError(resp, content_type='application/json') aws_credentials = get_aws_credentials() if not aws_credentials.secret_key or not aws_credentials.access_key: resp = json.dumps({'error': 'AWS credentials config missing.'}) return HttpResponseServerError(resp, content_type='application/json') upload_data = { 'object_key': get_key(key, file_name, dest, key_args), 'access_key_id': aws_credentials.access_key, 'session_token': aws_credentials.token, 'region': region, 'bucket': bucket, 'endpoint': endpoint, 'acl': dest.get('acl') or 'public-read', 'allow_existence_optimization': dest.get('allow_existence_optimization', False) } optional_params = [ 'content_disposition', 'cache_control', 'server_side_encryption' ] for optional_param in optional_params: if optional_param in dest: option = dest.get(optional_param) if hasattr(option, '__call__'): upload_data[optional_param] = option(file_name) else: upload_data[optional_param] = option resp = json.dumps(upload_data) return HttpResponse(resp, content_type='application/json')
def put(self, request, pk): try: odlc = find_odlc(request, int(pk)) except Odlc.DoesNotExist: return HttpResponseNotFound('Odlc %s not found' % pk) except ValueError as e: return HttpResponseForbidden(str(e)) try: data = json.loads(request.body) except ValueError: return HttpResponseBadRequest('Request body is not valid JSON.') # Must be a json dictionary. if not isinstance(data, dict): return HttpResponseBadRequest('Request body not a JSON dict.') # Cannot submit JSON with actionable_override if not superuser. if 'actionable_override' in data and not request.user.is_superuser: return HttpResponseForbidden( 'Non-admin users cannot submit actionable override.') try: data = normalize_data(data) except ValueError as e: return HttpResponseBadRequest(str(e)) # We update any of the included values, except id and user if 'type' in data: odlc.odlc_type = data['type'] if 'orientation' in data: odlc.orientation = data['orientation'] if 'shape' in data: odlc.shape = data['shape'] if 'background_color' in data: odlc.background_color = data['background_color'] if 'alphanumeric' in data: odlc.alphanumeric = data['alphanumeric'] if 'alphanumeric_color' in data: odlc.alphanumeric_color = data['alphanumeric_color'] if 'description' in data: odlc.description = data['description'] if 'autonomous' in data: odlc.autonomous = data['autonomous'] if 'actionable_override' in data: odlc.actionable_override = data['actionable_override'] # Location is special because it is in a GpsPosition model # If lat/lon exist and are None, the user wants to clear them. # If they exist and are not None, the user wants to update/add them. # If they don't exist, the user wants to leave them alone. clear_lat = False clear_lon = False update_lat = False update_lon = False if 'latitude' in data: if data['latitude'] is None: clear_lat = True else: update_lat = True if 'longitude' in data: if data['longitude'] is None: clear_lon = True else: update_lon = True if (clear_lat and not clear_lon) or (not clear_lat and clear_lon): # Location must be cleared entirely, we can't clear just lat or # just lon. return HttpResponseBadRequest( 'Only none or both of latitude and longitude can be cleared.') if clear_lat and clear_lon: odlc.location = None elif update_lat or update_lon: if odlc.location is not None: # We can directly update individual components if update_lat: odlc.location.latitude = data['latitude'] if update_lon: odlc.location.longitude = data['longitude'] odlc.location.save() else: # We need a new GpsPosition, this requires both lat and lon if not update_lat or not update_lon: return HttpResponseBadRequest( 'Either none or both of latitude and longitude required.' ) l = GpsPosition( latitude=data['latitude'], longitude=data['longitude']) l.save() odlc.location = l odlc.save() return JsonResponse(odlc.json(is_superuser=request.user.is_superuser))
def problem_submit(request, problem=None, submission=None): if submission is not None and not request.user.has_perm('judge.resubmit_other') and \ get_object_or_404(Submission, id=int(submission)).user.user != request.user: raise PermissionDenied() profile = request.user.profile if request.method == 'POST': form = ProblemSubmitForm(request.POST, instance=Submission(user=profile)) if form.is_valid(): if (not request.user.has_perm('judge.spam_submission') and Submission.objects.filter(user=profile, is_being_rejudged=False).exclude( status__in=['D', 'IE', 'CE', 'AB']).count() > 2): return HttpResponse('<h1>You submitted too many submissions.</h1>', status=503) if not form.cleaned_data['problem'].allowed_languages.filter( id=form.cleaned_data['language'].id).exists(): raise PermissionDenied() if not form.cleaned_data['problem'].is_accessible_by(request.user): user_logger.info('Naughty user %s wants to submit to %s without permission', request.user.username, form.cleaned_data['problem'].code) return HttpResponseForbidden('<h1>Do you want me to ban you?</h1>') if not request.user.is_superuser and form.cleaned_data['problem'].banned_users.filter( id=profile.id).exists(): return generic_message(request, _('Banned from Submitting'), _('You have been declared persona non grata for this problem. ' 'You are permanently barred from submitting this problem.')) model = form.save() profile.update_contest() if profile.current_contest is not None: try: contest_problem = model.problem.contests.get(contest=profile.current_contest.contest) except ContestProblem.DoesNotExist: pass else: contest = ContestSubmission(submission=model, problem=contest_problem, participation=profile.current_contest) contest.save() model.judge() return HttpResponseRedirect(reverse('submission_status', args=[str(model.id)])) else: form_data = form.cleaned_data else: initial = {'language': profile.language} if problem is not None: initial['problem'] = get_object_or_404(Problem, code=problem) if not initial['problem'].is_accessible_by(request.user): raise Http404() if submission is not None: try: sub = get_object_or_404(Submission, id=int(submission)) initial['source'] = sub.source initial['language'] = sub.language except ValueError: raise Http404() form = ProblemSubmitForm(initial=initial) form_data = initial if 'problem' in form_data: form.fields['language'].queryset = (form_data['problem'].usable_languages.order_by('name', 'key') .prefetch_related( Prefetch('runtimeversion_set', RuntimeVersion.objects.order_by('priority')))) if 'language' in form_data: form.fields['source'].widget.mode = form_data['language'].ace form.fields['source'].widget.theme = profile.ace_theme return render(request, 'problem/submit.jade', { 'form': form, 'title': _('Submit'), 'langs': Language.objects.all(), 'no_judges': not form.fields['language'].queryset, 'ACE_URL': ACE_URL })
def post(self, request, *args, **kwargs): if request.user.is_authenticated and not request.user.is_staff: Resume.objects.create(author=request.user, description=request.POST["description"]) return redirect('home/') return HttpResponseForbidden()
def http_response_forbidden(message, content_type): if django.VERSION[:2] > (1, 3): kwargs = {'content_type': content_type} else: kwargs = {'mimetype': content_type} return HttpResponseForbidden(message, **kwargs)
def data_export(request, username, id_string, export_type): owner = get_object_or_404(User, username=username) xform = get_object_or_404(XForm, id_string=id_string, user=owner) helper_auth_helper(request) if not has_permission(xform, owner, request): return HttpResponseForbidden(_(u'Not shared.')) query = request.GET.get("query") extension = export_type # check if we should force xlsx force_xlsx = request.GET.get('xls') != 'true' if export_type == Export.XLS_EXPORT and force_xlsx: extension = 'xlsx' elif export_type in [Export.CSV_ZIP_EXPORT, Export.SAV_ZIP_EXPORT]: extension = 'zip' audit = { "xform": xform.id_string, "export_type": export_type } # check if we need to re-generate, # we always re-generate if a filter is specified if should_create_new_export(xform, export_type) or query or\ 'start' in request.GET or 'end' in request.GET: format_date_for_mongo = lambda x, datetime: datetime.strptime( x, '%y_%m_%d_%H_%M_%S').strftime('%Y-%m-%dT%H:%M:%S') # check for start and end params if 'start' in request.GET or 'end' in request.GET: if not query: query = '{}' query = json.loads(query) query[SUBMISSION_TIME] = {} try: if request.GET.get('start'): query[SUBMISSION_TIME]['$gte'] = format_date_for_mongo( request.GET['start'], datetime) if request.GET.get('end'): query[SUBMISSION_TIME]['$lte'] = format_date_for_mongo( request.GET['end'], datetime) except ValueError: return HttpResponseBadRequest( _("Dates must be in the format YY_MM_DD_hh_mm_ss")) else: query = json.dumps(query) try: export = generate_export( export_type, extension, username, id_string, None, query) audit_log( Actions.EXPORT_CREATED, request.user, owner, _("Created %(export_type)s export on '%(id_string)s'.") % { 'id_string': xform.id_string, 'export_type': export_type.upper() }, audit, request) except NoRecordsFoundError: return HttpResponseNotFound(_("No records found to export")) else: export = newset_export_for(xform, export_type) # log download as well audit_log( Actions.EXPORT_DOWNLOADED, request.user, owner, _("Downloaded %(export_type)s export on '%(id_string)s'.") % { 'id_string': xform.id_string, 'export_type': export_type.upper() }, audit, request) if not export.filename: # tends to happen when using newset_export_for. return HttpResponseNotFound("File does not exist!") # get extension from file_path, exporter could modify to # xlsx if it exceeds limits path, ext = os.path.splitext(export.filename) ext = ext[1:] if request.GET.get('raw'): id_string = None response = response_with_mimetype_and_name( Export.EXPORT_MIMES[ext], id_string, extension=ext, file_path=export.filepath) return response
def finish_authorize(request: HttpRequest) -> HttpResponse: """ Set parameter secret to something valid. The external service redirects here after _we_ redirect to _it_ in start_authorize(). We cannot include pk in the URL (since the external service -- e.g., Google -- requires a fixed URL), so we store the pk in the session. """ try: flow = request.session['oauth-flow'] except KeyError: return HttpResponseForbidden( 'Missing auth session. Please try connecting again.') try: scope = Scope(**flow) except TypeError: # This would _normally_ be a crash-worthy exception. But there might # be sessions in progress as we deploy, [2018-12-21]. TODO nix this # `except` to keep our code clean. logger.exception('Malformed auth session. Data: %r', flow) return HttpResponseForbidden( 'Malformed auth session. Please try connecting again.') service = oauth.OAuthService.lookup_or_none(scope.service_id) if not service: return HttpResponseNotFound('Service not configured') offline_token = service.acquire_refresh_token_or_str_error( request.GET, scope.state) if isinstance(offline_token, str): return HttpResponseForbidden(offline_token) username = service.extract_username_from_token(offline_token) try: with Workflow.authorized_lookup_and_cooperative_lock( 'owner', # only owner can modify params request.user, request.session, pk=scope.workflow_id) as workflow: # raises WfModule.DoesNotExist, ModuleVersion.DoesNotExist wf_module, _ = _load_wf_module_and_service(workflow, scope.wf_module_id, scope.param) wf_module.secrets = { **wf_module.secrets, scope.param: { 'name': username, 'secret': offline_token, } } wf_module.save(update_fields=['secrets']) delta_json = { 'updateWfModules': { str(wf_module.id): { 'secrets': wf_module.secret_metadata, } } } except Workflow.DoesNotExist as err: # Possibilities: # str(err) = 'owner access denied' # str(err) = 'Workflow matching query does not exist' return HttpResponseForbidden(str(err)) except (ModuleVersion.DoesNotExist, WfModule.DoesNotExist): return HttpResponseNotFound('Step or parameter was deleted.') async_to_sync(websockets.ws_client_send_delta_async)(workflow.id, delta_json) response = HttpResponse( b"""<!DOCTYPE html> <html lang="en-US"> <head> <title>Authorized</title> </head> <body> <p class="success"> You have logged in. You may close this window now. </p> </body> </html> """, content_type='text/html; charset=utf-8', ) response['Cache-Control'] = 'no-cache' return response
def stats(request): if not request.user.is_superuser: return HttpResponseForbidden() before = request.GET.get('before', timezone.now()) after = request.GET.get('after', timezone.now() - timedelta(days=1)) period = request.GET.get('period', 'day') is_csv = (request.GET.get('csv', False) == 'true') def toWeek(dt): sunday = dt.strftime('%Y-%U-0') return datetime.strptime(sunday, '%Y-%U-%w').strftime('%Y-%m-%d') def toDay(dt): return dt.strftime('%Y-%m-%d') def toMonth(dt): return dt.strftime('%Y-%m') if period == 'day': period_fn = toDay elif period == 'week': period_fn = toWeek elif period == 'month': period_fn = toMonth users = User.objects.only('date_joined').filter( date_joined__gte=after, date_joined__lte=before).order_by('-date_joined') grouped_users_by_period = {} for gu in itertools.groupby(users, lambda u: period_fn(u.date_joined)): grouped_users_by_period[gu[0]] = len(list(gu[1])) queryset = Job.objects.only('created_at', 'the_geom').order_by('-created_at') if before: queryset = queryset.filter(Q(created_at__lte=before)) if after: queryset = queryset.filter(Q(created_at__gte=after)) grouped_jobs = itertools.groupby(queryset, lambda j: period_fn(j.created_at)) geoms = [] periods = [] for x in grouped_jobs: top_regions = Counter() jobs_in_group = list(x[1]) for j in jobs_in_group: centroid = j.the_geom.centroid geoms.append([centroid.x, centroid.y]) result = next( idx.nearest((centroid.x, centroid.y), 1, objects=True)) top_regions[result.object[2]] += 1 users_in_period = grouped_users_by_period.get(x[0], 0) top_regions_string = ' '.join( ["{0}:{1}".format(x[0], x[1]) for x in top_regions.most_common(5)]) periods.append({ 'start_date': x[0], 'jobs_count': len(jobs_in_group), 'users_count': users_in_period, 'top_regions': top_regions_string }) if is_csv: output = io.StringIO() writer = csv.writer(output) writer.writerow( ['start_date', 'jobs_count', 'users_count', 'top_regions']) for period in periods: writer.writerow([ period['start_date'], period['jobs_count'], period['users_count'], period['top_regions'] ]) return HttpResponse(output.getvalue()) else: return HttpResponse(json.dumps({'periods': periods, 'geoms': geoms}))
def move_plugin(self, request): """ Performs a move or a "paste" operation (when «move_a_copy» is set) POST request with following parameters: - plugin_id - placeholder_id - plugin_language (optional) - plugin_parent (optional) - plugin_order (array, optional) - move_a_copy (Boolean, optional) (anything supplied here except a case- insensitive "false" is True) NOTE: If move_a_copy is set, the plugin_order should contain an item '__COPY__' with the desired destination of the copied plugin. """ # plugin_id and placeholder_id are required, so, if nothing is supplied, # an ValueError exception will be raised by get_int(). try: plugin_id = get_int(request.POST.get('plugin_id')) except TypeError: raise RuntimeError("'plugin_id' is a required parameter.") plugin = CMSPlugin.objects.get(pk=plugin_id) try: placeholder_id = get_int(request.POST.get('placeholder_id')) except TypeError: raise RuntimeError("'placeholder_id' is a required parameter.") except ValueError: raise RuntimeError("'placeholder_id' must be an integer string.") placeholder = Placeholder.objects.get(pk=placeholder_id) # The rest are optional parent_id = get_int(request.POST.get('plugin_parent', ""), None) language = request.POST.get('plugin_language', None) move_a_copy = request.POST.get('move_a_copy', False) move_a_copy = (move_a_copy and move_a_copy != "0" and move_a_copy.lower() != "false") source_placeholder = plugin.placeholder if not language and plugin.language: language = plugin.language order = request.POST.getlist("plugin_order[]") if not self.has_move_plugin_permission(request, plugin, placeholder): return HttpResponseForbidden( force_text(_("You have no permission to move this plugin"))) if placeholder != source_placeholder: try: template = self.get_placeholder_template(request, placeholder) has_reached_plugin_limit(placeholder, plugin.plugin_type, plugin.language, template=template) except PluginLimitReached as er: return HttpResponseBadRequest(er) if move_a_copy: # "paste" if plugin.plugin_type == "PlaceholderPlugin": parent_id = None inst = plugin.get_plugin_instance()[0] plugins = inst.placeholder_ref.get_plugins() else: plugins = [plugin] + list(plugin.get_descendants()) new_plugins = copy_plugins.copy_plugins_to( plugins, placeholder, language, parent_plugin_id=parent_id, ) top_plugins = [] top_parent = new_plugins[0][0].parent_id for new_plugin, old_plugin in new_plugins: if new_plugin.parent_id == top_parent: # NOTE: There is no need to save() the plugins here. new_plugin.position = old_plugin.position top_plugins.append(new_plugin) # Creates a list of string PKs of the top-level plugins ordered by # their position. top_plugins_pks = [str(p.pk) for p in sorted( top_plugins, key=lambda x: x.position)] if parent_id: parent = CMSPlugin.objects.get(pk=parent_id) for plugin in top_plugins: plugin.parent = parent plugin.placeholder = placeholder plugin.language = language plugin.save() # If an ordering was supplied, we should replace the item that has # been copied with the new copy if order: if '__COPY__' in order: copy_idx = order.index('__COPY__') del order[copy_idx] order[copy_idx:0] = top_plugins_pks else: order.extend(top_plugins_pks) # Set the plugin variable to point to the newly created plugin. plugin = new_plugins[0][0] else: # Regular move if parent_id: if plugin.parent_id != parent_id: parent = CMSPlugin.objects.get(pk=parent_id) if parent.placeholder_id != placeholder.pk: return HttpResponseBadRequest(force_text( _('parent must be in the same placeholder'))) if parent.language != language: return HttpResponseBadRequest(force_text( _('parent must be in the same language as ' 'plugin_language'))) plugin.parent_id = parent.pk plugin.language = language plugin.save() plugin = plugin.move(parent, pos='last-child') else: sibling = CMSPlugin.get_last_root_node() plugin.parent = plugin.parent_id = None plugin.placeholder = placeholder plugin.save() plugin = plugin.move(sibling, pos='right') plugins = [plugin] + list(plugin.get_descendants()) # Don't neglect the children for child in plugins: child.placeholder = placeholder child.language = language child.save() reorder_plugins(placeholder, parent_id, language, order) # When this is executed we are in the admin class of the source placeholder # It can be a page or a model with a placeholder field. # Because of this we need to get the admin class instance of the # target placeholder and call post_move_plugin() on it. # By doing this we make sure that both the source and target are # informed of the operation. target_placeholder_admin = self._get_attached_admin(placeholder) if move_a_copy: # "paste" self.post_copy_plugins(request, source_placeholder, placeholder, plugins) if (target_placeholder_admin and target_placeholder_admin.model != self.model): target_placeholder_admin.post_copy_plugins( request, source_placeholder=source_placeholder, target_placeholder=placeholder, plugins=plugins, ) else: self.post_move_plugin(request, source_placeholder, placeholder, plugin) if (target_placeholder_admin and target_placeholder_admin.model != self.model): target_placeholder_admin.post_move_plugin( request, source_placeholder=source_placeholder, target_placeholder=placeholder, plugin=plugin, ) try: language = request.toolbar.toolbar_language except AttributeError: language = get_language_from_request(request) with force_language(language): plugin_urls = plugin.get_action_urls() json_response = { 'urls': plugin_urls, 'reload': move_a_copy or requires_reload( PLUGIN_MOVE_ACTION, [plugin]) } return HttpResponse( json.dumps(json_response), content_type='application/json')
def __init__(self): HttpResponseForbidden.__init__(self) self.write(render_to_string('errors/http_forbidden.phtml'))
def get(self, request, rcon_server_port, rcon_cmd): if not request.user.is_staff or not request.user.is_superuser or not request.user.is_authenticated: return HttpResponseForbidden() context = {} context = run_rcon_cmd(rcon_server_port, rcon_cmd) return render(request, 'remote_admin/rcon_cmd.html', context)
def dispatch(self, request, *args, **kwargs): if self.permission is None or request.user.has_perm(self.permission): return super(Submit, self).dispatch(request, *args, **kwargs) else: return HttpResponseForbidden()
def test_bad_guard(self): settings.STATSD_RECORD_GUARD = lambda r: HttpResponseForbidden() assert self.client.get(self.url, self.good).status_code == 403
def admin_question(request, pid): if not request.user.is_authenticated(): return HttpResponseForbidden() p = get_object_or_404(Poll, id=pid) context = {'poll': p, 'pid': pid, "errors": []} return render(request, 'poll/admin/results.html', context)
def __init__(self, request, msg): HttpResponseForbidden.__init__(self,'<h1>403 Forbidden</h1><p>%s</p>'%msg)
def profile(request): profile = request.user.profile # Switch user back to its default team if profile.current_team_id != profile.id: request.team = profile profile.current_team_id = profile.id profile.save() show_api_key = False if request.method == "POST": if "set_password" in request.POST: profile.send_set_password_link() return redirect("hc-set-password-link-sent") elif "create_api_key" in request.POST: profile.set_api_key() show_api_key = True messages.success(request, "The API key has been created!") elif "revoke_api_key" in request.POST: profile.api_key = "" profile.save() messages.info(request, "The API key has been revoked!") elif "show_api_key" in request.POST: show_api_key = True elif "update_reports_allowed" in request.POST: form = ReportSettingsForm(request.POST) if form.is_valid(): profile.reports_allowed = form.cleaned_data["reports_allowed"] profile.save() messages.success(request, "Your settings have been updated!") elif "update_weekly_reports_allowed" in request.POST: form = WeeklyReportsForm(request.POST) if form.is_valid(): profile.weekly_reports_allowed = form.cleaned_data[ "weekly_reports_allowed"] profile.save() messages.success(request, "Your settings have been updated") elif "update_daily_reports_allowed" in request.POST: form = DailyReportSettingsForm(request.POST) if form.is_valid(): profile.daily_reports_allowed = form.cleaned_data[ "daily_reports_allowed"] profile.save() messages.success(request, "Your settings have been updated") elif "invite_team_member" in request.POST: if not profile.team_access_allowed: return HttpResponseForbidden() form = InviteTeamMemberForm(request.POST) if form.is_valid(): email = form.cleaned_data["email"] user_checks = [ value for key, value in request.POST.items() if 'check' in key ] print(user_checks) try: user = User.objects.get(email=email) except User.DoesNotExist: user = _make_user(email) for chek in user_checks: notify = UserToNotify(recepient=user) check_object = Check.objects.get(id=chek) notify.check_id = check_object notify.save() profile.invite(user) messages.success(request, "Invitation to %s sent!" % email) elif "remove_team_member" in request.POST: form = RemoveTeamMemberForm(request.POST) if form.is_valid(): email = form.cleaned_data["email"] farewell_user = User.objects.get(email=email) farewell_user.profile.current_team = None farewell_user.profile.save() Member.objects.filter(team=profile, user=farewell_user).delete() messages.info(request, "%s removed from team!" % email) elif "set_team_name" in request.POST: if not profile.team_access_allowed: return HttpResponseForbidden() form = TeamNameForm(request.POST) if form.is_valid(): profile.team_name = form.cleaned_data["team_name"] profile.save() messages.success(request, "Team Name updated!") tags = set() filtered_checks = Check.objects.filter( user=request.team.user).order_by("created") checks = list(filtered_checks) for check in filtered_checks: tags.update(check.tags_list()) username = request.team.user.username badge_urls = [] for tag in sorted(tags, key=lambda s: s.lower()): if not re.match("^[\w-]+$", tag): continue badge_urls.append(get_badge_url(username, tag)) ctx = { "page": "profile", "badge_urls": badge_urls, "profile": profile, "show_api_key": show_api_key, "checks": checks } return render(request, "accounts/profile.html", ctx)
def csrf_failure(request, reason='', template=None): return HttpResponseForbidden( render(request, template), content_type='text/html' )
def profile(request): _ensure_own_team(request) profile = request.profile ctx = { "page": "profile", "profile": profile, "show_api_key": False, "api_status": "default", "team_status": "default" } if request.method == "POST": if "change_email" in request.POST: profile.send_change_email_link() return redirect("hc-link-sent") elif "set_password" in request.POST: profile.send_set_password_link() return redirect("hc-link-sent") elif "create_api_key" in request.POST: profile.set_api_key() ctx["show_api_key"] = True ctx["api_key_created"] = True ctx["api_status"] = "success" elif "revoke_api_key" in request.POST: profile.api_key = "" profile.save() ctx["api_key_revoked"] = True ctx["api_status"] = "info" elif "show_api_key" in request.POST: ctx["show_api_key"] = True elif "invite_team_member" in request.POST: if not profile.can_invite(): return HttpResponseForbidden() form = InviteTeamMemberForm(request.POST) if form.is_valid(): email = form.cleaned_data["email"] try: user = User.objects.get(email=email) except User.DoesNotExist: user = _make_user(email) profile.invite(user) ctx["team_member_invited"] = email ctx["team_status"] = "success" elif "remove_team_member" in request.POST: form = RemoveTeamMemberForm(request.POST) if form.is_valid(): email = form.cleaned_data["email"] farewell_user = User.objects.get(email=email) farewell_user.profile.current_team = None farewell_user.profile.save() Member.objects.filter(team=profile, user=farewell_user).delete() ctx["team_member_removed"] = email ctx["team_status"] = "info" elif "set_team_name" in request.POST: form = TeamNameForm(request.POST) if form.is_valid(): profile.team_name = form.cleaned_data["team_name"] profile.save() ctx["team_name_updated"] = True ctx["team_status"] = "success" return render(request, "accounts/profile.html", ctx)
def edit_dashboard(request, pk=None): if request.method == 'GET': user = request.user if request.user.is_authenticated(): saved_queries = Query.objects.filter(user=user).exclude( document__from=[]) else: saved_queries = [] for q in saved_queries: doc = q.document changed = False for f in doc['from']: for s in f['select']: if s['type'] == "VALUE": if 'datatype' not in s.keys(): try: s['datatype'] = Variable.objects.get( pk=int(f['type'])).dataType changed = True except: s['datatype'] = 'FLOAT' pass else: if 'datatype' not in s.keys(): try: s['datatype'] = Dimension.objects.get( pk=int(s['type'])).dataType changed = True except: s['datatype'] = 'FLOAT' pass if changed: q.document = doc q.save() try: dashboard = Dashboard.objects.get(pk=pk) except ObjectDoesNotExist: message = 'You cannot edit this Dashboard!\nThe Dashboard does not exist or has already been deleted!' return render(request, 'error_page.html', {'message': message}) # try: # if dashboard.user_id != user.id: # raise PermissionDenied # except: # return HttpResponseForbidden() # check for the access try: access_decision = PEP.access_to_edit_dashboard( request, dashboard.id) if access_decision is False: raise PermissionDenied except: return HttpResponseForbidden() # variables_list = [] # dimensions_list = [] # var_list = Variable.objects.all() # dim_list = Dimension.objects.all() # for el in var_list: # if not (el.name in variables_list): # variables_list.append(el.name.encode('ascii')) # for el in dim_list: # if not (el.name in dimensions_list): # dimensions_list.append(el.name.encode('ascii')) # toCreate = dashboard.title form_class = forms.CkEditorForm dashboard.viz_components = convert_unicode_json( dashboard.viz_components) print dashboard.viz_components conf_viz_json = '' try: with open( 'visualizer/static/visualizer/visualisations_settings.json' ) as f: conf_viz_json = json.dumps(json.load(f)) except: pass # check if user is the owner or just has been granted access owner = False if dashboard.user_id == user.id: owner = True return render( request, 'dashboard_builder/dashboard_editor_new.html', { 'dashboard': dashboard, 'dashboard_json': json.dumps(dashboard.viz_components), 'dashboard_pk': pk, 'dashboard_title': dashboard.title, 'is_owner': owner, 'sidebar_active': 'products', 'saved_queries': saved_queries, 'available_viz': Visualization.objects.filter(hidden=False).order_by( '-type', '-title'), 'form': form_class, # 'toCreate': toCreate, # 'variables_list': variables_list, # 'dimensions_list': dimensions_list, 'visualisation_configuration': conf_viz_json }) return None
def change_enrollment(request, check_access=True): """ Modify the enrollment status for the logged-in user. TODO: This is lms specific and does not belong in common code. The request parameter must be a POST request (other methods return 405) that specifies course_id and enrollment_action parameters. If course_id or enrollment_action is not specified, if course_id is not valid, if enrollment_action is something other than "enroll" or "unenroll", if enrollment_action is "enroll" and enrollment is closed for the course, or if enrollment_action is "unenroll" and the user is not enrolled in the course, a 400 error will be returned. If the user is not logged in, 403 will be returned; it is important that only this case return 403 so the front end can redirect the user to a registration or login page when this happens. This function should only be called from an AJAX request, so the error messages in the responses should never actually be user-visible. Args: request (`Request`): The Django request object Keyword Args: check_access (boolean): If True, we check that an accessible course actually exists for the given course_key before we enroll the student. The default is set to False to avoid breaking legacy code or code with non-standard flows (ex. beta tester invitations), but for any standard enrollment flow you probably want this to be True. Returns: Response """ # Get the user user = request.user # Ensure the user is authenticated if not user.is_authenticated: return HttpResponseForbidden() # Ensure we received a course_id action = request.POST.get("enrollment_action") if 'course_id' not in request.POST: return HttpResponseBadRequest(_("Course id not specified")) try: course_id = CourseKey.from_string(request.POST.get("course_id")) except InvalidKeyError: log.warning( u"User %s tried to %s with invalid course id: %s", user.username, action, request.POST.get("course_id"), ) return HttpResponseBadRequest(_("Invalid course id")) # Allow us to monitor performance of this transaction on a per-course basis since we often roll-out features # on a per-course basis. monitoring_utils.set_custom_attribute('course_id', text_type(course_id)) if action == "enroll": # Make sure the course exists # We don't do this check on unenroll, or a bad course id can't be unenrolled from if not modulestore().has_course(course_id): log.warning(u"User %s tried to enroll in non-existent course %s", user.username, course_id) return HttpResponseBadRequest(_("Course id is invalid")) # Record the user's email opt-in preference if settings.FEATURES.get('ENABLE_MKTG_EMAIL_OPT_IN'): _update_email_opt_in(request, course_id.org) available_modes = CourseMode.modes_for_course_dict(course_id) # Check whether the user is blocked from enrolling in this course # This can occur if the user's IP is on a global blacklist # or if the user is enrolling in a country in which the course # is not available. redirect_url = embargo_api.redirect_if_blocked( course_id, user=user, ip_address=get_ip(request), url=request.path) if redirect_url: return HttpResponse(redirect_url) if CourseEntitlement.check_for_existing_entitlement_and_enroll( user=user, course_run_key=course_id): return HttpResponse( reverse('courseware', args=[six.text_type(course_id)])) # Check that auto enrollment is allowed for this course # (= the course is NOT behind a paywall) if CourseMode.can_auto_enroll(course_id): # Enroll the user using the default mode (audit) # We're assuming that users of the course enrollment table # will NOT try to look up the course enrollment model # by its slug. If they do, it's possible (based on the state of the database) # for no such model to exist, even though we've set the enrollment type # to "audit". try: enroll_mode = CourseMode.auto_enroll_mode( course_id, available_modes) if enroll_mode: CourseEnrollment.enroll(user, course_id, check_access=check_access, mode=enroll_mode) except Exception: # pylint: disable=broad-except return HttpResponseBadRequest(_("Could not enroll")) # If we have more than one course mode or professional ed is enabled, # then send the user to the choose your track page. # (In the case of no-id-professional/professional ed, this will redirect to a page that # funnels users directly into the verification / payment flow) if CourseMode.has_verified_mode( available_modes) or CourseMode.has_professional_mode( available_modes): return HttpResponse( reverse("course_modes_choose", kwargs={'course_id': text_type(course_id)})) # Otherwise, there is only one mode available (the default) return HttpResponse() elif action == "unenroll": enrollment = CourseEnrollment.get_enrollment(user, course_id) if not enrollment: return HttpResponseBadRequest( _("You are not enrolled in this course")) certificate_info = cert_info(user, enrollment.course_overview) if certificate_info.get('status') in DISABLE_UNENROLL_CERT_STATES: return HttpResponseBadRequest( _("Your certificate prevents you from unenrolling from this course" )) CourseEnrollment.unenroll(user, course_id) REFUND_ORDER.send(sender=None, course_enrollment=enrollment) return HttpResponse() else: return HttpResponseBadRequest(_("Enrollment action is invalid"))
def __call__(self, request): if request.user.is_authenticated and not request.user.is_active(): return HttpResponseForbidden() response = self.get_response(request) return response
def infoapply(request): ultra = False from crawler.models import OfficialInfo,Relation from memberinfo.models import MemberInfo,Group,Team import memberinfo.divisions as div if request.GET.has_key('ultra'): if not request.user.is_staff: return HttpResponseForbidden('You are not a staff of this site.') else: ultra = True rela = Relation.objects.filter(mid__isnull = False) for r in rela: OfficialInfo.objects.filter(mid__isnull = True, name__iexact = r.jp_name).update(mid = r.mid) pass counter = 0 infolist = OfficialInfo.objects.filter(mid__isnull = False, applied = False).all() namelist = infolist.values('name').all() for name in namelist: items = infolist.filter(name__iexact = name['name']).all() member = {} for item in items: for k in item._meta.get_all_field_names(): v = getattr(item,k) if v: member[k] = v try: m = member['mid'] g = Group.objects.get(groupname__iexact = member['group']) t = g.team_set.get(teamname__iexact = member['team']) m.team = t m.comefrom = div.getIdByJp(member['hometown']) m.birthday = member['birthday'] if ultra: from memberinfo.cn_jp import jp2cn m.name = member['name'] l = [] for c in m.cn_name: l.append(jp2cn(c)) m.cn_name = ''.join(l) if member.get('nick', False): m.nick = member['nick'] if member.get('avatar', False): m.avatar = member['avatar'] if member.get('concurrent_group',False): cg = Group.objects.get(groupname__iexact = member['concurrent_group']) ct = cg.team_set.get(teamname__iexact = member['concurrent_team']) m.bothin = ct pass des = [] if member.get('managercom',False): if member.get('managercom_href',False): des.append(u'经纪公司:<a href="' + member['managercom_href'] + '">' + member['managercom'] + '</a>') else: des.append(u'经纪公司:' + member['managercom']) if member.get('bloodtype',False): des.append(u'血型:' + member['bloodtype']) if member.get('height',False): des.append(u'身高:' + member['height']) if member.get('catchphrase',False): des.append(u'Catch Phrase:' + member['catchphrase']) if member.get('stunt',False): des.append(u'特技:' + member['stunt']) if member.get('dream',False): des.append(u'梦想:' + member['dream']) if member.get('favfood',False): des.append(u'最爱的食物:' + member['favfood']) if member.get('favquote',False): des.append(u'座右铭:' + member['favquote']) if member.get('favfood',False): des.append(u'最爱的食物:' + member['favfood']) if member.get('hobby',False): des.append(u'爱好:' + member['hobby']) if member.get('charm',False): des.append(u'魅力点:' + member['charm']) if member.get('msg',False): des.append(member['msg']) m.description = '<br />'.join(des) m.save() counter += 1 except Exception, e: print e continue items.update(applied = True) pass
def post(self, request): try: data = json.loads(request.body) except ValueError: return HttpResponseBadRequest('Request body is not valid JSON.') # Must be a json dictionary. if not isinstance(data, dict): return HttpResponseBadRequest('Request body not a JSON dict.') # Odlc type is required. if 'type' not in data: return HttpResponseBadRequest('Odlc type required.') # Team id can only be specified if superuser. user = request.user if 'team_id' in data: if request.user.is_superuser: user = User.objects.get(username=data['team_id']) else: return HttpResponseForbidden( 'Non-admin users cannot send team_id') latitude = data.get('latitude') longitude = data.get('longitude') # Require zero or both of latitude and longitude. if (latitude is not None and longitude is None) or \ (latitude is None and longitude is not None): return HttpResponseBadRequest( 'Either none or both of latitude and longitude required.') # Cannot submit JSON with actionable_override if not superuser. if 'actionable_override' in data and not request.user.is_superuser: return HttpResponseForbidden( 'Non-admin users cannot submit actionable override.') try: data = normalize_data(data) except ValueError as e: return HttpResponseBadRequest(str(e)) l = None if latitude is not None and longitude is not None: l = GpsPosition( latitude=data['latitude'], longitude=data['longitude']) l.save() # Use the dictionary get() method to default non-existent values to None. t = Odlc( user=user, odlc_type=data['type'], location=l, orientation=data.get('orientation'), shape=data.get('shape'), background_color=data.get('background_color'), alphanumeric=data.get('alphanumeric', ''), alphanumeric_color=data.get('alphanumeric_color'), description=data.get('description', ''), autonomous=data.get('autonomous', False), actionable_override=data.get('actionable_override', False)) t.save() return JsonResponse( t.json(is_superuser=request.user.is_superuser), status=201)
def wrapper(req, *args, **kwargs): user = req.user in_group = user.groups.filter(id__in=groups).first() if in_group or user.is_superuser: return func(req, *args, **kwargs) return HttpResponseForbidden()
def parameterval_oauth_generate_access_token(request, pk) -> HttpResponse: """Return a temporary access_token the client can use. Only the owner can generate an access token: we must keep the secret away from prying eyes. This access token lets the client read all the owner's documents on GDrive. The response is always text/plain. Status codes: 200 OK -- a token 404 Not Found -- param not found, or param has no secret 403 Forbidden -- user not allowed to generate token We expect the caller to silently accept 404 Not Found but log other errors. """ param = parameter_val_or_response_for_read(pk, request) if isinstance(param, HttpResponse): return param workflow = param.wf_module.workflow # Let's be abundantly clear: this is a _secret_. Users give us their # refresh tokens under the assmption that we won't share access to all # their files with _anybody_. # # We aren't checking if writes are allowed. We're checking the user's # identity. # # See Workflow.request_authorized_write(), which is _currently_ the same # but may not stay that way. is_owner = False if request.user and request.user == workflow.owner: is_owner = True if workflow.anonymous_owner_session_key and request.session.session_key: if workflow.anonymous_owner_session_key == request.session.session_key: is_owner = True if not is_owner: return HttpResponseForbidden( 'Only the workspace owner can generate an access token') spec = param.parameter_spec if spec.type != ParameterSpec.SECRET: return HttpResponseForbidden(f'This is a {spec.type}, not a SECRET') service = oauth.OAuthService.lookup_or_none(spec.id_name) if not service: allowed_services = settings.PARAMETER_OAUTH_SERVICES.keys() return HttpResponseForbidden( f'We only support id_name {", ".join(allowed_services)}') secret_json = param.value if not secret_json: return HttpResponseNotFound('secret not set') try: secret_data = json.loads(secret_json) except json.decoder.JSONDecodeError: return HttpResponseForbidden('non-JSON secret') try: offline_token = secret_data['secret'] except KeyError: return HttpResponseForbidden('secret value has no secret') token = service.generate_access_token_or_str_error(offline_token) if isinstance(token, str): return HttpResponseForbidden(token) # token['access_token'] is short-term (1hr). token['refresh_token'] is # super-private and we should never transmit it. return HttpResponse(token['access_token'], content_type='text/plain')
def wrapper(obj, req, *args, **kwargs): user = req.user if user.has_perm(perm): return func(obj, req, *args, **kwargs) else: return HttpResponseForbidden()
def fc_callback(request): fc_base = settings.FC_AS_FS_BASE_URL fc_callback_uri = f"{settings.FC_AS_FS_CALLBACK_URL}/callback" # fc_callback_uri_logout = f"{settings.FC_AS_FS_CALLBACK_URL}/logout-callback" fc_id = settings.FC_AS_FS_ID fc_secret = settings.FC_AS_FS_SECRET state = request.GET.get("state") try: connection = Connection.objects.get(state=state) except Connection.DoesNotExist: log.info("FC as FS - This state does not seem to exist") log.info(state) return HttpResponseForbidden() if connection.expiresOn < timezone.now(): log.info("403: The connection has expired.") return HttpResponseForbidden() code = request.GET.get("code") if not code: log.info("403: No code has been provided.") return HttpResponseForbidden() token_url = f"{fc_base}/token" payload = { "grant_type": "authorization_code", "redirect_uri": fc_callback_uri, "client_id": fc_id, "client_secret": fc_secret, "code": code, } headers = {"Accept": "application/json"} request_for_token = python_request.post(token_url, data=payload, headers=headers) content = request_for_token.json() connection.access_token = content.get("access_token") connection.save() fc_id_token = content.get("id_token") try: decoded_token = jwt.decode( fc_id_token, settings.FC_AS_FS_SECRET, audience=settings.FC_AS_FS_ID, algorithm="HS256", ) except ExpiredSignatureError: log.info("403: token signature has expired.") return HttpResponseForbidden() if connection.nonce != decoded_token.get("nonce"): log.info("403: The nonce is different than the one expected.") return HttpResponseForbidden() if connection.expiresOn < timezone.now(): log.info("403: The connection has expired.") return HttpResponseForbidden() try: usager = Usager.objects.get(sub=decoded_token["sub"]) except Usager.DoesNotExist: usager, error = get_user_info(fc_base, connection.access_token) if error: messages.error(request, error) return redirect("dashboard") connection.usager = usager connection.save() # logout_base = f"{fc_base}/logout" # logout_id_token = f"id_token_hint={fc_id_token}" # logout_state = f"state={state}" # logout_redirect = f"post_logout_redirect_uri={fc_callback_uri_logout}" # logout_url = f"{logout_base}?{logout_id_token}&{logout_state}&{logout_redirect}" return redirect("new_mandat_recap") # revert to logout_url
def __init__(self): HttpResponseForbidden.__init__(self)#,msg="You don't have permission to access the requested object.") # Hopefully this doesn't break the error self.write(render_to_string('errors/http_forbidden.phtml')) self.write("You don't have permission to access the requested object.")
def get(self, request): user = request.user if not user.is_staff or not user.is_superuser or not user.is_authenticated: return HttpResponseForbidden() return render(request, 'remote_admin/rcon.html')
def user_repo_sync(request, repo_id): """ POST /repo/:id/sync or DELETE /repo/:id/sync Sets repo synced property as True or False (POST or DELETE) """ try: repo = Repo.objects.get(id=repo_id) except Repo.DoesNotExist: raise Http404 if not repo.user == request.user: return HttpResponseForbidden() if request.method == 'POST': # See tests for the why on this awfulness if 'testing' in request.GET: return HttpResponse('ok', status=201) repo.synced = True repo.sync_status = repo.SYNCING # Create a GitHub web hook so we get notified when this repo is pushed hook_data = { 'name': 'web', 'active': True, 'events': ['push'], 'config': { 'url': repo.hook_url, 'content_type': 'json' } } github = GitHub(repo.user) gh_request = github.post('/repos/{0}/hooks'.format(repo.full_name), hook_data) if gh_request.status_code == 201: logger.info('Hook created for repo: {0}'.format(repo)) else: logger.info('Hook not created for repo: {0}'.format(repo)) repo.save() get_repo_feature_sets.apply_async((repo,)) return HttpResponse(json.dumps({'status': 'ok'}), content_type='application/json', status=201) else: # DELETE # See tests for the why on this awfulness if 'testing' in request.GET: return HttpResponse('ok', status=204) repo.synced = False repo.sync_status = repo.NOT_SYNCED github = GitHub(repo.user) gh_request = github.get('/repos/{0}/hooks'.format(repo.full_name)) hook_id_to_delete = None for hook in gh_request.json(): if 'url' in hook['config'] and hook['config']['url'] == repo.hook_url: hook_id_to_delete = hook['id'] continue if hook_id_to_delete is not None: gh_request = github.delete('/repos/{0}/hooks/{1}'.format(repo.full_name, hook_id_to_delete)) if gh_request.status_code == 204: logger.info('Hook deleted for repo: {0}'.format(repo)) delete_repo_feature_sets.apply_async((repo,)) else: logger.warning('Hook not deleted for repo: {0}'.format(repo)) repo.save() return HttpResponse(json.dumps({'status': 'ok'}), content_type='application/json', status=204)
auth, created = AuthProfile.objects.get_or_create(user=request.user) # store dropbox_access_token auth.dropbox_access_token = dropbox_access_token auth.dropbox_userid = user_id auth.user = request.user auth.save() return HttpResponseRedirect("/profile/") except dropbox.client.DropboxOAuth2Flow.BadRequestException, e: return HttpResponseBadRequest(e) except dropbox.client.DropboxOAuth2Flow.BadStateException, e: # Start the auth flow again. return HttpResponseRedirect( "http://www.mydomain.com/dropbox_auth_start") except dropbox.client.DropboxOAuth2Flow.CsrfException, e: return HttpResponseForbidden() except dropbox.client.DropboxOAuth2Flow.NotApprovedException, e: raise e except dropbox.client.DropboxOAuth2Flow.ProviderException, e: raise e # URL handler for /dropbox-auth-start def dropbox_auth_disconnect(request): request.user.authprofile.dropbox_access_token = "" request.user.authprofile.save() return HttpResponseRedirect("/profile/") def process_file(path, metadata, client, user): def get_app_config(client, path):
def user_feature_set(request, feature_set_id): per_page = 50 feature_set = get_object_or_404(FeatureSet, id=feature_set_id) if not feature_set.repo.user == request.user: return HttpResponseForbidden() if request.method == 'GET': if feature_set.is_syncing: context = {'feature_set': feature_set} else: count = Feature.objects.filter(feature_set=feature_set).count() requested_page = request.GET.get('page', 1) try: requested_page = int(requested_page) except ValueError: return redirect('user_feature_set', feature_set_id=feature_set_id) features = Feature.objects.filter(feature_set=feature_set).geojson() paginated = Paginator(features, per_page) try: current_page = paginated.page(requested_page) except EmptyPageException: if requested_page == 0: return redirect('%s?page=%s' % (reverse('user_feature_set', args=(feature_set_id,)), 1)) else: return redirect('%s?page=%s' % (reverse('user_feature_set', args=(feature_set_id,)), paginated.num_pages)) current_features = current_page.object_list previous_page_number = current_page.previous_page_number() if current_page.has_previous() else None next_page_number = current_page.next_page_number() if current_page.has_next() else None prop_keys = json.loads(current_features[0].properties).keys() processed_features = [] geojson = {'type': 'FeatureCollection', 'features': []} for current_feature in current_features: processed_feature = {'id': current_feature.id} current_feature_props = json.loads(current_feature.properties) for prop_key in prop_keys: processed_feature[prop_key] = current_feature_props.get(prop_key) processed_features.append(processed_feature) geometry = json.loads(current_feature.geojson) geojson_feature = {'type': 'Feature', 'geometry': geometry, 'properties': current_feature_props, 'id': current_feature.id} geojson['features'].append(geojson_feature) context = { 'feature_set': feature_set, 'api_url': '{0}{1}'.format( 'http://gitspatial.com', reverse('v1_feature_set_query', kwargs={'user_name': feature_set.repo.user.username, 'repo_name': feature_set.repo.name, 'feature_set_name': feature_set.name})), 'count': count, 'center_lat': feature_set.center[1], 'center_lng': feature_set.center[0], 'bounds': list(feature_set.bounds), 'features': processed_features, 'geojson': json.dumps(geojson), 'prop_keys': prop_keys, 'page_range': paginated.page_range, 'current_page': requested_page, 'previous_page_number': previous_page_number, 'next_page_number': next_page_number, 'start_index': current_page.start_index(), 'end_index': current_page.end_index()} return render(request, 'user_feature_set.html', context) else: raw_data = request.body parts = raw_data.split('&') data = {} for part in parts: key, value = part.split('=') data[key] = value if 'value' not in data: return HttpResponseBadRequest('No value found') value = data['value'] if not (0 < len(value) < 1000): return HttpResponseBadRequest('Feature set name must be between 1 and 1,000 characters.') feature_set.name = value feature_set.save() return HttpResponse('Success! Seeya.')
def form_valid(self, form): if not self.request.user.has_perm('groups.delete_group'): raise HttpResponseForbidden() else: return super().form_valid(form)
def __init__(self, message): DjangoHttpResponseForbidden.__init__(self, message_to_json(message), content_type='application/json')