def _q_access(self, request): user = auth.login_user(quiet=True) p = self.pic() if not p.mayView(user): user = auth.login_user() if not p.mayView(user): raise AccessError('may not view picture')
def handle_upload(self): request = quixote.get_request() response = quixote.get_response() user = auth.login_user() perm = self.db.permissions(user) mayupload = (user and user.mayUpload) or (perm and perm.mayUpload) if not mayupload: raise AccessError('You may not upload images') if 'image' not in request.form: response.set_status(204) # no content return '' added = [] skipped = {} if isinstance(request.form['image'], list): for img in request.form['image']: self.do_upload(img, user, added, skipped) else: img = request.form['image'] self.do_upload(img, user, added, skipped) added = [ image.Image(self, id) for id in added ] added = [ (p.path(), p.meta.get_meta()) for p in added ] http.json_response() response.set_status(201) # created return json.write({ 'added': added, 'skipped': skipped })
def _q_index(self, request): sess_user = auth.login_user(quiet=True) if sess_user is None: return quixote.redirect(path(sess_user)) return user_page.user_page(request)
def _q_access(self, request): user = auth.login_user() perm = self.collection.db.permissions(user) mayupload = (user and user.mayUpload) or (perm and perm.mayUpload) if not mayupload: raise AccessError, 'You may not upload images'
def _q_index(self, request): user = auth.login_user(quiet=True) if self.year is None: self.year = self.calendar.most_recent(user).year y = self.calendar.yearview(self.year, user=user) return self.ui.formatyear(y, user)
def mayEdit(self, p, quiet=False): user = auth.login_user(quiet=quiet) if user is None: return False perms = self.db.permissions(user) return (perms and perms.mayEdit) or p.mayEdit(user)
def mayViewCollection(self, quiet=False): user = auth.login_user(quiet=quiet) if self.db.visibility == 'public': return True if user and self.db.visibility == 'private': perms = self.db.permissions(user) return user.mayAdmin or self.db.ownerID == user.id or (perms and perms.mayView) return False
def set_meta(self, name, value): user = auth.login_user() p = self.image.pic() if not p.mayEdit(user): raise AccessError('Must log in to change picture') if name not in self.set_fields: raise http.ForbiddenError("can't change '%s' field" % name) return self.set_fields[name](self, value)
def mayUpload(self, quiet=False): user = auth.login_user(quiet=quiet) if not user: return False; if user.mayAdmin or user.mayUpload: return True p = self.db.permissions(user) if p and p.mayUpload: return True return False
def mayView(self, p, quiet=False): user = auth.login_user(quiet=quiet) if self.db.visibility == 'public': return p.mayView(user) if user is None: return False if self.db.owner == user: return p.mayView(user) perms = self.db.permissions(user) if p.visibility == 'restricted' and perms.mayViewRestricted: return True return False
def mayAdminCol(self, quiet=False): user = auth.login_user(quiet=quiet) if user is None: return False if user.id == self.db.ownerID: return True if user.mayAdmin: return True p = self.db.permissions(user) if p and p.mayAdmin: return True return False
def mayViewOrig(self, p, quiet=False): user = auth.login_user(quiet=quiet) if self.db.visibility == 'public' and self.db.showOriginal: return p.mayView(user) if user is None: return False if self.db.owner == user or p.owner == user: return p.mayView(user) perms = self.db.permissions(user) if perms is not None and (perms.mayAdmin or perms.mayViewall): return p.mayView(user) return False
def _q_access(self, request): if not self.mayViewCollection(quiet=True): raise AccessError, "You may not view this collection" m = menu.SubMenu(heading='Collection: %s' % self.db.name) if self.mayAdminCol(quiet=True): m += [ menu.Link(link='Administer', url=self.admin_path()) ] if self.mayUpload(quiet=True): um = menu.SubMenu(heading=menu.Link(link='Upload', url=self.upload.path())) if False and self.upload.have_pending(auth.login_user(quiet=True)): um += [ menu.Link(link='Pending', url=self.upload.pending_path()) ] m += [ um ] request.context_menu += [ menu.Separator(), m ] request.context_menu += [ self.calendar.menupane_extra() ] request.context_menu += self.search.menupane_extra()
def _q_access(request): """ This _q_access is not really used for access checking, but as a hook which is always called when the path is traversed. It installs the state needed for the context menu, which is hung off the request. """ request = quixote.get_request() request.context_menu = menu.SubMenu() user = auth.login_user(quiet=True) # Add collection list collections = db.Collection.select(dbfilters.mayViewCollectionFilter(user), orderBy=db.Collection.q.id) request.context_menu += [ menu.Separator(), menu.SubMenu(heading='Collections:', items=[ menu.Link(link=c.name, url=collection.Collection(c, imagestore).path(), extra={ 'title': c.description }) for c in collections ]) ] # add navigation request.navigation = nav.Nav(request)
def _q_index(self, request): request = quixote.get_request() method = request.get_method() user = auth.login_user() if method == 'POST': if request.form.get('file') is None: raise QueryError('Missing file') dbu = db.Upload(user=user, collection=self.collection.db) pending = PendingUpload(self, dbu) if isinstance(request.form['file'], list): files = request.form['file'] else: files = [ request.form['file'] ] response = quixote.get_response() response.buffered = False return pending.do_upload(files, request.form['visibility']) elif method == 'GET': uploads = self.uploads(user) if http.want_json(): ret = [ (u.import_time.year, u.import_time.month, u.import_time.day, u.import_time.hour, u.import_time.minute, u.import_time.second) for u in uploads if len(u.pictures) > 0 ] http.json_response() return json.write(ret) else: return self.ui.uploadform(uploads) else: raise http.MethodError(['GET', 'POST'])
def _q_access(request): sess_user = auth.login_user(quiet=True) if sess_user and sess_user.mayAdmin: request.context_menu += [ menu.Separator(), menu.Link('User admin', '%suser/editusers' % imagestore.path()) ]
def _q_index(self, request): user = auth.login_user(quiet=True) return self.ui._q_index(self.date, self.interval, user)
def _q_access(self, request): request = quixote.get_request() if request.get_method() in ('POST', 'PUT'): auth.login_user()
def _q_access(self, request): sess_user = auth.login_user() if not sess_user or (sess_user != self.user and not sess_user.mayAdmin): raise AccessError("You may not view this user's details")