def ff_tree_delete(params, request):
    """
    ExtDirect handler that deletes the folders listed in ``params['records']``.

    Each record is resolved by its ``'id'``; the pseudo-record ``'root'`` is
    skipped.  A folder is deleted only when every check below passes,
    otherwise the whole call aborts:

    * it lies inside the group's effective root folder (when one is set),
    * its parent is both writable and traversable by the caller, or — for a
      top-level folder — the caller has ``root_writable``,
    * it is owned by the requesting user.

    :param params: dict whose ``'records'`` is a sequence of dicts with an ``'id'``.
    :param request: current request; ``request.user`` is the acting user.
    :returns: ``{'success': True, 'total': <number of deleted folders>}``.
    :raises KeyError: when an ID does not resolve to a FileFolder.
    :raises ValueError: when any access check fails.
    """
    sess = DBSession()
    user = request.user
    root_ff = user.group.effective_root_folder
    deleted = 0

    for record in params.get('records', ()):
        raw_id = record.get('id')
        if raw_id == 'root':
            continue
        folder_id = int(raw_id)
        folder = sess.query(FileFolder).get(folder_id)
        if folder is None:
            raise KeyError('Unknown folder ID %d' % folder_id)
        if root_ff and not folder.is_inside(root_ff):
            raise ValueError('Folder access denied')

        parent = folder.parent
        if parent:
            if not (parent.can_write(user) and parent.can_traverse_path(user)):
                raise ValueError('Folder access denied')
        elif not user.root_writable:
            raise ValueError('Folder access denied')

        # Ownership is required on top of the parent's ACL.
        if folder.user != user:
            raise ValueError('Folder access denied')

        sess.delete(folder)
        deleted += 1

    return {'success': True, 'total': deleted}
def client_activate(request):
    """
    Client-portal view that consumes an e-mail activation code.

    Authenticated users are redirected to the client home page.  When
    registration or e-mail verification is disabled in the settings the user
    is sent to the login page.  Otherwise the ``code`` and ``for`` query
    parameters are matched against AccessEntityLink rows of the configured
    link type; the first link whose entity is in the ``block_inactive`` state
    and whose nick equals ``for`` is consumed: the entity becomes ``ok`` and
    the link row is deleted.

    :param request: current request.
    :returns: an HTTPSeeOther redirect, or the template dict with keys
        ``failed``, ``comb_js`` and ``cur_loc`` after the
        ``access.cl.tpldef.activate`` hook has run.
    """
    if authenticated_userid(request):
        return HTTPSeeOther(location=request.route_url('access.cl.home'))

    activated = False
    cur_locale = locale_neg(request)
    cfg = request.registry.settings
    comb_js = asbool(cfg.get('netprofile.client.combine_js', False))
    can_reg = asbool(cfg.get('netprofile.client.registration.enabled', False))
    must_verify = asbool(cfg.get('netprofile.client.registration.verify_email', True))
    link_id = int(cfg.get('netprofile.client.registration.link_id', 1))
    rand_len = int(cfg.get('netprofile.client.registration.code_length', 20))
    if not (can_reg and must_verify):
        return HTTPSeeOther(location=request.route_url('access.cl.login'))

    code = request.GET.get('code', '').strip().upper()
    login = request.GET.get('for', '')
    # Only codes of the configured length can have been generated; anything
    # else is rejected without a database round trip.
    if code and login and len(code) == rand_len:
        sess = DBSession()
        candidates = (
            sess.query(AccessEntityLink)
            .options(joinedload(AccessEntityLink.entity))
            .filter(AccessEntityLink.type_id == link_id,
                    AccessEntityLink.value == code)
        )
        for link in candidates:
            # TODO: implement code timeouts
            entity = link.entity
            if entity.access_state != AccessState.block_inactive.value:
                continue
            if entity.nick != login:
                continue
            entity.access_state = AccessState.ok.value
            sess.delete(link)
            activated = True
            break

    tpldef = {
        'failed': not activated,
        'comb_js': comb_js,
        'cur_loc': cur_locale
    }
    request.run_hook('access.cl.tpldef.activate', tpldef, request)
    return tpldef
def client_upload(request):
    """
    Client-portal file upload view.

    Requires a non-empty ``mode`` POST field and a CSRF token equal to the
    session's.  Every ``files`` part is stored as a new File (named after the
    part's filename when it has one) and offered to the ``access.cl.upload``
    hook; unless some subscriber answers True the File is deleted again and an
    error entry is recorded for it.

    :param request: current request carrying the multipart POST body.
    :returns: ``{'files': [...]}`` after the ``access.cl.tpldef.upload`` hook
        has run; each entry is ``{'name', 'size', 'error'}``.
    :raises HTTPForbidden: when ``mode`` is missing or the CSRF token is wrong.
    """
    csrf = request.POST.get('csrf', '')
    mode = request.POST.get('mode', '')
    if not mode:
        raise HTTPForbidden('Invalid upload use')
    if csrf != request.get_csrf():
        raise HTTPForbidden('Error uploading file')

    sess = DBSession()
    # FIXME: add folder cfg
    entries = []
    for part in request.POST.getall('files'):
        stored = File()
        if part.filename:
            stored.name = stored.filename = part.filename
        sess.add(stored)
        stored.set_from_file(part.file, None, sess)
        answers = request.run_hook('access.cl.upload', stored, mode, request, sess, entries)
        if True in answers:
            continue
        # No subscriber accepted the upload: report it and drop the row again.
        entries.append({
            'name': stored.filename,
            'size': stored.size,
            'error': _('Error uploading file')
        })
        sess.delete(stored)

    tpldef = {'files': entries}
    request.run_hook('access.cl.tpldef.upload', tpldef, request)
    return tpldef
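def delete_record(request):
    """
    Delete a PowerDNS domain or a single record owned by the current user.

    Reads ``domainid`` and ``recordid`` from the POST body.  When only
    ``domainid`` is given the domain is deleted; when ``recordid`` is given
    the record is deleted.  An object is removed only if the domain it belongs
    to is among the domains whose ``account`` equals ``str(request.user.id)``.
    A bad CSRF token flashes an error and redirects with ``error=asc`` in the
    query string.

    Unknown or non-numeric IDs are ignored instead of raising (the previous
    version dereferenced the ``None`` returned by ``.first()``).

    :param request: current request; ``request.user`` is the acting user.
    :returns: an HTTPSeeOther redirect to the ``pdns.cl.domains`` route.
    """
    loc = get_localizer(request)
    sess = DBSession()
    csrf = request.POST.get('csrf', '')

    if csrf != request.get_csrf():
        request.session.flash({
            'text': loc.translate(_('Error submitting form')),
            'class': 'danger'
        })
        return HTTPSeeOther(
            location=request.route_url('pdns.cl.domains'),
            _query=(('error', 'asc'),)
        )

    def lookup(model, raw_id):
        """Row of ``model`` with primary key ``raw_id``, or None if unknown/malformed."""
        try:
            key = int(raw_id)
        except (TypeError, ValueError):
            return None
        return sess.query(model).filter_by(id=key).first()

    # IDs of the domains the current user is allowed to manage.
    user_domains = {
        d.id for d in sess.query(PDNSDomain).filter_by(account=str(request.user.id))
    }
    domainid = request.POST.get('domainid', None)
    recid = request.POST.get('recordid', None)

    if domainid and not recid:
        domain = lookup(PDNSDomain, domainid)
        if domain is not None and domain.id in user_domains:
            sess.delete(domain)
            sess.flush()
    elif recid:
        record = lookup(PDNSRecord, recid)
        if record is not None and record.domain_id in user_domains:
            sess.delete(record)
            sess.flush()

    return HTTPSeeOther(location=request.route_url('pdns.cl.domains'))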
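def deleteMailBox(request):
    """
    Delete a Postfix mailbox or a whole mail domain on the client's request.

    POST parameters: ``csrf`` (must equal the session token), ``mboxid`` and
    ``domainid``.  A mailbox is deleted only when its ``username`` equals the
    nick of the AccessEntity matching the current user; a domain only when
    that nick is listed among the domain's PostfixDomainAdmins, in which case
    the admin rows for the domain are removed as well.

    Unknown or non-numeric IDs, and a user without a matching AccessEntity,
    result in a plain redirect instead of an exception (the previous version
    dereferenced the ``None`` returned by ``.first()``).

    :param request: current request; ``request.user`` is the acting user.
    :returns: an HTTPSeeOther redirect to the ``postfix.cl.mail`` route; a bad
        CSRF token adds a flash message and ``error=asc`` to the query string.
    """
    loc = get_localizer(request)
    sess = DBSession()
    csrf = request.POST.get('csrf', '')

    if csrf != request.get_csrf():
        request.session.flash({
            'text': loc.translate(_('Error submitting form')),
            'class': 'danger'
        })
        return HTTPSeeOther(
            location=request.route_url('postfix.cl.mail'),
            _query=(('error', 'asc'),)
        )

    def lookup(model, raw_id):
        """Row of ``model`` with primary key ``raw_id``, or None if unknown/malformed."""
        try:
            key = int(raw_id)
        except (TypeError, ValueError):
            return None
        return sess.query(model).filter_by(id=key).first()

    access_user = sess.query(AccessEntity).filter_by(nick=str(request.user)).first()
    if access_user is None:
        # Nothing to authorize against, so nothing may be deleted.
        return HTTPSeeOther(location=request.route_url('postfix.cl.mail'))

    domainid = request.POST.get('domainid', None)
    mboxid = request.POST.get('mboxid', None)

    if mboxid:
        mbox = lookup(PostfixMailbox, mboxid)
        if mbox is not None and mbox.username == access_user.nick:
            sess.delete(mbox)
            sess.flush()
    elif domainid:
        domain = lookup(PostfixDomain, domainid)
        if domain is not None:
            admin_rows = sess.query(PostfixDomainAdmins).filter_by(domain=domain.domain)
            if any(adm.username == access_user.nick for adm in admin_rows):
                sess.delete(domain)
                sess.query(PostfixDomainAdmins).filter_by(domain=domain.domain).delete()
                sess.flush()

    return HTTPSeeOther(location=request.route_url('postfix.cl.mail'))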
def delete(self, req, ctx, recurse=True, _flush=True):
    """
    Remove ``ctx`` from the database, optionally together with its subtree.

    With ``recurse`` the children reported by ``self.children(ctx)`` are
    deleted first, each via a recursive call that does not flush; the session
    is flushed once at the end when ``_flush`` is set.

    :param req: current request, passed through to recursive calls.
    :param ctx: the object to delete.
    :param recurse: whether to delete children before ``ctx``.
    :param _flush: internal flag; False on recursive calls to defer flushing.
    """
    sess = DBSession()
    if recurse:
        for child in self.children(ctx):
            self.delete(req, child, recurse, False)
    sess.delete(ctx)
    if not _flush:
        return
    sess.flush()
def dyn_usersettings_submit(param, request):
    """
    ExtDirect method for submitting user settings form.

    Walks every user-level setting the caller may read and write (section and
    setting ``read_cap``/``write_cap`` are checked against the request),
    compares the submitted value in ``param`` (keyed ``module.section.name``)
    with the stored UserSetting row, and inserts, updates or deletes rows so
    that only non-default values are persisted.  The per-session settings
    cache under ``request.session['auth.settings']``, when present and
    non-empty, is updated to match and written back.

    :param param: mapping of full setting names to raw submitted values.
    :param request: current request; ``request.user`` owns the settings.
    :returns: ``{'success': True}``.
    """
    sess = DBSession()
    mmgr = request.registry.getUtility(IModuleManager)
    cached = None
    if 'auth.settings' in request.session:
        cached = request.session['auth.settings']
    all_settings = mmgr.get_settings('user')
    stored = {
        row.name: row
        for row in sess.query(UserSetting).filter(UserSetting.user == request.user)
    }

    for moddef, sections in all_settings.items():
        for sname, section in sections.items():
            if section.read_cap and not request.has_permission(section.read_cap):
                continue
            for setting_name, setting in section.items():
                if setting.read_cap and not request.has_permission(setting.read_cap):
                    continue
                if setting.write_cap and not request.has_permission(setting.write_cap):
                    continue

                fullname = '%s.%s.%s' % (moddef, sname, setting_name)
                row = stored.get(fullname)
                if row is None:
                    old_value = setting.default
                else:
                    old_value = setting.parse_param(row.value)
                new_value = old_value
                if fullname in param:
                    new_value = setting.parse_param(param[fullname])

                if new_value == setting.default:
                    # Defaults are never persisted; drop any existing row.
                    if row is not None:
                        sess.delete(row)
                        del stored[fullname]
                    if cached:
                        cached[fullname] = setting.default
                    continue

                if new_value == old_value:
                    continue
                formatted = setting.format_param(new_value)
                if row is not None:
                    row.value = formatted
                else:
                    stored[fullname] = UserSetting(
                        user=request.user,
                        name=fullname,
                        value=formatted
                    )
                    sess.add(stored[fullname])
                if cached:
                    cached[fullname] = new_value

    if cached:
        request.session['auth.settings'] = cached
    return {'success': True}
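def client_delete(request):
    """
    Delete the File that the ``access.cl.download`` hook resolves for the
    route's ``mode`` and ``id``.

    Resolution — and with it the decision which objects the caller may delete
    — is left to the hook subscribers; this view removes the first File
    instance they return.

    :param request: current request with ``mode`` and ``id`` in ``matchdict``.
    :returns: True when a File was deleted, False otherwise (missing route
        parameters, a non-integer ``id``, or no File returned by the hook).
    """
    matchdict = request.matchdict
    if 'mode' not in matchdict or 'id' not in matchdict:
        return False
    mode = matchdict['mode']
    try:
        objid = int(matchdict['id'])
    except (TypeError, ValueError):
        # TypeError covers a non-string/non-numeric id (e.g. None); this
        # matches the other client_delete variant on the page.
        return False

    sess = DBSession()
    for result in request.run_hook('access.cl.download', mode, objid, request, sess):
        if isinstance(result, File):
            sess.delete(result)
            return True
    return False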
def client_delete(request):
    """
    Delete the File that the ``access.cl.download`` hook resolves for the
    route's ``mode`` and ``id``.

    Which objects the caller may delete is decided by the hook subscribers;
    this view removes the first File instance they return.

    :param request: current request with ``mode`` and ``id`` in ``matchdict``.
    :returns: True when a File was deleted, False otherwise (missing route
        parameters, a non-integer ``id``, or no File returned by the hook).
    """
    matchdict = request.matchdict
    params_missing = 'mode' not in matchdict or 'id' not in matchdict
    if params_missing:
        return False
    mode = matchdict['mode']
    try:
        objid = int(matchdict['id'])
    except (TypeError, ValueError):
        return False

    sess = DBSession()
    hits = request.run_hook('access.cl.download', mode, objid, request, sess)
    target = next((hit for hit in hits if isinstance(hit, File)), None)
    if target is None:
        return False
    sess.delete(target)
    return True
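def _cal_events_delete(params, req):
    """
    Delete the calendar event named by ``params['EventId']``.

    ``EventId`` has the form ``'<type>-<numeric id>'``; only the ``'event'``
    type is handled here.  The event is deleted only when it belongs to a
    calendar the requesting user may write to.

    :param params: request parameters; ``'EventId'`` is the one consulted.
    :param req: current request; ``req.user`` is checked against the calendar.
    :returns: True when the event was deleted; False when the ID is unknown,
        malformed, or the user may not write to the calendar; None when
        ``EventId`` is absent or names a different type.
    """
    if 'EventId' not in params:
        return
    try:
        evtype, raw_id = params['EventId'].split('-')
    except ValueError:
        # No '-' or more than one: the previous version raised here.
        return False
    if evtype != 'event':
        return
    try:
        evid = int(raw_id)
    except ValueError:
        return False

    sess = DBSession()
    ev = sess.query(Event).get(evid)
    if ev is None:
        return False
    if not ev.calendar or not ev.calendar.can_write(req.user):
        return False
    sess.delete(ev)
    return True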
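def delete_record(request):
    """
    Delete a PowerDNS domain or a single record owned by the current user.

    Reads ``domainid`` and ``recordid`` from the POST body: with only
    ``domainid`` the domain is deleted, with ``recordid`` the record is.
    Before deleting, the object's domain must be among the domains whose
    ``account`` equals ``str(request.user.id)``.  A bad CSRF token flashes
    an error and redirects with ``error=asc`` in the query string.

    Unknown or non-numeric IDs are ignored instead of raising (the previous
    version dereferenced the ``None`` returned by ``.first()``).

    :param request: current request; ``request.user`` is the acting user.
    :returns: an HTTPSeeOther redirect to the ``pdns.cl.domains`` route.
    """
    loc = get_localizer(request)
    sess = DBSession()
    csrf = request.POST.get('csrf', '')

    if csrf != request.get_csrf():
        request.session.flash({
            'text': loc.translate(_('Error submitting form')),
            'class': 'danger'
        })
        return HTTPSeeOther(
            location=request.route_url('pdns.cl.domains'),
            _query=(('error', 'asc'),)
        )

    def lookup(model, raw_id):
        """Row of ``model`` with primary key ``raw_id``, or None if unknown/malformed."""
        try:
            key = int(raw_id)
        except (TypeError, ValueError):
            return None
        return sess.query(model).filter_by(id=key).first()

    # IDs of the domains the current user is allowed to manage.
    user_domains = {
        d.id for d in sess.query(PDNSDomain)
        .filter_by(account=str(request.user.id))
    }
    domainid = request.POST.get('domainid', None)
    recid = request.POST.get('recordid', None)

    if domainid and not recid:
        domain = lookup(PDNSDomain, domainid)
        if domain is not None and domain.id in user_domains:
            sess.delete(domain)
            sess.flush()
    elif recid:
        record = lookup(PDNSRecord, recid)
        if record is not None and record.domain_id in user_domains:
            sess.delete(record)
            sess.flush()

    return HTTPSeeOther(location=request.route_url('pdns.cl.domains'))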
def unlock(self):
    """
    Handle a WebDAV UNLOCK request for ``self.req.context``.

    The caller must hold ``ACL_WRITE_CONTENT`` on the context.  The
    ``Lock-Token`` header (wrapped in angle brackets when the client omitted
    them) is compared with the tokens of the locks registered for the
    context's path; the first matching lock is deleted.

    :returns: a ``dav.DAVUnlockResponse`` when a lock was removed.
    :raises dav.DAVBadRequestError: when no ``Lock-Token`` header is present.
    :raises dav.DAVLockTokenMatchError: when no registered lock matches.
    """
    req = self.req
    ctx = req.context
    req.dav.user_acl(req, ctx, dprops.ACL_WRITE_CONTENT)

    header = req.headers.get('Lock-Token')
    if not header:
        raise dav.DAVBadRequestError('UNLOCK request must be accompanied by a valid lock token header.')
    path = req.dav.ctx_path(ctx)
    wanted = header if header.startswith('<') else '<%s>' % (header,)

    for lock in req.dav.get_locks(path):
        if wanted != '<opaquelocktoken:%s>' % (lock.token,):
            continue
        DBSession().delete(lock)
        return dav.DAVUnlockResponse(request=req)
    raise dav.DAVLockTokenMatchError('Invalid lock token supplied.')