def setDiffField(self, pt_name, field, diff): """ Set the diff type for 'field' on the portal type 'pt_name' to 'diff' """ if pt_name not in self.portal_types.listContentTypes(): raise BadRequest('Error: invalid portal type') elif not field: raise BadRequest('Error: no field specified') elif diff not in self.listDiffTypes(): raise BadRequest('Error: invalid diff type') else: self._pt_diffs.setdefault(pt_name, {})[field] = diff self._p_changed = 1
def test_standard_error_message_is_called(self): from zExceptions import BadRequest from OFS.SimpleItem import SimpleItem # handle_errors should default to True. It is a flag used for # functional doctests. See ZPublisher/Test.py and # ZPublisher/Publish.py. class REQUEST(object): class RESPONSE(object): handle_errors = True class StandardErrorMessage(object): def __init__(self): self.kw = {} def __call__(self, **kw): self.kw.clear() self.kw.update(kw) item = SimpleItem() item.standard_error_message = sem = StandardErrorMessage() try: raise BadRequest("1") except Exception: item.raise_standardErrorMessage(client=item, REQUEST=REQUEST()) self.assertEqual(sem.kw.get('error_type'), 'BadRequest')
def reply(self): if not self.params: raise BadRequest("Missing parameter typename") # Disable CSRF protection if "IDisableCSRFProtection" in dir(plone.protect.interfaces): alsoProvides(self.request, plone.protect.interfaces.IDisableCSRFProtection) # Make sure we get the right dexterity-types adapter if IPloneRestapiLayer.providedBy(self.request): noLongerProvides(self.request, IPloneRestapiLayer) data = json_body(self.request) name = self.params.pop() dtypes = queryMultiAdapter((self.context, self.request), name="dexterity-types") ctype = dtypes.publishTraverse(self.request, name) self.update_layouts(name, data) self.remove_fields(ctype, data) self.remove_fieldsets(ctype, data) self.add_fields(ctype, data) self.add_fieldsets(ctype, data) self.update_fields(ctype, data) self.update_fieldsets(ctype, data) serializeSchema(ctype.schema) return self.reply_no_content()
def reply(self): # Disable CSRF protection if 'IDisableCSRFProtection' in dir(plone.protect.interfaces): alsoProvides(self.request, plone.protect.interfaces.IDisableCSRFProtection) conversation = IConversation(self.context) if self.comment_id and self.comment_id not in list(conversation): self.request.response.setStatus(404) return # Fake request data body = json_body(self.request) for key, value in body.items(): self.request.form['form.widgets.' + key] = value form = CommentForm(self.context, self.request) form.update() action = form.actions['comment'] data, errors = form.extractData() if errors: raise BadRequest({'errors': [err.error for err in errors]}) form.handleComment(form=form, action=action) self.request.response.setStatus(204) fix_location_header(self.context, self.request)
def transition(self): if not hasattr(self, '_transition'): self._transition = self.request.get('form.widgets.transition', self.request.get('transition')) if not self._transition: raise BadRequest("A transition is required") return self._transition
def testDebugExceptionsBypassesExceptionResponse(self): from zExceptions import BadRequest # Register an exception view for BadRequest registerExceptionView(IException) environ = self._makeEnviron() start_response = DummyCallable() _publish = DummyCallable() _publish._raise = BadRequest('debugbypass') # Responses will always have debug_exceptions set def response_factory(stdout, stderr): response = DummyResponse() response.debug_exceptions = True return response try: # With debug_exceptions, the exception view is not called. with self.assertRaises(BadRequest): self._callFUT(environ, start_response, _publish, _response_factory=response_factory) finally: # Clean up view registration unregisterExceptionView(IException)
def delete_permanently(self, REQUEST, uuid): """Permanently delete a trashed item by uuid. """ catalog = getToolByName(self.context, 'portal_catalog') brains = catalog({'UID': uuid, 'trashed': True}) if len(brains) != 1: raise BadRequest() # The user maybe able to clean the trash, but depending on the workflow the user may not have # delete permission in the given context with api.env.adopt_roles(['Manager']): path = brains[0].getPath() obj = self.context.restrictedTraverse(path) got_path = '/'.join(obj.getPhysicalPath()) if got_path != path: raise ValueError( 'Unexpectly found path {!r} when looking for {!r}'.format( got_path, path)) aq_parent(aq_inner(obj)).manage_immediatelyDeleteObjects( [obj.getId()]) IStatusMessage(self.request).addStatusMessage(_( u'statusmessage_content_permanently_deleted', default=u'The content "${title}" has ben parmanently deleted.', mapping={u'title': safe_unicode(obj.Title())}), type='info') return self.request.response.redirect(self.context.absolute_url() + '/trash')
def __call__(self): body = json.loads(self.request.get('BODY')) url = body.get('url') fileType = body.get('fileType') fileTitle = body.get('fileTitle') folderUID = body.get('folderUID') if not url or not fileType or not fileTitle: raise BadRequest( u'Required url or fileType or fileTitle parameters not found.') if not folderUID: portal_url = getToolByName(self.context, "portal_url") folder = portal_url.getPortalObject() else: folder = uuidToObject(folderUID) if not getSecurityManager().checkPermission(AddPortalContent, folder): response = self.request.RESPONSE response.setStatus(403) return "You are not authorized to add content to this folder." fileName = fileUtils.getCorrectFileName(fileTitle + "." + fileType) contentType = mimetypes.guess_type(fileName)[0] or '' data = urlopen(url).read() factory = IDXFileFactory(folder) file = factory(fileName, contentType, data) self.request.response.setHeader("Content-Type", "application/json; charset=utf-8") return json_dumps({"status": "success", "fileName": fileName})
def manage_changeProperties(self, REQUEST=None, **kw): """Change existing object properties. Change object properties by passing either a REQUEST object or name=value parameters """ if REQUEST is None: props = {} elif isinstance(REQUEST, dict): props = REQUEST else: props = REQUEST.form if kw: for name, value in kw.items(): props[name] = value propdict = self.propdict() for name, value in props.items(): if self.hasProperty(name): if not 'w' in propdict[name].get('mode', 'wd'): raise BadRequest('%s cannot be changed' % escape(name)) self._updateProperty(name, value) if REQUEST: message = "Saved changes." return self.manage_propertiesForm(self, REQUEST, manage_tabs_message=message)
def add(self, names): data = json_body(self.request) title = data.get("title", None) if not title: raise BadRequest("Property 'title' is required") tid = data.get("id", None) if not tid: tid = idnormalizer.normalize(title).replace("-", "_") description = data.get("description", "") properties = {"id": tid, "title": title, "description": description} # Disable CSRF protection if "IDisableCSRFProtection" in dir(plone.protect.interfaces): alsoProvides(self.request, plone.protect.interfaces.IDisableCSRFProtection) if IPloneRestapiLayer.providedBy(self.request): noLongerProvides(self.request, IPloneRestapiLayer) context = queryMultiAdapter((self.context, self.request), name='dexterity-types') add_type = queryMultiAdapter((context, self.request), name='add-type') fti = add_type.form_instance.create(data=properties) add_type.form_instance.add(fti) return self.get([ tid, ])
def perform_custom_transition(self): data = json_body(self.request) self.disable_csrf_protection() # TODO: Do we need to handle comments and publication dates # etc. for dossier transitions like the original implementation does? # For now we also extract these, but we don't do anything with them # in the case of resolving a dossier. comment = data.get('comment', '') include_children = data.get('include_children', False) publication_dates = self.parse_publication_dates(data) args = [self.context], comment, publication_dates, include_children if self.transition == 'dossier-transition-resolve': self.resolve_dossier(*args) elif self.transition == 'dossier-transition-activate': self.activate_dossier(*args) elif self.transition == 'dossier-transition-deactivate': self.deactivate_dossier(*args) elif self.transition == 'dossier-transition-reactivate': self.reactivate_dossier(*args) else: raise BadRequest('Unexpected custom transition %r' % self.transition)
def reply(self): sm = getSecurityManager() if len(self.query) > 0 and len(self.params) == 0: query = self.query.get('query', '') limit = self.query.get('limit', DEFAULT_SEARCH_RESULTS_LIMIT) if query: # Someone is searching users, check if he is authorized if sm.checkPermission('Manage portal', self.context): users = self._get_filtered_users(query, limit) result = [] for user in users: serializer = queryMultiAdapter( (user, self.request), ISerializeToJson ) result.append(serializer()) return result else: self.request.response.setStatus(401) return else: raise BadRequest("Query string supplied is not valid") if len(self.params) == 0: # Someone is asking for all users, check if he is authorized if sm.checkPermission('Manage portal', self.context): result = [] for user in self._get_users(): serializer = queryMultiAdapter( (user, self.request), ISerializeToJson ) result.append(serializer()) return result else: self.request.response.setStatus(401) return # Some is asking one user, check if the logged in user is asking # his own information or he is a Manager mt = getToolByName(self.context, 'portal_membership') current_user_id = mt.getAuthenticatedMember().getId() if sm.checkPermission( 'plone.restapi: Access Plone user information', self.context) or \ (current_user_id and current_user_id == self._get_user_id): # we retrieve the user on the user id not the username user = self._get_user(self._get_user_id) if not user: self.request.response.setStatus(404) return serializer = queryMultiAdapter( (user, self.request), ISerializeToJson ) return serializer() else: self.request.response.setStatus(401) return
def manage_cutObjects(self, ids=None, REQUEST=None): """Put a reference to the objects named in ids in the clip board""" if ids is None and REQUEST is not None: raise BadRequest('No items specified') elif ids is None: raise ValueError('ids must be specified') if isinstance(ids, str): ids = [ids] oblist = [] for id in ids: ob = self._getOb(id) if ob.wl_isLocked(): raise ResourceLockedError('Object "%s" is locked' % ob.getId()) if not ob.cb_isMoveable(): raise CopyError('Not Supported') m = Moniker(ob) oblist.append(m.dump()) cp = (1, oblist) cp = _cb_encode(cp) if REQUEST is not None: resp = REQUEST['RESPONSE'] resp.setCookie('__cp', cp, path='%s' % cookie_path(REQUEST)) REQUEST['__cp'] = cp return self.manage_main(self, REQUEST) return cp
def read_params(self): if len(self.params) != 2: raise BadRequest( "Must supply type and token ID as URL path parameters.") return PARTICIPATION_TYPES_BY_PATH_IDENTIFIER.get( self.params[0]), self.params[1]
def manage_delObjects(self, ids=None, uids=None, REQUEST=None): """Delete a subordinate object The objects specified in 'ids' get deleted. """ if ids is None: ids = [] if uids is None: uids = [] if len(ids) > 0: # Use default method return ObjectManager.manage_delObjects(self, ids, REQUEST) if not uids: return MessageDialog( title='No items specified', message='No items were specified!', action='./manage_main', ) while uids: uid = uids.pop() ob = self.getPortalObject().portal_catalog.getObject(uid) container = ob.aq_inner.aq_parent id = ob.id v = container._getOb(id, self) if v is self: raise BadRequest('%s does not exist' % id) container._delObject(id) if REQUEST is not None: return self.manage_main(self, REQUEST, update_menu=1)
def __getitem__(self, name): if name == "+": # To-Do: Ideally this should be POST-only to protect # against CSRF. It's not critical. try: layout = self.request.TraversalRequestNameStack.pop() except IndexError: raise BadRequest("Missing layout.") def adding(): """Add panel, then redirect to referer.""" self.addPanel(layout) referer = (self.request.get('HTTP_REFERER') or self.context.absolute_url()) return self.request.response.redirect(referer) return ExplicitAcquisitionWrapper(adding, self) for panel in self.getAssignments(): if panel.__name__ == name: return panel.__of__(self) raise KeyError(name)
def recurse_transition(self, objs, comment, publication_dates, include_children=False): data = json_body(self.request) for obj in objs: if publication_dates: deserializer = queryMultiAdapter((obj, self.request), IDeserializeFromJson) deserializer(data=publication_dates) adapter = queryMultiAdapter((obj, getRequest()), ITransitionExtender, name=self.transition) if adapter: errors = adapter.validate_schema(data) if errors: raise BadRequest(errors) self.wftool.doActionFor(obj, self.transition, comment=comment, transition_params=data) if include_children and IFolderish.providedBy(obj): self.recurse_transition(obj.objectValues(), comment, publication_dates, include_children)
def manage_changePermissions(self, REQUEST): """Change all permissions settings, called by management screen.""" valid_roles = self.valid_roles() have = REQUEST.__contains__ permissions = self.ac_inherited_permissions(1) fails = [] for ip in range(len(permissions)): permission_name = permissions[ip][0] permission_hash = _string_hash(permission_name) roles = [] for role in valid_roles: role_name = role role_hash = _string_hash(role_name) if have("permission_%srole_%s" % (permission_hash, role_hash)): roles.append(role) name, value = permissions[ip][:2] try: p = Permission(name, value, self) if not have('acquire_%s' % permission_hash): roles = tuple(roles) p.setRoles(roles) except Exception: fails.append(name) if fails: raise BadRequest('Some permissions had errors: ' + escape(', '.join(fails), True)) if REQUEST is not None: return self.manage_access(REQUEST)
def add_field(context, request, data): factory = data.get("factory", None) title = data.get("title", None) description = data.get("description", None) required = data.get("required", False) name = data.get("id", None) if not name: name = idnormalizer.normalize(title).replace("-", "_") klass = None vocabulary = queryUtility(IVocabularyFactory, name="Fields") for term in vocabulary(context): if factory not in (term.title, term.token): continue klass = term.value break if not klass: raise BadRequest("Missing/Invalid parameter factory: %s" % factory) add = queryMultiAdapter((context, request), name="add-field") properties = { "title": title, "__name__": name, "description": description, "factory": klass, "required": required, } field = add.form_instance.create(data=properties) add.form_instance.add(field) return get_info_for_field(context, request, name)
def reply(self): if len(self.query) > 0 and len(self.params) == 0: query = self.query.get('query', '') limit = self.query.get('limit', DEFAULT_SEARCH_RESULTS_LIMIT) if query: groups = self._get_filtered_groups(query, limit) result = [] for group in groups: serializer = queryMultiAdapter((group, self.request), ISerializeToJsonSummary) result.append(serializer()) return result else: raise BadRequest("Query string supplied is not valid") if len(self.params) == 0: result = [] for group in self._get_groups(): serializer = queryMultiAdapter((group, self.request), ISerializeToJsonSummary) result.append(serializer()) return result # we retrieve the user on the user id not the username group = self._get_group(self._get_group_id) if not group: self.request.response.setStatus(404) return serializer = queryMultiAdapter((group, self.request), ISerializeToJson) return serializer()
def send_data(self): subject = self.form_data.get("subject", "") or self.block.get( "default_subject", "") mfrom = self.form_data.get("from", "") or self.block.get( "default_from", "") mreply_to = self.get_reply_to() if not subject or not mfrom: raise BadRequest( translate( _( "send_required_field_missing", default="Missing required field: subject or from.", ), context=self.request, )) portal = api.portal.get() overview_controlpanel = getMultiAdapter((portal, self.request), name="overview-controlpanel") if overview_controlpanel.mailhost_warning(): raise BadRequest("MailHost is not configured.") registry = getUtility(IRegistry) mail_settings = registry.forInterface(IMailSchema, prefix="plone") mto = self.block.get("default_to", mail_settings.email_from_address) encoding = registry.get("plone.email_charset", "utf-8") message = self.prepare_message() msg = EmailMessage() msg.set_content(message) msg["Subject"] = subject msg["From"] = mfrom msg["To"] = mto msg["Reply-To"] = mreply_to msg.replace_header("Content-Type", 'text/html; charset="utf-8"') self.manage_attachments(msg=msg) self.send_mail(msg=msg, encoding=encoding) for bcc in self.get_bcc(): # send a copy also to the fields with bcc flag msg.replace_header("To", bcc) self.send_mail(msg=msg, encoding=encoding)
def checkValidId(self, id, allow_dup=0): # If allow_dup is false, an error will be raised if an object # with the given id already exists. If allow_dup is true, # only check that the id string contains no illegal chars; # check_valid_id() will be called again later with allow_dup # set to false before the object is added. if not id or not isinstance(id, str): if isinstance(id, unicode): id = escape(id) raise BadRequest('Empty or invalid id specified', id) if bad_id(id) is not None: raise BadRequest( 'The id "%s" contains characters illegal in URLs.' % escape(id)) if id in ('.', '..'): raise BadRequest( 'The id "%s" is invalid because it is not traversable.' % id) if id.startswith('_'): raise BadRequest( 'The id "%s" is invalid because it ' 'begins with an underscore.' % id) if id.startswith('aq_'): raise BadRequest( 'The id "%s" is invalid because it begins with "aq_".' % id) if id.endswith('__'): raise BadRequest( 'The id "%s" is invalid because it ' 'ends with two underscores.' % id) if not allow_dup: obj = getattr(self, id, None) if obj is not None: # An object by the given id exists either in this # ObjectManager or in the acquisition path. flags = getattr(obj, '__replaceable__', NOT_REPLACEABLE) if hasattr(aq_base(self), id): # The object is located in this ObjectManager. if not flags & REPLACEABLE: raise BadRequest( 'The id "%s" is invalid - it is already in use.' % id) # else the object is replaceable even if the UNIQUE # flag is set. elif flags & UNIQUE: raise BadRequest('The id "%s" is reserved.' % id) if id == 'REQUEST': raise BadRequest('REQUEST is a reserved name.') if '/' in id: raise BadRequest( 'The id "%s" contains characters illegal in URLs.' % id)
def __call__(self): """Answer for the webservice.""" wa_path = self.request.form.get('wa', False) year = self.request.form.get('year', False) #import ipdb; ipdb.set_trace() # self.context.gwopa_year_phases[1] #{'end': 'June 11, 2021', 'end_iso': '2021-06-11', 'pattern_end': '2021,5,11', 'start': 'June 11, 2020', 'pattern_start': '2020,5,11', 'start_iso': '2020-06-11', 'fase': 2} if not wa_path: BadRequest('Working area are required') if not year: BadRequest('Year are required') results = [] titles = [] values = [{'data': []}] if wa_path: activities = api.content.find(portal_type=['Activity'], path={ 'query': wa_path, 'depth': 1 }) for act in activities: outputs = api.content.find(portal_type=['Output'], path={ 'query': act.getPath(), 'depth': 1 }) for output in outputs: titles.append(output.Title) annotations = IAnnotations(output.getObject()) KEY = "GWOPA_TARGET_YEAR_" + str(year) if annotations[KEY]['planned'] == '' or annotations[KEY][ 'monitoring'] == '' or annotations[KEY][ 'monitoring']['progress'] == '': value = 0 else: planned = annotations[KEY]['planned'] real = annotations[KEY]['monitoring']['progress'] value = percentage(real, planned) values[0]['data'].append(value) results.append(titles) results.append(values) self.request.response.setHeader("Content-type", "application/json") return json.dumps(results) else: return None
def __call__(self): transition = self.request.get('transition') if not transition: raise BadRequest('transition') handler = self._interceptors.get( transition, self.__class__.redirect_to_content_status_modify) return handler(self, self.context, transition)
def _delProperty(self, id): # Delete the property with the given id. If a property with the # given id does not exist, a ValueError is raised. if not self.hasProperty(id): raise BadRequest('The property %s does not exist.' % escape(id, True)) vself = self.v_self() if hasattr(vself, '_reserved_names'): nd = vself._reserved_names else: nd = () if ('d' not in self.propertyInfo(id).get('mode', 'wd')) or (id in nd): raise BadRequest('%s cannot be deleted.' % escape(id, True)) delattr(vself, id) pself = self.p_self() pself._properties = tuple( [i for i in pself._properties if i['id'] != id])
def validate(*args, **kwargs): registry = getUtility(IRegistry) settings = registry.forInterface(ISearchSettings) if not settings.use_solr: raise BadRequest("Solr is deactivated. The @listing endpoint is " "only available with an activated solr") return func(*args, **kwargs)
def validate_form(self, form_data): """ check all required fields and parameters """ for field in ["channels", "email"]: if not form_data.get(field, ""): raise BadRequest( "Campo obbligatorio mancante: {}".format(field))
def reply(self): alsoProvides(self.request, IDisableCSRFProtection) if not self.id: raise BadRequest("Missing id") tool = getUtility(self.store) res = tool.delete(id=self.id) if not res: return self.reply_no_content() if res.get("error", "") == "NotFound": raise BadRequest('Unable to find item with id "{}"'.format(self.id)) self.request.response.setStatus(500) return dict( error=dict( type="InternalServerError", message="Unable to delete item. Contact site manager.", ) )
def validate_additional_schema(self, data, schema): """This will validate the values in data corresponding to the fields from schema, check that all required fields are in data, and validate the invariants. """ errors = get_validation_errors(self.context, data, schema) if errors: raise BadRequest(errors)
def reply(self): if len(self.params) < 2: raise BadRequest("Can't delete Control Panel: %s" % self.params) panel = self.panel_by_name(self.params[0]) panel.delete(self.params[1:]) return self.reply_no_content()