def itemDelete(): """ Deletes an item owned by the current user """ state = request.values.get('state') if not check_nonce(state): return bad_request_error() cat_name = bleach.clean(request.values.get("item_delete_parent")) cat = dal.get_category_by_name(cat_name) if not cat: return not_found_error() active_user = get_active_user() if not active_user: return not_authenticated_error() item_name = bleach.clean(request.values.get("item_delete_name")) item = dal.get_item_by_name(cat.cat_id, item_name) if not item: return not_found_error() if active_user.user_id != item.creator_id: return not_authorized_error() # All checks passed generate_nonce() dal.delete_item(item.item_id) return redirect("/")
def itemUpdate(): """ Selectively update fields on an item owned by the logged-in user """ # This will take a few steps. Start with loading the old object and performing # our usual auth process. state = request.values.get('state') if not check_nonce(state): return bad_request_error() old_parent_name = bleach.clean( request.values.get("item_update_old_parent")) old_parent = dal.get_category_by_name(old_parent_name) if not old_parent: return not_found_error() active_user = get_active_user() if not active_user: return not_authenticated_error() old_item_name = bleach.clean(request.values.get("item_update_old_name")) old_item = dal.get_item_by_name(old_parent.cat_id, old_item_name) if not old_item: return not_found_error() # Item was found, security checks out. Now pull in the new values from # the request. If a field is empty, it's assumed that the user doesn't # want to change it. Set to None so the DAL will skip those. new_item_name = bleach.clean( request.values.get("item_update_new_name")) or None desc = bleach.clean(request.values.get("item_update_description")) or None raw_pic_data = request.files["item_update_pic"] or None pic_data = None try: if raw_pic_data: pic_data = validate_picture(raw_pic_data) except InvalidPictureError: return bad_request_error() new_parent_name = bleach.clean( request.values.get("item_update_new_parent")) or None new_cat = dal.get_category_by_name(new_parent_name) new_cat_id = new_cat.cat_id if new_cat else None # New values look good. All checks passed. generate_nonce() dal.update_item(old_item.item_id, name=new_item_name, description=desc, pic_id=old_item.pic_id, pic=pic_data, cat_id=new_cat_id) redirect_cat = new_parent_name or old_parent_name redirect_item = new_item_name or old_item_name return redirect("/catalog/{}/{}/".format(redirect_cat, redirect_item))
def itemUpdate(): """ Selectively update fields on an item owned by the logged-in user """ # This will take a few steps. Start with loading the old object and performing # our usual auth process. state = request.values.get('state') if not check_nonce(state): return bad_request_error() old_parent_name = bleach.clean(request.values.get("item_update_old_parent")) old_parent = dal.get_category_by_name(old_parent_name) if not old_parent: return not_found_error() active_user = get_active_user() if not active_user: return not_authenticated_error() old_item_name = bleach.clean(request.values.get("item_update_old_name")) old_item = dal.get_item_by_name(old_parent.cat_id, old_item_name) if not old_item: return not_found_error() # Item was found, security checks out. Now pull in the new values from # the request. If a field is empty, it's assumed that the user doesn't # want to change it. Set to None so the DAL will skip those. new_item_name = bleach.clean(request.values.get("item_update_new_name")) or None desc = bleach.clean(request.values.get("item_update_description")) or None raw_pic_data = request.files["item_update_pic"] or None pic_data = None try: if raw_pic_data: pic_data = validate_picture(raw_pic_data) except InvalidPictureError: return bad_request_error() new_parent_name = bleach.clean(request.values.get("item_update_new_parent")) or None new_cat = dal.get_category_by_name(new_parent_name) new_cat_id = new_cat.cat_id if new_cat else None # New values look good. All checks passed. generate_nonce() dal.update_item(old_item.item_id, name=new_item_name, description=desc, pic_id=old_item.pic_id, pic=pic_data, cat_id=new_cat_id) redirect_cat = new_parent_name or old_parent_name redirect_item = new_item_name or old_item_name return redirect("/catalog/{}/{}/".format(redirect_cat, redirect_item))
def itemLookupByName(cat_name, item_name): """ Looks up an item based on its human-readable item and category names """ cat = dal.get_category_by_name(cat_name) if not cat: return not_found_error() item = dal.get_item_by_name(cat.cat_id, item_name) if not item: return not_found_error() # All checks passed return render("show_item.html", item=item, active_cat=cat_name, active_item=item_name)
def itemCreate(): """ Creates a new item owned by the logged-in user """ state = request.values.get('state') if not check_nonce(state): return bad_request_error() cat_name = bleach.clean(request.values.get("item_create_parent")) cat = dal.get_category_by_name(cat_name) if not cat: return not_found_error() active_user = get_active_user() if not active_user: return not_authenticated_error() item_name = bleach.clean(request.values.get("item_create_name")) duplicate = dal.get_item_by_name(cat.cat_id, item_name) if duplicate: return already_exists_error() try: pic_data = validate_picture(request.files["item_create_pic"]) except InvalidPictureError: return bad_request_error() # All checks passed generate_nonce() desc = bleach.clean(request.values.get("item_create_description")) item_id = dal.create_item(item_name, cat.cat_id, active_user.user_id, pic_data, desc) if not item_id: logging.error( "Unable to create item: did not receive an item_id from database") return internal_error() item = dal.get_item(item_id) if not item: logging.error( "Unable to create item: an instance was not created for item_id {}" .format(item_id)) return internal_error() return redirect("/catalog/{}/{}/".format(cat_name, item_name))
def itemCreate(): """ Creates a new item owned by the logged-in user """ state = request.values.get('state') if not check_nonce(state): return bad_request_error() cat_name = bleach.clean(request.values.get("item_create_parent")) cat = dal.get_category_by_name(cat_name) if not cat: return not_found_error() active_user = get_active_user() if not active_user: return not_authenticated_error() item_name = bleach.clean(request.values.get("item_create_name")) duplicate = dal.get_item_by_name(cat.cat_id, item_name) if duplicate: return already_exists_error() try: pic_data = validate_picture(request.files["item_create_pic"]) except InvalidPictureError: return bad_request_error() # All checks passed generate_nonce() desc = bleach.clean(request.values.get("item_create_description")) item_id = dal.create_item( item_name, cat.cat_id, active_user.user_id, pic_data, desc) if not item_id: logging.error("Unable to create item: did not receive an item_id from database") return internal_error() item = dal.get_item(item_id) if not item: logging.error( "Unable to create item: an instance was not created for item_id {}".format(item_id)) return internal_error() return redirect("/catalog/{}/{}/".format(cat_name, item_name))
def categoryDelete(): """ Deletes a category owned by the logged-in user """ state = request.values.get('state') if not check_nonce(state): return bad_request_error() cat_name = bleach.clean(request.values.get("cat_delete_name")) cat = dal.get_category_by_name(cat_name) if not cat: return not_found_error() active_user = get_active_user() if not active_user: return not_authenticated_error() if active_user.user_id != cat.creator_id: return not_authorized_error() # All checks passed generate_nonce() dal.delete_category(cat.cat_id) return redirect("/")