def check_permission(session, flag, message=""):
    """
    Raise utils.ASMPermissionError unless the session is a superuser or its
    securitymap contains flag.

    session: must expose superuser, securitymap and locale; a session that
             lacks superuser or securitymap is rejected as "Invalid session".
    flag:    the security flag looked up with has_security_flag.
    message: error text to use; when empty the localised "Forbidden" string
             for the session locale is used.
    """
    for required in ("superuser", "securitymap"):
        if required not in session:
            raise utils.ASMPermissionError("Invalid session")
    locale = session.locale
    # Superusers pass every permission check
    if session.superuser == 1:
        return
    if has_security_flag(session.securitymap, flag):
        return
    if message == "":
        message = i18n._("Forbidden", locale)
    raise utils.ASMPermissionError(message)
def check_permission_map(l, superuser, securitymap, flag):
    """
    Raise utils.ASMPermissionError unless superuser is set or securitymap
    contains flag.

    l:           locale used for the localised "Forbidden" message
    superuser:   1 when the user is a superuser (always allowed)
    securitymap: the user's security map passed to has_security_flag
    flag:        the required security flag
    """
    if superuser == 1:
        return
    if has_security_flag(securitymap, flag):
        return
    raise utils.ASMPermissionError(i18n._("Forbidden", l))
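def check_view_permission(dbo, username, session, acid):
    """
    Check that the currently logged in user may view the animal control
    incident acid.

    Superusers always pass. An incident with no view roles is visible to
    everyone; otherwise the user must hold at least one of the incident's
    view roles.

    dbo:      database connection
    username: the logged in user's name
    session:  must expose superuser
    acid:     the animal control incident ID

    Returns True when viewing is allowed, otherwise raises
    utils.ASMPermissionError.
    """
    # Superusers can do anything
    if session.superuser == 1:
        return True
    viewroles = set(rr.ROLEID for rr in dbo.query(
        "SELECT RoleID FROM animalcontrolrole WHERE AnimalControlID = ? AND CanView = 1",
        [acid]))
    # No view roles means anyone can view
    if not viewroles:
        return True
    # Compare the username exactly. The previous LIKE comparison treated
    # % and _ in the supplied name as wildcards, so a name containing them
    # could pick up roles belonging to other users. (LIKE was also
    # case-insensitive on some backends; if that is relied upon, compare
    # UPPER() of both sides instead of going back to LIKE.)
    userroles = set(ur.ROLEID for ur in dbo.query(
        "SELECT RoleID FROM userrole INNER JOIN users ON userrole.UserID = users.ID WHERE users.UserName = ?",
        [username]))
    # Does the user have any of the view roles?
    if viewroles & userroles:
        return True
    raise utils.ASMPermissionError("User does not have required role to view this incident")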
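def hotlink_protect(method, referer, allowed_domains=None):
    """
    Protect a method from having any referer other than the one we set.

    method:          the service method name, only used in the error text
    referer:         the Referer header value; an empty value (no header
                     sent) is always allowed
    allowed_domains: comma separated list of domains that may hotlink;
                     defaults to IMAGE_HOTLINKING_ONLY_FROM_DOMAIN. An empty
                     list disables the check.

    Raises utils.ASMPermissionError when the referer's host is not one of
    the allowed domains or a subdomain of one.
    """
    try:
        from urllib.parse import urlsplit
    except ImportError:
        from urlparse import urlsplit
    if allowed_domains is None:
        allowed_domains = IMAGE_HOTLINKING_ONLY_FROM_DOMAIN
    if referer == "" or allowed_domains == "":
        return
    domains = [d.strip().lower() for d in allowed_domains.split(",") if d.strip() != ""]
    # Compare the referer's host rather than searching the whole URL: a
    # substring test is satisfied by any referer that merely mentions the
    # domain in its path or query string.
    try:
        host = urlsplit(referer).hostname or ""
    except ValueError:
        host = ""
    for d in domains:
        if host == d or host.endswith("." + d):
            return
    raise utils.ASMPermissionError("Hotlinking to %s from %s is forbidden" % (method, referer))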
def get_animal_view(dbo, animalid):
    """
    Build the HTML for the public animal view page of animalid from the
    configured animal view template, or a minimal built in page when no
    template is set.

    Raises utils.ASMPermissionError when the animal does not exist or is
    not adoptable.
    """
    row = dbo.first_row(get_animal_data(dbo, animalid=animalid, include_additional_fields=True, strip_personal_data=True))
    # Only adoptable animals may be shown through the service
    if row is None:
        raise utils.ASMPermissionError("animal is not adoptable (None)")
    if not is_animal_adoptable(dbo, row):
        raise utils.ASMPermissionError("animal is not adoptable (False)")
    # Optionally publish the animal comments instead of the media notes
    if configuration.publisher_use_comments(dbo):
        row.WEBSITEMEDIANOTES = row.ANIMALCOMMENTS
    head, body, foot = get_animal_view_template(dbo)
    if head == "":
        # No template configured: fall back to a bare page
        head = "<!DOCTYPE html>\n<html>\n<head>\n<title>$$SHELTERCODE$$ - $$ANIMALNAME$$</title></head>\n<body>"
        body = "<h2>$$SHELTERCODE$$ - $$ANIMALNAME$$</h2><p><img src='$$WEBMEDIAFILENAME$$'/></p><p>$$WEBMEDIANOTES$$</p>"
        foot = "</body>\n</html>"
    # Point the image back at this service's animal_image method
    if smcom.active():
        row.WEBSITEMEDIANAME = "%s?account=%s&method=animal_image&animalid=%d" % (SERVICE_URL, dbo.database, animalid)
    else:
        row.WEBSITEMEDIANAME = "%s?method=animal_image&animalid=%d" % (SERVICE_URL, animalid)
    tags = wordprocessor.animal_tags_publisher(dbo, row)
    tags = wordprocessor.append_tags(tags, wordprocessor.org_tags(dbo, "system"))
    # WEBMEDIAFILENAME2..10 for any additional images the animal has
    for seq in range(2, 11):
        if row.WEBSITEIMAGECOUNT > seq - 1:
            tags["WEBMEDIAFILENAME%d" % seq] = "%s&seq=%d" % (row.WEBSITEMEDIANAME, seq)
    # Notes plus publisher signature; line endings are carried through
    # tag substitution as a marker and turned into <br /> afterwards
    notes = utils.nulltostr(row.WEBSITEMEDIANOTES) + configuration.third_party_publisher_sig(dbo)
    notes = notes.replace("\n", "**le**")
    tags["WEBMEDIANOTES"] = notes
    tags["WEBSITEMEDIANOTES"] = notes
    page = wordprocessor.substitute_tags(head + body + foot, tags, True, "$$", "$$")
    return page.replace("**le**", "<br />")
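def handler(data, remoteip, referer):
    """
    Handles the various service method types.
    data:     The GET/POST parameters
    remoteip: address of the caller, used for logging and form submissions
    referer:  the Referer header value, used for image hotlink protection
    return value is a tuple containing MIME type, max-age, content
    """
    # Database info
    dbo = db.DatabaseInfo()
    # Get service parameters
    account = utils.df_ks(data, "account")
    username = utils.df_ks(data, "username")
    password = utils.df_ks(data, "password")
    method = utils.df_ks(data, "method")
    animalid = utils.df_ki(data, "animalid")
    formid = utils.df_ki(data, "formid")
    title = utils.df_ks(data, "title")
    callback = utils.df_ks(data, "callback")
    # The key covers every parameter that changes a cached response
    # (callback included, so one JSONP caller's function name is never
    # served to another) without persisting the credentials themselves
    cache_key = _service_cache_key(account, username, password, method, animalid, formid, title, callback)
    # Do we have a cached response for these parameters?
    cached_response = get_cached_response(cache_key)
    if cached_response is not None:
        al.debug("cache hit for %s/%s/%s/%s" % (account, method, animalid, title), "service.handler")
        return cached_response
    # Are we dealing with multiple databases, but no account was specified?
    if account == "" and MULTIPLE_DATABASES:
        # MIME type was previously misspelt as text/plan
        return ("text/plain", 0, "ERROR: No database/alias specified")
    # Are we dealing with multiple databases and an account was specified?
    if account != "" and MULTIPLE_DATABASES:
        if MULTIPLE_DATABASES_TYPE == "smcom":
            # Is this sheltermanager.com? If so, we need to get the
            # database connection info (dbo) before we can login.
            dbo = smcom.get_database_info(account)
        else:
            # Look up the database info from our map
            dbo = db.get_multiple_database_info(account)
        if dbo.database == "FAIL" or dbo.database == "DISABLED":
            al.error("auth failed - invalid smaccount %s from %s" % (account, remoteip), "service.handler", dbo)
            return ("text/plain", 0, "ERROR: Invalid database")
    # Does the method require us to authenticate? If so, do it.
    if method in AUTH_METHODS:
        if users.authenticate(dbo, username, password) is None:
            # The supplied password is deliberately not written to the log
            al.error("auth failed - %s is not a valid username/password from %s" % (username, remoteip), "service.handler", dbo)
            return ("text/plain", 0, "ERROR: Invalid username and password")
    # Get the preferred locale for the site
    dbo.locale = configuration.locale(dbo)
    al.info("call %s->%s [%s %s]" % (username, method, str(animalid), title), "service.handler", dbo)
    if method == "animal_image":
        # If we have a hotlinking restriction, enforce it. hotlink_protect
        # understands the comma separated domain list; the inline substring
        # test it replaces only worked for a single domain.
        hotlink_protect(method, referer)
        if utils.cint(animalid) == 0:
            al.error("animal_image failed, %s is not an animalid" % str(animalid), "service.handler", dbo)
            return ("text/plain", 0, "ERROR: Invalid animalid")
        seq = utils.df_ki(data, "seq")
        if seq == 0:
            seq = 1
        mm = media.get_media_by_seq(dbo, media.ANIMAL, utils.cint(animalid), seq)
        if len(mm) == 0:
            return ("image/jpeg", 86400, dbfs.get_string(dbo, "nopic.jpg", "/reports"))
        return ("image/jpeg", 86400, dbfs.get_string(dbo, mm[0]["MEDIANAME"]))
    elif method == "extra_image":
        # NOTE(review): title is passed to dbfs.get_string unchanged; confirm
        # dbfs cannot be steered outside /reports by the caller
        return ("image/jpeg", 86400, dbfs.get_string(dbo, title, "/reports"))
    elif method == "json_adoptable_animals":
        pc = publish.PublishCriteria(configuration.publisher_presets(dbo))
        rs = publish.get_animal_data(dbo, pc, True)
        return set_cached_response(cache_key, "application/json", 3600, html.json(rs))
    elif method == "xml_adoptable_animals":
        pc = publish.PublishCriteria(configuration.publisher_presets(dbo))
        rs = publish.get_animal_data(dbo, pc, True)
        return set_cached_response(cache_key, "application/xml", 3600, html.xml(rs))
    elif method == "json_recent_adoptions":
        rs = movement.get_recent_adoptions(dbo)
        return set_cached_response(cache_key, "application/json", 3600, html.json(rs))
    elif method == "xml_recent_adoptions":
        rs = movement.get_recent_adoptions(dbo)
        return set_cached_response(cache_key, "application/xml", 3600, html.xml(rs))
    elif method == "html_report":
        # NOTE(review): the report runs under whatever username was supplied;
        # whether this method authenticates depends on AUTH_METHODS — confirm
        crid = reports.get_id(dbo, title)
        p = reports.get_criteria_params(dbo, crid, data)
        rhtml = reports.execute(dbo, crid, username, p)
        return set_cached_response(cache_key, "text/html", 3600, rhtml)
    elif method == "jsonp_shelter_animals":
        # The callback name is echoed into a script body, so only accept a
        # plain JavaScript identifier path
        callback = _jsonp_callback_name(callback)
        if callback is None:
            return ("text/plain", 0, "ERROR: Invalid callback")
        sa = animal.get_animal_find_simple(dbo, "", "shelter")
        return set_cached_response(cache_key, "application/javascript", 3600, callback + "(" + html.json(sa) + ")")
    elif method == "json_shelter_animals":
        sa = animal.get_animal_find_simple(dbo, "", "shelter")
        return set_cached_response(cache_key, "application/json", 3600, html.json(sa))
    elif method == "xml_shelter_animals":
        sa = animal.get_animal_find_simple(dbo, "", "shelter")
        # Previously returned html.json under an application/xml type
        return set_cached_response(cache_key, "application/xml", 3600, html.xml(sa))
    elif method == "upload_animal_image":
        media.attach_file_from_form(dbo, username, media.ANIMAL, int(animalid), data)
        return ("text/plain", 0, "OK")
    elif method == "online_form_html":
        if formid == 0:
            raise utils.ASMError("method online_form_html requires a valid formid")
        return set_cached_response(cache_key, "text/html", 120, onlineform.get_onlineform_html(dbo, formid))
    elif method == "online_form_post":
        onlineform.insert_onlineformincoming_from_form(dbo, data, remoteip)
        redirect = utils.df_ks(data, "redirect")
        if redirect == "":
            redirect = BASE_URL + "/static/pages/form_submitted.html"
        # NOTE(review): the redirect target is taken from the request (an open
        # redirect). Forms are embedded on shelters' own sites, so restricting
        # it needs a configured allow-list rather than a hard rule here.
        return ("redirect", 0, redirect)
    else:
        al.error("invalid method '%s'" % method, "service.handler", dbo)
        raise utils.ASMError("Invalid method '%s'" % method)


def _service_cache_key(account, username, password, method, animalid, formid, title, callback):
    """
    Build the cache key for a service call.

    The readable prefix identifies the call when inspecting the cache; the
    digest makes the key unique per full parameter set without writing the
    username/password into the cache store. Spaces are stripped because
    cache keys aren't allowed spaces.
    """
    import hashlib
    parts = [account, username, password, method, str(animalid), str(formid), title, callback]
    # NUL separators keep adjacent values from running together
    digest = hashlib.sha256("\0".join(parts).encode("utf-8")).hexdigest()
    key = "a" + account + "m" + method + "a" + str(animalid) + "f" + str(formid) + "_" + digest
    return key.replace(" ", "")


def _jsonp_callback_name(name):
    """
    Return name when it is a safe JSONP callback (a dotted JavaScript
    identifier such as handler or app.cb$1), otherwise None.
    """
    import re
    if name is None:
        return None
    if re.match(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$", name) is None:
        return None
    return name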