Exemplo n.º 1
def ff_tree_delete(params, request):
	"""
	Delete the folders listed in ``params['records']`` on behalf of ``request.user``.

	Each record supplies an ``id``; the literal id ``'root'`` is skipped.
	Returns ``{'success': True, 'total': <number of folders deleted>}``.

	Raises KeyError for an unknown folder id and ValueError('Folder access
	denied') when any of the access checks below fails.
	"""
	sess = DBSession()
	user = request.user
	root_ff = user.group.effective_root_folder
	deleted = 0
	for rec in params.get('records', ()):
		raw_id = rec.get('id')
		if raw_id == 'root':
			continue
		# Client-supplied value: a missing id makes int(None) raise TypeError,
		# a non-numeric one raises ValueError.
		ff_id = int(raw_id)
		ff = sess.query(FileFolder).get(ff_id)
		if ff is None:
			raise KeyError('Unknown folder ID %d' % ff_id)

		# Confinement: the folder must lie inside the group's effective root,
		# when one is configured.
		if root_ff and not ff.is_inside(root_ff):
			raise ValueError('Folder access denied')

		# Removing an entry needs write + traverse rights on the parent;
		# a parentless folder needs the user's root_writable flag.
		parent = ff.parent
		if parent:
			if not (parent.can_write(user) and parent.can_traverse_path(user)):
				raise ValueError('Folder access denied')
		elif not user.root_writable:
			raise ValueError('Folder access denied')

		# Extra precaution: only the folder's own user may delete it.
		if ff.user != user:
			raise ValueError('Folder access denied')

		# NOTE(review): a denial on a later record raises after earlier records
		# were already passed to sess.delete(); whether those deletions are
		# rolled back depends on the transaction handling, which is not
		# visible here -- confirm.
		sess.delete(ff)
		deleted += 1
	return {'success': True, 'total': deleted}
Exemplo n.º 2
def client_activate(request):
	"""
	Activate a self-registered client account from an e-mailed link.

	Reads the activation code (``code``) and login (``for``) from the query
	string. When a stored link of the configured type carries that code and
	belongs to a still-inactive entity with that nick, the entity is switched
	to the ``ok`` state and the link is deleted (single use).

	Returns the template variables dict (``failed`` tells the outcome), or a
	redirect when the visitor is already logged in or when registration /
	e-mail verification is disabled.
	"""
	if authenticated_userid(request):
		return HTTPSeeOther(location=request.route_url('access.cl.home'))
	did_fail = True
	cur_locale = locale_neg(request)
	settings = request.registry.settings
	comb_js = asbool(settings.get('netprofile.client.combine_js', False))
	can_reg = asbool(settings.get('netprofile.client.registration.enabled', False))
	must_verify = asbool(settings.get('netprofile.client.registration.verify_email', True))
	link_id = int(settings.get('netprofile.client.registration.link_id', 1))
	rand_len = int(settings.get('netprofile.client.registration.code_length', 20))
	if not (can_reg and must_verify):
		return HTTPSeeOther(location=request.route_url('access.cl.login'))

	# Both values come straight from the URL. The code is upper-cased before
	# lookup and must have exactly the configured length.
	code = request.GET.get('code', '').strip().upper()
	login = request.GET.get('for', '')
	if code and login and len(code) == rand_len:
		sess = DBSession()
		candidates = sess.query(AccessEntityLink)\
			.options(joinedload(AccessEntityLink.entity))\
			.filter(AccessEntityLink.type_id == link_id, AccessEntityLink.value == code)
		for link in candidates:
			# TODO: implement code timeouts
			# NOTE(review): until then an unused code stays valid indefinitely,
			# and no attempt limiting is visible in this view -- confirm it is
			# enforced elsewhere.
			ent = link.entity
			if (ent.access_state != AccessState.block_inactive.value) or (ent.nick != login):
				continue
			ent.access_state = AccessState.ok.value
			# Consume the link so the same code cannot be replayed.
			sess.delete(link)
			did_fail = False
			break
	tpldef = {
		'failed': did_fail,
		'comb_js': comb_js,
		'cur_loc': cur_locale,
	}
	request.run_hook('access.cl.tpldef.activate', tpldef, request)
	return tpldef
Exemplo n.º 3
def client_upload(request):
	"""
	Accept files uploaded by a client and hand each one to the upload hooks.

	The POST body must carry a non-empty ``mode`` and a ``csrf`` value equal
	to ``request.get_csrf()``; otherwise HTTPForbidden is raised. Every entry
	of the ``files`` field is stored as a new File object and offered to the
	``access.cl.upload`` hook; if no hook answers True the object is deleted
	again and an error entry is reported for it.

	Returns ``{'files': [...]}`` after passing it through the
	``access.cl.tpldef.upload`` hook.
	"""
	form = request.POST
	csrf = form.get('csrf', '')
	mode = form.get('mode', '')
	if not mode:
		raise HTTPForbidden('Invalid upload use')
	# NOTE(review): plain string comparison of the CSRF token; a constant-time
	# compare would be the more defensive choice -- depends on what
	# get_csrf() returns, confirm.
	if csrf != request.get_csrf():
		raise HTTPForbidden('Error uploading file')
	sess = DBSession()
	# FIXME: add folder cfg
	results = []
	for fo in form.getall('files'):
		obj = File()
		# The file name is client-controlled and is stored as submitted.
		# NOTE(review): no size, type or name validation is visible here;
		# presumably the hook or set_from_file() enforces it -- verify.
		if fo.filename:
			obj.name = obj.filename = fo.filename
		sess.add(obj)
		obj.set_from_file(fo.file, None, sess)
		signal = request.run_hook('access.cl.upload', obj, mode, request, sess, results)
		if True in signal:
			continue
		# No hook accepted the file: report the failure and drop the object.
		results.append({
			'name': obj.filename,
			'size': obj.size,
			'error': _('Error uploading file'),
		})
		sess.delete(obj)
	tpldef = {'files': results}
	request.run_hook('access.cl.tpldef.upload', tpldef, request)
	return tpldef
Exemplo n.º 4
def client_activate(request):
	"""
	Handle the account-activation link sent to a newly registered client.

	The query string provides ``code`` (activation code) and ``for`` (login).
	A matching link of the configured type whose entity is still in the
	``block_inactive`` state and has that nick gets its entity set to ``ok``;
	the link itself is deleted so it works only once.

	Returns the template dict with ``failed`` set accordingly, or an
	HTTPSeeOther redirect for logged-in visitors and for installations where
	registration or e-mail verification is switched off.
	"""
	if authenticated_userid(request):
		return HTTPSeeOther(location=request.route_url('access.cl.home'))
	did_fail = True
	cur_locale = locale_neg(request)
	conf = request.registry.settings
	comb_js = asbool(conf.get('netprofile.client.combine_js', False))
	can_reg = asbool(conf.get('netprofile.client.registration.enabled', False))
	must_verify = asbool(conf.get('netprofile.client.registration.verify_email', True))
	link_id = int(conf.get('netprofile.client.registration.link_id', 1))
	rand_len = int(conf.get('netprofile.client.registration.code_length', 20))
	if (not can_reg) or (not must_verify):
		return HTTPSeeOther(location=request.route_url('access.cl.login'))

	# Untrusted input from the URL; the code is normalised to upper case and
	# only looked up when its length equals the configured code length.
	code = request.GET.get('code', '').strip().upper()
	login = request.GET.get('for', '')
	lookup_allowed = code and login and (len(code) == rand_len)
	if lookup_allowed:
		sess = DBSession()
		link_query = sess.query(AccessEntityLink)\
			.options(joinedload(AccessEntityLink.entity))\
			.filter(AccessEntityLink.type_id == link_id, AccessEntityLink.value == code)
		for link in link_query:
			# TODO: implement code timeouts
			# NOTE(review): codes currently never expire; throttling of
			# repeated guesses is not visible in this view -- confirm.
			ent = link.entity
			is_pending = (ent.access_state == AccessState.block_inactive.value)
			if is_pending and (ent.nick == login):
				ent.access_state = AccessState.ok.value
				# One-shot: remove the link once it has been used.
				sess.delete(link)
				did_fail = False
				break
	tpldef = {
		'failed': did_fail,
		'comb_js': comb_js,
		'cur_loc': cur_locale,
	}
	request.run_hook('access.cl.tpldef.activate', tpldef, request)
	return tpldef
Exemplo n.º 5
def client_upload(request):
	"""
	Store client-uploaded files and let the upload hooks claim them.

	Requires a non-empty POST ``mode`` and a POST ``csrf`` token matching
	``request.get_csrf()`` (HTTPForbidden otherwise). Each item of the
	``files`` field becomes a File object; when no ``access.cl.upload`` hook
	returns True for it, the object is removed again and an error entry is
	added to the result.

	Returns ``{'files': [...]}`` after the ``access.cl.tpldef.upload`` hook
	has seen it.
	"""
	csrf = request.POST.get('csrf', '')
	mode = request.POST.get('mode', '')
	if not mode:
		raise HTTPForbidden('Invalid upload use')
	# NOTE(review): token equality is checked with `!=`; consider a
	# constant-time comparison if get_csrf() returns a plain string -- confirm.
	if csrf != request.get_csrf():
		raise HTTPForbidden('Error uploading file')
	sess = DBSession()
	# FIXME: add folder cfg
	file_reports = []
	uploads = request.POST.getall('files')
	for fo in uploads:
		obj = File()
		# fo.filename is whatever the client sent; it is copied unchanged.
		# NOTE(review): validation of name, size and content type is not
		# visible in this view -- presumably done by the hook; verify.
		if fo.filename:
			obj.name = obj.filename = fo.filename
		sess.add(obj)
		obj.set_from_file(fo.file, None, sess)
		signal = request.run_hook('access.cl.upload', obj, mode, request, sess, file_reports)
		accepted = True in signal
		if not accepted:
			# Nobody claimed the file: report it and discard the stored object.
			file_reports.append({
				'name': obj.filename,
				'size': obj.size,
				'error': _('Error uploading file'),
			})
			sess.delete(obj)
	tpldef = {'files': file_reports}
	request.run_hook('access.cl.tpldef.upload', tpldef, request)
	return tpldef
Exemplo n.º 6
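def delete_record(request):
	"""
	Delete a DNS domain or a single DNS record that belongs to the current user.

	POST fields: ``csrf`` (must equal ``request.get_csrf()``), ``recordid``
	and/or ``domainid``. A record id takes precedence over a domain id.
	The object is deleted only when it exists and its domain is among the
	domains whose ``account`` equals the requesting user's id.

	Always answers with a redirect to the domain list; on a CSRF mismatch an
	error is flashed and ``error=asc`` is added to the redirect URL.
	"""
	loc = get_localizer(request)
	sess = DBSession()
	csrf = request.POST.get('csrf', '')

	if csrf != request.get_csrf():
		request.session.flash({
			'text' : loc.translate(_('Error submitting form')),
			'class' : 'danger'
		})
		# `_query` is a route_url() argument; given to HTTPSeeOther it never
		# reaches the redirect URL.
		return HTTPSeeOther(location=request.route_url('pdns.cl.domains', _query=(('error', 'asc'),)))

	# Ownership set, loaded only after the CSRF check has passed.
	user_domains = {d.id for d in sess.query(PDNSDomain).filter_by(account=str(request.user.id))}

	domainid = request.POST.get('domainid', None)
	recid = request.POST.get('recordid', None)
	# Ids are client-supplied: a non-numeric value must not surface as an
	# unhandled exception.
	try:
		obj_id = int(recid or domainid or '')
	except (TypeError, ValueError):
		obj_id = None

	if obj_id is not None:
		if recid:
			record = sess.query(PDNSRecord).filter_by(id=obj_id).first()
			# first() yields None for an unknown id; treat it as "nothing to delete".
			if record is not None and record.domain_id in user_domains:
				sess.delete(record)
				sess.flush()
		else:
			domain = sess.query(PDNSDomain).filter_by(id=obj_id).first()
			if domain is not None and domain.id in user_domains:
				sess.delete(domain)
				sess.flush()

	return HTTPSeeOther(location=request.route_url('pdns.cl.domains'))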
Exemplo n.º 7
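def deleteMailBox(request):
	"""
	Delete a mailbox, or a mail domain together with its admin entries.

	POST fields: ``csrf`` (must equal ``request.get_csrf()``), ``mboxid``
	and/or ``domainid``. A mailbox id takes precedence over a domain id.
	A mailbox is deleted only when its username equals the requesting
	entity's nick; a domain only when that nick is listed among the domain's
	admins.

	Always answers with a redirect to the mail page; on a CSRF mismatch an
	error is flashed and ``error=asc`` is added to the redirect URL.
	"""
	loc = get_localizer(request)
	sess = DBSession()
	csrf = request.POST.get('csrf', '')
	if csrf != request.get_csrf():
		request.session.flash({
			'text' : loc.translate(_('Error submitting form')),
			'class' : 'danger'
		})
		# `_query` is a route_url() argument; given to HTTPSeeOther it never
		# reaches the redirect URL.
		return HTTPSeeOther(location=request.route_url('postfix.cl.mail', _query=(('error', 'asc'),)))

	access_user = sess.query(AccessEntity).filter_by(nick=str(request.user)).first()
	domainid = request.POST.get('domainid', None)
	mboxid = request.POST.get('mboxid', None)
	# Ids are client-supplied: a non-numeric value must not surface as an
	# unhandled exception.
	try:
		obj_id = int(mboxid or domainid or '')
	except (TypeError, ValueError):
		obj_id = None

	# Without a resolved entity there is nothing to compare ownership against,
	# so nothing is deleted.
	if access_user is not None and obj_id is not None:
		if mboxid:
			mbox = sess.query(PostfixMailbox).filter_by(id=obj_id).first()
			# first() yields None for an unknown id; treat it as "nothing to delete".
			if mbox is not None and mbox.username == access_user.nick:
				sess.delete(mbox)
				sess.flush()
		else:
			domain = sess.query(PostfixDomain).filter_by(id=obj_id).first()
			if domain is not None:
				domainadmins = sess.query(PostfixDomainAdmins).filter_by(domain=domain.domain)
				if access_user.nick in [adm.username for adm in domainadmins]:
					sess.delete(domain)
					# Remove the admin rows that referenced the deleted domain.
					sess.query(PostfixDomainAdmins).filter_by(domain=domain.domain).delete()
					sess.flush()

	return HTTPSeeOther(location=request.route_url('postfix.cl.mail'))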
Exemplo n.º 8
	def delete(self, req, ctx, recurse=True, _flush=True):
		"""
		Delete ``ctx`` through the DB session, children first when ``recurse`` is true.

		``_flush`` is internal: nested calls pass False so the session is
		flushed once, by the outermost call.
		"""
		# NOTE(review): ``req`` is only forwarded and no permission check is
		# visible in this method -- presumably callers authorize the
		# operation before invoking it; confirm.
		session = DBSession()
		descendants = self.children(ctx) if recurse else ()
		for child in descendants:
			self.delete(req, child, recurse, False)
		session.delete(ctx)
		if _flush:
			session.flush()
Exemplo n.º 9
 def delete(self, req, ctx, recurse=True, _flush=True):
     """
     Remove ``ctx`` via the DB session; with ``recurse`` its children are removed first.

     Nested calls are made with ``_flush=False``, so only the outermost
     call flushes the session.
     """
     # NOTE(review): no access check is visible here and ``req`` is merely
     # passed along -- presumably authorization happens in the caller; verify.
     db = DBSession()
     if recurse:
         for child_ctx in self.children(ctx):
             self.delete(req, child_ctx, recurse, False)
     db.delete(ctx)
     if not _flush:
         return
     db.flush()
Exemplo n.º 10
def dyn_usersettings_submit(param, request):
	"""
	ExtDirect method for submitting user settings form.

	Walks every setting returned by the module manager for the 'user' scope
	and, for each one the requester is allowed to change, stores, updates or
	removes the matching UserSetting row of ``request.user``. ``param`` maps
	full setting names (``<module>.<section>.<setting>``) to submitted values;
	names not present in ``param`` keep their current value.

	Returns ``{'success': True}``.
	"""

	sess = DBSession()
	mmgr = request.registry.getUtility(IModuleManager)
	# Session-level copy of the user's settings, when one exists.
	cached = None
	if 'auth.settings' in request.session:
		cached = request.session['auth.settings']

	all_settings = mmgr.get_settings('user')
	# Currently stored rows of this user, keyed by full setting name.
	values = dict(
		(s.name, s)
		for s
		in sess.query(UserSetting).filter(UserSetting.user == request.user)
	)

	for moddef, sections in all_settings.items():
		for sname, section in sections.items():
			# Capability gates: submitted values for sections or settings the
			# requester may not read or write are silently ignored.
			if section.read_cap and not request.has_permission(section.read_cap):
				continue
			for setting_name, setting in section.items():
				if setting.read_cap and not request.has_permission(setting.read_cap):
					continue
				if setting.write_cap and not request.has_permission(setting.write_cap):
					continue
				fullname = '%s.%s.%s' % (moddef, sname, setting_name)
				old_value = setting.default
				if fullname in values:
					old_value = setting.parse_param(values[fullname].value)
				new_value = old_value
				if fullname in param:
					# Client-supplied value.
					# NOTE(review): presumably parse_param() validates/coerces
					# it -- confirm against the setting classes.
					new_value = setting.parse_param(param[fullname])

				# A value equal to the default is not stored: drop any
				# existing row instead.
				if new_value == setting.default:
					if fullname in values:
						sess.delete(values[fullname])
						del values[fullname]
					# Truthiness test: an empty cache dict is left untouched.
					if cached:
						cached[fullname] = setting.default
					continue
				if new_value != old_value:
					if fullname in values:
						values[fullname].value = setting.format_param(new_value)
					else:
						values[fullname] = UserSetting(
							user=request.user,
							name=fullname,
							value=setting.format_param(new_value)
						)
						sess.add(values[fullname])
					if cached:
						cached[fullname] = new_value

	# Write the cache back to the session after the updates above.
	if cached:
		request.session['auth.settings'] = cached
	return { 'success' : True }
Exemplo n.º 11
def client_delete(request):
	"""
	Delete the file addressed by the ``mode`` and ``id`` route parameters.

	The object is resolved by running the ``access.cl.download`` hook; the
	first File instance among the hook results is deleted.

	Returns True when a file was deleted, False when a route parameter is
	missing, the id is not an integer, or no hook produced a File.
	"""
	route_args = request.matchdict
	if not ('mode' in route_args and 'id' in route_args):
		return False
	mode = route_args['mode']
	try:
		objid = int(route_args['id'])
	except ValueError:
		return False
	sess = DBSession()
	# NOTE(review): authorization is delegated to the *download* hook, so
	# whoever may fetch the file may apparently also delete it; no CSRF token
	# check is visible in this view either -- confirm both are intended or
	# enforced by the route configuration.
	hook_results = request.run_hook('access.cl.download', mode, objid, request, sess)
	for candidate in hook_results:
		if not isinstance(candidate, File):
			continue
		sess.delete(candidate)
		return True
	return False
Exemplo n.º 12
def client_delete(request):
	"""
	Delete the file identified by the ``mode`` and ``id`` route parameters.

	Resolution goes through the ``access.cl.download`` hook: the first File
	instance it returns is deleted.

	Returns True on deletion; False when a route parameter is absent, the id
	cannot be converted to an integer, or the hook returned no File.
	"""
	matched = request.matchdict
	for required in ('mode', 'id'):
		if required not in matched:
			return False
	mode = matched['mode']
	try:
		objid = int(matched['id'])
	except (TypeError, ValueError):
		return False
	sess = DBSession()
	# NOTE(review): the permission decision comes from the *download* hook, so
	# read access apparently implies delete access, and no CSRF token is
	# checked in this view -- confirm both are intended or handled elsewhere.
	found = request.run_hook('access.cl.download', mode, objid, request, sess)
	for item in found:
		if isinstance(item, File):
			sess.delete(item)
			return True
	return False
Exemplo n.º 13
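def _cal_events_delete(params, req):
	"""
	Delete the calendar event named by ``params['EventId']``.

	The id has the form ``event-<integer>``. Returns None when no EventId is
	given or it names another object type; False when the id is malformed,
	the event does not exist, or its calendar is missing or not writable by
	``req.user``; True once the event has been deleted.
	"""
	if 'EventId' not in params:
		return
	# EventId is client-supplied. A value without a dash, with extra dashes,
	# with a non-numeric suffix or of a non-string type is rejected here
	# instead of raising.
	try:
		evtype, _sep, evid = params['EventId'].partition('-')
	except AttributeError:
		return False
	if evtype != 'event':
		return
	try:
		evid = int(evid)
	except ValueError:
		return False
	sess = DBSession()
	ev = sess.query(Event).get(evid)
	if ev is None:
		return False
	# Only events on a calendar the requester may write to can be deleted.
	if (not ev.calendar) or (not ev.calendar.can_write(req.user)):
		return False
	sess.delete(ev)
	return True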
Exemplo n.º 14
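def delete_record(request):
    """
    Delete a DNS domain or a single DNS record that belongs to the current user.

    POST fields: ``csrf`` (must equal ``request.get_csrf()``), ``recordid``
    and/or ``domainid``. A record id takes precedence over a domain id.
    The object is deleted only when it exists and its domain is among the
    domains whose ``account`` equals the requesting user's id.

    Always answers with a redirect to the domain list; on a CSRF mismatch an
    error is flashed and ``error=asc`` is added to the redirect URL.
    """
    loc = get_localizer(request)
    sess = DBSession()
    csrf = request.POST.get('csrf', '')

    if csrf != request.get_csrf():
        request.session.flash({
            'text': loc.translate(_('Error submitting form')),
            'class': 'danger'
        })
        # `_query` is a route_url() argument; given to HTTPSeeOther it never
        # reaches the redirect URL.
        return HTTPSeeOther(
            location=request.route_url(
                'pdns.cl.domains',
                _query=(('error', 'asc'),)
            )
        )

    # Ownership set, loaded only after the CSRF check has passed.
    user_domains = {
        d.id for d in sess.query(PDNSDomain)
        .filter_by(account=str(request.user.id))
    }

    domainid = request.POST.get('domainid', None)
    recid = request.POST.get('recordid', None)
    # Ids are client-supplied: a non-numeric value must not surface as an
    # unhandled exception.
    try:
        obj_id = int(recid or domainid or '')
    except (TypeError, ValueError):
        obj_id = None

    if obj_id is not None:
        if recid:
            record = sess.query(PDNSRecord).filter_by(id=obj_id).first()
            # first() yields None for an unknown id; nothing to delete then.
            if record is not None and record.domain_id in user_domains:
                sess.delete(record)
                sess.flush()
        else:
            domain = sess.query(PDNSDomain).filter_by(id=obj_id).first()
            if domain is not None and domain.id in user_domains:
                sess.delete(domain)
                sess.flush()

    return HTTPSeeOther(location=request.route_url('pdns.cl.domains'))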
Exemplo n.º 15
	def unlock(self):
		"""
		Handle a WebDAV UNLOCK request for the current context.

		The ``Lock-Token`` header is compared with every lock found on the
		context's path; the first lock whose token matches is deleted and a
		DAVUnlockResponse is returned.

		Raises DAVBadRequestError when the header is missing or empty and
		DAVLockTokenMatchError when no lock carries the supplied token.
		"""
		req = self.req
		ctx = req.context
		# ACL check runs before the token is even read.
		# NOTE(review): presumably user_acl() raises when the requester lacks
		# write-content rights -- confirm.
		req.dav.user_acl(req, ctx, dprops.ACL_WRITE_CONTENT)

		supplied = req.headers.get('Lock-Token')
		if not supplied:
			raise dav.DAVBadRequestError('UNLOCK request must be accompanied by a valid lock token header.')
		path = req.dav.ctx_path(ctx)
		# Accept the token with or without the surrounding angle brackets.
		if not supplied.startswith('<'):
			supplied = '<%s>' % (supplied,)
		# NOTE(review): the lock's owner is not compared with the requesting
		# user in this method; knowing the token plus passing the ACL check
		# above is what authorizes the unlock -- confirm that is intended.
		for lock in req.dav.get_locks(path):
			if supplied != '<opaquelocktoken:%s>' % (lock.token,):
				continue
			DBSession().delete(lock)
			return dav.DAVUnlockResponse(request=req)
		raise dav.DAVLockTokenMatchError('Invalid lock token supplied.')