def runTest(self):
""" Tries to subscribe to a PluginChannel with a non-activated plugin and to restricted/private channel
without being in the authorized subscribers and verifies that the subscription has not been done"""
screen = self.screen
plugin_channel = self.plugin_channels[0]
plugin_channel.plugin.activated = "no"
diff = {plugin_channel.id: True}
post_params = {"diff": json.dumps(diff)}
before = {repr(s) for s in screen.subscribed_channels}
assert self.testApp.post("/screens/%s/subscriptions" % screen.id, post_params, status=303).body is not None
after = {repr(s) for s in Screen.get(screen.id).subscribed_channels}
assert after == before
# Now try to subscribe to restricted channel without having the right to do this
plugin_channel.plugin.activated = "yes"
def try_sub_fail():
for right in "restricted", "private":
plugin_channel.subscription_right = right
diff = {plugin_channel.id: True}
post_params = {"diff": json.dumps(diff)}
before = {repr(s) for s in screen.subscribed_channels}
assert self.testApp.post("/screens/%s/subscriptions" % screen.id, post_params, status=403).body is not None
after = {repr(s) for s in Screen.get(screen.id).subscribed_channels}
assert after == before
# Nobody (excepted the admin and super_admin) can succeed to do this, even the owner of the screen
self.run_as([self.user_nothing_email, self.user_contributor_email, self.user_channel_admin_email,
self.user_contributor_of_other_channel_email, self.user_administrator_of_other_channel_email,
self.user_screen_owner_email, self.user_other_screen_owner_email], try_sub_fail)
def get(self, id):
try:
id = int(id)
sc = Screen.get(id)
return self.render_page(sc)
except (SQLObjectNotFound, ValueError):
resp.seeother('/screens')
def runTest(self):
""" Submits an empty diff to the page and ensures that nothing has changed """
screen = self.screen
before = {repr(s) for s in screen.subscribed_channels}
post_params = {"diff": json.dumps({})}
assert self.testApp.post("/screens/%s/subscriptions" % screen.id, post_params, status=303).body is not None
after = {repr(s) for s in Screen.get(screen.id).subscribed_channels}
assert after == before
def get(self, screen_id):
try:
screen = Screen.get(screen_id)
u = User.get(self.session['user']['id'])
if not (UserPermissions.administrator in u.highest_permission_level or screen in u.screens):
resp.forbidden()
except SQLObjectNotFound:
resp.notfound()
return self.render_page(screen, u)
def try_sub_fail():
for right in "restricted", "private":
plugin_channel.subscription_right = right
diff = {plugin_channel.id: True}
post_params = {"diff": json.dumps(diff)}
before = {repr(s) for s in screen.subscribed_channels}
assert self.testApp.post("/screens/%s/subscriptions" % screen.id, post_params, status=403).body is not None
after = {repr(s) for s in Screen.get(screen.id).subscribed_channels}
assert after == before
def GET(self, screen_id, secret):
""" Serves the pure web-based client for this screen. """
try:
screen = Screen.get(screen_id)
if screen.secret != secret:
raise web.forbidden()
except SQLObjectNotFound:
raise web.notfound()
return self.ictv_renderer.render_screen_client(screen)
def runTest(self):
""" Tries to subscribe the screen to a non-existing channel and verifies that it is forbidden by the app and
nothing has been done """
screen = self.screen
plugin_channel = self.plugin_channels[0]
plugin_channel.plugin.activated = "no"
diff = {plugin_channel.id: True, -1: True}
post_params = {"diff": json.dumps(diff)}
before = {repr(s) for s in screen.subscribed_channels}
assert self.testApp.post("/screens/%s/subscriptions" % screen.id, post_params, status=403).body is not None
after = {repr(s) for s in Screen.get(screen.id).subscribed_channels}
assert after == before
def get(self, screen_id, secret):
""" Render the channels of this screen. """
try:
screen = Screen.get(screen_id)
except SQLObjectNotFound:
return migration_adapter.notfound()
if screen.secret != secret:
return migration_adapter.forbidden()
if flask.request.remote_addr is None:
pass
else:
screens_logger.info("Request to the screen " + str(screen_id) + " has been done from:" + flask.request.remote_addr)
if flask.request.headers.get('User-Agent') == 'cache_daemon.py':
screen.last_ip = flask.g.ip
screen.last_access = datetime.now()
return render_screen(screen, self.app)
def GET(self, screen_id, secret):
""" Render the channels of this screen. """
try:
screen = Screen.get(screen_id)
except SQLObjectNotFound:
raise web.notfound()
if screen.secret != secret:
raise web.forbidden()
if web.ctx.env.get('REMOTE_ADDR') is None:
pass
else:
screens_logger.info("Request to the screen " + str(screen_id) +
" has been done from:" +
web.ctx.env.get('REMOTE_ADDR'))
if web.ctx.env.get('HTTP_USER_AGENT') == 'cache_daemon.py':
screen.last_ip = web.ctx.ip
screen.last_access = datetime.now()
return render_screen(screen, self.app)
def post(self, screen_id):
def wrong_channel(channel, subscribe, user):
""" returns True if the the user wants to subscribe to the channel while its plugin is not activated or if
the user tries to subscribe to the channel without being in its authorized subscribers"""
return subscribe and (type(channel) is PluginChannel and channel.plugin.activated != "yes" or (subscribe and not channel.can_subscribe(user)))
form = self.form
try:
screen = Screen.get(screen_id)
u = User.get(self.session['user']['id'])
# Forbid if not admin or does not own this screen
if not (UserPermissions.administrator in u.highest_permission_level or screen in u.screens):
logger.warning('user %s tried change subscriptions of screen %d without having the rights to do this',
u.log_name, screen.id)
resp.forbidden()
diff = json.loads(form.diff)
if diff == {}:
logger.info('user %s submitted empty diff for subscriptions of screen %s', u.log_name, screen.name)
raise ImmediateFeedback("subscription", 'nothing_changed')
# Do the subscription/unsubscription for every channel in the diff
subscribed = []
unsubscribed = []
try:
changes = [(Channel.get(channel_id), subscribe) for channel_id, subscribe in diff.items()]
except SQLObjectNotFound:
logger.warning('user %s tried to subscribe/unsubscribe screen %d to a channel which does not exist',
u.log_name, screen.id)
resp.forbidden()
# if somebody tries to subscribe to a channel with a disabled plugin
wrong_channels = [(channel, subscribe) for channel, subscribe in changes if wrong_channel(channel, subscribe, u)]
if wrong_channels:
channel, subscribe = wrong_channels[0]
if channel.plugin.activated != "yes":
logger.warning('user %s tried to %s screen %d to channel %d with disabled plugin',
u.log_name, 'subscribe' if subscribe else "unsubscribe", screen.id, channel.id)
raise ImmediateFeedback("subscription", "disabled_plugin")
else:
logger.warning('user %s tried to subscribe screen %d to channel %d without having the right to do this',
u.log_name, screen.id, channel.id)
resp.forbidden()
for channel, subscribe in changes:
if subscribe:
screen.subscribe_to(u, channel)
subscribed.append(str(channel.id))
else:
screen.unsubscribe_from(u, channel)
unsubscribed.append(str(channel.id))
if subscribed and unsubscribed:
message = "user %s has subscribed screen %d to channel(s) %s and unsubscribed from channel(s) %s" % \
(u.log_name, screen.id, ', '.join(subscribed), ', '.join(unsubscribed))
else:
message = "user %s has %s screen %d to channel(s) %s" % \
(u.log_name, "subscribed" if subscribed else "unsubscribed", screen.id,
', '.join(subscribed if subscribed else unsubscribed))
logger.info(message)
add_feedback("subscription", 'ok')
except SQLObjectNotFound:
resp.notfound()
except ImmediateFeedback:
pass
store_form(form)
resp.seeother("/screens/%s/subscriptions" % screen.id)
def post(self, channel_id):
form = self.form
u = User.get(self.session['user']['id'])
subscribed = []
unsubscribed = []
if form.diff == 'diff':
raise ImmediateFeedback(form.action, 'nothing_changed')
try:
diff = json.loads(form.diff)
except (json.JSONDecodeError, ValueError):
raise ImmediateFeedback(form.action, 'inconsistent_diff')
try:
channelid = int(channel_id)
except ValueError:
raise ImmediateFeedback(form.action, 'invalid_channel/screen_id')
for k, v in diff.items():
try:
sub = bool(v)
except ValueError:
raise ImmediateFeedback(form.action,
'invalid_channel/screen_id')
try:
screenid = int(k)
except ValueError:
raise ImmediateFeedback(form.action,
'invalid_channel/screen_id')
try:
channel = Channel.get(channelid)
if not channel.can_subscribe(u):
raise self.forbidden(message="You're not allow to do that")
screen = Screen.get(screenid)
if not u in screen.owners:
raise self.forbidden(message="You're not allow to do that")
#sub true -> New subscription
#sub false -> Remove subscription
if sub:
screen.subscribe_to(u, channel)
subscribed.append(str(channel.id))
else:
screen.unsubscribe_from(u, channel)
unsubscribed.append(str(channel.id))
if subscribed and unsubscribed:
message = "user %s has subscribed screen %d to channel(s) %s and unsubscribed from channel(s) %s" % \
(u.log_name, screen.id, ', '.join(subscribed), ', '.join(unsubscribed))
else:
message = "user %s has %s screen %d to channel(s) %s" % \
(u.log_name, "subscribed" if subscribed else "unsubscribed", screen.id,
', '.join(subscribed if subscribed else unsubscribed))
logger.info(message)
add_feedback("subscription", 'ok')
except SQLObjectNotFound:
raise ImmediateFeedback(form.action,
'invalid_channel/screen_id')
except DuplicateEntryError:
# if the user has checked + unchecked the same checkbox, it will appear on the diff,
# we just need to do nothing.
pass
except SQLObjectIntegrityError:
# when there id more than one subscription matching the pair channel/screen
pass
resp.seeother("/channels/config/%s/subscriptions" % channel_id)
def screen_client_1(self):
sc = Screen.get(1)
r = self.testApp.get('/screens/1/client/' + sc.secret, status=200)
assert_not_equal(r.body, None)
def post(self):
""" Handles screen creation, editing, deletion, channel subscriptions. """
form = self.form
u = User.get(self.session['user']['id'])
try:
if form.action == 'delete':
if not u.super_admin:
resp.forbidden()
try:
screenid = int(form.screenid)
except ValueError:
raise ImmediateFeedback(form.action, 'invalid_id')
try:
Screen.delete(screenid)
raise ImmediateFeedback(form.action, 'ok')
except SQLObjectNotFound as e:
raise ImmediateFeedback(form.action, 'no_id_matching')
elif form.action == 'subscribe':
if form.diff == 'diff':
raise ImmediateFeedback(form.action, 'nothing_changed')
try:
diff = json.loads(form.diff)
except (json.JSONDecodeError, ValueError):
raise ImmediateFeedback(form.action, 'inconsistent_diff')
try:
screenid = int(form.screenid)
except ValueError:
raise ImmediateFeedback(form.action,
'invalid_channel/screen_id')
for k, v in diff.items():
try:
sub = bool(v)
except ValueError:
raise ImmediateFeedback(form.action,
'invalid_channel/screen_id')
try:
channelid = int(k)
except ValueError:
raise ImmediateFeedback(form.action,
'invalid_channel/screen_id')
try:
channel = Channel.get(channelid)
screen = Screen.get(screenid)
if UserPermissions.administrator not in u.highest_permission_level and not (
channel.can_subscribe(u)
and u in screen.owners):
resp.forbidden()
if sub:
if hasattr(channel, "plugin"
) and channel.plugin.activated != 'yes':
resp.forbidden()
screen.subscribe_to(user=u, channel=channel)
else:
screen.unsubscribe_from(user=u, channel=channel)
except SQLObjectNotFound:
raise ImmediateFeedback(form.action,
'invalid_channel/screen_id')
except DuplicateEntryError:
# if the user has checked + unchecked the same checkbox, it will appear on the diff,
# we just need to do nothing.
pass
except SQLObjectIntegrityError:
# when there id more than one subscription matching the pair channel/screen
# TODO: log something
pass
elif form.action == 'chown':
if form.diff == 'diff':
raise ImmediateFeedback(form.action, 'nothing_changed')
try:
diff = json.loads(form.diff)
except (json.JSONDecodeError, ValueError):
raise ImmediateFeedback(form.action, 'inconsistent_diff')
try:
screenid = int(form.screenid)
except ValueError:
raise ImmediateFeedback(form.action, 'screenid')
for k, v in diff.items():
try:
own = bool(v)
except ValueError:
raise ImmediateFeedback(form.action,
'invalid_screen/user_id')
try:
userid = int(k)
except ValueError:
raise ImmediateFeedback(form.action,
'invalid_screen/user_id')
try:
screen = Screen.get(screenid)
if UserPermissions.administrator not in u.highest_permission_level and u not in screen.owners:
resp.forbidden()
user = User.get(userid)
if own:
screen.safe_add_user(user)
else:
screen.removeUser(user)
except SQLObjectNotFound:
raise ImmediateFeedback(form.action,
'invalid_screen/user_id')
except DuplicateEntryError:
# if the user has checked + unchecked the same checkbox, it will appear on the diff,
# we just need to do nothing.
pass
except SQLObjectIntegrityError:
# when there is more than one subscription mathing the pair channel/screen
# TODO: log something
pass
elif form.action == 'configure':
screen = Screen.get(int(form.id))
screen.shuffle = form.get('shuffle') == 'on'
screen.show_postit = form.get('postit') == 'on'
screen.show_slide_number = form.get(
'show_slide_number') == 'on'
else:
building = Building.get(form.building.strip())
name = form.name.strip()
form.building_name = None
if not building:
raise ImmediateFeedback(form.action, 'empty_building')
form.building_name = building.name
if not name:
raise ImmediateFeedback(form.action, 'empty_name')
if len(name) > Screen.sqlmeta.columns['name'].length:
raise ImmediateFeedback(form.action, 'too_long_name')
try:
macs = {
self.check_mac_address(mac)
for mac in form.mac.strip().lower().split(';') if mac
}
except ValueError:
raise ImmediateFeedback(form.action, 'invalid_mac_address')
if form.action == 'create':
if UserPermissions.administrator not in u.highest_permission_level:
resp.forbidden()
try:
screen = Screen(name=form.name.strip(),
building=form.building,
location=form.location.strip(),
comment=form.comment.strip(),
orientation=form.orientation)
except DuplicateEntryError:
raise ImmediateFeedback(form.action,
'name_already_exists')
elif form.action == 'edit':
if UserPermissions.administrator not in u.highest_permission_level:
resp.forbidden()
try:
screenid = int(form.screenid)
except ValueError:
raise ImmediateFeedback(form.action, 'invalid_id')
screen = Screen.get(screenid)
if screen is None:
raise ImmediateFeedback(form.action, 'no_id_matching')
try:
screen.name = form.name.strip()
screen.building = form.building
screen.orientation = form.orientation
except DuplicateEntryError:
raise ImmediateFeedback(form.action,
'name_already_exists')
screen.location = form.location.strip()
screen.comment = form.comment.strip()
else:
raise NotImplementedError
try:
screen_macs = [
screen_mac.mac for screen_mac in screen.macs
]
for mac in screen_macs:
if mac not in macs:
ScreenMac.selectBy(mac=mac).getOne().destroySelf()
for mac in macs:
if mac not in screen_macs:
ScreenMac(screen=screen, mac=mac)
except DuplicateEntryError:
raise ImmediateFeedback(form.action, 'mac_already_exists')
add_feedback(form.action, 'ok')
except ImmediateFeedback:
pass
store_form(form)
return self.render_page()