class LinkController(RedditController): @cross_domain(allow_credentials=True) @allow_oauth2_access @json_validate( VModhashIfLoggedIn(), dfp_creative_id=VInt("dfp_creative_id", min=0), ) def POST_link_from_id(self, responder, dfp_creative_id, *a, **kw): if (responder.has_errors("dfp_creative_id", errors.BAD_NUMBER)): return link = LinksByDfpCreativeId.get(dfp_creative_id) if link: _check_edits(link) if not link: try: creative = creatives_service.by_id(dfp_creative_id) except Exception as e: g.log.error("dfp error: %s" % e) abort(404) link = utils.dfp_creative_to_link(creative) LinksByDfpCreativeId.add(link) listing = wrap_links([link]) thing = listing.things[0] return thing.render()
class SitemapController(MinimalController): def GET_index(self): response.content_type = 'application/xml' return Sitemap.sitemap_index() @validate(index=VInt('index', 0, 50000)) def GET_subreddits(self, index): response.content_type = 'application/xml' try: return Sitemap.subreddit_sitemap(index) except tdb_cassandra.NotFound: return self.abort404()
class LiveUpdateEmbedController(MinimalController): def __before__(self, event): MinimalController.__before__(self) if event: try: c.liveupdate_event = LiveUpdateEvent._byID(event) except tdb_cassandra.NotFound: pass if not c.liveupdate_event: self.abort404() @validate( liveupdate=VLiveUpdate('liveupdate'), embed_index=VInt('embed_index', min=0) ) def GET_mediaembed(self, liveupdate, embed_index): if c.errors or request.host != g.media_domain: # don't serve up untrusted content except on our # specifically untrusted domain abort(404) try: media_object = liveupdate.media_objects[embed_index] except IndexError: abort(404) embed = get_live_media_embed(media_object) if not embed: abort(404) content = embed.content c.allow_framing = True args = { "body": content, "unknown_dimensions": not (embed.width and embed.height), "js_context": { "liveupdate_id": unicode(liveupdate._id), # UUID serializing "embed_index": embed_index, } } return pages.LiveUpdateMediaEmbedBody(**args).render()
class PlaceController(RedditController): def pre(self): RedditController.pre(self) if not PLACE_SUBREDDIT.can_view(c.user): self.abort403() if c.user.in_timeout: self.abort403() if c.user._spam: self.abort403() @validate( is_embed=VBoolean("is_embed"), is_webview=VBoolean("webview", default=False), is_palette_hidden=VBoolean('hide_palette', default=False), ) @allow_oauth2_access def GET_canvasse(self, is_embed, is_webview, is_palette_hidden): # oauth will try to force the response into json # undo that here by hacking extension, content_type, and render_style try: del(request.environ['extension']) except: pass request.environ['content_type'] = "text/html; charset=UTF-8" request.environ['render_style'] = "html" set_content_type() websocket_url = websockets.make_url("/place", max_age=3600) content = PlaceCanvasse() js_config = { "place_websocket_url": websocket_url, "place_canvas_width": CANVAS_WIDTH, "place_canvas_height": CANVAS_HEIGHT, "place_cooldown": 0 if c.user_is_admin else PIXEL_COOLDOWN_SECONDS, "place_fullscreen": is_embed or is_webview, "place_hide_ui": is_palette_hidden, } if c.user_is_loggedin and not c.user_is_admin: js_config["place_wait_seconds"] = get_wait_seconds(c.user) # this is a sad duplication of the same from reddit_base :( # if c.user_is_loggedin: # PLACE_SUBREDDIT.record_visitor_activity("logged_in", c.user._fullname) # elif c.loid.serializable: # PLACE_SUBREDDIT.record_visitor_activity("logged_out", c.loid.loid) try: js_config["place_active_visitors"] = get_activity_count() except ActivityError: pass if is_embed: # ensure we're off the cookie domain before allowing embedding if request.host != g.media_domain: abort(404) c.allow_framing = True if is_embed or is_webview: return PlaceEmbedPage( title="place", content=content, extra_js_config=js_config, ).render() else: return PlacePage( title="place", content=content, extra_js_config=js_config, ).render() @json_validate( VUser(), # NOTE: this will respond with a 200 with an error body VModhash(), x=VInt("x", min=0, max=CANVAS_WIDTH, coerce=False), y=VInt("y", min=0, max=CANVAS_HEIGHT, coerce=False), color=VInt("color", min=0, max=15), ) @allow_oauth2_access def POST_draw(self, responder, x, y, color): #if c.user._date >= ACCOUNT_CREATION_CUTOFF: # self.abort403() if PLACE_SUBREDDIT.is_banned(c.user): self.abort403() if x is None: # copy the error set by VNumber/VInt c.errors.add( error_name=errors.BAD_NUMBER, field="x", msg_params={ "range": _("%(min)d to %(max)d") % { "min": 0, "max": CANVAS_WIDTH, }, }, ) if y is None: # copy the error set by VNumber/VInt c.errors.add( error_name=errors.BAD_NUMBER, field="y", msg_params={ "range": _("%(min)d to %(max)d") % { "min": 0, "max": CANVAS_HEIGHT, }, }, ) if color is None: c.errors.add(errors.BAD_COLOR, field="color") if (responder.has_errors("x", errors.BAD_NUMBER) or responder.has_errors("y", errors.BAD_NUMBER) or responder.has_errors("color", errors.BAD_COLOR)): # TODO: return 400 with parsable error message? return if c.user_is_admin: wait_seconds = 0 else: wait_seconds = get_wait_seconds(c.user) if wait_seconds > 2: response.status = 429 request.environ['extra_error_data'] = { "error": 429, "wait_seconds": wait_seconds, } return Pixel.create(c.user, color, x, y) c.user.set_flair( subreddit=PLACE_SUBREDDIT, text="({x},{y}) {time}".format(x=x, y=y, time=time.time()), css_class="place-%s" % color, ) websockets.send_broadcast( namespace="/place", type="place", payload={ "author": c.user.name, "x": x, "y": y, "color": color, } ) events.place_pixel(x, y, color) cooldown = 0 if c.user_is_admin else PIXEL_COOLDOWN_SECONDS return { 'wait_seconds': cooldown, } @json_validate( VUser(), # NOTE: this will respond with a 200 with an error body VAdmin(), VModhash(), x=VInt("x", min=0, max=CANVAS_WIDTH, coerce=False), y=VInt("y", min=0, max=CANVAS_HEIGHT, coerce=False), width=VInt("width", min=1, max=ADMIN_RECT_DRAW_MAX_SIZE, coerce=True, num_default=1), height=VInt("height", min=1, max=ADMIN_RECT_DRAW_MAX_SIZE, coerce=True, num_default=1), ) @allow_oauth2_access def POST_drawrect(self, responder, x, y, width, height): if x is None: # copy the error set by VNumber/VInt c.errors.add( error_name=errors.BAD_NUMBER, field="x", msg_params={ "range": _("%(min)d to %(max)d") % { "min": 0, "max": CANVAS_WIDTH, }, }, ) if y is None: # copy the error set by VNumber/VInt c.errors.add( error_name=errors.BAD_NUMBER, field="y", msg_params={ "range": _("%(min)d to %(max)d") % { "min": 0, "max": CANVAS_HEIGHT, }, }, ) if (responder.has_errors("x", errors.BAD_NUMBER) or responder.has_errors("y", errors.BAD_NUMBER)): # TODO: return 400 with parsable error message? return # prevent drawing outside of the canvas width = min(CANVAS_WIDTH - x, width) height = min(CANVAS_HEIGHT - y, height) batch_payload = [] for _x in xrange(x, x + width): for _y in xrange(y, y + height): pixel = Pixel.create(None, 0, _x, _y) payload = { "author": '', "x": _x, "y": _y, "color": 0, } batch_payload.append(payload) websockets.send_broadcast( namespace="/place", type="batch-place", payload=batch_payload, ) @json_validate( VUser(), ) @allow_oauth2_access def GET_time_to_wait(self, responder): if c.user._date >= ACCOUNT_CREATION_CUTOFF: self.abort403() if c.user_is_admin: wait_seconds = 0 else: wait_seconds = get_wait_seconds(c.user) return { "wait_seconds": wait_seconds, } @json_validate( x=VInt("x", min=0, max=CANVAS_WIDTH, coerce=False), y=VInt("y", min=0, max=CANVAS_HEIGHT, coerce=False), ) @allow_oauth2_access def GET_pixel(self, responder, x, y): if x is None: # copy the error set by VNumber/VInt c.errors.add( error_name=errors.BAD_NUMBER, field="x", msg_params={ "range": _("%(min)d to %(max)d") % { "min": 0, "max": CANVAS_WIDTH, }, }, ) if y is None: # copy the error set by VNumber/VInt c.errors.add( error_name=errors.BAD_NUMBER, field="y", msg_params={ "range": _("%(min)d to %(max)d") % { "min": 0, "max": CANVAS_HEIGHT, }, }, ) if (responder.has_errors("x", errors.BAD_NUMBER) or responder.has_errors("y", errors.BAD_NUMBER)): return pixel = Pixel.get_pixel_at(x, y) if pixel and pixel["user_name"]: # pixels blanked out by admins will not have a user_name set return pixel
class PromoteController(ListingController): where = 'promoted' render_cls = PromotePage @property def title_text(self): return _('promoted by you') @classmethod @memoize('live_by_subreddit', time=300) def live_by_subreddit(cls, sr): if sr == Frontpage: sr_id = '' else: sr_id = sr._id r = LiveAdWeights.get([sr_id]) return [i.link for i in r[sr_id]] @classmethod @memoize('subreddits_with_promos', time=3600) def subreddits_with_promos(cls): sr_ids = LiveAdWeights.get_live_subreddits() srs = Subreddit._byID(sr_ids, return_dict=False) sr_names = sorted([sr.name for sr in srs], key=lambda s: s.lower()) return sr_names @property def menus(self): filters = [ NamedButton('all_promos', dest=''), NamedButton('future_promos'), NamedButton('unpaid_promos'), NamedButton('rejected_promos'), NamedButton('pending_promos'), NamedButton('live_promos'), ] menus = [ NavMenu(filters, base_path='/promoted', title='show', type='lightdrop') ] if self.sort == 'live_promos' and c.user_is_sponsor: sr_names = self.subreddits_with_promos() buttons = [NavButton(name, name) for name in sr_names] frontbutton = NavButton('FRONTPAGE', Frontpage.name, aliases=[ '/promoted/live_promos/%s' % urllib.quote(Frontpage.name) ]) buttons.insert(0, frontbutton) buttons.insert(0, NavButton('all', '')) menus.append( NavMenu(buttons, base_path='/promoted/live_promos', title='subreddit', type='lightdrop')) return menus def keep_fn(self): def keep(item): if item.promoted and not item._deleted: return True else: return False return keep def query(self): if c.user_is_sponsor: if self.sort == "future_promos": return queries.get_all_unapproved_links() elif self.sort == "pending_promos": return queries.get_all_accepted_links() elif self.sort == "unpaid_promos": return queries.get_all_unpaid_links() elif self.sort == "rejected_promos": return queries.get_all_rejected_links() elif self.sort == "live_promos" and self.sr: return self.live_by_subreddit(self.sr) elif self.sort == 'live_promos': return queries.get_all_live_links() elif self.sort == 'underdelivered': q = queries.get_underdelivered_campaigns() campaigns = PromoCampaign._by_fullname(list(q), data=True, return_dict=False) link_ids = [camp.link_id for camp in campaigns] return [Link._fullname_from_id36(to36(id)) for id in link_ids] return queries.get_all_promoted_links() else: if self.sort == "future_promos": return queries.get_unapproved_links(c.user._id) elif self.sort == "pending_promos": return queries.get_accepted_links(c.user._id) elif self.sort == "unpaid_promos": return queries.get_unpaid_links(c.user._id) elif self.sort == "rejected_promos": return queries.get_rejected_links(c.user._id) elif self.sort == "live_promos": return queries.get_live_links(c.user._id) return queries.get_promoted_links(c.user._id) @validate(VSponsor(), sr=nop('sr')) def GET_listing(self, sr=None, sort="", **env): if not c.user_is_loggedin or not c.user.email_verified: return self.redirect("/ad_inq") self.sort = sort self.sr = None if sr and sr == Frontpage.name: self.sr = Frontpage elif sr: try: self.sr = Subreddit._by_name(sr) except NotFound: pass return ListingController.GET_listing(self, **env) GET_index = GET_listing @validate(VSponsor()) def GET_new_promo(self): return PromotePage('content', content=PromoteLinkNew()).render() @validate(VSponsor('link'), link=VLink('link')) def GET_edit_promo(self, link): if not link or link.promoted is None: return self.abort404() rendered = wrap_links(link, wrapper=promote.sponsor_wrapper, skip=False) form = PromoteLinkForm(link, rendered) page = PromotePage('new_promo', content=form) return page.render() # admin only because the route might change @validate(VSponsorAdmin('campaign'), campaign=VPromoCampaign('campaign')) def GET_edit_promo_campaign(self, campaign): if not campaign: return self.abort404() link = Link._byID(campaign.link_id) return self.redirect(promote.promo_edit_url(link)) @json_validate(sr=VSubmitSR('sr', promotion=True), start=VDate('startdate'), end=VDate('enddate')) def GET_check_inventory(self, responder, sr, start, end): sr = sr or Frontpage available_by_datestr = inventory.get_available_pageviews(sr, start, end, datestr=True) return {'inventory': available_by_datestr} @validate(VSponsor(), dates=VDateRange(["startdate", "enddate"], max_range=timedelta(days=28), required=False)) def GET_graph(self, dates): start, end, bad_dates = _check_dates(dates) return PromotePage("graph", content=Promote_Graph( start, end, bad_dates=bad_dates)).render() @validate(VSponsorAdmin(), dates=VDateRange(["startdate", "enddate"], max_range=timedelta(days=28), required=False)) def GET_admingraph(self, dates): start, end, bad_dates = _check_dates(dates) content = Promote_Graph(start, end, bad_dates=bad_dates, admin_view=True) if c.render_style == 'csv': return content.as_csv() return PromotePage("admingraph", content=content).render() # ## POST controllers below @validatedForm(VSponsorAdmin(), link=VLink("link_id"), campaign=VPromoCampaign("campaign_id36")) def POST_freebie(self, form, jquery, link, campaign): if campaign_has_oversold_error(form, campaign): form.set_html(".freebie", "target oversold, can't freebie") return if promote.is_promo(link) and campaign: promote.free_campaign(link, campaign, c.user) form.redirect(promote.promo_edit_url(link)) @validatedForm(VSponsorAdmin(), link=VByName("link"), note=nop("note")) def POST_promote_note(self, form, jquery, link, note): if promote.is_promo(link): text = PromotionLog.add(link, note) form.find(".notes").children(":last").after("<p>" + text + "</p>") @noresponse(VSponsorAdmin(), thing=VByName('id')) def POST_promote(self, thing): if promote.is_promo(thing): promote.accept_promotion(thing) @noresponse(VSponsorAdmin(), thing=VByName('id'), reason=nop("reason")) def POST_unpromote(self, thing, reason): if promote.is_promo(thing): promote.reject_promotion(thing, reason=reason) @validate(VSponsorAdmin(), link=VLink("link"), campaign=VPromoCampaign("campaign")) def GET_refund(self, link, campaign): if campaign.link_id != link._id: return self.abort404() content = RefundPage(link, campaign) return Reddit("refund", content=content, show_sidebar=False).render() @validatedForm(VSponsorAdmin(), link=VLink('link'), campaign=VPromoCampaign('campaign')) def POST_refund_campaign(self, form, jquery, link, campaign): billable_impressions = promote.get_billable_impressions(campaign) billable_amount = promote.get_billable_amount(campaign, billable_impressions) refund_amount = campaign.bid - billable_amount if refund_amount > 0: promote.refund_campaign(link, campaign, billable_amount) form.set_html('.status', _('refund succeeded')) else: form.set_html('.status', _('refund not needed')) @validatedForm(VSponsor('link_id'), VModhash(), VRatelimit(rate_user=True, rate_ip=True, prefix='create_promo_'), VShamedDomain('url'), l=VLink('link_id'), title=VTitle('title'), url=VUrl('url', allow_self=False, lookup=False), ip=ValidIP(), disable_comments=VBoolean("disable_comments"), media_width=VInt("media-width", min=0), media_height=VInt("media-height", min=0), media_embed=VLength("media-embed", 1000), media_override=VBoolean("media-override"), domain_override=VLength("domain", 100)) def POST_edit_promo(self, form, jquery, ip, l, title, url, disable_comments, media_height, media_width, media_embed, media_override, domain_override): should_ratelimit = False if not c.user_is_sponsor: should_ratelimit = True if not should_ratelimit: c.errors.remove((errors.RATELIMIT, 'ratelimit')) # check for shame banned domains if form.has_errors("url", errors.DOMAIN_BANNED): g.stats.simple_event('spam.shame.link') return # demangle URL in canonical way if url: if isinstance(url, (unicode, str)): form.set_inputs(url=url) elif isinstance(url, tuple) or isinstance(url[0], Link): # there's already one or more links with this URL, but # we're allowing mutliple submissions, so we really just # want the URL url = url[0].url # users can change the disable_comments on promoted links if ((not l or not promote.is_promoted(l)) and (form.has_errors('title', errors.NO_TEXT, errors.TOO_LONG) or form.has_errors('url', errors.NO_URL, errors.BAD_URL) or jquery.has_errors('ratelimit', errors.RATELIMIT))): return if not l: l = promote.new_promotion(title, url, c.user, ip) elif promote.is_promo(l): changed = False # live items can only be changed by a sponsor, and also # pay the cost of de-approving the link trusted = c.user_is_sponsor or c.user.trusted_sponsor if not promote.is_promoted(l) or trusted: if title and title != l.title: l.title = title changed = not trusted if url and url != l.url: l.url = url changed = not trusted # only trips if the title and url are changed by a non-sponsor if changed and not promote.is_unpaid(l): promote.unapprove_promotion(l) if trusted and promote.is_unapproved(l): promote.accept_promotion(l) # comment disabling is free to be changed any time. l.disable_comments = disable_comments if c.user_is_sponsor or c.user.trusted_sponsor: if media_embed and media_width and media_height: l.media_object = dict(height=media_height, width=media_width, content=media_embed, type='custom') else: l.media_object = None l.media_override = media_override if getattr(l, "domain_override", False) or domain_override: l.domain_override = domain_override l._commit() form.redirect(promote.promo_edit_url(l)) @validate(VSponsorAdmin()) def GET_roadblock(self): return PromotePage('content', content=Roadblocks()).render() @validatedForm(VSponsorAdmin(), VModhash(), dates=VDateRange(['startdate', 'enddate'], future=1, reference_date=promote.promo_datetime_now, business_days=False, sponsor_override=True), sr=VSubmitSR('sr', promotion=True)) def POST_add_roadblock(self, form, jquery, dates, sr): if (form.has_errors('startdate', errors.BAD_DATE, errors.BAD_FUTURE_DATE) or form.has_errors('enddate', errors.BAD_DATE, errors.BAD_FUTURE_DATE, errors.BAD_DATE_RANGE)): return if form.has_errors('sr', errors.SUBREDDIT_NOEXIST, errors.SUBREDDIT_NOTALLOWED, errors.SUBREDDIT_REQUIRED): return if dates and sr: sd, ed = dates PromotedLinkRoadblock.add(sr, sd, ed) jquery.refresh() @validatedForm(VSponsorAdmin(), VModhash(), dates=VDateRange(['startdate', 'enddate'], future=1, reference_date=promote.promo_datetime_now, business_days=False, sponsor_override=True), sr=VSubmitSR('sr', promotion=True)) def POST_rm_roadblock(self, form, jquery, dates, sr): if dates and sr: sd, ed = dates PromotedLinkRoadblock.remove(sr, sd, ed) jquery.refresh() @validatedForm(VSponsor('link_id'), VModhash(), dates=VDateRange(['startdate', 'enddate'], future=1, reference_date=promote.promo_datetime_now, business_days=False, sponsor_override=True), link=VLink('link_id'), bid=VBid('bid', min=0, max=g.max_promote_bid, coerce=False, error=errors.BAD_BID), sr=VSubmitSR('sr', promotion=True), campaign_id36=nop("campaign_id36"), targeting=VLength("targeting", 10)) def POST_edit_campaign(self, form, jquery, link, campaign_id36, dates, bid, sr, targeting): if not link: return start, end = dates or (None, None) author = Account._byID(link.author_id, data=True) cpm = author.cpm_selfserve_pennies if (start and end and not promote.is_accepted(link) and not c.user_is_sponsor): # if the ad is not approved already, ensure the start date # is at least 2 days in the future start = start.date() end = end.date() now = promote.promo_datetime_now() future = make_offset_date(now, g.min_promote_future, business_days=True) if start < future.date(): c.errors.add(errors.BAD_FUTURE_DATE, msg_params=dict(day=g.min_promote_future), field="startdate") if (form.has_errors('startdate', errors.BAD_DATE, errors.BAD_FUTURE_DATE) or form.has_errors('enddate', errors.BAD_DATE, errors.BAD_FUTURE_DATE, errors.BAD_DATE_RANGE)): return # Limit the number of PromoCampaigns a Link can have # Note that the front end should prevent the user from getting # this far existing_campaigns = list(PromoCampaign._by_link(link._id)) if len(existing_campaigns) > g.MAX_CAMPAIGNS_PER_LINK: c.errors.add(errors.TOO_MANY_CAMPAIGNS, msg_params={'count': g.MAX_CAMPAIGNS_PER_LINK}, field='title') form.has_errors('title', errors.TOO_MANY_CAMPAIGNS) return if form.has_errors('bid', errors.BAD_BID): return if campaign_id36: # you cannot edit the bid of a live ad unless it's a freebie try: campaign = PromoCampaign._byID36(campaign_id36) if (bid != campaign.bid and campaign.start_date < datetime.now(g.tz) and not campaign.is_freebie()): c.errors.add(errors.BID_LIVE, field='bid') form.has_errors('bid', errors.BID_LIVE) return except NotFound: pass min_bid = 0 if c.user_is_sponsor else g.min_promote_bid if bid is None or bid < min_bid: c.errors.add(errors.BAD_BID, field='bid', msg_params={ 'min': min_bid, 'max': g.max_promote_bid }) form.has_errors('bid', errors.BAD_BID) return if targeting == 'one': if form.has_errors('sr', errors.SUBREDDIT_NOEXIST, errors.SUBREDDIT_NOTALLOWED, errors.SUBREDDIT_REQUIRED): # checking to get the error set in the form, but we can't # check for rate-limiting if there's no subreddit return roadblock = PromotedLinkRoadblock.is_roadblocked(sr, start, end) if roadblock and not c.user_is_sponsor: msg_params = { "start": roadblock[0].strftime('%m/%d/%Y'), "end": roadblock[1].strftime('%m/%d/%Y') } c.errors.add(errors.OVERSOLD, field='sr', msg_params=msg_params) form.has_errors('sr', errors.OVERSOLD) return elif targeting == 'none': sr = None # Check inventory campaign_id = campaign._id if campaign_id36 else None if has_oversold_error(form, campaign_id, start, end, bid, cpm, sr): return if campaign_id36 is not None: campaign = PromoCampaign._byID36(campaign_id36) promote.edit_campaign(link, campaign, dates, bid, cpm, sr) r = promote.get_renderable_campaigns(link, campaign) jquery.update_campaign(r.campaign_id36, r.start_date, r.end_date, r.duration, r.bid, r.spent, r.cpm, r.sr, r.status) else: campaign = promote.new_campaign(link, dates, bid, cpm, sr) r = promote.get_renderable_campaigns(link, campaign) jquery.new_campaign(r.campaign_id36, r.start_date, r.end_date, r.duration, r.bid, r.spent, r.cpm, r.sr, r.status) @validatedForm(VSponsor('link_id'), VModhash(), l=VLink('link_id'), campaign=VPromoCampaign("campaign_id36")) def POST_delete_campaign(self, form, jquery, l, campaign): if l and campaign: promote.delete_campaign(l, campaign) @validatedForm(VSponsor('container'), VModhash(), user=VExistingUname('name'), thing=VByName('container')) def POST_traffic_viewer(self, form, jquery, user, thing): """ Adds a user to the list of users allowed to view a promoted link's traffic page. """ if not form.has_errors("name", errors.USER_DOESNT_EXIST, errors.NO_USER): form.set_inputs(name="") form.set_html(".status:first", _("added")) if promote.add_traffic_viewer(thing, user): user_row = TrafficViewerList(thing).user_row( 'traffic_viewer', user) jquery(".traffic_viewer-table").show().find( "table").insert_table_rows(user_row) # send the user a message msg = user_added_messages['traffic']['pm']['msg'] subj = user_added_messages['traffic']['pm']['subject'] if msg and subj: d = dict(url=thing.make_permalink_slow(), traffic_url=promote.promo_traffic_url(thing), title=thing.title) msg = msg % d item, inbox_rel = Message._new(c.user, user, subj, msg, request.ip) queries.new_message(item, inbox_rel) @validatedForm(VSponsor('container'), VModhash(), iuser=VByName('id'), thing=VByName('container')) def POST_rm_traffic_viewer(self, form, jquery, iuser, thing): if thing and iuser: promote.rm_traffic_viewer(thing, iuser) @validatedForm( VSponsor('link'), link=VByName("link"), campaign=VPromoCampaign("campaign"), customer_id=VInt("customer_id", min=0), pay_id=VInt("account", min=0), edit=VBoolean("edit"), address=ValidAddress([ "firstName", "lastName", "company", "address", "city", "state", "zip", "country", "phoneNumber" ], allowed_countries=g.allowed_pay_countries), creditcard=ValidCard(["cardNumber", "expirationDate", "cardCode"])) def POST_update_pay(self, form, jquery, link, campaign, customer_id, pay_id, edit, address, creditcard): # Check inventory if campaign_has_oversold_error(form, campaign): return address_modified = not pay_id or edit form_has_errors = False if address_modified: if (form.has_errors([ "firstName", "lastName", "company", "address", "city", "state", "zip", "country", "phoneNumber" ], errors.BAD_ADDRESS) or form.has_errors( ["cardNumber", "expirationDate", "cardCode"], errors.BAD_CARD)): form_has_errors = True elif g.authorizenetapi: pay_id = edit_profile(c.user, address, creditcard, pay_id) else: pay_id = 1 # if link is in use or finished, don't make a change if pay_id and not form_has_errors: # valid bid and created or existing bid id. # check if already a transaction if g.authorizenetapi: success, reason = promote.auth_campaign( link, campaign, c.user, pay_id) else: success = True if success: form.redirect(promote.promo_edit_url(link)) else: form.set_html( ".status", reason or _("failed to authenticate card. sorry.")) @validate(VSponsor("link"), link=VLink("link"), campaign=VPromoCampaign("campaign")) def GET_pay(self, link, campaign): # no need for admins to play in the credit card area if c.user_is_loggedin and c.user._id != link.author_id: return self.abort404() if not campaign.link_id == link._id: return self.abort404() if g.authorizenetapi: data = get_account_info(c.user) content = PaymentForm(link, campaign, customer_id=data.customerProfileId, profiles=data.paymentProfiles, max_profiles=PROFILE_LIMIT) else: content = None res = LinkInfoPage(link=link, content=content, show_sidebar=False) return res.render() def GET_link_thumb(self, *a, **kw): """ See GET_upload_sr_image for rationale """ return "nothing to see here." @validate(VSponsor("link_id"), link=VByName('link_id'), file=VLength('file', 500 * 1024), img_type=VImageType('img_type')) def POST_link_thumb(self, link=None, file=None, img_type='jpg'): if link and (not promote.is_promoted(link) or c.user_is_sponsor or c.user.trusted_sponsor): errors = dict(BAD_CSS_NAME="", IMAGE_ERROR="") try: # thumnails for promoted links can change and therefore expire force_thumbnail(link, file, file_type=".%s" % img_type) except cssfilter.BadImage: # if the image doesn't clean up nicely, abort errors["IMAGE_ERROR"] = _("bad image") if any(errors.values()): return UploadedImage("", "", "upload", errors=errors, form_id="image-upload").render() else: link._commit() return UploadedImage(_('saved'), thumbnail_url(link), "", errors=errors, form_id="image-upload").render() @validate(VSponsorAdmin(), launchdate=VDate('ondate'), dates=VDateRange(['startdate', 'enddate']), query_type=VOneOf('q', ('started_on', 'between'), default=None)) def GET_admin(self, launchdate=None, dates=None, query_type=None): return PromoAdminTool(query_type=query_type, launchdate=launchdate, start=dates[0], end=dates[1]).render() @validate(VSponsorAdminOrAdminSecret('secret'), start=VDate('startdate'), end=VDate('enddate'), link_text=nop('link_text'), owner=VAccountByName('owner')) def GET_report(self, start, end, link_text=None, owner=None): now = datetime.now(g.tz).replace(hour=0, minute=0, second=0, microsecond=0) end = end or now - timedelta(days=1) start = start or end - timedelta(days=7) links = [] bad_links = [] owner_name = owner.name if owner else '' if owner: promo_weights = PromotionWeights.get_campaigns(start, end, author_id=owner._id) campaign_ids = [pw.promo_idx for pw in promo_weights] campaigns = PromoCampaign._byID(campaign_ids, data=True) link_ids = {camp.link_id for camp in campaigns.itervalues()} links.extend(Link._byID(link_ids, data=True, return_dict=False)) if link_text is not None: id36s = link_text.replace(',', ' ').split() try: links_from_text = Link._byID36(id36s, data=True) except NotFound: links_from_text = {} bad_links = [id36 for id36 in id36s if id36 not in links_from_text] links.extend(links_from_text.values()) content = PromoteReport(links, link_text, owner_name, bad_links, start, end) if c.render_style == 'csv': return content.as_csv() else: return PromotePage('report', content=content).render()
class APIv1GoldController(OAuth2OnlyController): def _gift_using_creddits(self, recipient, months=1, thing_fullname=None, proxying_for=None): with creddits_lock(c.user): if not c.user.employee and c.user.gold_creddits < months: err = RedditError("INSUFFICIENT_CREDDITS") self.on_validation_error(err) note = None buyer = c.user if c.user.name.lower() in g.live_config["proxy_gilding_accounts"]: note = "proxy-%s" % c.user.name if proxying_for: try: buyer = Account._by_name(proxying_for) except NotFound: pass send_gift( buyer=buyer, recipient=recipient, months=months, days=months * 31, signed=False, giftmessage=None, thing_fullname=thing_fullname, note=note, ) if not c.user.employee: c.user.gold_creddits -= months c.user._commit() @require_oauth2_scope("creddits") @validate( VUser(), target=VByName("fullname"), ) @api_doc( api_section.gold, uri="/api/v1/gold/gild/{fullname}", ) def POST_gild(self, target): if not isinstance(target, (Comment, Link)): err = RedditError("NO_THING_ID") self.on_validation_error(err) if target.subreddit_slow.quarantine: err = RedditError("GILDING_NOT_ALLOWED") self.on_validation_error(err) self._gift_using_creddits( recipient=target.author_slow, thing_fullname=target._fullname, proxying_for=request.POST.get("proxying_for"), ) @require_oauth2_scope("creddits") @validate( VUser(), user=VAccountByName("username"), months=VInt("months", min=1, max=36), ) @api_doc( api_section.gold, uri="/api/v1/gold/give/{username}", ) def POST_give(self, user, months): self._gift_using_creddits( recipient=user, months=months, proxying_for=request.POST.get("proxying_for"), )
class APIv1GoldController(OAuth2ResourceController): def pre(self): OAuth2ResourceController.pre(self) self.authenticate_with_token() self.set_up_user_context() self.run_sitewide_ratelimits() def try_pagecache(self): pass @staticmethod def on_validation_error(error): abort_with_error(error, error.code or 400) def _gift_using_creddits(self, recipient, months=1, thing_fullname=None): with creddits_lock(c.user): if not c.user.employee and c.user.gold_creddits < months: err = RedditError("INSUFFICIENT_CREDDITS") self.on_validation_error(err) send_gift( buyer=c.user, recipient=recipient, months=months, days=months * 31, signed=False, giftmessage=None, thing_fullname=thing_fullname, ) if not c.user.employee: c.user.gold_creddits -= months c.user._commit() @require_oauth2_scope("creddits") @validate( target=VByName("fullname"), ) @api_doc( api_section.gold, uri="/api/v1/gold/gild/{fullname}", ) def POST_gild(self, target): if not isinstance(target, (Comment, Link)): err = RedditError("NO_THING_ID") self.on_validation_error(err) self._gift_using_creddits( recipient=target.author_slow, thing_fullname=target._fullname, ) @require_oauth2_scope("creddits") @validate( user=VAccountByName("username"), months=VInt("months", min=1, max=36), ) @api_doc( api_section.gold, uri="/api/v1/gold/give/{username}", ) def POST_give(self, user, months): self._gift_using_creddits( recipient=user, months=months, )
class IpnController(RedditController): # Used when buying gold with creddits @validatedForm(VUser(), months=VInt("months"), passthrough=VPrintable("passthrough", max_length=50)) def POST_spendcreddits(self, form, jquery, months, passthrough): if months is None or months < 1: form.set_html(".status", _("nice try.")) return days = months * 31 if not passthrough: raise ValueError("/spendcreddits got no passthrough?") blob_key, payment_blob = get_blob(passthrough) if payment_blob["goldtype"] != "gift": raise ValueError("/spendcreddits payment_blob %s has goldtype %s" % (passthrough, payment_blob["goldtype"])) signed = payment_blob["signed"] giftmessage = _force_unicode(payment_blob["giftmessage"]) recipient_name = payment_blob["recipient"] if payment_blob["account_id"] != c.user._id: fmt = ("/spendcreddits payment_blob %s has userid %d " + "but c.user._id is %d") raise ValueError(fmt % passthrough, payment_blob["account_id"], c.user._id) try: recipient = Account._by_name(recipient_name) except NotFound: raise ValueError( "Invalid username %s in spendcreddits, buyer = %s" % (recipient_name, c.user.name)) if recipient._deleted: form.set_html(".status", _("that user has deleted their account")) return if not c.user.employee: if months > c.user.gold_creddits: raise ValueError( "%s is trying to sneak around the creddit check" % c.user.name) c.user.gold_creddits -= months c.user.gold_creddit_escrow += months c.user._commit() comment_id = payment_blob.get("comment") comment = send_gift(c.user, recipient, months, days, signed, giftmessage, comment_id) if not c.user.employee: c.user.gold_creddit_escrow -= months c.user._commit() payment_blob["status"] = "processed" g.hardcache.set(blob_key, payment_blob, 86400 * 30) form.set_html(".status", _("the gold has been delivered!")) form.find("button").hide() if comment: gilding_message = make_comment_gold_message(comment, user_gilded=True) jquery.gild_comment(comment_id, gilding_message, comment.gildings) @textresponse(paypal_secret=VPrintable('secret', 50), payment_status=VPrintable('payment_status', 20), txn_id=VPrintable('txn_id', 20), paying_id=VPrintable('payer_id', 50), payer_email=VPrintable('payer_email', 250), mc_currency=VPrintable('mc_currency', 20), mc_gross=VFloat('mc_gross'), custom=VPrintable('custom', 50)) def POST_ipn(self, paypal_secret, payment_status, txn_id, paying_id, payer_email, mc_currency, mc_gross, custom): parameters = request.POST.copy() # Make sure it's really PayPal if paypal_secret != g.PAYPAL_SECRET: log_text("invalid IPN secret", "%s guessed the wrong IPN secret" % request.ip, "warning") raise ValueError # Return early if it's an IPN class we don't care about response, psl = check_payment_status(payment_status) if response: return response # Return early if it's a txn_type we don't care about response, subscription = check_txn_type(parameters['txn_type'], psl) if subscription is None: subscr_id = None elif subscription == "new": subscr_id = parameters['subscr_id'] elif subscription == "cancel": cancel_subscription(parameters['subscr_id']) else: raise ValueError("Weird subscription: %r" % subscription) if response: return response # Check for the debug flag, and if so, dump the IPN dict if g.cache.get("ipn-debug"): g.cache.delete("ipn-debug") dump_parameters(parameters) if mc_currency != 'USD': raise ValueError("Somehow got non-USD IPN %r" % mc_currency) if not (txn_id and paying_id and payer_email and mc_gross): dump_parameters(parameters) raise ValueError("Got incomplete IPN") pennies = int(mc_gross * 100) months, days = months_and_days_from_pennies(pennies) # Special case: autorenewal payment existing = existing_subscription(subscr_id, paying_id, custom) if existing: if existing != "deleted account": create_claimed_gold("P" + txn_id, payer_email, paying_id, pennies, days, None, existing._id, c.start_time, subscr_id) admintools.engolden(existing, days) g.log.info("Just applied IPN renewal for %s, %d days" % (existing.name, days)) return "Ok" # More sanity checks that all non-autorenewals should pass: if not custom: dump_parameters(parameters) raise ValueError("Got IPN with txn_id=%s and no custom" % txn_id) self.finish(parameters, "P" + txn_id, payer_email, paying_id, subscr_id, custom, pennies, months, days) def finish(self, parameters, txn_id, payer_email, paying_id, subscr_id, custom, pennies, months, days): blob_key, payment_blob = get_blob(custom) buyer_id = payment_blob.get('account_id', None) if not buyer_id: dump_parameters(parameters) raise ValueError("No buyer_id in IPN with custom='%s'" % custom) try: buyer = Account._byID(buyer_id) except NotFound: dump_parameters(parameters) raise ValueError("Invalid buyer_id %d in IPN with custom='%s'" % (buyer_id, custom)) if subscr_id: buyer.gold_subscr_id = subscr_id instagift = False if payment_blob['goldtype'] in ('autorenew', 'onetime'): admintools.engolden(buyer, days) subject = _("Eureka! Thank you for investing in reddit gold!") message = _("Thank you for buying reddit gold. Your patronage " "supports the site and makes future development " "possible. For example, one month of reddit gold " "pays for 5 instance hours of reddit's servers.") message += "\n\n" + strings.gold_benefits_msg if g.lounge_reddit: message += "\n* " + strings.lounge_msg elif payment_blob['goldtype'] == 'creddits': buyer._incr("gold_creddits", months) buyer._commit() subject = _("Eureka! Thank you for investing in reddit gold " "creddits!") message = _("Thank you for buying creddits. Your patronage " "supports the site and makes future development " "possible. To spend your creddits and spread reddit " "gold, visit [/gold](/gold) or your favorite " "person's user page.") message += "\n\n" + strings.gold_benefits_msg + "\n\n" message += _("Thank you again for your support, and have fun " "spreading gold!") elif payment_blob['goldtype'] == 'gift': recipient_name = payment_blob.get('recipient', None) try: recipient = Account._by_name(recipient_name) except NotFound: dump_parameters(parameters) raise ValueError( "Invalid recipient_name %s in IPN/GC with custom='%s'" % (recipient_name, custom)) signed = payment_blob.get("signed", False) giftmessage = _force_unicode(payment_blob.get("giftmessage", "")) comment_id = payment_blob.get("comment") send_gift(buyer, recipient, months, days, signed, giftmessage, comment_id) instagift = True subject = _("Thanks for giving the gift of reddit gold!") message = _("Your classy gift to %s has been delivered.\n\n" "Thank you for gifting reddit gold. Your patronage " "supports the site and makes future development " "possible.") % recipient.name message += "\n\n" + strings.gold_benefits_msg + "\n\n" message += _("Thank you again for your support, and have fun " "spreading gold!") else: dump_parameters(parameters) raise ValueError("Got status '%s' in IPN/GC" % payment_blob['status']) # Reuse the old "secret" column as a place to record the goldtype # and "custom", just in case we need to debug it later or something secret = payment_blob['goldtype'] + "-" + custom if instagift: status = "instagift" else: status = "processed" create_claimed_gold(txn_id, payer_email, paying_id, pennies, days, secret, buyer_id, c.start_time, subscr_id, status=status) message = append_random_bottlecap_phrase(message) send_system_message(buyer, subject, message, distinguished='gold-auto') payment_blob["status"] = "processed" g.hardcache.set(blob_key, payment_blob, 86400 * 30)
class StripeController(GoldPaymentController): name = 'stripe' webhook_secret = g.STRIPE_WEBHOOK_SECRET event_type_mappings = { 'charge.succeeded': 'succeeded', 'charge.failed': 'failed', 'charge.refunded': 'refunded', 'charge.dispute.created': 'noop', 'charge.dispute.updated': 'noop', 'charge.dispute.closed': 'noop', 'customer.created': 'noop', 'customer.card.created': 'noop', 'customer.card.deleted': 'noop', 'transfer.created': 'noop', 'transfer.paid': 'noop', 'balance.available': 'noop', 'invoice.created': 'noop', 'invoice.updated': 'noop', 'invoice.payment_succeeded': 'noop', 'invoice.payment_failed': 'failed_subscription', 'invoiceitem.deleted': 'noop', 'customer.subscription.created': 'noop', 'customer.deleted': 'noop', 'customer.updated': 'noop', 'customer.subscription.deleted': 'noop', 'customer.subscription.trial_will_end': 'noop', 'customer.subscription.updated': 'noop', 'dummy': 'noop', } @classmethod def process_response(cls): event_dict = json.loads(request.body) event = stripe.Event.construct_from(event_dict, g.STRIPE_SECRET_KEY) status = event.type if status == 'invoice.created': # sent 1 hr before a subscription is charged or immediately for # a new subscription invoice = event.data.object customer_id = invoice.customer account = account_from_stripe_customer_id(customer_id) # if the charge hasn't been attempted (meaning this is 1 hr before # the charge) check that the account can receive the gold if (not invoice.attempted and (not account or (account and account._banned))): # there's no associated account - delete the subscription # to cancel the charge g.log.error('no account for stripe invoice: %s', invoice) try: customer = stripe.Customer.retrieve(customer_id) customer.delete() except stripe.InvalidRequestError: pass elif status == 'invoice.payment_failed': invoice = event.data.object customer_id = invoice.customer buyer = account_from_stripe_customer_id(customer_id) webhook = Webhook(subscr_id=customer_id, buyer=buyer) return status, webhook event_type = cls.event_type_mappings.get(status) if not event_type: raise ValueError('Stripe: unrecognized status %s' % status) elif event_type == 'noop': return status, None charge = event.data.object description = charge.description invoice_id = charge.invoice transaction_id = 'S%s' % charge.id pennies = charge.amount months, days = months_and_days_from_pennies(pennies) if status == 'charge.failed' and invoice_id: # we'll get an additional failure notification event of # "invoice.payment_failed", don't double notify return 'dummy', None elif status == 'charge.failed' and not description: # create_customer can POST successfully but fail to create a # customer because the card is declined. This will trigger a # 'charge.failed' notification but without description so we can't # do anything with it return 'dummy', None elif invoice_id: # subscription charge - special handling customer_id = charge.customer buyer = account_from_stripe_customer_id(customer_id) if not buyer: charge_date = datetime.fromtimestamp(charge.created, tz=g.tz) # don't raise exception if charge date is within the past hour # db replication lag may cause the account lookup to fail if charge_date < timeago('1 hour'): raise ValueError('no buyer for charge: %s' % charge.id) else: abort(404, "not found") webhook = Webhook(transaction_id=transaction_id, subscr_id=customer_id, pennies=pennies, months=months, goldtype='autorenew', buyer=buyer) return status, webhook else: try: passthrough, buyer_name = description.split('-', 1) except (AttributeError, ValueError): g.log.error('stripe_error on charge: %s', charge) raise webhook = Webhook(passthrough=passthrough, transaction_id=transaction_id, pennies=pennies, months=months) return status, webhook @classmethod @handle_stripe_error def create_customer(cls, form, token): description = c.user.name customer = stripe.Customer.create(card=token, description=description) if (customer['active_card']['address_line1_check'] == 'fail' or customer['active_card']['address_zip_check'] == 'fail'): form.set_html('.status', _('error: address verification failed')) form.find('.stripe-submit').removeAttr('disabled').end() return None elif customer['active_card']['cvc_check'] == 'fail': form.set_html('.status', _('error: cvc check failed')) form.find('.stripe-submit').removeAttr('disabled').end() return None else: return customer @classmethod @handle_stripe_error def charge_customer(cls, form, customer, pennies, passthrough): charge = stripe.Charge.create(amount=pennies, currency="usd", customer=customer['id'], description='%s-%s' % (passthrough, c.user.name)) return charge @classmethod @handle_stripe_error def set_creditcard(cls, form, user, token): if not user.has_stripe_subscription: return customer = stripe.Customer.retrieve(user.gold_subscr_id) customer.card = token customer.save() return customer @classmethod @handle_stripe_error def set_subscription(cls, form, customer, plan_id): subscription = customer.update_subscription(plan=plan_id) return subscription @classmethod @handle_stripe_error def cancel_subscription(cls, form, user): if not user.has_stripe_subscription: return customer = stripe.Customer.retrieve(user.gold_subscr_id) customer.delete() user.gold_subscr_id = None user._commit() subject = _('your gold subscription has been cancelled') message = _('if you have any questions please email %(email)s') message %= {'email': g.goldthanks_email} send_system_message(user, subject, message) return customer @validatedForm(VUser(), token=nop('stripeToken'), passthrough=VPrintable("passthrough", max_length=50), pennies=VInt('pennies'), months=VInt("months"), period=VOneOf("period", ("monthly", "yearly"))) def POST_goldcharge(self, form, jquery, token, passthrough, pennies, months, period): """ Submit charge to stripe. Called by GoldPayment form. This submits the charge to stripe, and gold will be applied once we receive a webhook from stripe. """ try: payment_blob = validate_blob(passthrough) except GoldException as e: # This should never happen. All fields in the payment_blob # are validated on creation form.set_html('.status', _('something bad happened, try again later')) g.log.debug('POST_goldcharge: %s' % e.message) return if period: plan_id = (g.STRIPE_MONTHLY_GOLD_PLAN if period == 'monthly' else g.STRIPE_YEARLY_GOLD_PLAN) if c.user.has_gold_subscription: form.set_html( '.status', _('your account already has a gold subscription')) return else: plan_id = None penny_months, days = months_and_days_from_pennies(pennies) if not months or months != penny_months: form.set_html('.status', _('stop trying to trick the form')) return customer = self.create_customer(form, token) if not customer: return if period: subscription = self.set_subscription(form, customer, plan_id) if not subscription: return c.user.gold_subscr_id = customer.id c.user._commit() status = _('subscription created') subject = _('reddit gold subscription') body = _('Your subscription is being processed and reddit gold ' 'will be delivered shortly.') else: charge = self.charge_customer(form, customer, pennies, passthrough) if not charge: return status = _('payment submitted') subject = _('reddit gold payment') body = _('Your payment is being processed and reddit gold ' 'will be delivered shortly.') form.set_html('.status', status) body = append_random_bottlecap_phrase(body) send_system_message(c.user, subject, body, distinguished='gold-auto') @validatedForm(VUser(), VModhash(), token=nop('stripeToken')) def POST_modify_subscription(self, form, jquery, token): customer = self.set_creditcard(form, c.user, token) if not customer: return form.set_html('.status', _('your payment details have been updated')) @validatedForm(VUser(), VModhash(), user=VByName('user')) def POST_cancel_subscription(self, form, jquery, user): if user != c.user and not c.user_is_admin: self.abort403() customer = self.cancel_subscription(form, user) if not customer: return form.set_html(".status", _("your subscription has been cancelled"))
class APIv1GoldController(OAuth2ResourceController): handles_csrf = True def pre(self): OAuth2ResourceController.pre(self) if request.method != "OPTIONS": self.authenticate_with_token() self.set_up_user_context() self.run_sitewide_ratelimits() def try_pagecache(self): pass @staticmethod def on_validation_error(error): abort_with_error(error, error.code or 400) def _gift_using_creddits(self, recipient, months=1, thing_fullname=None, proxying_for=None): with creddits_lock(c.user): if not c.user.employee and c.user.gold_creddits < months: err = RedditError("INSUFFICIENT_CREDDITS") self.on_validation_error(err) note = None buyer = c.user if c.user.name.lower() in g.live_config["proxy_gilding_accounts"]: note = "proxy-%s" % c.user.name if proxying_for: try: buyer = Account._by_name(proxying_for) except NotFound: pass send_gift( buyer=buyer, recipient=recipient, months=months, days=months * 31, signed=False, giftmessage=None, thing_fullname=thing_fullname, note=note, ) if not c.user.employee: c.user.gold_creddits -= months c.user._commit() @require_oauth2_scope("creddits") @validate( VUser(), target=VByName("fullname"), ) @api_doc( api_section.gold, uri="/api/v1/gold/gild/{fullname}", ) def POST_gild(self, target): if not isinstance(target, (Comment, Link)): err = RedditError("NO_THING_ID") self.on_validation_error(err) self._gift_using_creddits( recipient=target.author_slow, thing_fullname=target._fullname, proxying_for=request.POST.get("proxying_for"), ) @require_oauth2_scope("creddits") @validate( VUser(), user=VAccountByName("username"), months=VInt("months", min=1, max=36), ) @api_doc( api_section.gold, uri="/api/v1/gold/give/{username}", ) def POST_give(self, user, months): self._gift_using_creddits( recipient=user, months=months, proxying_for=request.POST.get("proxying_for"), )
class ButtonApiController(ApiController): @validate( VUser(), VModhash(), seconds_remaining=VInt('seconds', min=0, max=60), previous_seconds=VInt('prev_seconds'), tick_time=nop('tick_time'), tick_mac=nop('tick_mac'), ) def POST_press_button(self, seconds_remaining, previous_seconds, tick_time, tick_mac): if not g.live_config['thebutton_is_active']: return if c.user._date > ACCOUNT_CREATION_CUTOFF: return user_has_pressed = ButtonPressByUser.has_pressed(c.user) if user_has_pressed and not c.user.employee: return if has_timer_expired(): # time has expired: no longer possible to press the button return has_started = has_timer_started() if not has_started: # the timer can only be started through reddit-shell return cheater = False if (seconds_remaining is None or previous_seconds is None or tick_time is None or tick_mac is None): # incomplete info from client, just let them press it anyways seconds_remaining = max(0, int(get_seconds_left())) elif not check_tick_mac(previous_seconds, tick_time, tick_mac): # can't trust the values sent by the client seconds_remaining = max(0, int(get_seconds_left())) cheater = True else: # client sent a valid mac so we can trust: # previous_seconds - the timer value at the last tick # tick_time - the datetime at the last tick # check to make sure tick_time wasn't too long ago then = str_to_datetime(tick_time) now = datetime.now(g.tz) if then and (now - then).total_seconds() > 60: # client sent an old (but potentially valid) mac, etc. seconds_remaining = max(0, int(get_seconds_left())) cheater = True # GOTCHA: the client actually sends the same value for # previous_seconds and seconds_remaining so make sure those match. # If the client sent down its own ticking down timer as # seconds_remaining we would want to compare to previous_seconds to # make sure they weren't too far apart if previous_seconds != seconds_remaining: seconds_remaining = max(0, int(get_seconds_left())) cheater = True press_button(c.user) g.stats.simple_event("thebutton.press") if cheater: g.stats.simple_event("thebutton.cheater") # don't flair on first press (the starter) if not has_started: return if user_has_pressed: # don't flair on multiple employee presses return if cheater: flair_css = "cheater" elif seconds_remaining > 51: flair_css = "press-6" elif seconds_remaining > 41: flair_css = "press-5" elif seconds_remaining > 31: flair_css = "press-4" elif seconds_remaining > 21: flair_css = "press-3" elif seconds_remaining > 11: flair_css = "press-2" else: flair_css = "press-1" flair_text = "%ss" % seconds_remaining setattr(c.user, 'flair_%s_text' % g.live_config["thebutton_srid"], flair_text) setattr(c.user, 'flair_%s_css_class' % g.live_config["thebutton_srid"], flair_css) c.user._commit()
class PromoteApiController(ApiController): @json_validate(sr=VSubmitSR('sr', promotion=True), location=VLocation(), start=VDate('startdate'), end=VDate('enddate')) def GET_check_inventory(self, responder, sr, location, start, end): sr = sr or Frontpage if not location or not location.country: available = inventory.get_available_pageviews(sr, start, end, datestr=True) else: available = inventory.get_available_pageviews_geotargeted( sr, location, start, end, datestr=True) return {'inventory': available} @validatedForm(VSponsorAdmin(), VModhash(), link=VLink("link_id36"), campaign=VPromoCampaign("campaign_id36")) def POST_freebie(self, form, jquery, link, campaign): if not link or not campaign or link._id != campaign.link_id: return abort(404, 'not found') if campaign_has_oversold_error(form, campaign): form.set_html(".freebie", "target oversold, can't freebie") return if promote.is_promo(link) and campaign: promote.free_campaign(link, campaign, c.user) form.redirect(promote.promo_edit_url(link)) @validatedForm(VSponsorAdmin(), VModhash(), link=VByName("link"), note=nop("note")) def POST_promote_note(self, form, jquery, link, note): if promote.is_promo(link): text = PromotionLog.add(link, note) form.find(".notes").children(":last").after("<p>" + websafe(text) + "</p>") @noresponse(VSponsorAdmin(), VModhash(), thing=VByName('id')) def POST_promote(self, thing): if promote.is_promo(thing): promote.accept_promotion(thing) @noresponse(VSponsorAdmin(), VModhash(), thing=VByName('id'), reason=nop("reason")) def POST_unpromote(self, thing, reason): if promote.is_promo(thing): promote.reject_promotion(thing, reason=reason) @validatedForm(VSponsorAdmin(), VModhash(), link=VLink('link'), campaign=VPromoCampaign('campaign')) def POST_refund_campaign(self, form, jquery, link, campaign): if not link or not campaign or link._id != campaign.link_id: return abort(404, 'not found') billable_impressions = promote.get_billable_impressions(campaign) billable_amount = promote.get_billable_amount(campaign, billable_impressions) refund_amount = promote.get_refund_amount(campaign, billable_amount) if refund_amount > 0: promote.refund_campaign(link, campaign, billable_amount, billable_impressions) form.set_html('.status', _('refund succeeded')) else: form.set_html('.status', _('refund not needed')) @validatedForm(VSponsor('link_id36'), VModhash(), VRatelimit(rate_user=True, rate_ip=True, prefix='create_promo_'), VShamedDomain('url'), username=VLength('username', 100, empty_error=None), l=VLink('link_id36'), title=VTitle('title'), url=VUrl('url', allow_self=False), selftext=VSelfText('text'), kind=VOneOf('kind', ['link', 'self']), ip=ValidIP(), disable_comments=VBoolean("disable_comments"), sendreplies=VBoolean("sendreplies"), media_width=VInt("media-width", min=0), media_height=VInt("media-height", min=0), media_embed=VLength("media-embed", 1000), media_override=VBoolean("media-override"), domain_override=VLength("domain", 100)) def POST_edit_promo(self, form, jquery, ip, username, l, title, url, selftext, kind, disable_comments, sendreplies, media_height, media_width, media_embed, media_override, domain_override): should_ratelimit = False if not c.user_is_sponsor: should_ratelimit = True if not should_ratelimit: c.errors.remove((errors.RATELIMIT, 'ratelimit')) # check for user override if not l and c.user_is_sponsor and username: try: user = Account._by_name(username) except NotFound: c.errors.add(errors.USER_DOESNT_EXIST, field="username") form.set_error(errors.USER_DOESNT_EXIST, "username") return if not user.email: c.errors.add(errors.NO_EMAIL_FOR_USER, field="username") form.set_error(errors.NO_EMAIL_FOR_USER, "username") return if not user.email_verified: c.errors.add(errors.NO_VERIFIED_EMAIL, field="username") form.set_error(errors.NO_VERIFIED_EMAIL, "username") return else: user = c.user # check for shame banned domains if form.has_errors("url", errors.DOMAIN_BANNED): g.stats.simple_event('spam.shame.link') return # demangle URL in canonical way if url: if isinstance(url, (unicode, str)): form.set_inputs(url=url) elif isinstance(url, tuple) or isinstance(url[0], Link): # there's already one or more links with this URL, but # we're allowing mutliple submissions, so we really just # want the URL url = url[0].url if kind == 'link': if form.has_errors('url', errors.NO_URL, errors.BAD_URL): return # users can change the disable_comments on promoted links if ((not l or not promote.is_promoted(l)) and (form.has_errors('title', errors.NO_TEXT, errors.TOO_LONG) or jquery.has_errors('ratelimit', errors.RATELIMIT))): return if not l: l = promote.new_promotion(title, url if kind == 'link' else 'self', selftext if kind == 'self' else '', user, ip) elif promote.is_promo(l): # changing link type is not allowed if ((l.is_self and kind == 'link') or (not l.is_self and kind == 'self')): c.errors.add(errors.NO_CHANGE_KIND, field="kind") form.set_error(errors.NO_CHANGE_KIND, "kind") return changed = False # live items can only be changed by a sponsor, and also # pay the cost of de-approving the link trusted = c.user_is_sponsor or c.user.trusted_sponsor if not promote.is_promoted(l) or trusted: if title and title != l.title: l.title = title changed = not trusted if kind == 'link' and url and url != l.url: l.url = url changed = not trusted # only trips if the title and url are changed by a non-sponsor if changed: promote.unapprove_promotion(l) # selftext can be changed at any time if kind == 'self': l.selftext = selftext # comment disabling and sendreplies is free to be changed any time. l.disable_comments = disable_comments l.sendreplies = sendreplies if c.user_is_sponsor or c.user.trusted_sponsor: if media_embed and media_width and media_height: l.media_object = dict(height=media_height, width=media_width, content=media_embed, type='custom') else: l.media_object = None l.media_override = media_override if getattr(l, "domain_override", False) or domain_override: l.domain_override = domain_override l._commit() form.redirect(promote.promo_edit_url(l)) @validatedForm(VSponsorAdmin(), VModhash(), dates=VDateRange(['startdate', 'enddate'], reference_date=promote.promo_datetime_now), sr=VSubmitSR('sr', promotion=True)) def POST_add_roadblock(self, form, jquery, dates, sr): if (form.has_errors('startdate', errors.BAD_DATE) or form.has_errors( 'enddate', errors.BAD_DATE, errors.BAD_DATE_RANGE)): return if form.has_errors('sr', errors.SUBREDDIT_NOEXIST, errors.SUBREDDIT_NOTALLOWED, errors.SUBREDDIT_REQUIRED): return if dates and sr: sd, ed = dates PromotedLinkRoadblock.add(sr, sd, ed) jquery.refresh() @validatedForm(VSponsorAdmin(), VModhash(), dates=VDateRange(['startdate', 'enddate'], reference_date=promote.promo_datetime_now), sr=VSubmitSR('sr', promotion=True)) def POST_rm_roadblock(self, form, jquery, dates, sr): if dates and sr: sd, ed = dates PromotedLinkRoadblock.remove(sr, sd, ed) jquery.refresh() @validatedForm(VSponsor('link_id36'), VModhash(), dates=VDateRange( ['startdate', 'enddate'], earliest=timedelta(days=g.min_promote_future), latest=timedelta(days=g.max_promote_future), reference_date=promote.promo_datetime_now, business_days=True, sponsor_override=True), link=VLink('link_id36'), bid=VFloat('bid', coerce=False), sr=VSubmitSR('sr', promotion=True), campaign_id36=nop("campaign_id36"), targeting=VLength("targeting", 10), priority=VPriority("priority"), location=VLocation()) def POST_edit_campaign(self, form, jquery, link, campaign_id36, dates, bid, sr, targeting, priority, location): if not link: return start, end = dates or (None, None) if location and sr and not c.user_is_sponsor: # only sponsors can geotarget on subreddits location = None if location and location.metro: cpm = g.cpm_selfserve_geotarget_metro.pennies elif location: cpm = g.cpm_selfserve_geotarget_country.pennies else: author = Account._byID(link.author_id, data=True) cpm = author.cpm_selfserve_pennies if (form.has_errors('startdate', errors.BAD_DATE, errors.DATE_TOO_EARLY, errors.DATE_TOO_LATE) or form.has_errors('enddate', errors.BAD_DATE, errors.DATE_TOO_EARLY, errors.DATE_TOO_LATE, errors.BAD_DATE_RANGE)): return # Limit the number of PromoCampaigns a Link can have # Note that the front end should prevent the user from getting # this far existing_campaigns = list(PromoCampaign._by_link(link._id)) if len(existing_campaigns) > g.MAX_CAMPAIGNS_PER_LINK: c.errors.add(errors.TOO_MANY_CAMPAIGNS, msg_params={'count': g.MAX_CAMPAIGNS_PER_LINK}, field='title') form.has_errors('title', errors.TOO_MANY_CAMPAIGNS) return campaign = None if campaign_id36: try: campaign = PromoCampaign._byID36(campaign_id36) except NotFound: pass if campaign and link._id != campaign.link_id: return abort(404, 'not found') if priority.cpm: min_bid = 0 if c.user_is_sponsor else g.min_promote_bid max_bid = None if c.user_is_sponsor else g.max_promote_bid if bid is None or bid < min_bid or (max_bid and bid > max_bid): c.errors.add(errors.BAD_BID, field='bid', msg_params={ 'min': min_bid, 'max': max_bid or g.max_promote_bid }) form.has_errors('bid', errors.BAD_BID) return # you cannot edit the bid of a live ad unless it's a freebie if (campaign and bid != campaign.bid and promote.is_live_promo(link, campaign) and not campaign.is_freebie()): c.errors.add(errors.BID_LIVE, field='bid') form.has_errors('bid', errors.BID_LIVE) return else: bid = 0. # Set bid to 0 as dummy value if targeting == 'one': if form.has_errors('sr', errors.SUBREDDIT_NOEXIST, errors.SUBREDDIT_NOTALLOWED, errors.SUBREDDIT_REQUIRED): # checking to get the error set in the form, but we can't # check for rate-limiting if there's no subreddit return roadblock = PromotedLinkRoadblock.is_roadblocked(sr, start, end) if roadblock and not c.user_is_sponsor: msg_params = { "start": roadblock[0].strftime('%m/%d/%Y'), "end": roadblock[1].strftime('%m/%d/%Y') } c.errors.add(errors.OVERSOLD, field='sr', msg_params=msg_params) form.has_errors('sr', errors.OVERSOLD) return elif targeting == 'none': sr = None # Check inventory campaign = campaign if campaign_id36 else None if not priority.inventory_override: oversold = has_oversold_error(form, campaign, start, end, bid, cpm, sr, location) if oversold: return if campaign: promote.edit_campaign(link, campaign, dates, bid, cpm, sr, priority, location) else: campaign = promote.new_campaign(link, dates, bid, cpm, sr, priority, location) rc = RenderableCampaign.from_campaigns(link, campaign) jquery.update_campaign(campaign._fullname, rc.render_html()) @validatedForm(VSponsor('link_id36'), VModhash(), l=VLink('link_id36'), campaign=VPromoCampaign("campaign_id36")) def POST_delete_campaign(self, form, jquery, l, campaign): if not campaign or not l or l._id != campaign.link_id: return abort(404, 'not found') promote.delete_campaign(l, campaign) @validatedForm(VSponsorAdmin(), VModhash(), link=VLink('link_id36'), campaign=VPromoCampaign("campaign_id36")) def POST_terminate_campaign(self, form, jquery, link, campaign): if not link or not campaign or link._id != campaign.link_id: return abort(404, 'not found') promote.terminate_campaign(link, campaign) rc = RenderableCampaign.from_campaigns(link, campaign) jquery.update_campaign(campaign._fullname, rc.render_html()) @validatedForm(VSponsor('link'), VModhash(), link=VByName("link"), campaign=VPromoCampaign("campaign"), customer_id=VInt("customer_id", min=0), pay_id=VInt("account", min=0), edit=VBoolean("edit"), address=ValidAddress([ "firstName", "lastName", "company", "address", "city", "state", "zip", "country", "phoneNumber" ]), creditcard=ValidCard( ["cardNumber", "expirationDate", "cardCode"])) def POST_update_pay(self, form, jquery, link, campaign, customer_id, pay_id, edit, address, creditcard): if not link or not campaign or link._id != campaign.link_id: return abort(404, 'not found') # Check inventory if campaign_has_oversold_error(form, campaign): return address_modified = not pay_id or edit form_has_errors = False if address_modified: if (form.has_errors([ "firstName", "lastName", "company", "address", "city", "state", "zip", "country", "phoneNumber" ], errors.BAD_ADDRESS) or form.has_errors( ["cardNumber", "expirationDate", "cardCode"], errors.BAD_CARD)): form_has_errors = True elif g.authorizenetapi: pay_id = edit_profile(c.user, address, creditcard, pay_id) else: pay_id = 1 # if link is in use or finished, don't make a change if pay_id and not form_has_errors: # valid bid and created or existing bid id. # check if already a transaction if g.authorizenetapi: success, reason = promote.auth_campaign( link, campaign, c.user, pay_id) else: success = True if success: form.redirect(promote.promo_edit_url(link)) else: form.set_html( ".status", reason or _("failed to authenticate card. sorry.")) @validate(VSponsor("link_name"), VModhash(), link=VByName('link_name'), file=VUploadLength('file', 500 * 1024), img_type=VImageType('img_type')) def POST_link_thumb(self, link=None, file=None, img_type='jpg'): if link and (not promote.is_promoted(link) or c.user_is_sponsor or c.user.trusted_sponsor): errors = dict(BAD_CSS_NAME="", IMAGE_ERROR="") try: # thumnails for promoted links can change and therefore expire force_thumbnail(link, file, file_type=".%s" % img_type) except cssfilter.BadImage: # if the image doesn't clean up nicely, abort errors["IMAGE_ERROR"] = _("bad image") if any(errors.values()): return UploadedImage("", "", "upload", errors=errors, form_id="image-upload").render() else: link._commit() return UploadedImage(_('saved'), thumbnail_url(link), "", errors=errors, form_id="image-upload").render()
class QrCodeController(RedditController): @validate( meetup=validators.VMeetup("codename"), ) def GET_portal(self, meetup): if meetup.state != "closed": if c.user_is_loggedin: content = pages.MeetupPortal(meetup=meetup) else: content = pages.LoggedOutMeetupPortal(meetup=meetup) else: content = pages.ClosedMeetupPortal(meetup=meetup) return pages.MeatspacePage(content=content, page_classes=["meatspace-portal"]).render() @validate( VUser(), meetup=validators.VMeetup("codename"), ) def GET_configure_badge(self, meetup): if meetup.state not in BADGE_STATES: return redirect_to("/meetup/%s" % str(meetup._id)) content = pages.ConversationStarterSelector(meetup, c.user) return pages.MeatspacePage(content=content).render() @validate( VUser(), meetup=validators.VMeetup("codename"), topic=validators.VConversationStarter("topic"), ) def GET_badge(self, meetup, topic): if meetup.state not in BADGE_STATES: return redirect_to("/meetup/%s" % str(meetup._id)) content = pages.QrCodeBadge(meetup, c.user, topic) return pages.MeatspaceBadgePage(content=content).render() @validate( VUser(), meetup=validators.VMeetup("codename"), ) def GET_mobile_badge(self, meetup): if meetup.state not in BADGE_STATES: return redirect_to("/meetup/%s" % str(meetup._id)) content = pages.MobileQrCodeBadge(meetup, c.user) return content.render() @validate( VUser(), meetup=validators.VMeetup("codename"), other=VExistingUname("user"), connected_with=VExistingUname("connected-with"), code=VInt("code"), ) def GET_connect(self, meetup, other, code, connected_with): if meetup.state not in CONNECT_STATES: self.abort404() content = pages.QrCodeForm( meetup=meetup, other=other, code=code, connected_with=connected_with, ) return pages.MeatspacePage(content=content).render() @validatedForm( VUser(), meetup=validators.VMeetup("codename"), other=VExistingUname("username"), code=VInt("code"), ) def POST_connect(self, form, jquery, meetup, other, code): if meetup.state not in CONNECT_STATES: self.abort403() jquery("body .connection-success").hide() if form.has_errors("username", errors.NO_USER, errors.USER_DOESNT_EXIST): return if c.user == other: c.errors.add(errors.MEETUP_NOT_WITH_SELF, field="username") form.set_error(errors.MEETUP_NOT_WITH_SELF, "username") return expected_code = utils.make_secret_code(meetup, other) if code != expected_code: g.log.warning("%r just tried an invalid code on %r", c.user.name, other.name) c.errors.add(errors.MEETUP_INVALID_CODE, field="code") form.set_error(errors.MEETUP_INVALID_CODE, "code") return models.MeetupConnections._connect(meetup, c.user, other) models.MeetupConnectionsByAccount._connect(meetup, c.user, other) g.stats.simple_event("meetup.connection") form.redirect("/meetup/%s/connect?connected-with=%s" % (meetup._id, other.name)) @validate( VUser(), meetup=validators.VMeetup("codename"), ) def GET_connections(self, meetup): all_connections = models.MeetupConnectionsByAccount._connections( meetup, c.user) connections = [a for a in all_connections if not a._deleted] content = pages.QrCodeConnections( meetup=meetup, connections=connections, ) return pages.MeatspacePage(content=content).render() @validate(meetup=validators.VMeetup("codename")) def GET_connect_shortlink(self, meetup, user, code): if meetup.state not in CONNECT_STATES: self.abort404() params = urllib.urlencode({ "user": user, "code": code, }) return redirect_to("/meetup/%s/connect?%s" % (str(meetup._id), params), _code=301)
class ModmailController(OAuth2OnlyController): def pre(self): # Set user_is_admin property on context, # normally set but this controller does not inherit # from RedditController super(ModmailController, self).pre() admin_usernames = [ name.lower() for name in g.live_config['modmail_admins'] ] c.user_is_admin = False if c.user_is_loggedin: c.user_is_admin = c.user.name.lower() in admin_usernames VNotInTimeout().run() def post(self): Session.remove() super(ModmailController, self).post() @require_oauth2_scope('modmail') @validate( srs=VSRByNames('entity', required=False), after=VModConversation('after', required=False), limit=VInt('limit', num_default=25), sort=VOneOf('sort', options=('recent', 'mod', 'user'), default='recent'), state=VOneOf('state', options=('new', 'inprogress', 'mod', 'notifications', 'archived', 'highlighted', 'all'), default='all'), ) def GET_conversations(self, srs, after, limit, sort, state): """Get conversations for logged in user or subreddits Querystring Params: entity -- name of the subreddit or a comma separated list of subreddit names (i.e. iama, pics etc) limit -- number of elements to retrieve (default: 25) after -- the id of the last item seen sort -- parameter on how to sort the results, choices: recent: max(last_user_update, last_mod_update) mod: last_mod_update user: last_user_update state -- this parameter lets users filter messages by state choices: new, inprogress, mod, notifications, archived, highlighted, all """ # Retrieve subreddits in question, if entities are passed # check if a user is a moderator for the passed entities. # If no entities are passed grab all subreddits the logged in # user moderates and has modmail permissions for modded_entities = {} modded_srs = c.user.moderated_subreddits('mail') modded_srs = {sr._fullname: sr for sr in modded_srs} if srs: for sr in srs.values(): if sr._fullname in modded_srs: modded_entities[sr._fullname] = sr else: return self.send_error(403, errors.BAD_SR_NAME, fields='entity') else: modded_entities = modded_srs if not modded_entities: return self.send_error(404, errors.SR_NOT_FOUND, fields='entity') # Retrieve conversations for given entities conversations = ModmailConversation.get_mod_conversations( modded_entities.values(), viewer=c.user, limit=limit, after=after, sort=sort, state=state) conversation_ids = [] conversations_dict = {} messages_dict = {} author_ids = [] # Extract author ids to query for all accounts at once for conversation in conversations: author_ids.extend(conversation.author_ids) author_ids.extend(conversation.mod_action_account_ids) # Query for associated account object of authors and serialize the # conversation in the correct context authors = self._try_get_byID(author_ids, Account, ignore_missing=True) for conversation in conversations: conversation_ids.append(conversation.id36) conversations_dict[ conversation.id36] = conversation.to_serializable( authors, modded_entities[conversation.owner_fullname], ) latest_message = conversation.messages[0] messages_dict[ latest_message.id36] = latest_message.to_serializable( modded_entities[conversation.owner_fullname], authors[latest_message.author_id], c.user, ) return simplejson.dumps({ 'viewerId': c.user._fullname, 'conversationIds': conversation_ids, 'conversations': conversations_dict, 'messages': messages_dict, }) @require_oauth2_scope('modmail') @validate( entity=VSRByName('srName'), subject=VLength('subject', max_length=100), body=VMarkdownLength('body'), is_author_hidden=VBoolean('isAuthorHidden', default=False), to=VModConvoRecipient('to', required=False), ) def POST_conversations(self, entity, subject, body, is_author_hidden, to): """Creates a new conversation for a particular SR This endpoint will create a ModmailConversation object as well as the first ModmailMessage within the ModmailConversation object. POST Params: srName -- the human readable name of the subreddit subject -- the subject of the first message in the conversation body -- the body of the first message in the conversation isAuthorHidden -- boolean on whether the mod name should be hidden (only mods can use this flag) to -- name of the user that a mod wants to create a convo with (only mods can use this flag) """ self._feature_enabled_check(entity) # make sure the user is not muted when creating a new conversation if entity.is_muted(c.user) and not c.user_is_admin: return self.send_error(400, errors.USER_MUTED) # validate post params if (errors.USER_BLOCKED, to) in c.errors: return self.send_error(400, errors.USER_BLOCKED, fields='to') elif (errors.USER_DOESNT_EXIST, to) in c.errors: return self.send_error(404, errors.USER_DOESNT_EXIST, fields='to') if to and not isinstance(to, Account): return self.send_error( 422, errors.NO_SR_TO_SR_MESSAGE, fields='to', ) # only mods can set a 'to' parameter if (not entity.is_moderator_with_perms(c.user, 'mail') and to): return self.send_error(403, errors.MOD_REQUIRED, fields='to') if to and entity.is_muted(to): return self.send_error( 400, errors.MUTED_FROM_SUBREDDIT, fields='to', ) try: conversation = ModmailConversation( entity, c.user, subject, body, is_author_hidden=is_author_hidden, to=to, ) except MustBeAModError: return self.send_error(403, errors.MOD_REQUIRED, fields='isAuthorHidden') except Exception as e: g.log.error('Failed to save conversation: {}'.format(e)) return self.send_error(500, errors.CONVERSATION_NOT_SAVED) # Create copy of the message in the legacy messaging system as well if to: message, inbox_rel = Message._new( c.user, to, subject, body, request.ip, sr=entity, from_sr=is_author_hidden, create_modmail=False, ) else: message, inbox_rel = Message._new( c.user, entity, subject, body, request.ip, create_modmail=False, ) queries.new_message(message, inbox_rel) conversation.set_legacy_first_message_id(message._id) # Get author associated account object for serialization # of the newly created conversation object authors = self._try_get_byID(conversation.author_ids, Account, ignore_missing=True) response.status_code = 201 serializable_convo = conversation.to_serializable(authors, entity, all_messages=True, current_user=c.user) messages = serializable_convo.pop('messages') mod_actions = serializable_convo.pop('modActions') g.events.new_modmail_event( 'ss.send_modmail_message', conversation, message=conversation.messages[0], msg_author=c.user, sr=entity, request=request, context=c, ) return simplejson.dumps({ 'conversation': serializable_convo, 'messages': messages, 'modActions': mod_actions, }) @require_oauth2_scope('modmail') @validate( conversation=VModConversation('conversation_id'), mark_read=VBoolean('markRead', default=False), ) def GET_mod_messages(self, conversation, mark_read): """Returns all messages for a given conversation id Url Params: conversation_id -- this is the id of the conversation you would like to grab messages for Querystring Param: markRead -- if passed the conversation will be marked read when the conversation is returned """ self._validate_vmodconversation() sr = self._try_get_subreddit_access(conversation, admin_override=True) authors = self._try_get_byID(list( set(conversation.author_ids) | set(conversation.mod_action_account_ids)), Account, ignore_missing=True) serializable_convo = conversation.to_serializable(authors, sr, all_messages=True, current_user=c.user) messages = serializable_convo.pop('messages') mod_actions = serializable_convo.pop('modActions') # Get participant user info for conversation try: userinfo = self._get_modmail_userinfo(conversation, sr=sr) except ValueError: userinfo = {} except NotFound: return self.send_error(404, errors.USER_DOESNT_EXIST) if mark_read: conversation.mark_read(c.user) g.events.new_modmail_event( 'ss.modmail_mark_thread', conversation, mark_type='read', request=request, context=c, ) return simplejson.dumps({ 'conversation': serializable_convo, 'messages': messages, 'modActions': mod_actions, 'user': userinfo, }) @require_oauth2_scope('modmail') def GET_modmail_enabled_srs(self): # sr_name, sr_icon, subsriber_count, most_recent_action modded_srs = c.user.moderated_subreddits('mail') enabled_srs = [ modded_sr for modded_sr in modded_srs if feature.is_enabled('new_modmail', subreddit=modded_sr.name) ] recent_convos = ModmailConversation.get_recent_convo_by_sr(enabled_srs) results = {} for sr in enabled_srs: results.update({ sr._fullname: { 'id': sr._fullname, 'name': sr.name, 'icon': sr.icon_img, 'subscribers': sr._ups, 'lastUpdated': recent_convos.get(sr._fullname), } }) return simplejson.dumps({'subreddits': results}) @require_oauth2_scope('modmail') @validate( conversation=VModConversation('conversation_id'), msg_body=VMarkdownLength('body'), is_author_hidden=VBoolean('isAuthorHidden', default=False), is_internal=VBoolean('isInternal', default=False), ) def POST_mod_messages(self, conversation, msg_body, is_author_hidden, is_internal): """Creates a new message for a particular ModmailConversation URL Params: conversation_id -- id of the conversation to post a new message to POST Params: body -- this is the message body isAuthorHidden -- boolean on whether to hide author, i.e. respond as the subreddit isInternal -- boolean to signify a moderator only message """ self._validate_vmodconversation() sr = Subreddit._by_fullname(conversation.owner_fullname) self._feature_enabled_check(sr) # make sure the user is not muted before posting a message if sr.is_muted(c.user): return self.send_error(400, errors.USER_MUTED) if conversation.is_internal and not is_internal: is_internal = True is_mod = sr.is_moderator(c.user) if not is_mod and is_author_hidden: return self.send_error( 403, errors.MOD_REQUIRED, fields='isAuthorHidden', ) elif not is_mod and is_internal: return self.send_error( 403, errors.MOD_REQUIRED, fields='isInternal', ) try: if not conversation.is_internal and not conversation.is_auto: participant = conversation.get_participant_account() if participant and sr.is_muted(participant): return self.send_error( 400, errors.MUTED_FROM_SUBREDDIT, ) except NotFound: pass try: new_message = conversation.add_message( c.user, msg_body, is_author_hidden=is_author_hidden, is_internal=is_internal, ) except: return self.send_error(500, errors.MODMAIL_MESSAGE_NOT_SAVED) # Add the message to the legacy messaging system as well (unless it's # an internal message on a non-internal conversation, since we have no # way to hide specific messages from the external participant) legacy_incompatible = is_internal and not conversation.is_internal if (conversation.legacy_first_message_id and not legacy_incompatible): first_message = Message._byID(conversation.legacy_first_message_id) subject = conversation.subject if not subject.startswith('re: '): subject = 're: ' + subject # Retrieve the participant to decide whether to send the message # to the sr or to the participant. If the currently logged in user # is the same as the participant then address the message to the # sr. recipient = sr if not is_internal: try: participant = ( ModmailConversationParticipant.get_participant( conversation.id)) is_participant = ( (c.user._id == participant.account_id) and not sr.is_moderator_with_perms(c.user, 'mail')) if not is_participant: recipient = Account._byID(participant.account_id) except NotFound: pass message, inbox_rel = Message._new( c.user, recipient, subject, msg_body, request.ip, parent=first_message, from_sr=is_author_hidden, create_modmail=False, ) queries.new_message(message, inbox_rel) serializable_convo = conversation.to_serializable( entity=sr, all_messages=True, current_user=c.user, ) messages = serializable_convo.pop('messages') g.events.new_modmail_event( 'ss.send_modmail_message', conversation, message=new_message, msg_author=c.user, sr=sr, request=request, context=c, ) response.status_code = 201 return simplejson.dumps({ 'conversation': serializable_convo, 'messages': messages, }) @require_oauth2_scope('modmail') @validate(conversation=VModConversation('conversation_id')) def POST_highlight(self, conversation): """Marks a conversation as highlighted.""" self._validate_vmodconversation() self._try_get_subreddit_access(conversation) conversation.add_action(c.user, 'highlighted') conversation.add_highlight() # Retrieve updated conversation to be returned updated_convo = self._get_updated_convo(conversation.id, c.user) g.events.new_modmail_event( 'ss.modmail_mark_thread', conversation, mark_type='highlight', request=request, context=c, ) return simplejson.dumps(updated_convo) @require_oauth2_scope('modmail') @validate(conversation=VModConversation('conversation_id')) def DELETE_highlight(self, conversation): """Removes a highlight from a conversation.""" self._validate_vmodconversation() self._try_get_subreddit_access(conversation) conversation.add_action(c.user, 'unhighlighted') conversation.remove_highlight() # Retrieve updated conversation to be returned updated_convo = self._get_updated_convo(conversation.id, c.user) g.events.new_modmail_event( 'ss.modmail_mark_thread', conversation, mark_type='unhighlight', request=request, context=c, ) return simplejson.dumps(updated_convo) @require_oauth2_scope('modmail') @validate(ids=VList('conversationIds')) def POST_unread(self, ids): """Marks conversations as unread for the user. Expects a list of conversation IDs. """ if not ids: return self.send_error(400, 'Must pass an id or list of ids.') try: ids = [int(id, base=36) for id in ids] except: return self.send_error(422, 'Must pass base 36 ids.') try: convos = self._get_conversation_access(ids) except ValueError: return self.send_error( 403, errors.INVALID_CONVERSATION_ID, fields='conversationIds', ) ModmailConversationUnreadState.mark_unread( c.user, [convo.id for convo in convos]) @require_oauth2_scope('modmail') @validate(ids=VList('conversationIds')) def POST_read(self, ids): """Marks a conversations as read for the user. Expects a list of conversation IDs. """ if not ids: return self.send_error(400, 'Must pass an id or list of ids.') try: ids = [int(id, base=36) for id in ids] except: return self.send_error(422, 'Must pass base 36 ids.') try: convos = self._get_conversation_access(ids) except ValueError: return self.send_error( 403, errors.INVALID_CONVERSATION_ID, fields='conversationIds', ) response.status_code = 204 ModmailConversationUnreadState.mark_read( c.user, [convo.id for convo in convos]) @require_oauth2_scope('modmail') @validate( ids=VList('conversationIds'), archive=VBoolean('archive', default=True), ) def POST_archive_status(self, ids, archive): try: convos = self._get_conversation_access( [int(id, base=36) for id in ids]) except ValueError: return self.send_error( 403, errors.INVALID_CONVERSATION_ID, fields='conversationIds', ) convo_ids = [] for convo in convos: if convo.is_internal: return self.send_error( 422, errors.CONVERSATION_NOT_ARCHIVABLE, fields='conversationIds', ) convo_ids.append(convo.id) if not archive: ModmailConversation.set_states( convo_ids, ModmailConversation.STATE['inprogress']) else: ModmailConversation.set_states( convo_ids, ModmailConversation.STATE['archived']) response.status_code = 204 @require_oauth2_scope('modmail') @validate(conversation=VModConversation('conversation_id')) def POST_archive(self, conversation): self._validate_vmodconversation() sr = Subreddit._by_fullname(conversation.owner_fullname) self._feature_enabled_check(sr) if sr.is_moderator_with_perms(c.user, 'mail'): if conversation.state == ModmailConversation.STATE['archived']: response.status_code = 204 return if conversation.is_internal: return self.send_error( 422, errors.CONVERSATION_NOT_ARCHIVABLE, ) conversation.add_action(c.user, 'archived') conversation.set_state('archived') updated_convo = self._get_updated_convo(conversation.id, c.user) g.events.new_modmail_event( 'ss.modmail_mark_thread', conversation, mark_type='archive', request=request, context=c, ) return simplejson.dumps(updated_convo) else: return self.send_error(403, errors.INVALID_MOD_PERMISSIONS) @require_oauth2_scope('modmail') @validate(conversation=VModConversation('conversation_id')) def POST_unarchive(self, conversation): self._validate_vmodconversation() sr = Subreddit._by_fullname(conversation.owner_fullname) self._feature_enabled_check(sr) if sr.is_moderator_with_perms(c.user, 'mail'): if conversation.state != ModmailConversation.STATE['archived']: response.status_code = 204 return if conversation.is_internal: return self.send_error( 422, errors.CONVERSATION_NOT_ARCHIVABLE, ) conversation.add_action(c.user, 'unarchived') conversation.set_state('inprogress') updated_convo = self._get_updated_convo(conversation.id, c.user) g.events.new_modmail_event( 'ss.modmail_mark_thread', conversation, mark_type='unarchive', request=request, context=c, ) return simplejson.dumps(updated_convo) else: return self.send_error(403, errors.INVALID_MOD_PERMISSIONS) @require_oauth2_scope('modmail') def GET_unread_convo_count(self): """Endpoint to retrieve the unread conversation count by category""" convo_counts = ModmailConversation.unread_convo_count(c.user) return simplejson.dumps(convo_counts) @require_oauth2_scope('modmail') @validate(conversation=VModConversation('conversation_id')) def GET_modmail_userinfo(self, conversation): # validate that the currently logged in user is a mod # of the subreddit associated with the conversation self._try_get_subreddit_access(conversation, admin_override=True) try: userinfo = self._get_modmail_userinfo(conversation) except (ValueError, NotFound): return self.send_error(404, errors.USER_DOESNT_EXIST) return simplejson.dumps(userinfo) @require_oauth2_scope('identity') @validate(conversation=VModConversation('conversation_id')) def POST_mute_participant(self, conversation): if conversation.is_internal or conversation.is_auto: return self.send_error(400, errors.CANT_RESTRICT_MODERATOR) sr = Subreddit._by_fullname(conversation.owner_fullname) try: participant = conversation.get_participant_account() except NotFound: return self.send_error(404, errors.USER_DOESNT_EXIST) if not sr.can_mute(c.user, participant): return self.send_error(400, errors.CANT_RESTRICT_MODERATOR) if not c.user_is_admin: if not sr.is_moderator_with_perms(c.user, 'access', 'mail'): return self.send_error(403, errors.INVALID_MOD_PERMISSIONS) if sr.use_quotas: sr_ratelimit = SimpleRateLimit( name="sr_muted_%s" % sr._id36, seconds=g.sr_quota_time, limit=g.sr_muted_quota, ) if not sr_ratelimit.record_and_check(): return self.send_error(403, errors.SUBREDDIT_RATELIMIT) # Add the mute record but only if successful create the # appropriate notifications, this prevents duplicate # notifications from being sent added = sr.add_muted(participant) if not added: return simplejson.dumps( self._convo_to_serializable(conversation, all_messages=True)) MutedAccountsBySubreddit.mute(sr, participant, c.user) permalink = conversation.make_permalink() # Create the appropriate objects to be displayed on the # mute moderation log, use the permalink to the new modmail # system ModAction.create(sr, c.user, 'muteuser', target=participant, description=permalink) sr.add_rel_note('muted', participant, permalink) # Add the muted mod action to the conversation conversation.add_action(c.user, 'muted', commit=True) result = self._get_updated_convo(conversation.id, c.user) result['user'] = self._get_modmail_userinfo(conversation, sr=sr) return simplejson.dumps(result) @require_oauth2_scope('identity') @validate(conversation=VModConversation('conversation_id')) def POST_unmute_participant(self, conversation): if conversation.is_internal or conversation.is_auto: return self.send_error(400, errors.CANT_RESTRICT_MODERATOR) sr = Subreddit._by_fullname(conversation.owner_fullname) try: participant = conversation.get_participant_account() except NotFound: abort(404, errors.USER_DOESNT_EXIST) if not c.user_is_admin: if not sr.is_moderator_with_perms(c.user, 'access', 'mail'): return self.send_error(403, errors.INVALID_MOD_PERMISSIONS) removed = sr.remove_muted(participant) if not removed: return simplejson.dumps( self._convo_to_serializable(conversation, all_messages=True)) MutedAccountsBySubreddit.unmute(sr, participant) ModAction.create(sr, c.user, 'unmuteuser', target=participant) conversation.add_action(c.user, 'unmuted', commit=True) result = self._get_updated_convo(conversation.id, c.user) result['user'] = self._get_modmail_userinfo(conversation, sr=sr) return simplejson.dumps(result) def _get_modmail_userinfo(self, conversation, sr=None): if conversation.is_internal: raise ValueError('Cannot get userinfo for internal conversations') if not sr: sr = Subreddit._by_fullname(conversation.owner_fullname) # Retrieve the participant associated with the conversation try: account = conversation.get_participant_account() if not account: raise ValueError('No account associated with convo') permatimeout = (account.in_timeout and account.days_remaining_in_timeout == 0) if account._deleted or permatimeout: raise ValueError('User info is inaccessible') except NotFound: raise NotFound('Unable to retrieve conversation participant') # Fetch the mute and ban status of the participant as it relates # to the subreddit associated with the conversation. mute_status = sr.is_muted(account) ban_status = sr.is_banned(account) # Parse the ban status and retrieve the length of the ban, # then output the data into a serialiazable dict ban_result = { 'isBanned': bool(ban_status), 'reason': '', 'endDate': None, 'isPermanent': False } if ban_status: ban_result['reason'] = getattr(ban_status, 'note', '') ban_duration = sr.get_tempbans('banned', account.name) ban_duration = ban_duration.get(account.name) if ban_duration: ban_result['endDate'] = ban_duration.isoformat() else: ban_result['isPermanent'] = True ban_result['endDate'] = None # Parse the mute status and retrieve the length of the ban, # then output the data into the serialiazable dict mute_result = { 'isMuted': bool(mute_status), 'endDate': None, 'reason': '' } if mute_status: mute_result['reason'] = getattr(mute_status, 'note', '') muted_items = sr.get_muted_items(account.name) mute_duration = muted_items.get(account.name) if mute_duration: mute_result['endDate'] = mute_duration.isoformat() # Retrieve the participants post and comment fullnames from cache post_fullnames = [] comment_fullnames = [] if not account._spam: post_fullnames = list(queries.get_submitted(account, 'new', 'all'))[:100] comment_fullnames = list( queries.get_comments(account, 'new', 'all'))[:100] # Retrieve the associated link objects for posts and comments # using the retrieve fullnames, afer the link objects are retrieved # create a serializable dict with the the necessary information from # the endpoint. lookup_fullnames = list(set(post_fullnames) | set(comment_fullnames)) posts = Thing._by_fullname(lookup_fullnames) serializable_posts = {} for fullname in post_fullnames: if len(serializable_posts) == 3: break post = posts[fullname] if post.sr_id == sr._id and not post._deleted: serializable_posts[fullname] = { 'title': post.title, 'permalink': post.make_permalink(sr, force_domain=True), 'date': post._date.isoformat(), } # Extract the users most recent comments associated with the # subreddit sr_comments = [] for fullname in comment_fullnames: if len(sr_comments) == 3: break comment = posts[fullname] if comment.sr_id == sr._id and not comment._deleted: sr_comments.append(comment) # Retrieve all associated link objects (combines lookup) comment_links = Link._byID( [sr_comment.link_id for sr_comment in sr_comments]) # Serialize all of the user's sr comments serializable_comments = {} for sr_comment in sr_comments: comment_link = comment_links[sr_comment.link_id] comment_body = sr_comment.body if len(comment_body) > 140: comment_body = '{:.140}...'.format(comment_body) serializable_comments[sr_comment._fullname] = { 'title': comment_link.title, 'comment': comment_body, 'permalink': sr_comment.make_permalink(comment_link, sr, force_domain=True), 'date': sr_comment._date.isoformat(), } return { 'id': account._fullname, 'name': account.name, 'created': account._date.isoformat(), 'banStatus': ban_result, 'isShadowBanned': account._spam, 'muteStatus': mute_result, 'recentComments': serializable_comments, 'recentPosts': serializable_posts, } def _get_updated_convo(self, convo_id, user): # Retrieve updated conversation to be returned updated_convo = ModmailConversation._byID(convo_id, current_user=user) return self._convo_to_serializable(updated_convo, all_messages=True) def _convo_to_serializable(self, conversation, all_messages=False): serialized_convo = conversation.to_serializable( all_messages=all_messages, current_user=c.user) messages = serialized_convo.pop('messages') mod_actions = serialized_convo.pop('modActions') return { 'conversations': serialized_convo, 'messages': messages, 'modActions': mod_actions, } def _validate_vmodconversation(self): if (errors.CONVERSATION_NOT_FOUND, 'conversation_id') in c.errors: return self.send_error(404, errors.CONVERSATION_NOT_FOUND) def _get_conversation_access(self, ids): validated_convos = [] conversations = ModmailConversation._byID(ids) # fetch all srs that a user has modmail permissions to # transform sr to be a dict with a key being the sr fullname # and the value being the sr object itself modded_srs = c.user.moderated_subreddits('mail') sr_by_fullname = { sr._fullname: sr for sr in modded_srs if feature.is_enabled('new_modmail', subreddit=sr.name) } for conversation in tup(conversations): if sr_by_fullname.get(conversation.owner_fullname): validated_convos.append(conversation) else: raise ValueError('Invalid conversation id(s).') return validated_convos def _try_get_byID(self, ids, thing_class, return_dict=True, ignore_missing=False): """Helper method to lookup objects by id for a given model or return a 404 if not found""" try: return thing_class._byID(ids, return_dict=return_dict, ignore_missing=ignore_missing) except NotFound: return self.send_error(404, errors.THING_NOT_FOUND, explanation='{} not found'.format( thing_class.__name__)) except: return self.send_error(422, 'Invalid request') def _try_get_subreddit_access(self, conversation, admin_override=False): sr = Subreddit._by_fullname(conversation.owner_fullname) self._feature_enabled_check(sr) if (not sr.is_moderator_with_perms(c.user, 'mail') and not (admin_override and c.user_is_admin)): return self.send_error( 403, errors.SUBREDDIT_NO_ACCESS, ) return sr def _feature_enabled_check(self, sr): if not feature.is_enabled('new_modmail', subreddit=sr.name): return self.send_error(403, errors.SR_FEATURE_NOT_ENABLED) def send_error(self, code, error, fields=None, explanation=None): abort( reddit_http_error( code=code or error.code, error_name=error, explanation=explanation, fields=tup(fields), ))
class WebLogController(RedditController): on_validation_error = staticmethod(abort_with_error) @csrf_exempt @validate( VRatelimit(rate_user=False, rate_ip=True, prefix='rate_weblog_'), level=VOneOf('level', ('error', )), logs=VValidatedJSON( 'logs', VValidatedJSON.ArrayOf( VValidatedJSON.PartialObject({ 'msg': VPrintable('msg', max_length=256), 'url': VPrintable('url', max_length=256), 'tag': VPrintable('tag', max_length=32), }))), ) def POST_message(self, level, logs): # Whitelist tags to keep the frontend from creating too many keys in statsd valid_frontend_log_tags = { 'unknown', 'jquery-migrate-bad-html', } # prevent simple CSRF by requiring a custom header if not request.headers.get('X-Loggit'): abort(403) uid = c.user._id if c.user_is_loggedin else '-' # only accept a maximum of 3 entries per request for log in logs[:3]: if 'msg' not in log or 'url' not in log: continue tag = 'unknown' if log.get('tag') in valid_frontend_log_tags: tag = log['tag'] g.stats.simple_event('frontend.error.' + tag) g.log.warning('[web frontend] %s: %s | U: %s FP: %s UA: %s', level, log['msg'], uid, log['url'], request.user_agent) VRatelimit.ratelimit(rate_user=False, rate_ip=True, prefix="rate_weblog_", seconds=10) def OPTIONS_report_cache_poisoning(self): """Send CORS headers for cache poisoning reports.""" if "Origin" not in request.headers: return origin = request.headers["Origin"] parsed_origin = UrlParser(origin) if not is_subdomain(parsed_origin.hostname, g.domain): return response.headers["Access-Control-Allow-Origin"] = origin response.headers["Access-Control-Allow-Methods"] = "POST" response.headers["Access-Control-Allow-Headers"] = \ "Authorization, X-Loggit, " response.headers["Access-Control-Allow-Credentials"] = "false" response.headers['Access-Control-Expose-Headers'] = \ self.COMMON_REDDIT_HEADERS @csrf_exempt @validate( VRatelimit(rate_user=False, rate_ip=True, prefix='rate_poison_'), report_mac=VPrintable('report_mac', 255), poisoner_name=VPrintable('poisoner_name', 255), poisoner_id=VInt('poisoner_id'), poisoner_canary=VPrintable('poisoner_canary', 2, min_length=2), victim_canary=VPrintable('victim_canary', 2, min_length=2), render_time=VInt('render_time'), route_name=VPrintable('route_name', 255), url=VPrintable('url', 2048), # To differentiate between web and mweb in the future source=VOneOf('source', ('web', 'mweb')), cache_policy=VOneOf( 'cache_policy', ('loggedin_www', 'loggedin_www_new', 'loggedin_mweb')), # JSON-encoded response headers from when our script re-requested # the poisoned page resp_headers=nop('resp_headers'), ) def POST_report_cache_poisoning( self, report_mac, poisoner_name, poisoner_id, poisoner_canary, victim_canary, render_time, route_name, url, source, cache_policy, resp_headers, ): """Report an instance of cache poisoning and its details""" self.OPTIONS_report_cache_poisoning() if c.errors: abort(400) # prevent simple CSRF by requiring a custom header if not request.headers.get('X-Loggit'): abort(403) # Eh? Why are you reporting this if the canaries are the same? if poisoner_canary == victim_canary: abort(400) expected_mac = make_poisoning_report_mac( poisoner_canary=poisoner_canary, poisoner_name=poisoner_name, poisoner_id=poisoner_id, cache_policy=cache_policy, source=source, route_name=route_name, ) if not constant_time_compare(report_mac, expected_mac): abort(403) if resp_headers: try: resp_headers = json.loads(resp_headers) # Verify this is a JSON map of `header_name => [value, ...]` if not isinstance(resp_headers, dict): abort(400) for hdr_name, hdr_vals in resp_headers.iteritems(): if not isinstance(hdr_name, basestring): abort(400) if not all(isinstance(h, basestring) for h in hdr_vals): abort(400) except ValueError: abort(400) if not resp_headers: resp_headers = {} poison_info = dict( poisoner_name=poisoner_name, poisoner_id=str(poisoner_id), # Convert the JS timestamp to a standard one render_time=render_time * 1000, route_name=route_name, url=url, source=source, cache_policy=cache_policy, resp_headers=resp_headers, ) # For immediate feedback when tracking the effects of caching changes g.stats.simple_event("cache.poisoning.%s.%s" % (source, cache_policy)) # For longer-term diagnosing of caching issues g.events.cache_poisoning_event(poison_info, request=request, context=c) VRatelimit.ratelimit(rate_ip=True, prefix="rate_poison_", seconds=10) return self.api_wrapper({})
class IpnController(RedditController): # Used when buying gold with creddits @validatedForm(VUser(), months = VInt("months"), passthrough = VPrintable("passthrough", max_length=50)) def POST_spendcreddits(self, form, jquery, months, passthrough): if months is None or months < 1: form.set_html(".status", _("nice try.")) return days = months * 31 if not passthrough: raise ValueError("/spendcreddits got no passthrough?") blob_key, payment_blob = get_blob(passthrough) if payment_blob["goldtype"] != "gift": raise ValueError("/spendcreddits payment_blob %s has goldtype %s" % (passthrough, payment_blob["goldtype"])) signed = payment_blob["signed"] giftmessage = _force_unicode(payment_blob["giftmessage"]) recipient_name = payment_blob["recipient"] if payment_blob["account_id"] != c.user._id: fmt = ("/spendcreddits payment_blob %s has userid %d " + "but c.user._id is %d") raise ValueError(fmt % passthrough, payment_blob["account_id"], c.user._id) try: recipient = Account._by_name(recipient_name) except NotFound: raise ValueError("Invalid username %s in spendcreddits, buyer = %s" % (recipient_name, c.user.name)) if recipient._deleted: form.set_html(".status", _("that user has deleted their account")) return if not c.user_is_admin: if months > c.user.gold_creddits: raise ValueError("%s is trying to sneak around the creddit check" % c.user.name) c.user.gold_creddits -= months c.user.gold_creddit_escrow += months c.user._commit() comment_id = payment_blob.get("comment") comment = send_gift(c.user, recipient, months, days, signed, giftmessage, comment_id) if not c.user_is_admin: c.user.gold_creddit_escrow -= months c.user._commit() payment_blob["status"] = "processed" g.hardcache.set(blob_key, payment_blob, 86400 * 30) form.set_html(".status", _("the gold has been delivered!")) form.find("button").hide() if comment: gilding_message = make_comment_gold_message(comment, user_gilded=True) jquery.gild_comment(comment_id, gilding_message, comment.gildings) @textresponse(full_sn = VLength('serial-number', 100)) def POST_gcheckout(self, full_sn): if full_sn: short_sn = full_sn.split('-')[0] g.log.error( "GOOGLE CHECKOUT: %s" % short_sn) trans = _google_ordernum_request(short_sn) # get the financial details auth = trans.find("authorization-amount-notification") custom = None cart = trans.find("shopping-cart") if cart: private_item_data = cart.find("merchant-private-item-data") if private_item_data: custom = str(private_item_data.contents[0]) if not auth: # see if the payment was declinded status = trans.findAll('financial-order-state') if 'PAYMENT_DECLINED' in [x.contents[0] for x in status]: g.log.error("google declined transaction found: '%s'" % short_sn) elif 'REVIEWING' not in [x.contents[0] for x in status]: g.log.error(("google transaction not found: " + "'%s', status: %s") % (short_sn, [x.contents[0] for x in status])) else: g.log.error(("google transaction status: " + "'%s', status: %s") % (short_sn, [x.contents[0] for x in status])) if custom: payment_blob = validate_blob(custom) buyer = payment_blob['buyer'] subject = _('gold order') msg = _('your order has been received and gold will' ' be delivered shortly. please bear with us' ' as google wallet payments can take up to an' ' hour to complete') try: send_system_message(buyer, subject, msg) except MessageError: g.log.error('gcheckout send_system_message failed') elif auth.find("financial-order-state" ).contents[0] == "CHARGEABLE": email = str(auth.find("email").contents[0]) payer_id = str(auth.find('buyer-id').contents[0]) if custom: days = None try: pennies = int(float(trans.find("order-total" ).contents[0])*100) months, days = months_and_days_from_pennies(pennies) if not months: raise ValueError("Bad pennies for %s" % short_sn) charged = trans.find("charge-amount-notification") if not charged: _google_charge_and_ship(short_sn) parameters = request.POST.copy() self.finish(parameters, "g%s" % short_sn, email, payer_id, None, custom, pennies, months, days) except ValueError, e: g.log.error(e) else: raise ValueError("Got no custom blob for %s" % short_sn) return (('<notification-acknowledgment ' + 'xmlns="http://checkout.google.com/schema/2" ' + 'serial-number="%s" />') % full_sn) else:
class WikiController(RedditController): allow_stylesheets = True @require_oauth2_scope("wikiread") @api_doc(api_section.wiki, uri='/wiki/{page}', uses_site=True) @validate(pv=VWikiPageAndVersion(('page', 'v', 'v2'), required=False, restricted=False, allow_hidden_revision=False), page_name=VWikiPageName('page', error_on_name_normalized=True)) def GET_wiki_page(self, pv, page_name): """Return the content of a wiki page If `v` is given, show the wiki page as it was at that version If both `v` and `v2` are given, show a diff of the two """ message = None if c.errors.get(('PAGE_NAME_NORMALIZED', 'page')): url = join_urls(c.wiki_base_url, page_name) return self.redirect(url) page, version, version2 = pv if not page: is_api = c.render_style in extensions.API_TYPES if this_may_revise(): if is_api: self.handle_error(404, 'PAGE_NOT_CREATED') errorpage = WikiNotFound(page=page_name) request.environ['usable_error_content'] = errorpage.render() elif is_api: self.handle_error(404, 'PAGE_NOT_FOUND') self.abort404() if version: edit_by = version.get_author() edit_date = version.date else: edit_by = page.get_author() edit_date = page._get('last_edit_date') diffcontent = None if not version: content = page.content if c.is_wiki_mod and page.name in page_descriptions: message = page_descriptions[page.name] else: message = _("viewing revision from %s") % timesince(version.date) if version2: t1 = timesince(version.date) t2 = timesince(version2.date) timestamp1 = _("%s ago") % t1 timestamp2 = _("%s ago") % t2 message = _("comparing revisions from %(date_1)s and %(date_2)s") \ % {'date_1': t1, 'date_2': t2} diffcontent = make_htmldiff(version.content, version2.content, timestamp1, timestamp2) content = version2.content else: message = _("viewing revision from %s ago") % timesince( version.date) content = version.content renderer = RENDERERS_BY_PAGE.get(page.name, 'wiki') return WikiPageView(content, alert=message, v=version, diff=diffcontent, may_revise=this_may_revise(page), edit_by=edit_by, edit_date=edit_date, page=page.name, renderer=renderer).render() @require_oauth2_scope("wikiread") @api_doc(api_section.wiki, uri='/wiki/revisions/{page}', uses_site=True) @paginated_listing(max_page_size=100, backend='cassandra') @validate(page=VWikiPage(('page'), restricted=False)) def GET_wiki_revisions(self, num, after, reverse, count, page): """Retrieve a list of revisions of this wiki `page`""" revisions = page.get_revisions() wikiuser = c.user if c.user_is_loggedin else None builder = WikiRevisionBuilder(revisions, user=wikiuser, sr=c.site, num=num, reverse=reverse, count=count, after=after, skip=not c.is_wiki_mod, wrap=default_thing_wrapper(), page=page) listing = WikiRevisionListing(builder).listing() return WikiRevisions(listing, page=page.name, may_revise=this_may_revise(page)).render() @validate(wp=VWikiPageRevise('page'), page=VWikiPageName('page')) def GET_wiki_create(self, wp, page): api = c.render_style in extensions.API_TYPES error = c.errors.get(('WIKI_CREATE_ERROR', 'page')) if error: error = error.msg_params if wp[0]: return self.redirect(join_urls(c.wiki_base_url, wp[0].name)) elif api: if error: self.handle_error(403, **error) else: self.handle_error(404, 'PAGE_NOT_CREATED') elif error: error_msg = '' if error['reason'] == 'PAGE_NAME_LENGTH': error_msg = _( "this wiki cannot handle page names of that magnitude! please select a page name shorter than %d characters" ) % error['max_length'] elif error['reason'] == 'PAGE_CREATED_ELSEWHERE': error_msg = _( "this page is a special page, please go into the subreddit settings and save the field once to create this special page" ) elif error['reason'] == 'PAGE_NAME_MAX_SEPARATORS': error_msg = _( 'a max of %d separators "/" are allowed in a wiki page name.' ) % error['max_separators'] return BoringPage(_("Wiki error"), infotext=error_msg).render() else: return WikiCreate(page=page, may_revise=True).render() @validate(wp=VWikiPageRevise('page', restricted=True, required=True)) def GET_wiki_revise(self, wp, page, message=None, **kw): wp = wp[0] previous = kw.get('previous', wp._get('revision')) content = kw.get('content', wp.content) if not message and wp.name in page_descriptions: message = page_descriptions[wp.name] return WikiEdit(content, previous, alert=message, page=wp.name, may_revise=True).render() @require_oauth2_scope("wikiread") @api_doc(api_section.wiki, uri='/wiki/revisions', uses_site=True) @paginated_listing(max_page_size=100, backend='cassandra') def GET_wiki_recent(self, num, after, reverse, count): """Retrieve a list of recently changed wiki pages in this subreddit""" revisions = WikiRevision.get_recent(c.site) wikiuser = c.user if c.user_is_loggedin else None builder = WikiRecentRevisionBuilder(revisions, num=num, count=count, reverse=reverse, after=after, wrap=default_thing_wrapper(), skip=not c.is_wiki_mod, user=wikiuser, sr=c.site) listing = WikiRevisionListing(builder).listing() return WikiRecent(listing).render() @require_oauth2_scope("wikiread") @api_doc(api_section.wiki, uri='/wiki/pages', uses_site=True) def GET_wiki_listing(self): """Retrieve a list of wiki pages in this subreddit""" def check_hidden(page): return page.listed and this_may_view(page) pages, linear_pages = WikiPage.get_listing(c.site, filter_check=check_hidden) return WikiListing(pages, linear_pages).render() def GET_wiki_redirect(self, page='index'): return self.redirect(str("%s/%s" % (c.wiki_base_url, page)), code=301) @require_oauth2_scope("wikiread") @api_doc(api_section.wiki, uri='/wiki/discussions/{page}', uses_site=True) @base_listing @validate(page=VWikiPage('page', restricted=True)) def GET_wiki_discussions(self, page, num, after, reverse, count): """Retrieve a list of discussions about this wiki `page`""" page_url = add_sr("%s/%s" % (c.wiki_base_url, page.name)) builder = url_links_builder(page_url, num=num, after=after, reverse=reverse, count=count) listing = LinkListing(builder).listing() return WikiDiscussions(listing, page=page.name, may_revise=this_may_revise(page)).render() @require_oauth2_scope("modwiki") @api_doc(api_section.wiki, uri='/wiki/settings/{page}', uses_site=True) @validate(page=VWikiPage('page', restricted=True, modonly=True)) def GET_wiki_settings(self, page): """Retrieve the current permission settings for `page`""" settings = { 'permlevel': page._get('permlevel', 0), 'listed': page.listed } mayedit = page.get_editor_accounts() restricted = (not page.special) and page.restricted show_editors = not restricted return WikiSettings(settings, mayedit, show_settings=not page.special, page=page.name, show_editors=show_editors, restricted=restricted, may_revise=True).render() @require_oauth2_scope("modwiki") @api_doc(api_section.wiki, uri='/wiki/settings/{page}', uses_site=True) @validate(VModhash(), page=VWikiPage('page', restricted=True, modonly=True), permlevel=VInt('permlevel'), listed=VBoolean('listed')) def POST_wiki_settings(self, page, permlevel, listed): """Update the permissions and visibility of wiki `page`""" oldpermlevel = page.permlevel try: page.change_permlevel(permlevel) except ValueError: self.handle_error(403, 'INVALID_PERMLEVEL') if page.listed != listed: page.listed = listed page._commit() verb = 'Relisted' if listed else 'Delisted' description = '%s page %s' % (verb, page.name) ModAction.create(c.site, c.user, 'wikipagelisted', description=description) if oldpermlevel != permlevel: description = 'Page: %s, Changed from %s to %s' % ( page.name, oldpermlevel, permlevel) ModAction.create(c.site, c.user, 'wikipermlevel', description=description) return self.GET_wiki_settings(page=page.name) def on_validation_error(self, error): RedditController.on_validation_error(self, error) if error.code: self.handle_error(error.code, error.name) def handle_error(self, code, reason=None, **data): abort(reddit_http_error(code, reason, **data)) def pre(self): RedditController.pre(self) if g.disable_wiki and not c.user_is_admin: self.handle_error(403, 'WIKI_DOWN') if not c.site._should_wiki: self.handle_error(404, 'NOT_WIKIABLE') # /r/mod for an example frontpage = isinstance(c.site, DefaultSR) c.wiki_base_url = join_urls(c.site.path, 'wiki') c.wiki_api_url = join_urls(c.site.path, '/api/wiki') c.wiki_id = g.default_sr if frontpage else c.site.name self.editconflict = False c.is_wiki_mod = (c.user_is_admin or c.site.is_moderator_with_perms( c.user, 'wiki')) if c.user_is_loggedin else False c.wikidisabled = False mode = c.site.wikimode if not mode or mode == 'disabled': if not c.is_wiki_mod: self.handle_error(403, 'WIKI_DISABLED') else: c.wikidisabled = True # Redirects from the old wiki def GET_faq(self): return self.GET_wiki_redirect(page='faq') GET_help = GET_wiki_redirect
class StripeController(GoldPaymentController): name = 'stripe' webhook_secret = g.STRIPE_WEBHOOK_SECRET event_type_mappings = { 'charge.succeeded': 'succeeded', 'charge.failed': 'failed', 'charge.refunded': 'refunded', 'customer.created': 'noop', 'transfer.created': 'noop', 'transfer.paid': 'noop', } @classmethod def process_response(cls): event_dict = json.loads(request.body) event = stripe.Event.construct_from(event_dict, g.STRIPE_SECRET_KEY) status = event.type if cls.event_type_mappings.get(status) == 'noop': return status, None, None, None, None charge = event.data.object description = charge.description try: passthrough, buyer_name = description.split('-', 1) except ValueError: g.log.error('stripe_error on charge: %s', charge) raise transaction_id = 'S%s' % charge.id pennies = charge.amount months, days = months_and_days_from_pennies(pennies) return status, passthrough, transaction_id, pennies, months @validatedForm(VUser(), token=nop('stripeToken'), passthrough=VPrintable("passthrough", max_length=50), pennies=VInt('pennies'), months=VInt("months")) def POST_goldcharge(self, form, jquery, token, passthrough, pennies, months): """ Submit charge to stripe. Called by GoldPayment form. This submits the charge to stripe, and gold will be applied once we receive a webhook from stripe. """ try: payment_blob = validate_blob(passthrough) except GoldException as e: # This should never happen. All fields in the payment_blob # are validated on creation form.set_html('.status', _('something bad happened, try again later')) g.log.debug('POST_goldcharge: %s' % e.message) return penny_months, days = months_and_days_from_pennies(pennies) if not months or months != penny_months: form.set_html('.status', _('stop trying to trick the form')) return stripe.api_key = g.STRIPE_SECRET_KEY try: customer = stripe.Customer.create(card=token) if (customer['active_card']['address_line1_check'] == 'fail' or customer['active_card']['address_zip_check'] == 'fail'): form.set_html('.status', _('error: address verification failed')) form.find('.stripe-submit').removeAttr('disabled').end() return if customer['active_card']['cvc_check'] == 'fail': form.set_html('.status', _('error: cvc check failed')) form.find('.stripe-submit').removeAttr('disabled').end() return charge = stripe.Charge.create( amount=pennies, currency="usd", customer=customer['id'], description='%s-%s' % (passthrough, c.user.name) ) except stripe.CardError as e: form.set_html('.status', 'error: %s' % e.message) form.find('.stripe-submit').removeAttr('disabled').end() except stripe.InvalidRequestError as e: form.set_html('.status', _('invalid request')) except stripe.APIConnectionError as e: form.set_html('.status', _('api error')) except stripe.AuthenticationError as e: form.set_html('.status', _('connection error')) except stripe.StripeError as e: form.set_html('.status', _('error')) g.log.error('stripe error: %s' % e) else: form.set_html('.status', _('payment submitted')) # webhook usually sends near instantly, send a message in case subject = _('gold payment') msg = _('your payment is being processed and gold will be' ' delivered shortly') send_system_message(c.user, subject, msg)
class PromoteApiController(ApiController): @json_validate(sr=VSubmitSR('sr', promotion=True), collection=VCollection('collection'), location=VLocation(), start=VDate('startdate'), end=VDate('enddate')) def GET_check_inventory(self, responder, sr, collection, location, start, end): if collection: target = Target(collection) sr = None else: sr = sr or Frontpage target = Target(sr.name) if not allowed_location_and_target(location, target): return abort(403, 'forbidden') available = inventory.get_available_pageviews(target, start, end, location=location, datestr=True) return {'inventory': available} @validatedForm(VSponsorAdmin(), VModhash(), link=VLink("link_id36"), campaign=VPromoCampaign("campaign_id36")) def POST_freebie(self, form, jquery, link, campaign): if not link or not campaign or link._id != campaign.link_id: return abort(404, 'not found') if campaign_has_oversold_error(form, campaign): form.set_text(".freebie", _("target oversold, can't freebie")) return if promote.is_promo(link) and campaign: promote.free_campaign(link, campaign, c.user) form.redirect(promote.promo_edit_url(link)) @validatedForm(VSponsorAdmin(), VModhash(), link=VByName("link"), note=nop("note")) def POST_promote_note(self, form, jquery, link, note): if promote.is_promo(link): text = PromotionLog.add(link, note) form.find(".notes").children(":last").after("<p>" + websafe(text) + "</p>") @noresponse(VSponsorAdmin(), VModhash(), thing=VByName('id')) def POST_promote(self, thing): if promote.is_promo(thing): promote.accept_promotion(thing) @noresponse(VSponsorAdmin(), VModhash(), thing=VByName('id'), reason=nop("reason")) def POST_unpromote(self, thing, reason): if promote.is_promo(thing): promote.reject_promotion(thing, reason=reason) @validatedForm(VSponsorAdmin(), VModhash(), link=VLink('link'), campaign=VPromoCampaign('campaign')) def POST_refund_campaign(self, form, jquery, link, campaign): if not link or not campaign or link._id != campaign.link_id: return abort(404, 'not found') billable_impressions = promote.get_billable_impressions(campaign) billable_amount = promote.get_billable_amount(campaign, billable_impressions) refund_amount = promote.get_refund_amount(campaign, billable_amount) if refund_amount > 0: promote.refund_campaign(link, campaign, billable_amount, billable_impressions) form.set_text('.status', _('refund succeeded')) else: form.set_text('.status', _('refund not needed')) @validatedForm( VSponsor('link_id36'), VModhash(), VRatelimit(rate_user=True, rate_ip=True, prefix='create_promo_'), VShamedDomain('url'), username=VLength('username', 100, empty_error=None), l=VLink('link_id36'), title=VTitle('title'), url=VUrl('url', allow_self=False), selftext=VMarkdownLength('text', max_length=40000), kind=VOneOf('kind', ['link', 'self']), disable_comments=VBoolean("disable_comments"), sendreplies=VBoolean("sendreplies"), media_url=VUrl("media_url", allow_self=False, valid_schemes=('http', 'https')), gifts_embed_url=VUrl("gifts_embed_url", allow_self=False, valid_schemes=('http', 'https')), media_url_type=VOneOf("media_url_type", ("redditgifts", "scrape")), media_autoplay=VBoolean("media_autoplay"), media_override=VBoolean("media-override"), domain_override=VLength("domain", 100), is_managed=VBoolean("is_managed"), ) def POST_edit_promo(self, form, jquery, username, l, title, url, selftext, kind, disable_comments, sendreplies, media_url, media_autoplay, media_override, gifts_embed_url, media_url_type, domain_override, is_managed): should_ratelimit = False if not c.user_is_sponsor: should_ratelimit = True if not should_ratelimit: c.errors.remove((errors.RATELIMIT, 'ratelimit')) # check for user override if not l and c.user_is_sponsor and username: try: user = Account._by_name(username) except NotFound: c.errors.add(errors.USER_DOESNT_EXIST, field="username") form.set_error(errors.USER_DOESNT_EXIST, "username") return if not user.email: c.errors.add(errors.NO_EMAIL_FOR_USER, field="username") form.set_error(errors.NO_EMAIL_FOR_USER, "username") return if not user.email_verified: c.errors.add(errors.NO_VERIFIED_EMAIL, field="username") form.set_error(errors.NO_VERIFIED_EMAIL, "username") return else: user = c.user # check for shame banned domains if form.has_errors("url", errors.DOMAIN_BANNED): g.stats.simple_event('spam.shame.link') return # demangle URL in canonical way if url: if isinstance(url, (unicode, str)): form.set_inputs(url=url) elif isinstance(url, tuple) or isinstance(url[0], Link): # there's already one or more links with this URL, but # we're allowing mutliple submissions, so we really just # want the URL url = url[0].url if kind == 'link': if form.has_errors('url', errors.NO_URL, errors.BAD_URL): return # users can change the disable_comments on promoted links if ((not l or not promote.is_promoted(l)) and (form.has_errors('title', errors.NO_TEXT, errors.TOO_LONG) or jquery.has_errors('ratelimit', errors.RATELIMIT))): return if kind == 'self' and form.has_errors('text', errors.TOO_LONG): return if not l: # creating a new promoted link l = promote.new_promotion(title, url if kind == 'link' else 'self', selftext if kind == 'self' else '', user, request.ip) l.domain_override = domain_override or None if c.user_is_sponsor: l.managed_promo = is_managed l._commit() form.redirect(promote.promo_edit_url(l)) elif not promote.is_promo(l): return # changing link type is not allowed if ((l.is_self and kind == 'link') or (not l.is_self and kind == 'self')): c.errors.add(errors.NO_CHANGE_KIND, field="kind") form.set_error(errors.NO_CHANGE_KIND, "kind") return changed = False # live items can only be changed by a sponsor, and also # pay the cost of de-approving the link if not promote.is_promoted(l) or c.user_is_sponsor: if title and title != l.title: l.title = title changed = not c.user_is_sponsor if kind == 'link' and url and url != l.url: l.url = url changed = not c.user_is_sponsor # only trips if the title and url are changed by a non-sponsor if changed: promote.unapprove_promotion(l) # selftext can be changed at any time if kind == 'self': l.selftext = selftext # comment disabling and sendreplies is free to be changed any time. l.disable_comments = disable_comments l.sendreplies = sendreplies if c.user_is_sponsor: if (form.has_errors("media_url", errors.BAD_URL) or form.has_errors("gifts_embed_url", errors.BAD_URL)): return scraper_embed = media_url_type == "scrape" media_url = media_url or None gifts_embed_url = gifts_embed_url or None if c.user_is_sponsor and scraper_embed and media_url != l.media_url: if media_url: media = _scrape_media(media_url, autoplay=media_autoplay, save_thumbnail=False, use_cache=True) if media: l.set_media_object(media.media_object) l.set_secure_media_object(media.secure_media_object) l.media_url = media_url l.gifts_embed_url = None l.media_autoplay = media_autoplay else: c.errors.add(errors.SCRAPER_ERROR, field="media_url") form.set_error(errors.SCRAPER_ERROR, "media_url") return else: l.set_media_object(None) l.set_secure_media_object(None) l.media_url = None l.gifts_embed_url = None l.media_autoplay = False if (c.user_is_sponsor and not scraper_embed and gifts_embed_url != l.gifts_embed_url): if gifts_embed_url: parsed = UrlParser(gifts_embed_url) if not is_subdomain(parsed.hostname, "redditgifts.com"): c.errors.add(errors.BAD_URL, field="gifts_embed_url") form.set_error(errors.BAD_URL, "gifts_embed_url") return iframe = """ <iframe class="redditgifts-embed" src="%(embed_url)s" width="710" height="500" scrolling="no" frameborder="0" allowfullscreen> </iframe> """ % { 'embed_url': websafe(gifts_embed_url) } media_object = { 'oembed': { 'description': 'redditgifts embed', 'height': 500, 'html': iframe, 'provider_name': 'redditgifts', 'provider_url': 'http://www.redditgifts.com/', 'title': 'redditgifts secret santa 2014', 'type': 'rich', 'width': 710 }, 'type': 'redditgifts' } l.set_media_object(media_object) l.set_secure_media_object(media_object) l.media_url = None l.gifts_embed_url = gifts_embed_url l.media_autoplay = False else: l.set_media_object(None) l.set_secure_media_object(None) l.media_url = None l.gifts_embed_url = None l.media_autoplay = False if c.user_is_sponsor: l.media_override = media_override l.domain_override = domain_override or None l.managed_promo = is_managed l._commit() form.redirect(promote.promo_edit_url(l)) @validatedForm(VSponsorAdmin(), VModhash(), dates=VDateRange(['startdate', 'enddate'], reference_date=promote.promo_datetime_now), sr=VSubmitSR('sr', promotion=True)) def POST_add_roadblock(self, form, jquery, dates, sr): if (form.has_errors('startdate', errors.BAD_DATE) or form.has_errors( 'enddate', errors.BAD_DATE, errors.BAD_DATE_RANGE)): return if form.has_errors('sr', errors.SUBREDDIT_NOEXIST, errors.SUBREDDIT_NOTALLOWED, errors.SUBREDDIT_REQUIRED): return if dates and sr: sd, ed = dates PromotedLinkRoadblock.add(sr, sd, ed) jquery.refresh() @validatedForm(VSponsorAdmin(), VModhash(), dates=VDateRange(['startdate', 'enddate'], reference_date=promote.promo_datetime_now), sr=VSubmitSR('sr', promotion=True)) def POST_rm_roadblock(self, form, jquery, dates, sr): if dates and sr: sd, ed = dates PromotedLinkRoadblock.remove(sr, sd, ed) jquery.refresh() @validatedForm( VSponsor('link_id36'), VModhash(), dates=VDateRange(['startdate', 'enddate'], earliest=timedelta(days=g.min_promote_future), latest=timedelta(days=g.max_promote_future), reference_date=promote.promo_datetime_now, business_days=True, sponsor_override=True), link=VLink('link_id36'), bid=VFloat('bid', coerce=False), target=VPromoTarget(), campaign_id36=nop("campaign_id36"), priority=VPriority("priority"), location=VLocation(), ) def POST_edit_campaign(self, form, jquery, link, campaign_id36, dates, bid, target, priority, location): if not link: return if not target: # run form.has_errors to populate the errors in the response form.has_errors('sr', errors.SUBREDDIT_NOEXIST, errors.SUBREDDIT_NOTALLOWED, errors.SUBREDDIT_REQUIRED) form.has_errors('collection', errors.COLLECTION_NOEXIST) form.has_errors('targeting', errors.INVALID_TARGET) return start, end = dates or (None, None) if not allowed_location_and_target(location, target): return abort(403, 'forbidden') cpm = PromotionPrices.get_price(target, location) if (form.has_errors('startdate', errors.BAD_DATE, errors.DATE_TOO_EARLY, errors.DATE_TOO_LATE) or form.has_errors('enddate', errors.BAD_DATE, errors.DATE_TOO_EARLY, errors.DATE_TOO_LATE, errors.BAD_DATE_RANGE)): return # check that start is not so late that authorization hold will expire if not c.user_is_sponsor: max_start = promote.get_max_startdate() if start > max_start: c.errors.add( errors.DATE_TOO_LATE, msg_params={'day': max_start.strftime("%m/%d/%Y")}, field='startdate') form.has_errors('startdate', errors.DATE_TOO_LATE) return # Limit the number of PromoCampaigns a Link can have # Note that the front end should prevent the user from getting # this far existing_campaigns = list(PromoCampaign._by_link(link._id)) if len(existing_campaigns) > g.MAX_CAMPAIGNS_PER_LINK: c.errors.add(errors.TOO_MANY_CAMPAIGNS, msg_params={'count': g.MAX_CAMPAIGNS_PER_LINK}, field='title') form.has_errors('title', errors.TOO_MANY_CAMPAIGNS) return campaign = None if campaign_id36: try: campaign = PromoCampaign._byID36(campaign_id36) except NotFound: pass if campaign and link._id != campaign.link_id: return abort(404, 'not found') if priority.cpm: min_bid = 0 if c.user_is_sponsor else g.min_promote_bid max_bid = None if c.user_is_sponsor else g.max_promote_bid if bid is None or bid < min_bid or (max_bid and bid > max_bid): c.errors.add(errors.BAD_BID, field='bid', msg_params={ 'min': min_bid, 'max': max_bid or g.max_promote_bid }) form.has_errors('bid', errors.BAD_BID) return # you cannot edit the bid of a live ad unless it's a freebie if (campaign and bid != campaign.bid and promote.is_live_promo(link, campaign) and not campaign.is_freebie()): c.errors.add(errors.BID_LIVE, field='bid') form.has_errors('bid', errors.BID_LIVE) return else: bid = 0. # Set bid to 0 as dummy value is_frontpage = (not target.is_collection and target.subreddit_name == Frontpage.name) if not target.is_collection and not is_frontpage: # targeted to a single subreddit, check roadblock sr = target.subreddits_slow[0] roadblock = PromotedLinkRoadblock.is_roadblocked(sr, start, end) if roadblock and not c.user_is_sponsor: msg_params = { "start": roadblock[0].strftime('%m/%d/%Y'), "end": roadblock[1].strftime('%m/%d/%Y') } c.errors.add(errors.OVERSOLD, field='sr', msg_params=msg_params) form.has_errors('sr', errors.OVERSOLD) return # Check inventory campaign = campaign if campaign_id36 else None if not priority.inventory_override: oversold = has_oversold_error(form, campaign, start, end, bid, cpm, target, location) if oversold: return if campaign: promote.edit_campaign(link, campaign, dates, bid, cpm, target, priority, location) else: campaign = promote.new_campaign(link, dates, bid, cpm, target, priority, location) rc = RenderableCampaign.from_campaigns(link, campaign) jquery.update_campaign(campaign._fullname, rc.render_html()) @validatedForm(VSponsor('link_id36'), VModhash(), l=VLink('link_id36'), campaign=VPromoCampaign("campaign_id36")) def POST_delete_campaign(self, form, jquery, l, campaign): if not campaign or not l or l._id != campaign.link_id: return abort(404, 'not found') promote.delete_campaign(l, campaign) @validatedForm(VSponsorAdmin(), VModhash(), link=VLink('link_id36'), campaign=VPromoCampaign("campaign_id36")) def POST_terminate_campaign(self, form, jquery, link, campaign): if not link or not campaign or link._id != campaign.link_id: return abort(404, 'not found') promote.terminate_campaign(link, campaign) rc = RenderableCampaign.from_campaigns(link, campaign) jquery.update_campaign(campaign._fullname, rc.render_html()) @validatedForm(VSponsor('link'), VModhash(), link=VByName("link"), campaign=VPromoCampaign("campaign"), customer_id=VInt("customer_id", min=0), pay_id=VInt("account", min=0), edit=VBoolean("edit"), address=ValidAddress([ "firstName", "lastName", "company", "address", "city", "state", "zip", "country", "phoneNumber" ]), creditcard=ValidCard( ["cardNumber", "expirationDate", "cardCode"])) def POST_update_pay(self, form, jquery, link, campaign, customer_id, pay_id, edit, address, creditcard): if not g.authorizenetapi: return if not link or not campaign or link._id != campaign.link_id: return abort(404, 'not found') # Check inventory if campaign_has_oversold_error(form, campaign): return # check that start is not so late that authorization hold will expire max_start = promote.get_max_startdate() if campaign.start_date > max_start: msg = _("please change campaign start date to %(date)s or earlier") date = format_date(max_start, format="short", locale=c.locale) msg %= {'date': date} form.set_text(".status", msg) return # check the campaign start date is still valid (user may have created # the campaign a few days ago) now = promote.promo_datetime_now() min_start = now + timedelta(days=g.min_promote_future) if campaign.start_date.date() < min_start.date(): msg = _("please change campaign start date to %(date)s or later") date = format_date(min_start, format="short", locale=c.locale) msg %= {'date': date} form.set_text(".status", msg) return address_modified = not pay_id or edit if address_modified: address_fields = [ "firstName", "lastName", "company", "address", "city", "state", "zip", "country", "phoneNumber" ] card_fields = ["cardNumber", "expirationDate", "cardCode"] if (form.has_errors(address_fields, errors.BAD_ADDRESS) or form.has_errors(card_fields, errors.BAD_CARD)): return pay_id = edit_profile(c.user, address, creditcard, pay_id) reason = None if pay_id: success, reason = promote.auth_campaign(link, campaign, c.user, pay_id) if success: form.redirect(promote.promo_edit_url(link)) return msg = reason or _("failed to authenticate card. sorry.") form.set_text(".status", msg) @validate(VSponsor("link_name"), VModhash(), link=VByName('link_name'), file=VUploadLength('file', 500 * 1024), img_type=VImageType('img_type')) def POST_link_thumb(self, link=None, file=None, img_type='jpg'): if link and (not promote.is_promoted(link) or c.user_is_sponsor): errors = dict(BAD_CSS_NAME="", IMAGE_ERROR="") # thumnails for promoted links can change and therefore expire force_thumbnail(link, file, file_type=".%s" % img_type) if any(errors.values()): return UploadedImage("", "", "upload", errors=errors, form_id="image-upload").render() else: link._commit() return UploadedImage(_('saved'), thumbnail_url(link), "", errors=errors, form_id="image-upload").render()
class PromoteController(ListingController): where = 'promoted' render_cls = PromotePage @property def title_text(self): return _('promoted by you') def keep_fn(self): def keep(item): if item.promoted and not item._deleted: return True else: return False return keep def query(self): if c.user_is_sponsor: if self.sort == "future_promos": return queries.get_all_unapproved_links() elif self.sort == "pending_promos": return queries.get_all_accepted_links() elif self.sort == "unpaid_promos": return queries.get_all_unpaid_links() elif self.sort == "rejected_promos": return queries.get_all_rejected_links() elif self.sort == "live_promos": return queries.get_all_live_links() return queries.get_all_promoted_links() else: if self.sort == "future_promos": return queries.get_unapproved_links(c.user._id) elif self.sort == "pending_promos": return queries.get_accepted_links(c.user._id) elif self.sort == "unpaid_promos": return queries.get_unpaid_links(c.user._id) elif self.sort == "rejected_promos": return queries.get_rejected_links(c.user._id) elif self.sort == "live_promos": return queries.get_live_links(c.user._id) return queries.get_promoted_links(c.user._id) @validate(VSponsor()) def GET_listing(self, sort="", **env): if not c.user_is_loggedin or not c.user.email_verified: return self.redirect("/ad_inq") self.sort = sort return ListingController.GET_listing(self, **env) GET_index = GET_listing @validate(VSponsor()) def GET_new_promo(self): return PromotePage('content', content=PromoteLinkForm()).render() @validate(VSponsor('link'), link=VLink('link')) def GET_edit_promo(self, link): if not link or link.promoted is None: return self.abort404() rendered = wrap_links(link, wrapper=promote.sponsor_wrapper, skip=False) form = PromoteLinkForm(link=link, listing=rendered, timedeltatext="") page = PromotePage('new_promo', content=form) return page.render() # For development. Should eventually replace GET_edit_promo @validate(VSponsor('link'), link=VLink('link')) def GET_edit_promo_cpm(self, link): if not link or link.promoted is None: return self.abort404() rendered = wrap_links(link, wrapper=promote.sponsor_wrapper, skip=False) form = PromoteLinkFormCpm(link=link, listing=rendered, timedeltatext="") page = PromotePage('new_promo', content=form) return page.render() # admin only because the route might change @validate(VSponsorAdmin('campaign'), campaign=VPromoCampaign('campaign')) def GET_edit_promo_campaign(self, campaign): if not campaign: return self.abort404() link = Link._byID(campaign.link_id) return self.redirect(promote.promo_edit_url(link)) @validate(VSponsor(), dates=VDateRange(["startdate", "enddate"], max_range=timedelta(days=28), required=False)) def GET_graph(self, dates): start, end, bad_dates = _check_dates(dates) return PromotePage("graph", content=Promote_Graph( start, end, bad_dates=bad_dates) ).render() @validate(VSponsorAdmin(), dates=VDateRange(["startdate", "enddate"], max_range=timedelta(days=28), required=False)) def GET_admingraph(self, dates): start, end, bad_dates = _check_dates(dates) content = Promote_Graph(start, end, bad_dates=bad_dates, admin_view=True) if c.render_style == 'csv': return content.as_csv() return PromotePage("admingraph", content=content).render() def GET_inventory(self, sr_name): ''' Return available inventory data as json for use in ajax calls ''' inv_start_date = promote.promo_datetime_now() inv_end_date = inv_start_date + timedelta(60) inventory = promote.get_available_impressions( sr_name, inv_start_date, inv_end_date, fuzzed=(not c.user_is_admin) ) dates = [] impressions = [] max_imps = 0 for date, imps in inventory.iteritems(): dates.append(date.strftime("%m/%d/%Y")) impressions.append(imps) max_imps = max(max_imps, imps) return json.dumps({'sr':sr_name, 'dates': dates, 'imps':impressions, 'max_imps':max_imps}) # ## POST controllers below @validatedForm(VSponsorAdmin(), link=VLink("link_id"), campaign=VPromoCampaign("campaign_id36")) def POST_freebie(self, form, jquery, link, campaign): if promote.is_promo(link) and campaign: promote.free_campaign(link, campaign, c.user) form.redirect(promote.promo_edit_url(link)) @validatedForm(VSponsorAdmin(), link=VByName("link"), note=nop("note")) def POST_promote_note(self, form, jquery, link, note): if promote.is_promo(link): text = PromotionLog.add(link, note) form.find(".notes").children(":last").after( "<p>" + text + "</p>") @noresponse(VSponsorAdmin(), thing=VByName('id')) def POST_promote(self, thing): if promote.is_promo(thing): promote.accept_promotion(thing) @noresponse(VSponsorAdmin(), thing=VByName('id'), reason=nop("reason")) def POST_unpromote(self, thing, reason): if promote.is_promo(thing): promote.reject_promotion(thing, reason=reason) @validatedForm(VSponsor('link_id'), VModhash(), VRatelimit(rate_user=True, rate_ip=True, prefix='create_promo_'), l=VLink('link_id'), title=VTitle('title'), url=VUrl('url', allow_self=False, lookup=False), ip=ValidIP(), disable_comments=VBoolean("disable_comments"), set_clicks=VBoolean("set_maximum_clicks"), max_clicks=VInt("maximum_clicks", min=0), set_views=VBoolean("set_maximum_views"), max_views=VInt("maximum_views", min=0), media_width=VInt("media-width", min=0), media_height=VInt("media-height", min=0), media_embed=VLength("media-embed", 1000), media_override=VBoolean("media-override"), domain_override=VLength("domain", 100) ) def POST_edit_promo(self, form, jquery, ip, l, title, url, disable_comments, set_clicks, max_clicks, set_views, max_views, media_height, media_width, media_embed, media_override, domain_override): should_ratelimit = False if not c.user_is_sponsor: set_clicks = False set_views = False should_ratelimit = True if not set_clicks: max_clicks = None if not set_views: max_views = None if not should_ratelimit: c.errors.remove((errors.RATELIMIT, 'ratelimit')) # demangle URL in canonical way if url: if isinstance(url, (unicode, str)): form.set_inputs(url=url) elif isinstance(url, tuple) or isinstance(url[0], Link): # there's already one or more links with this URL, but # we're allowing mutliple submissions, so we really just # want the URL url = url[0].url # users can change the disable_comments on promoted links if ((not l or not promote.is_promoted(l)) and (form.has_errors('title', errors.NO_TEXT, errors.TOO_LONG) or form.has_errors('url', errors.NO_URL, errors.BAD_URL) or jquery.has_errors('ratelimit', errors.RATELIMIT))): return if not l: l = promote.new_promotion(title, url, c.user, ip) elif promote.is_promo(l): changed = False # live items can only be changed by a sponsor, and also # pay the cost of de-approving the link trusted = c.user_is_sponsor or c.user.trusted_sponsor if not promote.is_promoted(l) or trusted: if title and title != l.title: l.title = title changed = not trusted if url and url != l.url: l.url = url changed = not trusted # only trips if the title and url are changed by a non-sponsor if changed and not promote.is_unpaid(l): promote.unapprove_promotion(l) if trusted and promote.is_unapproved(l): promote.accept_promotion(l) if c.user_is_sponsor: l.maximum_clicks = max_clicks l.maximum_views = max_views # comment disabling is free to be changed any time. l.disable_comments = disable_comments if c.user_is_sponsor or c.user.trusted_sponsor: if media_embed and media_width and media_height: l.media_object = dict(height=media_height, width=media_width, content=media_embed, type='custom') else: l.media_object = None l.media_override = media_override if getattr(l, "domain_override", False) or domain_override: l.domain_override = domain_override l._commit() form.redirect(promote.promo_edit_url(l)) @validate(VSponsorAdmin()) def GET_roadblock(self): return PromotePage('content', content=Roadblocks()).render() @validatedForm(VSponsorAdmin(), VModhash(), dates=VDateRange(['startdate', 'enddate'], future=1, reference_date=promote.promo_datetime_now, business_days=False, sponsor_override=True), sr=VSubmitSR('sr', promotion=True)) def POST_add_roadblock(self, form, jquery, dates, sr): if (form.has_errors('startdate', errors.BAD_DATE, errors.BAD_FUTURE_DATE) or form.has_errors('enddate', errors.BAD_DATE, errors.BAD_FUTURE_DATE, errors.BAD_DATE_RANGE)): return if form.has_errors('sr', errors.SUBREDDIT_NOEXIST, errors.SUBREDDIT_NOTALLOWED, errors.SUBREDDIT_REQUIRED): return if dates and sr: sd, ed = dates promote.roadblock_reddit(sr.name, sd.date(), ed.date()) jquery.refresh() @validatedForm(VSponsorAdmin(), VModhash(), dates=VDateRange(['startdate', 'enddate'], future=1, reference_date=promote.promo_datetime_now, business_days=False, sponsor_override=True), sr=VSubmitSR('sr', promotion=True)) def POST_rm_roadblock(self, form, jquery, dates, sr): if dates and sr: sd, ed = dates promote.unroadblock_reddit(sr.name, sd.date(), ed.date()) jquery.refresh() @validatedForm(VSponsor('link_id'), VModhash(), dates=VDateRange(['startdate', 'enddate'], future=1, reference_date=promote.promo_datetime_now, business_days=False, sponsor_override=True), l=VLink('link_id'), bid=VFloat('bid', min=0, max=g.max_promote_bid, coerce=False, error=errors.BAD_BID), sr=VSubmitSR('sr', promotion=True), campaign_id36=nop("campaign_id36"), targeting=VLength("targeting", 10)) def POST_edit_campaign(self, form, jquery, l, campaign_id36, dates, bid, sr, targeting): if not l: return start, end = dates or (None, None) if (start and end and not promote.is_accepted(l) and not c.user_is_sponsor): # if the ad is not approved already, ensure the start date # is at least 2 days in the future start = start.date() end = end.date() now = promote.promo_datetime_now() future = make_offset_date(now, g.min_promote_future, business_days=True) if start < future.date(): c.errors.add(errors.BAD_FUTURE_DATE, msg_params=dict(day=g.min_promote_future), field="startdate") if (form.has_errors('startdate', errors.BAD_DATE, errors.BAD_FUTURE_DATE) or form.has_errors('enddate', errors.BAD_DATE, errors.BAD_FUTURE_DATE, errors.BAD_DATE_RANGE)): return # Limit the number of PromoCampaigns a Link can have # Note that the front end should prevent the user from getting # this far existing_campaigns = list(PromoCampaign._by_link(l._id)) if len(existing_campaigns) > g.MAX_CAMPAIGNS_PER_LINK: c.errors.add(errors.TOO_MANY_CAMPAIGNS, msg_params={'count': g.MAX_CAMPAIGNS_PER_LINK}, field='title') form.has_errors('title', errors.TOO_MANY_CAMPAIGNS) return duration = max((end - start).days, 1) if form.has_errors('bid', errors.BAD_BID): return # minimum bid depends on user privilege and targeting, checked here # instead of in the validator b/c current duration is needed if c.user_is_sponsor: min_daily_bid = 0 elif targeting == 'one': min_daily_bid = g.min_promote_bid * 1.5 else: min_daily_bid = g.min_promote_bid if campaign_id36: # you cannot edit the bid of a live ad unless it's a freebie try: campaign = PromoCampaign._byID36(campaign_id36) if (bid != campaign.bid and campaign.start_date < datetime.now(g.tz) and not campaign.is_freebie()): c.errors.add(errors.BID_LIVE, field='bid') form.has_errors('bid', errors.BID_LIVE) return except NotFound: pass if bid is None or bid / duration < min_daily_bid: c.errors.add(errors.BAD_BID, field='bid', msg_params={'min': min_daily_bid, 'max': g.max_promote_bid}) form.has_errors('bid', errors.BAD_BID) return if targeting == 'one': if form.has_errors('sr', errors.SUBREDDIT_NOEXIST, errors.SUBREDDIT_NOTALLOWED, errors.SUBREDDIT_REQUIRED): # checking to get the error set in the form, but we can't # check for rate-limiting if there's no subreddit return oversold = promote.is_roadblocked(sr.name, start, end) if oversold and not c.user_is_sponsor: msg_params = {"start": oversold[0].strftime('%m/%d/%Y'), "end": oversold[1].strftime('%m/%d/%Y')} c.errors.add(errors.OVERSOLD, field='sr', msg_params=msg_params) form.has_errors('sr', errors.OVERSOLD) return if targeting == 'none': sr = None if campaign_id36 is not None: campaign = PromoCampaign._byID36(campaign_id36) promote.edit_campaign(l, campaign, dates, bid, sr) r = promote.get_renderable_campaigns(l, campaign) jquery.update_campaign(r.campaign_id36, r.start_date, r.end_date, r.duration, r.bid, r.sr, r.status) else: campaign = promote.new_campaign(l, dates, bid, sr) r = promote.get_renderable_campaigns(l, campaign) jquery.new_campaign(r.campaign_id36, r.start_date, r.end_date, r.duration, r.bid, r.sr, r.status) @validatedForm(VSponsor('link_id'), VModhash(), l=VLink('link_id'), campaign=VPromoCampaign("campaign_id36")) def POST_delete_campaign(self, form, jquery, l, campaign): if l and campaign: promote.delete_campaign(l, campaign) @validatedForm(VSponsor('container'), VModhash(), user=VExistingUname('name'), thing=VByName('container')) def POST_traffic_viewer(self, form, jquery, user, thing): """ Adds a user to the list of users allowed to view a promoted link's traffic page. """ if not form.has_errors("name", errors.USER_DOESNT_EXIST, errors.NO_USER): form.set_inputs(name="") form.set_html(".status:first", _("added")) if promote.add_traffic_viewer(thing, user): user_row = TrafficViewerList(thing).user_row('traffic', user) jquery("#traffic-table").show( ).find("table").insert_table_rows(user_row) # send the user a message msg = user_added_messages['traffic']['pm']['msg'] subj = user_added_messages['traffic']['pm']['subject'] if msg and subj: d = dict(url=thing.make_permalink_slow(), traffic_url=promote.promo_traffic_url(thing), title=thing.title) msg = msg % d item, inbox_rel = Message._new(c.user, user, subj, msg, request.ip) queries.new_message(item, inbox_rel) @validatedForm(VSponsor('container'), VModhash(), iuser=VByName('id'), thing=VByName('container')) def POST_rm_traffic_viewer(self, form, jquery, iuser, thing): if thing and iuser: promote.rm_traffic_viewer(thing, iuser) @validatedForm(VSponsor('link'), link=VByName("link"), campaign=VPromoCampaign("campaign"), customer_id=VInt("customer_id", min=0), pay_id=VInt("account", min=0), edit=VBoolean("edit"), address=ValidAddress( ["firstName", "lastName", "company", "address", "city", "state", "zip", "country", "phoneNumber"], allowed_countries=g.allowed_pay_countries), creditcard=ValidCard(["cardNumber", "expirationDate", "cardCode"])) def POST_update_pay(self, form, jquery, link, campaign, customer_id, pay_id, edit, address, creditcard): address_modified = not pay_id or edit form_has_errors = False if address_modified: if (form.has_errors(["firstName", "lastName", "company", "address", "city", "state", "zip", "country", "phoneNumber"], errors.BAD_ADDRESS) or form.has_errors(["cardNumber", "expirationDate", "cardCode"], errors.BAD_CARD)): form_has_errors = True elif g.authorizenetapi: pay_id = edit_profile(c.user, address, creditcard, pay_id) else: pay_id = 1 # if link is in use or finished, don't make a change if pay_id and not form_has_errors: # valid bid and created or existing bid id. # check if already a transaction if g.authorizenetapi: success, reason = promote.auth_campaign(link, campaign, c.user, pay_id) else: success = True if success: form.redirect(promote.promo_edit_url(link)) else: form.set_html(".status", reason or _("failed to authenticate card. sorry.")) @validate(VSponsor("link"), link=VLink("link"), campaign=VPromoCampaign("campaign")) def GET_pay(self, link, campaign): # no need for admins to play in the credit card area if c.user_is_loggedin and c.user._id != link.author_id: return self.abort404() if not campaign.link_id == link._id: return self.abort404() if g.authorizenetapi: data = get_account_info(c.user) content = PaymentForm(link, campaign, customer_id=data.customerProfileId, profiles=data.paymentProfiles, max_profiles=PROFILE_LIMIT) else: content = None res = LinkInfoPage(link=link, content=content, show_sidebar=False) return res.render() def GET_link_thumb(self, *a, **kw): """ See GET_upload_sr_image for rationale """ return "nothing to see here." @validate(VSponsor("link_id"), link=VByName('link_id'), file=VLength('file', 500 * 1024)) def POST_link_thumb(self, link=None, file=None): if link and (not promote.is_promoted(link) or c.user_is_sponsor or c.user.trusted_sponsor): errors = dict(BAD_CSS_NAME="", IMAGE_ERROR="") try: # thumnails for promoted links can change and therefore expire force_thumbnail(link, file, file_type=".jpg") except cssfilter.BadImage: # if the image doesn't clean up nicely, abort errors["IMAGE_ERROR"] = _("bad image") if any(errors.values()): return UploadedImage("", "", "upload", errors=errors, form_id="image-upload").render() else: link._commit() return UploadedImage(_('saved'), thumbnail_url(link), "", errors=errors, form_id="image-upload").render() @validate(VSponsorAdmin(), launchdate=VDate('ondate'), dates=VDateRange(['startdate', 'enddate']), query_type=VOneOf('q', ('started_on', 'between'), default=None)) def GET_admin(self, launchdate=None, dates=None, query_type=None): return PromoAdminTool(query_type=query_type, launchdate=launchdate, start=dates[0], end=dates[1]).render()