def check_permission(session, flag, message=""):
    """
    Raise utils.ASMPermissionError unless the session's security map
    carries flag; a superuser session always passes.

    session: must expose "superuser", "securitymap" and a locale. A session
             missing either of the first two is rejected as "Invalid session".
    flag:    the security flag looked up in session.securitymap.
    message: error text to raise with; "" means the localised "Forbidden".
    """
    missing = ("superuser" not in session) or ("securitymap" not in session)
    if missing:
        raise utils.ASMPermissionError("Invalid session")
    locale = session.locale
    # Superusers bypass the map entirely
    if session.superuser == 1:
        return
    if has_security_flag(session.securitymap, flag):
        return
    # Fall back to the localised default when the caller gave no message
    text = message if message != "" else i18n._("Forbidden", locale)
    raise utils.ASMPermissionError(text)
def check_permission_map(l, superuser, securitymap, flag):
    """
    Raise utils.ASMPermissionError (localised "Forbidden") when flag is
    absent from securitymap; a superuser (superuser == 1) always passes.

    l:           locale used to translate the error message.
    superuser:   1 for a superuser, anything else otherwise.
    securitymap: the security map string consulted by has_security_flag.
    flag:        the required security flag.
    """
    # Superusers are never restricted by the map
    if superuser == 1:
        return
    permitted = has_security_flag(securitymap, flag)
    if not permitted:
        raise utils.ASMPermissionError(i18n._("Forbidden", l))
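def check_view_permission(dbo, username, session, acid):
    """
    Checks that the currently logged in user has permission to
    view the incident with acid.

    dbo:      database connection, used to read the incident's view roles
              and the user's roles.
    username: the user to check (matched against users.UserName).
    session:  the current session; session.superuser == 1 bypasses all checks.
    acid:     the AnimalControlID of the incident.

    Returns True when viewing is allowed. Raises utils.ASMPermissionError
    when the incident has view roles and the user holds none of them.
    """
    # Superusers can do anything
    if session.superuser == 1:
        return True
    viewroles = {
        rr.ROLEID for rr in dbo.query(
            "SELECT RoleID FROM animalcontrolrole WHERE AnimalControlID = ? AND CanView = 1",
            [acid])
    }
    # No view roles means anyone can view
    if not viewroles:
        return True
    # NOTE(review): the username is matched with LIKE, so a username holding
    # SQL wildcards (% or _) would match other users' rows and inherit their
    # roles. Left as-is because LIKE may be relied on for case-insensitive
    # matching on some databases — confirm usernames are validated on
    # creation, or switch this to an exact comparison.
    userroles = {
        ur.ROLEID for ur in dbo.query(
            "SELECT RoleID FROM userrole INNER JOIN users ON userrole.UserID = users.ID WHERE users.UserName LIKE ?",
            [username])
    }
    # Does the user have any of the view roles? (set intersection instead of
    # the previous nested loop)
    if userroles & viewroles:
        return True
    raise utils.ASMPermissionError(
        "User does not have required role to view this incident")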
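def hotlink_protect(method, referer):
    """
    Protect a method from having any referer other than the one we set.

    method:  name of the service method, used only in the error message.
    referer: the request's Referer header ("" when absent).

    Allowed referers come from IMAGE_HOTLINKING_ONLY_FROM_DOMAIN, a comma
    separated list of domains (surrounding whitespace is ignored and an
    entry may carry a scheme, e.g. "https://example.com"). A referer is
    accepted when its hostname equals one of those domains or is a
    subdomain of one. Requests with no referer, and deployments with no
    configured domain, are never blocked. A referer that is not an absolute
    URL has no hostname and is refused.

    Raises utils.ASMPermissionError when the referer is from elsewhere.
    """
    from urllib.parse import urlparse

    if referer == "" or IMAGE_HOTLINKING_ONLY_FROM_DOMAIN == "":
        return
    # Compare hostnames rather than searching the whole referer for the
    # domain text: a substring test also accepts
    # "https://example.com.evil.test/" and "https://evil.test/?u=example.com".
    try:
        host = urlparse(referer).hostname or ""
    except ValueError:
        # Malformed URL (e.g. unbalanced IPv6 brackets): treat as no host
        host = ""
    for entry in IMAGE_HOTLINKING_ONLY_FROM_DOMAIN.split(","):
        entry = entry.strip()
        if entry == "":
            continue
        # Parse the entry as a URL too, so "example.com/", "example.com:8080"
        # and "https://example.com" all reduce to the bare hostname
        domain = urlparse(entry if "://" in entry else "//" + entry).hostname or ""
        if domain != "" and (host == domain or host.endswith("." + domain)):
            return
    raise utils.ASMPermissionError("Hotlinking to %s from %s is forbidden" % (method, referer))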
def get_animal_view(dbo, animalid):
    """
    Constructs the animal view page to the template.

    dbo:      database connection.
    animalid: ID of the animal to render.

    Raises utils.ASMPermissionError when no row comes back for animalid or
    the animal is not adoptable. Otherwise returns the rendered HTML: the
    configured template (or a minimal built-in one when the template head
    is empty) with its $$TAG$$ placeholders substituted.
    """
    row = dbo.first_row(
        get_animal_data(dbo,
                        animalid=animalid,
                        include_additional_fields=True,
                        strip_personal_data=True))
    # Only adoptable animals may be rendered
    if row is None:
        raise utils.ASMPermissionError("animal is not adoptable (None)")
    if not is_animal_adoptable(dbo, row):
        raise utils.ASMPermissionError("animal is not adoptable (False)")
    # Optionally surface the animal's comments as the public notes
    if configuration.publisher_use_comments(dbo):
        row.WEBSITEMEDIANOTES = row.ANIMALCOMMENTS
    head, body, foot = get_animal_view_template(dbo)
    if head == "":
        head = "<!DOCTYPE html>\n<html>\n<head>\n<title>$$SHELTERCODE$$ - $$ANIMALNAME$$</title></head>\n<body>"
        body = "<h2>$$SHELTERCODE$$ - $$ANIMALNAME$$</h2><p><img src='$$WEBMEDIAFILENAME$$'/></p><p>$$WEBMEDIANOTES$$</p>"
        foot = "</body>\n</html>"
    # Point the main image at the animal_image service method; the hosted
    # (smcom) variant also needs the account in the URL
    if smcom.active():
        row.WEBSITEMEDIANAME = "%s?account=%s&method=animal_image&animalid=%d" % (
            SERVICE_URL, dbo.database, animalid)
    else:
        row.WEBSITEMEDIANAME = "%s?method=animal_image&animalid=%d" % (
            SERVICE_URL, animalid)
    page = head + body + foot
    tags = wordprocessor.append_tags(
        wordprocessor.animal_tags_publisher(dbo, row),
        wordprocessor.org_tags(dbo, "system"))
    # Add extra tags for websitemedianame2-10 if they exist
    for seq in range(2, 11):
        if row.WEBSITEIMAGECOUNT > seq - 1:
            tags["WEBMEDIAFILENAME%d" % seq] = "%s&seq=%d" % (row.WEBSITEMEDIANAME, seq)
    # Add extra publishing text, preserving the line endings
    notes = utils.nulltostr(row.WEBSITEMEDIANOTES)
    notes += configuration.third_party_publisher_sig(dbo)
    notes = notes.replace("\n", "**le**")
    tags["WEBMEDIANOTES"] = notes
    tags["WEBSITEMEDIANOTES"] = notes
    # NOTE(review): the notes end up inside HTML; whether substitute_tags'
    # third argument (True) HTML-escapes tag values is not visible here — confirm.
    page = wordprocessor.substitute_tags(page, tags, True, "$$", "$$")
    return page.replace("**le**", "<br />")
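def _hotlink_referer_allowed(referer):
    """
    True when referer may load images under IMAGE_HOTLINKING_ONLY_FROM_DOMAIN
    (a comma separated list of domains; an entry may carry a scheme).
    A missing referer or an empty setting never blocks; otherwise the
    referer's hostname must equal one of the domains or be a subdomain of it.
    A referer that is not an absolute URL has no hostname and is refused.
    """
    from urllib.parse import urlparse

    if referer == "" or IMAGE_HOTLINKING_ONLY_FROM_DOMAIN == "":
        return True
    # Match hostnames, not substrings: referer.find(domain) would also accept
    # "https://domain.evil.test/" and "https://evil.test/?u=domain".
    try:
        host = urlparse(referer).hostname or ""
    except ValueError:
        host = ""
    for entry in IMAGE_HOTLINKING_ONLY_FROM_DOMAIN.split(","):
        entry = entry.strip()
        if entry == "":
            continue
        domain = urlparse(entry if "://" in entry else "//" + entry).hostname or ""
        if domain != "" and (host == domain or host.endswith("." + domain)):
            return True
    return False


def _jsonp_callback_is_safe(callback):
    """
    True when callback is empty or looks like a plain JS identifier path
    (letters, digits, "_", "$" and "."), which is all a JSONP caller needs.
    Anything else is rejected so the callback cannot inject script into the
    application/javascript response.
    """
    return all(c.isalnum() or c in "_$." for c in callback)


def handler(data, remoteip, referer):
    """
    Handles the various service method types.
    data:     The GET/POST parameters
    remoteip: the caller's address, used for audit/error logging and
              recorded with online form submissions
    referer:  the request's Referer header ("" when absent); checked for
              animal_image when hotlink protection is configured
    return value is a tuple containing MIME type, max-age, content
    (a MIME type of "redirect" means content is the URL to redirect to).
    Raises utils.ASMPermissionError for a forbidden hotlink and
    utils.ASMError for an unknown method or a missing formid.
    """
    import hashlib

    # Database info
    dbo = db.DatabaseInfo()

    # Get service parameters
    account = utils.df_ks(data, "account")
    username = utils.df_ks(data, "username")
    password = utils.df_ks(data, "password")
    method = utils.df_ks(data, "method")
    animalid = utils.df_ki(data, "animalid")
    formid = utils.df_ki(data, "formid")
    title = utils.df_ks(data, "title")
    # The key carries the credentials so a cached authenticated response is
    # only handed back for the same username/password. The password goes in
    # hashed rather than in plaintext so it never lands in the cache store or
    # any log of its keys (the hash is still offline-crackable; keep the cache
    # private).
    password_key = hashlib.sha256(password.encode("utf-8")).hexdigest()
    cache_key = "a" + account + "u" + username + "p" + password_key + "m" + method + "a" + str(
        animalid) + "f" + str(formid) + "t" + title

    # cache keys aren't allowed spaces
    cache_key = cache_key.replace(" ", "")

    # Do we have a cached response for these parameters?
    # NOTE(review): the cache is consulted before the account and credential
    # checks below, so a password changed or disabled within the cache TTL
    # still serves the previously cached response.
    cached_response = get_cached_response(cache_key)
    if cached_response is not None:
        al.debug(
            "cache hit for %s/%s/%s/%s" % (account, method, animalid, title),
            "service.handler")
        return cached_response

    # Are we dealing with multiple databases, but no account was specified?
    if account == "" and MULTIPLE_DATABASES:
        # was "text/plan", which sent an invalid content type
        return ("text/plain", 0, "ERROR: No database/alias specified")

    # Are we dealing with multiple databases and an account was specified?
    if account != "" and MULTIPLE_DATABASES:
        if MULTIPLE_DATABASES_TYPE == "smcom":
            # Is this sheltermanager.com? If so, we need to get the
            # database connection info (dbo) before we can login.
            dbo = smcom.get_database_info(account)
        else:
            # Look up the database info from our map
            dbo = db.get_multiple_database_info(account)
        if dbo.database == "FAIL" or dbo.database == "DISABLED":
            al.error(
                "auth failed - invalid smaccount %s from %s" %
                (account, remoteip), "service.handler", dbo)
            return ("text/plain", 0, "ERROR: Invalid database")

    # Does the method require us to authenticate? If so, do it.
    if method in AUTH_METHODS:
        user = users.authenticate(dbo, username, password)
        if user is None:
            # Log the username only; the supplied password must never be
            # written to the log
            al.error(
                "auth failed - %s is not a valid username/password from %s"
                % (username, remoteip), "service.handler", dbo)
            return ("text/plain", 0, "ERROR: Invalid username and password")

    # Get the preferred locale for the site
    dbo.locale = configuration.locale(dbo)
    al.info("call %s->%s [%s %s]" % (username, method, str(animalid), title),
            "service.handler", dbo)

    if method == "animal_image":
        # If we have a hotlinking restriction, enforce it (by referer hostname,
        # honouring every comma separated entry, not a substring search)
        if not _hotlink_referer_allowed(referer):
            raise utils.ASMPermissionError("Image hotlinking is forbidden.")
        if animalid == "" or utils.cint(animalid) == 0:
            al.error(
                "animal_image failed, %s is not an animalid" % str(animalid),
                "service.handler", dbo)
            return ("text/plain", 0, "ERROR: Invalid animalid")
        seq = utils.df_ki(data, "seq")
        if seq == 0:
            seq = 1
        mm = media.get_media_by_seq(dbo, media.ANIMAL, utils.cint(animalid), seq)
        if len(mm) == 0:
            # No picture at this sequence: serve the placeholder image
            return ("image/jpeg", 86400,
                    dbfs.get_string(dbo, "nopic.jpg", "/reports"))
        return ("image/jpeg", 86400,
                dbfs.get_string(dbo, mm[0]["MEDIANAME"]))

    elif method == "extra_image":
        # NOTE(review): title is caller supplied and used directly as the dbfs
        # name under /reports — confirm dbfs.get_string cannot be steered
        # outside that location.
        return ("image/jpeg", 86400, dbfs.get_string(dbo, title, "/reports"))

    elif method == "json_adoptable_animals":
        pc = publish.PublishCriteria(configuration.publisher_presets(dbo))
        rs = publish.get_animal_data(dbo, pc, True)
        return set_cached_response(cache_key, "application/json", 3600,
                                   html.json(rs))

    elif method == "xml_adoptable_animals":
        pc = publish.PublishCriteria(configuration.publisher_presets(dbo))
        rs = publish.get_animal_data(dbo, pc, True)
        return set_cached_response(cache_key, "application/xml", 3600,
                                   html.xml(rs))

    elif method == "json_recent_adoptions":
        rs = movement.get_recent_adoptions(dbo)
        return set_cached_response(cache_key, "application/json", 3600,
                                   html.json(rs))

    elif method == "xml_recent_adoptions":
        rs = movement.get_recent_adoptions(dbo)
        return set_cached_response(cache_key, "application/xml", 3600,
                                   html.xml(rs))

    elif method == "html_report":
        # NOTE(review): the criteria params read from data are not part of
        # cache_key, so different criteria for the same report share one
        # cached result for up to an hour — confirm this is intended.
        crid = reports.get_id(dbo, title)
        p = reports.get_criteria_params(dbo, crid, data)
        rhtml = reports.execute(dbo, crid, username, p)
        return set_cached_response(cache_key, "text/html", 3600, rhtml)

    elif method == "jsonp_shelter_animals":
        callback = str(utils.df_ks(data, "callback"))
        # The callback is reflected verbatim into a script response, so limit
        # it to identifier characters to rule out callback injection
        if not _jsonp_callback_is_safe(callback):
            al.error("invalid jsonp callback '%s'" % callback, "service.handler", dbo)
            return ("text/plain", 0, "ERROR: Invalid callback")
        # The callback changes the response body, so it must be part of the
        # cache key (it is identifier-safe here, so no spaces can sneak in)
        cache_key = cache_key + "c" + callback
        sa = animal.get_animal_find_simple(dbo, "", "shelter")
        return set_cached_response(
            cache_key, "application/javascript", 3600,
            callback + "(" + html.json(sa) + ")")

    elif method == "json_shelter_animals":
        sa = animal.get_animal_find_simple(dbo, "", "shelter")
        return set_cached_response(cache_key, "application/json", 3600,
                                   html.json(sa))

    elif method == "xml_shelter_animals":
        sa = animal.get_animal_find_simple(dbo, "", "shelter")
        # was html.json, which served JSON under an XML content type
        return set_cached_response(cache_key, "application/xml", 3600,
                                   html.xml(sa))

    elif method == "upload_animal_image":
        media.attach_file_from_form(dbo, username, media.ANIMAL, int(animalid),
                                    data)
        return ("text/plain", 0, "OK")

    elif method == "online_form_html":
        if formid == 0:
            raise utils.ASMError(
                "method online_form_html requires a valid formid")
        return set_cached_response(cache_key, "text/html", 120,
                                   onlineform.get_onlineform_html(dbo, formid))

    elif method == "online_form_post":
        onlineform.insert_onlineformincoming_from_form(dbo, data, remoteip)
        redirect = utils.df_ks(data, "redirect")
        if redirect == "":
            redirect = BASE_URL + "/static/pages/form_submitted.html"
        # NOTE(review): redirect comes straight from the request, making this
        # an open redirect; presumably deliberate so forms embedded on other
        # sites can return there — confirm, or restrict it to an allow-list.
        return ("redirect", 0, redirect)

    else:
        al.error("invalid method '%s'" % method, "service.handler", dbo)
        raise utils.ASMError("Invalid method '%s'" % method)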