def getBill(self, key, *args, **kwargs): """ Returns the Bill for the given order. """ skel = self.viewSkel() if "canView" in dir(self): if not self.canView(key): raise errors.Unauthorized() else: queryObj = self.viewSkel().all().mergeExternalFilter({"key": key}) queryObj = self.listFilter(queryObj) # Access control if queryObj is None: raise errors.Unauthorized() bill = self.getBillPdf(key) if not bill: raise errors.NotFound() request.current.get( ).response.headers['Content-Type'] = "application/pdf" return (bill)
def view(self, *args, **kwargs): """ Prepares and renders the singleton entry for viewing. The function performs several access control checks on the requested entity before it is rendered. .. seealso:: :func:`viewSkel`, :func:`canView`, :func:`onViewed` :returns: The rendered representation of the entity. :raises: :exc:`server.errors.NotFound`, if there is no singleton entry existing, yet. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. """ skel = self.viewSkel() if not self.canView(): raise errors.Unauthorized() key = db.Key(self.editSkel().kindName, self.getKey()) if not skel.fromDB(key): raise errors.NotFound() self.onViewed(skel) return self.render.view(skel)
def setIndex(self, item, index, skey, *args, **kwargs): """ Changes the order of the elements in the current level by changing the index of *item*. .. seealso:: :func:`canSetIndex` :param item: URL-safe key of the item which index should be changed. :type item: str :param index: New index for this item. This value must be cast-able to float. :type index: str :returns: A rendered success result generated by the default renderer. :raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() if not self.canSetIndex(item, index): raise errors.Unauthorized() fromItem = db.Get(item) fromItem["sortindex"] = float(index) db.Put(fromItem) skel = self.editSkel() assert skel.fromDB(item) self.onItemSetIndex(skel) self.onItemChanged(skel) return self.render.setIndexSuccess(obj=fromItem)
def list(self, parent, *args, **kwargs): """ List the entries which are direct children of the given *parent*. Any other supplied parameters are interpreted as filters for the elements displayed. .. seealso:: :func:`canList`, :func:`server.db.mergeExternalFilter` :param parent: URL-safe key of the parent. :type parent: str :returns: The rendered list objects for the matching entries. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.NotFound`, if *parent* could not be found. """ if not parent or not self.canList(parent): raise errors.Unauthorized() parentSkel = self.viewSkel() if not parentSkel.fromDB(parent): if not str(parent) in [ str(x["key"]) for x in self.getAvailableRootNodes() ]: # It isn't a rootNode either raise errors.NotFound() else: parentSkel = None query = self.viewSkel().all() query.mergeExternalFilter(kwargs) query.filter("parententry", parent) return self.render.list(query.fetch(), parent=parent, parentSkel=parentSkel)
def view(self, skelType, key, *args, **kwargs): """ Prepares and renders a single entry for viewing. The entry is fetched by its *key* and its *skelType*. The function performs several access control checks on the requested entity before it is rendered. .. seealso:: :func:`canView`, :func:`onView` :returns: The rendered representation of the requested entity. :param skelType: May either be "node" or "leaf". :type skelType: str :param node: URL-safe key of the parent. :type node: str :raises: :exc:`server.errors.NotAcceptable`, when an incorrect *skelType* is provided. :raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. """ if not self._checkSkelType(skelType): raise errors.NotAcceptable() skel = self.viewSkel(skelType) if not key: raise errors.NotAcceptable() # We return a single entry for viewing if not skel.fromDB(key): raise errors.NotFound() if not self.canView(skelType, skel): raise errors.Unauthorized() self.onView(skel) return self.render.view(skel)
def list(self, skelType, *args, **kwargs): """ Prepares and renders a list of entries. All supplied parameters are interpreted as filters for the elements displayed. Unlike other ViUR BasicApplications, the access control in this function is performed by calling the function :func:`listFilter`, which updates the query-filter to match only elements which the user is allowed to see. .. seealso:: :func:`listFilter`, :func:`server.db.mergeExternalFilter` :returns: The rendered list objects for the matching entries. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. """ if not self._checkSkelType(skelType): raise errors.NotAcceptable() skel = self.viewSkel(skelType) query = self.listFilter( skel.all().mergeExternalFilter(kwargs)) # Access control if query is None: raise errors.Unauthorized() res = query.fetch() return self.render.list(res)
def logout(self, skey="", *args, **kwargs): """ Implements the logout action. It also terminates the current session (all keys not listed in viur.session.persistentFieldsOnLogout will be lost). """ user = session.current.get("user") if not user: raise errors.Unauthorized() if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() self.onLogout(user) oldSession = {k: v for k, v in session.current.items() } # Store all items in the current session session.current.reset() # Copy the persistent fields over for k in conf["viur.session.persistentFieldsOnLogout"]: if k in oldSession: session.current[k] = oldSession[k] del oldSession return self.render.logoutSuccess()
def delete(self, key, skey, *args, **kwargs): """ Delete an entry. The function runs several access control checks on the data before it is deleted. .. seealso:: :func:`canDelete`, :func:`editSkel`, :func:`onDeleted` :returns: The rendered, deleted object of the entry. :raises: :exc:`viur.core.errors.NotFound`, when no entry with the given *key* was found. :raises: :exc:`viur.core.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`viur.core.errors.PreconditionFailed`, if the *skey* could not be verified. """ skel = self.editSkel() if not skel.fromDB(key): raise errors.NotFound() if not self.canDelete(skel): raise errors.Unauthorized() if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() self.onDelete(skel) skel.delete() self.onDeleted(skel) return self.render.deleteSuccess(skel)
def add(self, skelType, node, *args, **kwargs): """ Add a new entry with the given parent *node*, and render the entry, eventually with error notes on incorrect data. Data is taken by any other arguments in *kwargs*. The function performs several access control checks on the requested entity before it is added. .. seealso:: :func:`onItemAdded`, :func:`canAdd` :param skelType: Defines the type of the new entry and may either be "node" or "leaf". :type skelType: str :param node: URL-safe key of the parent. :type node: str :returns: The rendered, added object of the entry, eventually with error hints. :raises: :exc:`server.errors.NotAcceptable`, when no valid *skelType* was provided. :raises: :exc:`server.errors.NotFound`, when no valid *node* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if skelType == "node": skel = self.viewSkel(TreeType.Node) elif skelType == "leaf" and self.hasDistinctLeafs: skel = self.viewSkel(TreeType.Leaf) else: raise errors.NotAcceptable() # FIXME: IsValidParent? #parentNodeSkel = self.editNodeSkel() #if not parentNodeSkel.fromDB(node): # raise errors.NotFound() if not self.canAdd(skelType, node): raise errors.Unauthorized() if (len(kwargs) == 0 # no data supplied or skey == "" # no security key # or not request.current.get().isPostRequest fixme: POST-method check missing? # failure if not using POST-method or not skel.fromClient(kwargs) # failure on reading into the bones or ("bounce" in kwargs and kwargs["bounce"] == "1") # review before adding ): return self.render.add(skel) if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() skel["parentdir"] = str(node) skel["parentrepo"] = parentNodeSkel["parentrepo"] or str(node) skel.toDB() self.onItemAdded(skel) return self.render.addItemSuccess(skel)
def reparent(self, item, dest, skey, *args, **kwargs): """ Moves an entry *item* (and everything beneath it) to another parent-node *dest*. .. seealso:: :func:`canReparent` :param item: URL-safe key of the item which will be moved. :type item: str :param dest: URL-safe key of the new parent for this item. :type dest: str :returns: A rendered success result generated by the default renderer. :raises: :exc:`server.errors.NotFound`, when no entry with the given *id* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() if not self.canReparent(item, dest): raise errors.Unauthorized() if not self.isValidParent(dest) or item == dest: raise errors.NotAcceptable() ## Test for recursion isValid = False currLevel = db.Get(dest) for x in range(0, 99): if str(currLevel.key()) == item: break if currLevel.key().kind( ) == self.viewSkel().kindName + "_rootNode": # We reached a rootNode isValid = True break currLevel = db.Get(currLevel["parententry"]) if not isValid: raise errors.NotAcceptable() ## Update entry fromItem = db.Get(item) fromItem["parententry"] = dest fromItem["parentrepo"] = str(self.getRootNode(dest).key()) db.Put(fromItem) skel = self.editSkel() assert skel.fromDB(item) self.onItemReparent(skel) self.onItemChanged(skel) return self.render.reparentSuccess(obj=fromItem)
def edit(self, *args, **kwargs): """ Modify an existing entry, and render the entry, eventually with error notes on incorrect data. Data is taken by any other arguments in *kwargs*. The entry is fetched by its entity key, which either is provided via *kwargs["key"]*, or as the first parameter in *args*. The function performs several access control checks on the requested entity before it is modified. .. seealso:: :func:`editSkel`, :func:`onItemEdited`, :func:`canEdit` :returns: The rendered, edited object of the entry, eventually with error hints. :raises: :exc:`server.errors.NotAcceptable`, when no *key* is provided. :raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if len(args) == 1: key = args[0] elif "key" in kwargs: key = kwargs["key"] else: raise errors.NotAcceptable() skel = self.editSkel() if not skel.fromDB(key): raise errors.NotAcceptable() if not self.canEdit(skel): raise errors.Unauthorized() if (len(kwargs) == 0 # no data supplied or skey == "" # no security key or not request.current.get(). isPostRequest # failure if not using POST-method or not skel.fromClient( kwargs) # failure on reading into the bones or ("bounce" in kwargs and kwargs["bounce"] == "1" ) # review before changing ): return self.render.edit(skel) if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() skel.toDB() # write it! self.onItemEdited(skel) self.onItemChanged(skel) return self.render.editItemSuccess(skel)
def structure(self, *args, **kwargs): """ :returns: Returns the structure of our skeleton as used in list/view. Values are the defaultValues set in each bone. :raises: :exc:`viur.core.errors.Unauthorized`, if the current user does not have the required permissions. """ skel = self.viewSkel() if not self.canView(): raise errors.Unauthorized() return self.render.view(skel)
def view(self, key, *args, **kwargs): """ Allow a special key "self" to reference always the current user """ if key == "self": user = self.getCurrentUser() if user: return super(User, self).view(str(user["key"].id_or_name), *args, **kwargs) else: raise errors.Unauthorized() return super(User, self).view(key, *args, **kwargs)
def view(self, skelType, key, *args, **kwargs): """ Prepares and renders a single entry for viewing. The entry is fetched by its *key* and its *skelType*. The function performs several access control checks on the requested entity before it is rendered. .. seealso:: :func:`canView`, :func:`onItemViewed` :returns: The rendered representation of the requested entity. :param skelType: May either be "node" or "leaf". :type skelType: str :param node: URL-safe key of the parent. :type node: str :raises: :exc:`server.errors.NotAcceptable`, when an incorrect *skelType* is provided. :raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. """ if skelType == "node": skel = self.viewSkel(TreeType.Node) elif skelType == "leaf" and self.hasDistinctLeafs: skel = self.viewSkel(TreeType.Leaf) else: raise errors.NotAcceptable() if not key: raise errors.NotAcceptable() if key == u"structure": # We dump just the structure of that skeleton, including it's default values if not self.canView(skelType, None): raise errors.Unauthorized() else: # We return a single entry for viewing if not skel.fromDB(key): raise errors.NotFound() if not self.canView(skelType, skel): raise errors.Unauthorized() self.onItemViewed(skel) return self.render.view(skel)
def add(self, skelType, node, *args, **kwargs): """ Add a new entry with the given parent *node*, and render the entry, eventually with error notes on incorrect data. Data is taken by any other arguments in *kwargs*. The function performs several access control checks on the requested entity before it is added. .. seealso:: :func:`canAdd`, :func:`onAdd`, , :func:`onAdded` :param skelType: Defines the type of the new entry and may either be "node" or "leaf". :type skelType: str :param node: URL-safe key of the parent. :type node: str :returns: The rendered, added object of the entry, eventually with error hints. :raises: :exc:`server.errors.NotAcceptable`, when no valid *skelType* was provided. :raises: :exc:`server.errors.NotFound`, when no valid *node* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if not self._checkSkelType(skelType): raise errors.NotAcceptable() skel = self.addSkel(skelType) parentNodeSkel = self.editSkel("node") if not parentNodeSkel.fromDB(node): raise errors.NotFound() if not self.canAdd(skelType, parentNodeSkel): raise errors.Unauthorized() if (len(kwargs) == 0 # no data supplied or skey == "" # no security key or not skel.fromClient( kwargs) # failure on reading into the bones or not currentRequest.get().isPostRequest or ("bounce" in kwargs and kwargs["bounce"] == "1" ) # review before adding ): return self.render.add(skel) if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() skel["parententry"] = parentNodeSkel["key"] # parentrepo may not exist of parentNodeSkel as it may be an rootNode skel["parentrepo"] = parentNodeSkel["parentrepo"] or parentNodeSkel[ "key"] self.onAdd(skel) skel.toDB() self.onAdded(skel) return self.render.addSuccess(skel)
def clone(self, fromRepo, toRepo, fromParent=None, toParent=None, *args, **kwargs): """ Clones a hierarchy recursively. This function only initiates the cloning process, which is performed in the background. It states only a successful result when the clone action has been correctly initiated. :param fromRepo: URL-safe key of the key to the repository (=root-node Key) to clone from. :type fromRepo: str :param toRepo: URL-safe key of the key to the repository (=root-node Key) to clone to. :type toRepo: str :param fromParent: URL-safe key of the parent to clone from; for root nodes, this is equal \ to fromRepo, and can be omitted. :type fromParent: str :param toParent: URL-safe key of the parent to clone to; for root nodes, this is equal to \ toRepo, and can be omitted. :type toParent: str :returns: A rendered success result generated by the default renderer. :raises: :exc:`server.errors.NotAcceptable`, when no valid *parent* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if fromParent is None: fromParent = fromRepo if toParent is None: toParent = toRepo if not (self.isValidParent(fromParent) and self.isValidParent(toParent)): # Ensure the parents exists raise errors.NotAcceptable() if not self.canAdd(toParent): raise errors.Unauthorized() if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() self._clone(fromRepo, toRepo, fromParent, toParent) return self.render.cloneSuccess()
def structure(self, *args, **kwargs): """ :returns: Returns the structure of our skeleton as used in list/view. Values are the defaultValues set in each bone. :raises: :exc:`viur.core.errors.Unauthorized`, if the current user does not have the required permissions. """ skel = self.viewSkel() if not self.canAdd(): # We can't use canView here as it would require passing a skeletonInstance. # As a fallback, we'll check if the user has the permissions to view at least one entry qry = self.listFilter(skel.all()) if not qry or not qry.getEntry(): raise errors.Unauthorized() return self.render.view(skel)
def edit(self, skelType, key, *args, **kwargs): """ Modify an existing entry, and render the entry, eventually with error notes on incorrect data. Data is taken by any other arguments in *kwargs*. The function performs several access control checks on the requested entity before it is added. .. seealso:: :func:`onAdded`, :func:`canEdit` :param skelType: Defines the type of the entry that should be modified and may either be "node" or "leaf". :type skelType: str :param key: URL-safe key of the item to be edited. :type key: str :returns: The rendered, modified object of the entry, eventually with error hints. :raises: :exc:`server.errors.NotAcceptable`, when no valid *skelType* was provided. :raises: :exc:`server.errors.NotFound`, when no valid *node* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if skelType == "node": skelType = TreeType.Node elif skelType == "leaf" and self.leafSkelCls: skelType = TreeType.Leaf else: raise errors.NotAcceptable() skel = self.addSkel(skelType) if not skel.fromDB(key): raise errors.NotFound() if not self.canEdit(skelType, skel): raise errors.Unauthorized() if (len(kwargs) == 0 # no data supplied or skey == "" # no security key or not skel.fromClient( kwargs) # failure on reading into the bones or not currentRequest.get().isPostRequest or ("bounce" in kwargs and kwargs["bounce"] == "1" ) # review before adding ): return self.render.edit(skel) if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() skel.toDB() self.onEdited(skel) return self.render.editSuccess(skel)
def view(self, *args, **kwargs): """ Prepares and renders a single entry for viewing. The entry is fetched by its entity key, which either is provided via *kwargs["key"]*, or as the first parameter in *args*. The function performs several access control checks on the requested entity before it is rendered. .. seealso:: :func:`viewSkel`, :func:`canView`, :func:`onItemViewed` :returns: The rendered representation of the requested entity. :raises: :exc:`server.errors.NotAcceptable`, when no *key* is provided. :raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. """ if "key" in kwargs: key = kwargs["key"] elif len(args) >= 1: key = args[0] else: raise errors.NotAcceptable() if not len(key): raise errors.NotAcceptable() skel = self.viewSkel() if key == u"structure": # We dump just the structure of that skeleton, including it's default values if not self.canView(None): raise errors.Unauthorized() else: # We return a single entry for viewing if not skel.fromDB(key): raise errors.NotFound() if not self.canView(skel): raise errors.Unauthorized() self.onItemViewed(skel) return self.render.view(skel)
def markCanceled(self, key, skey, *args, **kwargs): """ Exposed function for marking an order as cancelled. :param key: The key of the order to be marked. :type key: str """ if not self.canEdit(key): raise errors.Unauthorized() if not securitykey.validate(skey): raise errors.PreconditionFailed() self.setCanceled(key) return "OKAY"
def edit(self, *args, **kwargs): """ Modify the existing entry, and render the entry, eventually with error notes on incorrect data. The entry is fetched by its entity key, which either is provided via *kwargs["key"]*, or as the first parameter in *args*. The function performs several access control checks on the singleton's entity before it is modified. .. seealso:: :func:`editSkel`, :func:`onItemEdited`, :func:`canEdit` :returns: The rendered, edited object of the entry, eventually with error hints. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" skel = self.editSkel() if not self.canEdit(): raise errors.Unauthorized() key = db.Key.from_path(self.editSkel().kindName, self.getKey()) if not skel.fromDB( str(key)): # Its not there yet; we need to set the key again skel["key"] = str(key) if (len(kwargs) == 0 # no data supplied or skey == "" # no skey provided or not skel.fromClient( kwargs) # failure on reading into the bones or ("bounce" in kwargs and kwargs["bounce"] == "1")): # review before changing return self.render.edit(skel) if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() skel.toDB() self.onItemEdited(skel) return self.render.editItemSuccess(skel)
def add(self, parent, *args, **kwargs): """ Add a new entry with the given parent, and render the entry, eventually with error notes on incorrect data. Data is taken by any other arguments in *kwargs*. The function performs several access control checks on the requested entity before it is added. .. seealso:: :func:`addSkel`, :func:`onItemAdded`, :func:`canAdd` :param parent: URL-safe key of the parent. :type parent: str :returns: The rendered, added object of the entry, eventually with error hints. :raises: :exc:`server.errors.NotAcceptable`, when no valid *parent* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if not self.isValidParent(parent): # Ensure the parent exists raise errors.NotAcceptable() if not self.canAdd(parent): raise errors.Unauthorized() skel = self.addSkel() if (len(kwargs) == 0 or skey == "" or not request.current.get().isPostRequest or not skel.fromClient(kwargs) or ("bounce" in kwargs and kwargs["bounce"] == "1")): return self.render.add(skel) if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() skel["parententry"] = str(parent) skel["parentrepo"] = str(self.getRootNode(parent).key()) key = skel.toDB() self.onItemAdded(skel) self.onItemChanged(skel) return self.render.addItemSuccess(skel)
def delete(self, skelType, key, *args, **kwargs): """ Deletes an entry or an directory (including its contents). The function runs several access control checks on the data before it is deleted. .. seealso:: :func:`canDelete`, :func:`onItemDeleted` :param skelType: Defines the type of the entry that should be deleted and may either be "node" or "leaf". :type skelType: str :param key: URL-safe key of the item to be deleted. :type key: str :returns: The rendered, deleted object of the entry. :raises: :exc:`server.errors.NotFound`, when no entry with the given *key* was found. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if skelType == "node": skel = self.viewSkel(TreeType.Node) elif skelType == "leaf" and self.hasDistinctLeafs: skel = self.viewSkel(TreeType.Leaf) else: raise errors.NotAcceptable() if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if not skel.fromDB(key): raise errors.NotFound() if not self.canDelete(skelType, skel): raise errors.Unauthorized() if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() if skelType == "node": self.deleteRecursive(key) skel.delete() self.onItemDeleted(skel) return self.render.deleteSuccess(skel, skelType=skelType)
def add(self, *args, **kwargs): """ Allows guests to register a new account if self.registrationEnabled is set to true .. seealso:: :func:`addSkel`, :func:`onAdded`, :func:`canAdd` :returns: The rendered, added object of the entry, eventually with error hints. :raises: :exc:`server.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`server.errors.PreconditionFailed`, if the *skey* could not be verified. """ if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if not self.canAdd(): raise errors.Unauthorized() skel = self.addSkel() if (len(kwargs) == 0 # no data supplied or skey == "" # no skey supplied or not currentRequest.get(). isPostRequest # bail out if not using POST-method or not skel.fromClient( kwargs) # failure on reading into the bones or ("bounce" in kwargs and kwargs["bounce"] == "1")): # review before adding # render the skeleton in the version it could as far as it could be read. return self.userModule.render.add(skel) if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() skel.toDB() if self.registrationEmailVerificationRequired and str( skel["status"]) == "1": # The user will have to verify his email-address. Create an skey and send it to his address skey = securitykey.create(duration=60 * 60 * 24 * 7, userKey=utils.normalizeKey(skel["key"]), name=skel["name"]) skel.skey = baseBone(descr="Skey") skel["skey"] = skey email.sendEMail(dests=[skel["name"]], tpl=self.userModule.verifyEmailAddressMail, skel=skel) self.userModule.onAdded(skel) # Call onAdded on our parent user module return self.userModule.render.addSuccess(skel)
def preview(self, skey, *args, **kwargs): """ Renders data for the entry, without reading it from the database. This function allows to preview the entry without writing it to the database. Any entity values are provided via *kwargs*. The function uses the viewTemplate of the application. :returns: The rendered representation of the supplied data. """ if not self.canPreview(): raise errors.Unauthorized() if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() skel = self.viewSkel() skel.fromClient(kwargs) return self.render.view(skel)
def add(self, *args, **kwargs): """ Add a new entry, and render the entry, eventually with error notes on incorrect data. Data is taken by any other arguments in *kwargs*. The function performs several access control checks on the requested entity before it is added. .. seealso:: :func:`addSkel`, :func:`onAdd`, :func:`onAdded`, :func:`canAdd` :returns: The rendered, added object of the entry, eventually with error hints. :raises: :exc:`viur.core.errors.Unauthorized`, if the current user does not have the required permissions. :raises: :exc:`viur.core.errors.PreconditionFailed`, if the *skey* could not be verified. """ if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if not self.canAdd(): raise errors.Unauthorized() skel = self.addSkel() if (len(kwargs) == 0 # no data supplied or skey == "" # no skey supplied or not currentRequest.get(). isPostRequest # failure if not using POST-method or not skel.fromClient( kwargs) # failure on reading into the bones or ("bounce" in kwargs and kwargs["bounce"] == "1" ) # review before adding ): # render the skeleton in the version it could as far as it could be read. return self.render.add(skel) if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() self.onAdd(skel) skel.toDB() self.onAdded(skel) return self.render.addSuccess(skel)
def execute(self, taskID, *args, **kwargs): """Queues a specific task for the next maintenance run""" global _callableTasks from viur.core import securitykey if taskID in _callableTasks: task = _callableTasks[taskID]() else: return if not task.canCall(): raise errors.Unauthorized() skel = task.dataSkel() if "skey" in kwargs: skey = kwargs["skey"] else: skey = "" if len(kwargs) == 0 or skey == "" or not skel.fromClient(kwargs) or ( "bounce" in kwargs and kwargs["bounce"] == "1"): return self.render.add(skel) if not securitykey.validate(skey, useSessionKey=True): raise errors.PreconditionFailed() task.execute(**skel.accessedValues) return self.render.addSuccess(skel)
def findAndCall(self, path: str, *args, **kwargs): """ Does the actual work of sanitizing the parameter, determine which @exposed (or @internalExposed) function to call (and with witch parameters) """ # Prevent Hash-collision attacks kwargs = {} stopCount = conf["viur.maxPostParamsCount"] try: for key, value in self.request.params.iteritems(): key = unicodedata.normalize("NFC", key) value = unicodedata.normalize("NFC", value) if key.startswith( "_" ): # Ignore keys starting with _ (like VI's _unused_time_stamp) continue if key in kwargs: if isinstance(kwargs[key], list): kwargs[key].append(value) else: # Convert that key to a list kwargs[key] = [kwargs[key], value] else: kwargs[key] = value stopCount -= 1 if not stopCount: # We reached zero; maximum PostParamsCount exceeded raise errors.NotAcceptable() except UnicodeError: # We received invalid unicode data (usually happens when someone tries to exploit unicode normalisation bugs) raise errors.BadRequest() if "self" in kwargs or "return" in kwargs: # self or return is reserved for bound methods raise errors.BadRequest() # Parse the URL path = parse.urlparse(path).path self.pathlist = [ unicodedata.normalize("NFC", parse.unquote(x)) for x in path.strip("/").split("/") ] caller = conf["viur.mainResolver"] idx = 0 # Count how may items from *args we'd have consumed (so the rest can go into *args of the called func for currpath in self.pathlist: if "canAccess" in caller and not caller["canAccess"](): # We have a canAccess function guarding that object, # and it returns False... raise (errors.Unauthorized()) idx += 1 currpath = currpath.replace("-", "_").replace(".", "_") if currpath in caller: caller = caller[currpath] if (("exposed" in dir(caller) and caller.exposed) or ("internalExposed" in dir(caller) and caller.internalExposed and self.internalRequest)) and hasattr( caller, '__call__'): args = self.pathlist[idx:] + [ x for x in args ] # Prepend the rest of Path to args break elif "index" in caller: caller = caller["index"] if (("exposed" in dir(caller) and caller.exposed) or ("internalExposed" in dir(caller) and caller.internalExposed and self.internalRequest)) and hasattr( caller, '__call__'): args = self.pathlist[idx - 1:] + [x for x in args] break else: raise (errors.NotFound( "The path %s could not be found" % "/".join([("".join([ y for y in x if y.lower() in "0123456789abcdefghijklmnopqrstuvwxyz" ])) for x in self.pathlist[:idx]]))) else: raise (errors.NotFound( "The path %s could not be found" % "/".join([("".join([ y for y in x if y.lower() in "0123456789abcdefghijklmnopqrstuvwxyz" ])) for x in self.pathlist[:idx]]))) if (not callable(caller) or ((not "exposed" in dir(caller) or not caller.exposed)) and (not "internalExposed" in dir(caller) or not caller.internalExposed or not self.internalRequest)): if "index" in caller \ and (callable(caller["index"]) \ and ("exposed" in dir(caller["index"]) and caller["index"].exposed) \ or ("internalExposed" in dir( caller["index"]) and caller["index"].internalExposed and self.internalRequest)): caller = caller["index"] else: raise (errors.MethodNotAllowed()) # Check for forceSSL flag if not self.internalRequest \ and "forceSSL" in dir(caller) \ and caller.forceSSL \ and not self.request.host_url.lower().startswith("https://") \ and not self.isDevServer: raise (errors.PreconditionFailed( "You must use SSL to access this ressource!")) # Check for forcePost flag if "forcePost" in dir( caller) and caller.forcePost and not self.isPostRequest: raise (errors.MethodNotAllowed( "You must use POST to access this ressource!")) self.args = args self.kwargs = kwargs # Check if this request should bypass the caches if self.request.headers.get("X-Viur-Disable-Cache"): from viur.core import utils # No cache requested, check if the current user is allowed to do so user = utils.getCurrentUser() if user and "root" in user["access"]: logging.debug( "Caching disabled by X-Viur-Disable-Cache header") self.disableCache = True try: annotations = typing.get_type_hints(caller) if annotations and not self.internalRequest: newKwargs = { } # The dict of new **kwargs we'll pass to the caller newArgs = [] # List of new *args we'll pass to the caller argsOrder = list( caller.__code__.co_varnames)[1:caller.__code__.co_argcount] # Map args in for idx in range(0, min(len(self.args), len(argsOrder))): paramKey = argsOrder[idx] if paramKey in annotations: # We have to enforce a type-annotation for this *args parameter _, newTypeValue = self.processTypeHint( annotations[paramKey], self.args[idx], True) newArgs.append(newTypeValue) else: newArgs.append(self.args[idx]) newArgs.extend(self.args[min(len(self.args), len(argsOrder)):]) # Last, we map the kwargs in for k, v in kwargs.items(): if k in annotations: newStrValue, newTypeValue = self.processTypeHint( annotations[k], v, False) self.kwargs[k] = newStrValue newKwargs[k] = newTypeValue else: newKwargs[k] = v else: newArgs = self.args newKwargs = self.kwargs if (conf["viur.debug.traceExternalCallRouting"] and not self.internalRequest ) or conf["viur.debug.traceInternalCallRouting"]: logging.debug("Calling %s with args=%s and kwargs=%s" % (str(caller), str(newArgs), str(newKwargs))) res = caller(*newArgs, **newKwargs) res = str(res).encode("UTF-8") if not isinstance(res, bytes) else res self.response.write(res) except TypeError as e: if self.internalRequest: # We provide that "service" only for requests originating from outside raise if "viur/core/request.py\", line 5" in traceback.format_exc( ).splitlines()[-3]: # Don't raise NotAcceptable for type-errors raised deep somewhere inside caller. # We check if the last line in traceback originates from viur/core/request.py and a line starting with # 5 and only raise NotAcceptable then. Otherwise a "normal" 500 Server error will be raised. # This is kinda hackish, however this is much faster than reevaluating the args and kwargs passed # to caller as we did in ViUR2. raise errors.NotAcceptable() raise
def findAndCall(self, path, *args, **kwargs): # Do the actual work: process the request # Prevent Hash-collision attacks kwargs = {} stopCount = conf["viur.maxPostParamsCount"] for key, value in self.request.params.iteritems(): if key in kwargs: if isinstance(kwargs[key], list): kwargs[key].append(value) else: kwargs[key] = [kwargs[key], value] else: kwargs[key] = value stopCount -= 1 if not stopCount: # We reached zero; maximum PostParamsCount exceeded raise errors.NotAcceptable() if "self" in kwargs: # self is reserved for bound methods raise errors.BadRequest() # Parse the URL path = parse.urlparse(path).path self.pathlist = [parse.unquote(x) for x in path.strip("/").split("/")] caller = conf["viur.mainResolver"] idx = 0 # Count how may items from *args we'd have consumed (so the rest can go into *args of the called func for currpath in self.pathlist: if "canAccess" in caller and not caller["canAccess"](): # We have a canAccess function guarding that object, # and it returns False... raise (errors.Unauthorized()) idx += 1 currpath = currpath.replace("-", "_").replace(".", "_") if currpath in caller: caller = caller[currpath] if (("exposed" in dir(caller) and caller.exposed) or ("internalExposed" in dir(caller) and caller.internalExposed and self.internalRequest)) and hasattr( caller, '__call__'): args = self.pathlist[idx:] + [ x for x in args ] # Prepend the rest of Path to args break elif "index" in caller: caller = caller["index"] if (("exposed" in dir(caller) and caller.exposed) or ("internalExposed" in dir(caller) and caller.internalExposed and self.internalRequest)) and hasattr( caller, '__call__'): args = self.pathlist[idx - 1:] + [x for x in args] break else: raise (errors.NotFound( "The path %s could not be found" % "/".join([("".join([ y for y in x if y.lower() in "0123456789abcdefghijklmnopqrstuvwxyz" ])) for x in self.pathlist[:idx]]))) else: raise (errors.NotFound( "The path %s could not be found" % "/".join([("".join([ y for y in x if y.lower() in "0123456789abcdefghijklmnopqrstuvwxyz" ])) for x in self.pathlist[:idx]]))) if (not callable(caller) or ((not "exposed" in dir(caller) or not caller.exposed)) and (not "internalExposed" in dir(caller) or not caller.internalExposed or not self.internalRequest)): if "index" in caller \ and (callable(caller["index"]) \ and ("exposed" in dir(caller["index"]) and caller["index"].exposed) \ or ("internalExposed" in dir( caller["index"]) and caller["index"].internalExposed and self.internalRequest)): caller = caller["index"] else: raise (errors.MethodNotAllowed()) # Check for forceSSL flag if not self.internalRequest \ and "forceSSL" in dir(caller) \ and caller.forceSSL \ and not self.request.host_url.lower().startswith("https://") \ and not self.isDevServer: raise (errors.PreconditionFailed( "You must use SSL to access this ressource!")) # Check for forcePost flag if "forcePost" in dir( caller) and caller.forcePost and not self.isPostRequest: raise (errors.MethodNotAllowed( "You must use POST to access this ressource!")) self.args = [] for arg in args: if isinstance(arg, str): self.args.append(arg) else: try: self.args.append(arg.decode("UTF-8")) except: pass self.kwargs = kwargs # Check if this request should bypass the caches if self.request.headers.get("X-Viur-Disable-Cache"): from viur.core import utils # No cache requested, check if the current user is allowed to do so user = utils.getCurrentUser() if user and "root" in user["access"]: logging.debug( "Caching disabled by X-Viur-Disable-Cache header") self.disableCache = True try: if (conf["viur.debug.traceExternalCallRouting"] and not self.internalRequest ) or conf["viur.debug.traceInternalCallRouting"]: logging.debug("Calling %s with args=%s and kwargs=%s" % (str(caller), str(args), str(kwargs))) res = caller(*self.args, **self.kwargs) res = str(res).encode("UTF-8") if not isinstance(res, bytes) else res self.response.write(res) except TypeError as e: if self.internalRequest: # We provide that "service" only for requests originating from outside raise # Check if the function got too few arguments and raise a NotAcceptable error tmpRes = {} argsOrder = list( caller.__code__.co_varnames)[1:caller.__code__.co_argcount] # Map default values in reversedArgsOrder = argsOrder[::-1] for defaultValue in list(caller.__defaults__ or [])[::-1]: tmpRes[reversedArgsOrder.pop(0)] = defaultValue del reversedArgsOrder # Map args in setArgs = [] # Store a list of args already set by *args for idx in range(0, min(len(args), len(argsOrder))): setArgs.append(argsOrder[idx]) tmpRes[argsOrder[idx]] = args[idx] # Last, we map the kwargs in for k, v in kwargs.items(): if k in setArgs: # This key has already been set by *args raise ( errors.NotAcceptable() ) # We reraise that exception as we got duplicate arguments tmpRes[k] = v # Last check, that every parameter is satisfied: if not all([x in tmpRes.keys() for x in argsOrder]): raise (errors.NotAcceptable()) raise
def checkout(self, step=None, key=None, skey=None, *args, **kwargs): """ Performs the checkout process trough the state machine provided by self.steps. :param step: The current step index, None for beginning a new checkout :param key: Key of the current checkout :param skey: Server security key :return: Returns the rendered template or throws redirection exceptions. """ myKindName = self.viewSkel().kindName if step is None: logging.info("Starting new checkout process") billObj = db.Entity(myKindName) billObj["idx"] = "0000000" for state in self.states: billObj["state_%s" % state] = "0" db.Put(billObj) key = str(billObj.key()) # Copy the Cart if "amountSkel" in dir(self): cart = session.current.get("cart_products") or {} s = self.amountSkel() products = [] for prod, atts in cart.items(): for i in range(0, atts["amount"]): products.append(str(prod)) s.fromClient({"product": products}) s.toDB() session.current["order_" + myKindName] = { "key": str(key), "completedSteps": [] } session.current.markChanged() raise errors.Redirect("?step=0&key=%s" % str(key)) elif key: try: orderKey = db.Key(key) step = int(step) assert (step >= 0) assert (step < len(self.steps)) except: raise errors.NotAcceptable() sessionInfo = session.current.get("order_" + myKindName) if not sessionInfo or not sessionInfo.get("key") == str(orderKey): raise errors.Unauthorized() if step in sessionInfo["completedSteps"]: session.current["order_" + myKindName]["completedSteps"] = [ x for x in sessionInfo["completedSteps"] if x < step ] session.current.markChanged() # Make sure that no steps can be skipped if step != 0 and not step - 1 in sessionInfo["completedSteps"]: raise errors.Redirect("?step=0&key=%s" % str(str(orderKey))) currentStep = self.steps[step] if "preHandler" in currentStep.keys(): try: if isinstance(currentStep["preHandler"], list): for handler in currentStep["preHandler"]: handler(self, step, str(orderKey), *args, **kwargs) else: currentStep["preHandler"](self, step, str(orderKey), refkwargs=kwargs, *args, **kwargs) except SkipStepException: session.current["order_" + myKindName]["completedSteps"].append(step) session.current.markChanged() raise errors.Redirect("?step=%s&key=%s" % (str(step + 1), str(orderKey))) except ReturnHtmlException as e: return (e.html) if "requiresSecurityKey" in currentStep and currentStep[ "requiresSecurityKey"]: if not securitykey.validate(skey): raise errors.PreconditionFailed() pass if "mainHandler" in currentStep: if currentStep["mainHandler"]["action"] == "edit": skel = self.getSkelByName( currentStep["mainHandler"]["skeleton"], str(orderKey)) skel.fromDB(str(orderKey)) if not len(kwargs.keys()) or not skel.fromClient(kwargs): return (self.render.edit( skel, tpl=currentStep["mainHandler"]["template"], step=step)) skel.toDB() if currentStep["mainHandler"]["action"] == "view": if not "complete" in kwargs or not kwargs[ "complete"] == u"1": skel = self.getSkelByName( currentStep["mainHandler"]["skeleton"], str(orderKey)) skel.fromDB(str(orderKey)) return (self.render.view( skel, tpl=currentStep["mainHandler"]["template"], step=step)) elif currentStep["mainHandler"]["action"] == "function": res = currentStep["mainHandler"]["function"](self, step, str(orderKey), *args, **kwargs) if res: return res if "postHandler" in currentStep: currentStep["postHandler"](self, step, str(orderKey), *args, **kwargs) session.current["order_" + myKindName]["completedSteps"].append(step) session.current.markChanged() logging.info("next ?step=%s&key=%s" % (str(step + 1), str(orderKey))) raise errors.Redirect("?step=%s&key=%s" % (str(step + 1), str(orderKey)))