def serve(self, id, download=False, **kwargs): """Serve a :class:`~mediacore.model.media.MediaFile` binary. :param id: File ID :type id: ``int`` :param bool download: If true, serve with an Content-Disposition that makes the file download to the users computer instead of playing in the browser. :raises webob.exc.HTTPNotFound: If no file exists with this ID. :raises webob.exc.HTTPNotAcceptable: If an Accept header field is present, and if the mimetype of the requested file doesn't match, then a 406 (not acceptable) response is returned. """ file = fetch_row(MediaFile, id=id) request.perm.assert_permission(u'view', file.media.resource) file_type = file.mimetype.encode('utf-8') file_name = file.display_name.encode('utf-8') file_path = helpers.file_path(file) if file_path is None: log.warn('No path exists for requested media file: %r', file) raise HTTPNotFound() file_path = file_path.encode('utf-8') if not os.path.exists(file_path): log.warn('No such file or directory: %r', file_path) raise HTTPNotFound() # Ensure the request accepts files with this container accept = request.environ.get('HTTP_ACCEPT', '*/*') if not mimeparse.best_match([file_type], accept): raise HTTPNotAcceptable() # 406 method = config.get('file_serve_method', None) headers = [] # Serving files with this header breaks playback on iPhone if download: headers.append(('Content-Disposition', 'attachment; filename="%s"' % file_name)) if method == 'apache_xsendfile': # Requires mod_xsendfile for Apache 2.x # XXX: Don't send Content-Length or Etag headers, # Apache handles them for you. response.headers['X-Sendfile'] = file_path response.body = '' elif method == 'nginx_redirect': # Requires NGINX server configuration: # NGINX must have a location block configured that matches # the __mediacore_serve__ path below. It should also be # configured as an "internal" location to prevent people from # surfing directly to it. # For more information see: http://wiki.nginx.org/XSendfile redirect_filename = '/__mediacore_serve__/%s' % os.path.basename( file_path) response.headers['X-Accel-Redirect'] = redirect_filename else: app = FileApp(file_path, headers, content_type=file_type) return forward(app) response.headers['Content-Type'] = file_type for header, value in headers: response.headers[header] = value return None
def serve(self, id, download=False, **kwargs): """Serve a :class:`~mediacore.model.media.MediaFile` binary. :param id: File ID :type id: ``int`` :param bool download: If true, serve with an Content-Disposition that makes the file download to the users computer instead of playing in the browser. :raises webob.exc.HTTPNotFound: If no file exists with this ID. :raises webob.exc.HTTPNotAcceptable: If an Accept header field is present, and if the mimetype of the requested file doesn't match, then a 406 (not acceptable) response is returned. """ file = fetch_row(MediaFile, id=id) file_type = file.mimetype.encode('utf-8') file_name = file.display_name.encode('utf-8') file_path = helpers.file_path(file) if file_path is None: log.warn('No path exists for requested media file: %r', file) raise HTTPNotFound().exception file_path = file_path.encode('utf-8') if not os.path.exists(file_path): log.warn('No such file or directory: %r', file_path) raise HTTPNotFound().exception # Ensure the request accepts files with this container accept = request.environ.get('HTTP_ACCEPT', '*/*') if not mimeparse.best_match([file_type], accept): raise HTTPNotAcceptable().exception # 406 method = config.get('file_serve_method', None) headers = [] # Serving files with this header breaks playback on iPhone if download: headers.append(('Content-Disposition', 'attachment; filename="%s"' % file_name)) if method == 'apache_xsendfile': # Requires mod_xsendfile for Apache 2.x # XXX: Don't send Content-Length or Etag headers, # Apache handles them for you. response.headers['X-Sendfile'] = file_path response.body = '' elif method == 'nginx_redirect': raise NotImplementedError, 'This is only a placeholder' response.headers['X-Accel-Redirect'] = '../relative/path' else: app = FileApp(file_path, headers, content_type=file_type) return forward(app) response.headers['Content-Type'] = file_type for header, value in headers: response.headers[header] = value return None
def _handle_request(self, environ, start_response): if not is_mercurial(environ): return self.application(environ, start_response) if not self._check_ssl(environ, start_response): return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response) ip_addr = self._get_ip_addr(environ) username = None # skip passing error to error controller environ['pylons.status_code_redirect'] = True #====================================================================== # EXTRACT REPOSITORY NAME FROM ENV #====================================================================== try: repo_name = environ['REPO_NAME'] = self.__get_repository(environ) log.debug('Extracted repo name is %s' % repo_name) except Exception: return HTTPInternalServerError()(environ, start_response) # quick check if that dir exists... if not is_valid_repo(repo_name, self.basepath, 'hg'): return HTTPNotFound()(environ, start_response) #====================================================================== # GET ACTION PULL or PUSH #====================================================================== action = self.__get_action(environ) #====================================================================== # CHECK ANONYMOUS PERMISSION #====================================================================== if action in ['pull', 'push']: anonymous_user = self.__get_user('default') username = anonymous_user.username anonymous_perm = self._check_permission(action, anonymous_user, repo_name, ip_addr) if not anonymous_perm or not anonymous_user.active: if not anonymous_perm: log.debug('Not enough credentials to access this ' 'repository as anonymous user') if not anonymous_user.active: log.debug('Anonymous access is disabled, running ' 'authentication') #============================================================== # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS #============================================================== # Attempting to retrieve username from the container username = get_container_username(environ, self.config) # If not authenticated by the container, running basic auth if not username: self.authenticate.realm = \ safe_str(self.config['rhodecode_realm']) result = self.authenticate(environ) if isinstance(result, str): AUTH_TYPE.update(environ, 'basic') REMOTE_USER.update(environ, result) username = result else: return result.wsgi_application(environ, start_response) #============================================================== # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME #============================================================== try: user = self.__get_user(username) if user is None or not user.active: return HTTPForbidden()(environ, start_response) username = user.username except Exception: log.error(traceback.format_exc()) return HTTPInternalServerError()(environ, start_response) #check permissions for this repository perm = self._check_permission(action, user, repo_name, ip_addr) if not perm: return HTTPForbidden()(environ, start_response) # extras are injected into mercurial UI object and later available # in hg hooks executed by rhodecode from rhodecode import CONFIG server_url = get_server_url(environ) extras = { 'ip': ip_addr, 'username': username, 'action': action, 'repository': repo_name, 'scm': 'hg', 'config': CONFIG['__file__'], 'server_url': server_url, 'make_lock': None, 'locked_by': [None, None] } #====================================================================== # MERCURIAL REQUEST HANDLING #====================================================================== str_repo_name = safe_str(repo_name) repo_path = os.path.join(safe_str(self.basepath), str_repo_name) log.debug('Repository path is %s' % repo_path) # CHECK LOCKING only if it's not ANONYMOUS USER if username != User.DEFAULT_USER: log.debug('Checking locking on repository') (make_lock, locked, locked_by) = self._check_locking_state(environ=environ, action=action, repo=repo_name, user_id=user.user_id) # store the make_lock for later evaluation in hooks extras.update({'make_lock': make_lock, 'locked_by': locked_by}) fix_PATH() log.debug('HOOKS extras is %s' % extras) baseui = make_ui('db') self.__inject_extras(repo_path, baseui, extras) try: log.info('%s action on HG repo "%s" by "%s" from %s' % (action, str_repo_name, safe_str(username), ip_addr)) app = self.__make_app(repo_path, baseui, extras) return app(environ, start_response) except RepoError, e: if str(e).find('not found') != -1: return HTTPNotFound()(environ, start_response)
def _handle_request(self, environ, start_response): if not self._check_ssl(environ, start_response): reason = ('SSL required, while RhodeCode was unable ' 'to detect this as SSL request') log.debug('User not allowed to proceed, %s', reason) return HTTPNotAcceptable(reason)(environ, start_response) ip_addr = get_ip_addr(environ) username = None # skip passing error to error controller environ['pylons.status_code_redirect'] = True # ====================================================================== # EXTRACT REPOSITORY NAME FROM ENV # ====================================================================== environ['PATH_INFO'] = self._get_by_id(environ['PATH_INFO']) repo_name = self._get_repository_name(environ) environ['REPO_NAME'] = repo_name log.debug('Extracted repo name is %s', repo_name) # check for type, presence in database and on filesystem if not self.is_valid_and_existing_repo(repo_name, self.basepath, self.SCM): return HTTPNotFound()(environ, start_response) # ====================================================================== # GET ACTION PULL or PUSH # ====================================================================== action = self._get_action(environ) # ====================================================================== # CHECK ANONYMOUS PERMISSION # ====================================================================== if action in ['pull', 'push']: anonymous_user = User.get_default_user() username = anonymous_user.username if anonymous_user.active: # ONLY check permissions if the user is activated anonymous_perm = self._check_permission( action, anonymous_user, repo_name, ip_addr) else: anonymous_perm = False if not anonymous_user.active or not anonymous_perm: if not anonymous_user.active: log.debug('Anonymous access is disabled, running ' 'authentication') if not anonymous_perm: log.debug('Not enough credentials to access this ' 'repository as anonymous user') username = None # ============================================================== # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS # ============================================================== # try to auth based on environ, container auth methods log.debug( 'Running PRE-AUTH for container based authentication') pre_auth = authenticate('', '', environ, VCS_TYPE) if pre_auth and pre_auth.get('username'): username = pre_auth['username'] log.debug('PRE-AUTH got %s as username', username) # If not authenticated by the container, running basic auth if not username: self.authenticate.realm = \ safe_str(self.config['rhodecode_realm']) try: result = self.authenticate(environ) except (UserCreationError, NotAllowedToCreateUserError) as e: log.error(e) reason = safe_str(e) return HTTPNotAcceptable(reason)(environ, start_response) if isinstance(result, str): AUTH_TYPE.update(environ, 'basic') REMOTE_USER.update(environ, result) username = result else: return result.wsgi_application(environ, start_response) # ============================================================== # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME # ============================================================== user = User.get_by_username(username) if not self.valid_and_active_user(user): return HTTPForbidden()(environ, start_response) username = user.username user.update_lastactivity() meta.Session().commit() # check user attributes for password change flag user_obj = user if user_obj and user_obj.username != User.DEFAULT_USER and \ user_obj.user_data.get('force_password_change'): reason = 'password change required' log.debug('User not allowed to authenticate, %s', reason) return HTTPNotAcceptable(reason)(environ, start_response) # check permissions for this repository perm = self._check_permission(action, user, repo_name, ip_addr) if not perm: return HTTPForbidden()(environ, start_response) # extras are injected into UI object and later available # in hooks executed by rhodecode check_locking = _should_check_locking(environ.get('QUERY_STRING')) extras = vcs_operation_context(environ, repo_name=repo_name, username=username, action=action, scm=self.SCM, check_locking=check_locking) # ====================================================================== # REQUEST HANDLING # ====================================================================== str_repo_name = safe_str(repo_name) repo_path = os.path.join(safe_str(self.basepath), str_repo_name) log.debug('Repository path is %s', repo_path) fix_PATH() log.info('%s action on %s repo "%s" by "%s" from %s', action, self.SCM, str_repo_name, safe_str(username), ip_addr) return self._generate_vcs_response(environ, start_response, repo_path, repo_name, extras, action)