def page_internal_edit_post(request):
    """Create or update an internal page from the submitted admin form.

    A lookup that raises :class:`ValueError` answers 404; a page that does
    not exist yet (:class:`NoResultFound`) is created rather than updated.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    slug = request.matchdict["page"]
    query_svc = request.find_service(IPageQueryService)
    try:
        existing = query_svc.internal_page_from_slug(slug)
    except ValueError:
        raise HTTPNotFound()
    except NoResultFound:
        existing = None

    # Bind the form to the existing page only when there is one.
    form_kwargs = {"request": request}
    if existing:
        form_kwargs["obj"] = existing
    form = AdminPageForm(request.POST, **form_kwargs)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"page_slug": slug, "page": existing, "form": form}

    body = form.body.data
    if existing:
        svc = request.find_service(IPageUpdateService)
        saved = svc.update_internal(existing.slug, body=body)
    else:
        svc = request.find_service(IPageCreateService)
        saved = svc.create_internal(slug, body=body)
    return HTTPFound(location=request.route_path(
        route_name="admin_page_internal", page=saved.slug))
def page_internal_delete_post(request):
    """Delete the internal page named by the ``page`` route segment.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    slug = request.matchdict["page"]
    request.find_service(IPageDeleteService).delete_internal(slug)
    target = request.route_path(route_name="admin_pages")
    return HTTPFound(location=target)
def board_topic_new_post(request):
    """Create a topic on a board on behalf of the logged-in admin user.

    The session is flushed explicitly so the new topic's id is available
    for the redirect.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    board_slug = request.matchdict["board"]
    board = request.find_service(IBoardQueryService).board_from_slug(board_slug)

    ip_address = request.client_addr
    login_svc = request.find_service(IUserLoginService)
    user = login_svc.user_from_token(request.authenticated_userid, ip_address)

    form = TopicForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "user": user, "form": form}

    create_svc = request.find_service(ITopicCreateService)
    topic = create_svc.create_with_user(
        board.slug,
        user.id,
        form.title.data,
        form.body.data,
        ip_address,
    )

    # Flush so that topic.id is populated before building the redirect.
    request.find_service(name="db").flush()
    return HTTPFound(location=request.route_path(
        route_name="admin_board_topic", board=board.slug, topic=topic.id))
def board_topic_posts_delete_post(request):
    """Delete the posts selected by the ``query`` segment from a topic.

    Requests for a topic that belongs to another board, for an empty
    selection, or for a selection that starts at post number 1 answer 404.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    board_slug = request.matchdict["board"]
    board = request.find_service(IBoardQueryService).board_from_slug(board_slug)

    topic_id = request.matchdict["topic"]
    topic = request.find_service(ITopicQueryService).topic_from_id(topic_id)
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    post_query_svc = request.find_service(IPostQueryService)
    # The route may or may not carry a selection; None lists the default set.
    selection = request.matchdict.get("query")
    posts = post_query_svc.list_from_topic_id(topic_id, selection)
    if not posts or posts[0].number == 1:
        raise HTTPNotFound(request.path)

    delete_svc = request.find_service(IPostDeleteService)
    for post in posts:
        delete_svc.delete_from_topic_id(post.topic_id, post.number)

    return HTTPFound(location=request.route_path(
        route_name="admin_board_topic_posts",
        board=board.slug,
        topic=topic.id,
        query="recent",
    ))
def board_topic_edit_post(request):
    """Update a topic's status from the admin topic form.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    board_slug = request.matchdict["board"]
    board = request.find_service(IBoardQueryService).board_from_slug(board_slug)

    topic_query_svc = request.find_service(ITopicQueryService)
    topic = topic_query_svc.topic_from_id(request.matchdict["topic"])
    # A topic reached under a board it does not belong to is treated as missing.
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    form = AdminTopicForm(request.POST, obj=topic, request=request)
    if form.validate():
        request.find_service(ITopicUpdateService).update(
            topic.id, status=form.status.data)
        return HTTPFound(location=request.route_path(
            route_name="admin_board_topic_posts",
            board=board.slug,
            topic=topic.id,
            query="recent",
        ))

    request.response.status = "400 Bad Request"
    return {"board": board, "topic": topic, "form": form}
def board_topic_new_post(request):
    """Open a new topic on a board as the currently logged-in user.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    slug = request.matchdict["board"]
    board = request.find_service(IBoardQueryService).board_from_slug(slug)

    client_ip = request.client_addr
    user = request.find_service(IUserLoginService).user_from_token(
        request.authenticated_userid, client_ip
    )

    form = TopicForm(request.POST, request=request)
    if form.validate():
        topic = request.find_service(ITopicCreateService).create_with_user(
            board.slug, user.id, form.title.data, form.body.data, client_ip
        )
        # Flush so topic.id is assigned before it is used in the redirect.
        request.find_service(name="db").flush()
        location = request.route_path(
            route_name="admin_board_topic", board=board.slug, topic=topic.id
        )
        return HTTPFound(location=location)

    request.response.status = "400 Bad Request"
    return {"board": board, "user": user, "form": form}
def board_topic_edit_post(request):
    """Apply the admin topic form to a topic; only ``status`` is updated.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    boards = request.find_service(IBoardQueryService)
    board = boards.board_from_slug(request.matchdict["board"])

    topics = request.find_service(ITopicQueryService)
    topic = topics.topic_from_id(request.matchdict["topic"])
    # Refuse to edit a topic through a board URL it does not belong to.
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    form = AdminTopicForm(request.POST, obj=topic, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "topic": topic, "form": form}

    request.find_service(ITopicUpdateService).update(
        topic.id, status=form.status.data
    )
    redirect_to = request.route_path(
        route_name="admin_board_topic_posts",
        board=board.slug,
        topic=topic.id,
        query="recent",
    )
    return HTTPFound(location=redirect_to)
def board_topic_post(request):
    """Reply to a topic as the logged-in admin user.

    The post is created with the form's ``bumped`` flag and the client
    address; on success the response redirects to the topic's recent posts.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    board = request.find_service(IBoardQueryService).board_from_slug(
        request.matchdict["board"]
    )
    topic = request.find_service(ITopicQueryService).topic_from_id(
        request.matchdict["topic"]
    )
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    client_ip = request.client_addr
    user = request.find_service(IUserLoginService).user_from_token(
        request.authenticated_userid, client_ip
    )

    form = PostForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "topic": topic, "user": user, "form": form}

    request.find_service(IPostCreateService).create_with_user(
        topic.id, user.id, form.body.data, form.bumped.data, client_ip
    )

    redirect_to = request.route_path(
        route_name="admin_board_topic_posts",
        board=board.slug,
        topic=topic.id,
        query="recent",
    )
    return HTTPFound(location=redirect_to)
def board_topic_posts_delete_post(request):
    """Delete a range of posts from a topic and return to its recent posts.

    The optional ``query`` route segment selects which posts are listed; an
    empty selection or one beginning at post number 1 is rejected with a
    404, as is a topic that is not on the given board.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    boards = request.find_service(IBoardQueryService)
    board = boards.board_from_slug(request.matchdict["board"])

    topic_id = request.matchdict["topic"]
    topic = request.find_service(ITopicQueryService).topic_from_id(topic_id)
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    posts_svc = request.find_service(IPostQueryService)
    posts = posts_svc.list_from_topic_id(topic_id, request.matchdict.get("query"))
    if not posts:
        raise HTTPNotFound(request.path)
    if posts[0].number == 1:
        raise HTTPNotFound(request.path)

    deleter = request.find_service(IPostDeleteService)
    for post in posts:
        deleter.delete_from_topic_id(post.topic_id, post.number)

    redirect_to = request.route_path(
        route_name="admin_board_topic_posts",
        board=board.slug,
        topic=topic.id,
        query="recent",
    )
    return HTTPFound(location=redirect_to)
 def csrf_view(context, request):
     """Run the CSRF origin and token checks, then call the wrapped ``view``.

     ``safe_methods``, ``callback``, ``token``, ``header`` and ``view`` come
     from the enclosing scope. Both checks are skipped for safe methods and,
     when a ``callback`` is configured, for requests it does not select;
     they are invoked with ``raises=True`` so a failure aborts before the
     wrapped view runs.
     """
     if request.method not in safe_methods:
         # The callback is only consulted for unsafe methods.
         if callback is None or callback(request):
             check_csrf_origin(request, raises=True)
             check_csrf_token(request, token, header, raises=True)
     return view(context, request)
def page_internal_edit_post(request):
    """Save the internal page form: update an existing page or create one.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    slug = request.matchdict["page"]
    pages = request.find_service(IPageQueryService)
    try:
        page = pages.internal_page_from_slug(slug)
    except ValueError:
        # Presumably the slug is not usable for an internal page — 404.
        raise HTTPNotFound()
    except NoResultFound:
        # Not an error: a missing internal page is created below.
        page = None

    if page:
        form = AdminPageForm(request.POST, obj=page, request=request)
    else:
        form = AdminPageForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"page_slug": slug, "page": page, "form": form}

    body = form.body.data
    if page:
        saved = request.find_service(IPageUpdateService).update_internal(
            page.slug, body=body
        )
    else:
        saved = request.find_service(IPageCreateService).create_internal(
            slug, body=body
        )
    location = request.route_path(route_name="admin_page_internal", page=saved.slug)
    return HTTPFound(location=location)
def board_topic_post(request):
    """Create a reply in a topic as the logged-in admin user.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    boards = request.find_service(IBoardQueryService)
    board = boards.board_from_slug(request.matchdict["board"])

    topics = request.find_service(ITopicQueryService)
    topic = topics.topic_from_id(request.matchdict["topic"])
    # Topic and board in the URL must agree.
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    ip_address = request.client_addr
    logins = request.find_service(IUserLoginService)
    user = logins.user_from_token(request.authenticated_userid, ip_address)

    form = PostForm(request.POST, request=request)
    if form.validate():
        posts = request.find_service(IPostCreateService)
        posts.create_with_user(
            topic.id,
            user.id,
            form.body.data,
            form.bumped.data,
            ip_address,
        )
        return HTTPFound(location=request.route_path(
            route_name="admin_board_topic_posts",
            board=board.slug,
            topic=topic.id,
            query="recent",
        ))

    request.response.status = "400 Bad Request"
    return {"board": board, "topic": topic, "user": user, "form": form}
def page_internal_delete_post(request):
    """Remove the internal page identified by the ``page`` route segment.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    deleter = request.find_service(IPageDeleteService)
    deleter.delete_internal(request.matchdict["page"])
    return HTTPFound(location=request.route_path(route_name="admin_pages"))
 def csrf_view(context, request):
     """Wrap ``view`` so that unsafe-method requests pass the CSRF checks first.

     ``safe_methods``, ``callback``, ``token``, ``header`` and ``view`` are
     taken from the enclosing scope.
     """
     needs_check = request.method not in safe_methods
     if needs_check and (callback is None or callback(request)):
         # Both helpers are called with raises=True, so a failed origin or
         # token check aborts here rather than reaching the wrapped view.
         check_csrf_origin(request, raises=True)
         check_csrf_token(request, token, header, raises=True)
     return view(context, request)
def page_new_post(request):
    """Create a public page from the admin new-page form.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    form = AdminPublicPageNewForm(request.POST, request=request)
    if form.validate():
        creator = request.find_service(IPageCreateService)
        page = creator.create(
            form.slug.data, title=form.title.data, body=form.body.data
        )
        location = request.route_path(route_name="admin_page", page=page.slug)
        return HTTPFound(location=location)

    request.response.status = "400 Bad Request"
    return {"form": form}
 def validator(node, cstruct):
     """Colander validator that fails the node unless its CSRF token checks out.

     ``request`` is taken from the enclosing scope; the token is looked up
     under the node's own name. ``cstruct`` is not inspected directly.
     """
     # check_csrf_token will also check the X-CSRF-Token
     # request header. Also, not sure if I should even do
     # validation here since pyramid can automatically
     # do CSRF validation on unsafe HTTP methods
     token_ok = check_csrf_token(request, node.name, raises=False)
     if token_ok:
         return
     raise colander.Invalid(node, "Invalid CSRF Token!")
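    def delete_banner_view(self):
        """Delete the banner named by the ``id`` route segment and its image file.

        Responds 400 on a failed CSRF check, 404 when ``id`` is not an integer
        or names no banner, 500 when the database or filesystem operation
        fails, and otherwise redirects to ``admin_view``.
        """
        # NOTE(review): pyramid's check_csrf_token raises by default, so this
        # branch is only reached if the helper is configured to return False.
        if not check_csrf_token(self.request):
            raise HTTPBadRequest

        # int() never returns None, so the old `bid is None` test was dead;
        # a missing or non-numeric id is a client error, not a 500.
        try:
            bid = int(self.request.matchdict['id'])
        except (KeyError, ValueError):
            raise HTTPNotFound

        # Keep the lookup's 404 outside the broad except: in pyramid
        # HTTPNotFound is an Exception subclass and was previously caught
        # below and re-raised as HTTPInternalServerError.
        try:
            banner = DBSession.query(Banner).filter(Banner.id == bid).first()
        except Exception as e:
            log.debug(e)
            raise HTTPInternalServerError

        if banner is None:
            raise HTTPNotFound

        try:
            # image_path is read back from the database; the writer is
            # expected to keep it relative to server/ — verify on the write side.
            try:
                os.remove(f"server/{banner.image_path}")
            except FileNotFoundError:
                # Nothing to clean up on disk; the row is removed regardless.
                # (Replaces the exists()/remove() pair, which raced with the
                # file disappearing in between.)
                pass

            DBSession.delete(banner)

        except Exception as e:
            log.debug(e)
            raise HTTPInternalServerError

        url = self.request.route_url('admin_view')
        return HTTPFound(url)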
def page_edit_post(request):
    """Update a public page's title and body from the admin page form.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    pages = request.find_service(IPageQueryService)
    page = pages.public_page_from_slug(request.matchdict["page"])
    form = AdminPublicPageForm(request.POST, obj=page, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"page": page, "form": form}

    updater = request.find_service(IPageUpdateService)
    updated = updater.update(
        page.slug, title=form.title.data, body=form.body.data
    )
    location = request.route_path(route_name="admin_page", page=updated.slug)
    return HTTPFound(location=location)
def page_new_post(request):
    """Create a public page with the slug, title and body from the admin form.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    form = AdminPublicPageNewForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    fields = {"title": form.title.data, "body": form.body.data}
    page = request.find_service(IPageCreateService).create(
        form.slug.data, **fields
    )

    return HTTPFound(
        location=request.route_path(route_name="admin_page", page=page.slug)
    )
    def __init__(self, request):
        """Gate an RPC request before any method is dispatched.

        The body is decoded first because the WeChat ``wechat.jssdk.config``
        method is allowed through without the session and CSRF checks;
        every other request that is not a bot needs an established session,
        and all of them need a valid CSRF token and a compatible
        ``X-Client-Version`` header (when one is sent).
        """
        # common class variables
        self.request = request
        self.sess = DBSession()

        # NOTE(review): the body is parsed before any auth check, so a
        # non-JSON body or one without "method" raises here regardless of
        # session state — presumably surfacing as a server error rather
        # than a 400; confirm that is intended.
        raw_body = request.body.decode('utf8')
        rpc_method = json.loads(raw_body)['method']

        if request.is_weixin and rpc_method == 'wechat.jssdk.config':
            return

        # Step 1: check for valid session
        #
        # For any rpc request from a client which does not declare itself
        # as bot, a proper session must be present. Otherwise we block it
        if not request.is_bot:
            session = request.session
            if not session or session.new:
                # request.log(action='REJECT_RPC', title='RPC no valid session',
                #    payload=body[:300])
                raise HTTPForbidden()

        # Step 2: check for valid csfr
        #
        # We are not using the csrf checking mechanism of view predicate
        # provided by pyramid since it does not allow us to block the
        # malicious IP and log the event.
        token_ok = check_csrf_token(request, raises=False)
        if not token_ok:
            # request.log(action='REJECT_RPC', title='RPC bad csrf token',
            #    payload=body[:300])
            raise HTTPForbidden()

        client_version = request.headers.get('X-Client-Version')
        if client_version and client_version != siteConfig.version:
            raise RPCClientVersionError()
def board_topic_delete_post(request):
    """Delete a topic and redirect to its board's topic list.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    board_slug = request.matchdict["board"]
    board = request.find_service(IBoardQueryService).board_from_slug(board_slug)

    topic_id = request.matchdict["topic"]
    topic = request.find_service(ITopicQueryService).topic_from_id(topic_id)
    # The topic must actually live on the board named in the URL.
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    request.find_service(ITopicDeleteService).delete(topic_id)
    return HTTPFound(location=request.route_path(
        route_name="admin_board_topics", board=board.slug))
def page_edit_post(request):
    """Save the admin page form onto an existing public page.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    slug = request.matchdict["page"]
    page = request.find_service(IPageQueryService).public_page_from_slug(slug)
    form = AdminPublicPageForm(request.POST, obj=page, request=request)
    if form.validate():
        updater = request.find_service(IPageUpdateService)
        updated = updater.update(
            page.slug,
            title=form.title.data,
            body=form.body.data,
        )
        return HTTPFound(
            location=request.route_path(route_name="admin_page", page=updated.slug))

    request.response.status = "400 Bad Request"
    return {"page": page, "form": form}
def board_topic_delete_post(request):
    """Delete the topic named in the URL, then return to the board's topics.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    boards = request.find_service(IBoardQueryService)
    board = boards.board_from_slug(request.matchdict["board"])

    topic_id = request.matchdict["topic"]
    topics = request.find_service(ITopicQueryService)
    topic = topics.topic_from_id(topic_id)
    if topic.board_id != board.id:
        # Cross-board topic ids are not exposed as existing.
        raise HTTPNotFound(request.path)

    deleter = request.find_service(ITopicDeleteService)
    deleter.delete(topic_id)
    location = request.route_path(route_name="admin_board_topics", board=board.slug)
    return HTTPFound(location=location)
def setup_post(request):
    """Complete first-run setup: record the setup version and create the admin.

    Only reachable while :func:`_setup_required` still reports that setup
    is pending; afterwards the route answers 404.

    :param request: A :class:`pyramid.request.Request` object.
    """
    if not _setup_required(None, request):
        raise HTTPNotFound()

    check_csrf_token(request)
    form = AdminSetupForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    request.find_service(ISettingUpdateService).update(
        "setup.version", __VERSION__)

    users = request.find_service(IUserCreateService)
    users.create(
        None,
        form.username.data,
        form.password.data,
        form.name.data,
        ["admin"],
    )

    return HTTPFound(location=request.route_path(route_name="admin_root"))
def setup_post(request):
    """Handle the initial setup form: store the version and create the admin user.

    The setup gate is checked before the CSRF token so a finished
    installation answers 404 rather than revealing a CSRF failure.

    :param request: A :class:`pyramid.request.Request` object.
    """
    if not _setup_required(None, request):
        raise HTTPNotFound()

    check_csrf_token(request)
    form = AdminSetupForm(request.POST, request=request)
    if form.validate():
        settings = request.find_service(ISettingUpdateService)
        settings.update("setup.version", __VERSION__)

        users = request.find_service(IUserCreateService)
        users.create(
            None, form.username.data, form.password.data, form.name.data, ["admin"]
        )
        return HTTPFound(location=request.route_path(route_name="admin_root"))

    request.response.status = "400 Bad Request"
    return {"form": form}
def setting_post(request):
    """Replace a setting's value with the JSON submitted in the admin form.

    A key the query service does not know (with ``safe_keys=True``) answers 404.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    key = request.matchdict["setting"]
    settings = request.find_service(ISettingQueryService)
    # Only the lookup's success matters: the value itself is discarded.
    try:
        settings.value_from_key(key, use_cache=False, safe_keys=True)
    except KeyError:
        raise HTTPNotFound()

    form = AdminSettingForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"key": key, "form": form}

    # NOTE(review): assumes the form already validated value as JSON;
    # otherwise json.loads raises here after validation passed — confirm.
    updater = request.find_service(ISettingUpdateService)
    updater.update(key, json.loads(form.value.data))
    return HTTPFound(location=request.route_path(route_name="admin_settings"))
def banword_new_post(request):
    """Create a banword from the admin form and open its detail page.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    form = AdminBanwordForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    creator = request.find_service(IBanwordCreateService)
    banword = creator.create(
        form.expr.data,
        description=form.description.data,
        active=form.active.data,
    )

    # Explicitly flush so that ID is available.
    request.find_service(name="db").flush()

    location = request.route_path(route_name="admin_banword", banword=banword.id)
    return HTTPFound(location=location)
def banword_edit_post(request):
    """Update an existing banword's expression, description and active flag.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    banwords = request.find_service(IBanwordQueryService)
    banword = banwords.banword_from_id(request.matchdict["banword"])
    form = AdminBanwordForm(request.POST, obj=banword, request=request)
    if form.validate():
        updater = request.find_service(IBanwordUpdateService)
        updated = updater.update(
            banword.id,
            expr=form.expr.data,
            description=form.description.data,
            active=form.active.data,
        )
        return HTTPFound(location=request.route_path(
            route_name="admin_banword", banword=updated.id))

    request.response.status = "400 Bad Request"
    return {"banword": banword, "form": form}
def board_new_post(request):
    """Create a board from the admin form; ``settings`` is parsed as JSON.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    form = AdminBoardNewForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    creator = request.find_service(IBoardCreateService)
    # NOTE(review): json.loads assumes the form already validated the
    # settings field as JSON — confirm on AdminBoardNewForm.
    settings = json.loads(form.settings.data)
    board = creator.create(
        form.slug.data,
        title=form.title.data,
        description=form.description.data,
        status=form.status.data,
        agreements=form.agreements.data,
        settings=settings,
    )

    location = request.route_path(route_name="admin_board", board=board.slug)
    return HTTPFound(location=location)
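def process_interstitial(request: Request, choices: t.List[Choice], *args,
                         **kwargs):
    """Check which interstitial button the user pressed and run its callback.

    For example use case see :py:class:`websauna.system.crud.views.Delete`.

    :param request: The POST request; the pressed button's id is looked up in ``request.POST``
    :param choices: Candidate choices, checked in order; the first whose ``id`` is present wins
    :param args: Passed to choice callback
    :param kwargs: Passed to choice callback
    :return: HTTP response given by a choice callback
    :raises HTTPBadRequest: if the request is not a POST or no known choice was submitted
    """
    # A plain `assert` is stripped under `python -O`, which would silently
    # drop this precondition; reject non-POST requests unconditionally.
    if request.method != "POST":
        raise HTTPBadRequest("Interstitial choices must be submitted with POST")

    # Force CSRF check always
    check_csrf_token(request)

    for choice in choices:
        if choice.id in request.POST:
            return choice.callback(*args, **kwargs)

    raise HTTPBadRequest("Unknown choice made")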
def ban_edit_post(request):
    """Update an IP ban's address, description, duration, scope and active flag.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    bans = request.find_service(IBanQueryService)
    ban = bans.ban_from_id(request.matchdict["ban"])
    form = AdminBanForm(request.POST, obj=ban, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"ban": ban, "form": form}

    fields = {
        "ip_address": form.ip_address.data,
        "description": form.description.data,
        "duration": form.duration.data,
        "scope": form.scope.data,
        "active": form.active.data,
    }
    updated = request.find_service(IBanUpdateService).update(ban.id, **fields)
    return HTTPFound(location=request.route_path(route_name="admin_ban", ban=updated.id))
def setting_post(request):
    """Store a new JSON value for the setting named in the URL.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    setting_key = request.matchdict["setting"]

    # Existence check only; the looked-up value is not used.
    query_svc = request.find_service(ISettingQueryService)
    try:
        query_svc.value_from_key(setting_key, use_cache=False, safe_keys=True)
    except KeyError:
        raise HTTPNotFound()

    form = AdminSettingForm(request.POST, request=request)
    if form.validate():
        # NOTE(review): presumably AdminSettingForm validates value as JSON,
        # otherwise json.loads can raise here — confirm.
        new_value = json.loads(form.value.data)
        request.find_service(ISettingUpdateService).update(setting_key, new_value)
        return HTTPFound(location=request.route_path(route_name="admin_settings"))

    request.response.status = "400 Bad Request"
    return {"key": setting_key, "form": form}
def ban_new_post(request):
    """Create an IP ban from the admin form and open its detail page.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    form = AdminBanForm(request.POST, request=request)
    if form.validate():
        creator = request.find_service(IBanCreateService)
        ban = creator.create(
            form.ip_address.data,
            description=form.description.data,
            duration=form.duration.data,
            scope=form.scope.data,
            active=form.active.data,
        )
        # Explicitly flush so that ID is available.
        request.find_service(name="db").flush()
        return HTTPFound(
            location=request.route_path(route_name="admin_ban", ban=ban.id)
        )

    request.response.status = "400 Bad Request"
    return {"form": form}
def ban_edit_post(request):
    """Save the admin ban form onto an existing ban.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    ban_id = request.matchdict["ban"]
    ban = request.find_service(IBanQueryService).ban_from_id(ban_id)
    form = AdminBanForm(request.POST, obj=ban, request=request)
    if form.validate():
        updater = request.find_service(IBanUpdateService)
        updated = updater.update(
            ban.id,
            ip_address=form.ip_address.data,
            description=form.description.data,
            duration=form.duration.data,
            scope=form.scope.data,
            active=form.active.data,
        )
        location = request.route_path(route_name="admin_ban", ban=updated.id)
        return HTTPFound(location=location)

    request.response.status = "400 Bad Request"
    return {"ban": ban, "form": form}
def banword_edit_post(request):
    """Update a banword's expression, description, scope and active flag.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    banword_id = request.matchdict["banword"]
    banword = request.find_service(IBanwordQueryService).banword_from_id(banword_id)
    form = AdminBanwordForm(request.POST, obj=banword, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"banword": banword, "form": form}

    fields = {
        "expr": form.expr.data,
        "description": form.description.data,
        "scope": form.scope.data,
        "active": form.active.data,
    }
    updated = request.find_service(IBanwordUpdateService).update(banword.id, **fields)
    location = request.route_path(route_name="admin_banword", banword=updated.id)
    return HTTPFound(location=location)
def login_post(request):
    """Perform user login.

    An already-authenticated request is refused with 403. A form that fails
    validation is re-rendered with status 400, whereas a form that validates
    but fails authentication is re-rendered without changing the response
    status, so the two outcomes differ in status code. On success the login
    token is stored via :func:`remember` and the response redirects to the
    dashboard.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    if authenticated_userid(request):
        raise HTTPForbidden

    form = AdminLoginForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    username = form.username.data
    logins = request.find_service(IUserLoginService)
    if not logins.authenticate(username, form.password.data):
        return {"form": form}

    token = logins.token_for(username, request.client_addr)
    return HTTPFound(
        headers=remember(request, token),
        location=request.route_path(route_name="admin_dashboard"),
    )
def login_post(request):
    """Perform user login.

    Refuses (403) requests that already carry an authenticated user id.
    Note that a failed authentication re-renders the form without
    touching the response status, unlike a validation failure (400).

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)
    if authenticated_userid(request):
        raise HTTPForbidden

    form = AdminLoginForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    login_svc = request.find_service(IUserLoginService)
    credentials = (form.username.data, form.password.data)
    if not login_svc.authenticate(*credentials):
        return {"form": form}

    token = login_svc.token_for(form.username.data, request.client_addr)
    dashboard = request.route_path(route_name="admin_dashboard")
    return HTTPFound(headers=remember(request, token), location=dashboard)
def board_edit_post(request):
    """Save the admin board form onto an existing board.

    ``settings`` is parsed from the form's JSON text before being stored.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    slug = request.matchdict["board"]
    board = request.find_service(IBoardQueryService).board_from_slug(slug)

    form = AdminBoardForm(request.POST, obj=board, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "form": form}

    updater = request.find_service(IBoardUpdateService)
    fields = {
        "title": form.title.data,
        "description": form.description.data,
        "status": form.status.data,
        "agreements": form.agreements.data,
        "settings": json.loads(form.settings.data),
    }
    updated = updater.update(board.slug, **fields)
    return HTTPFound(location=request.route_path(route_name="admin_board",
                                                 board=updated.slug))
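def board_new_post(request):
    """Create a board from the admin form, layering its settings over the defaults.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    form = AdminBoardNewForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"form": form}

    board_create_svc = request.find_service(IBoardCreateService)
    # dict.update() returns None and mutates its receiver, so the previous
    # `settings = DEFAULT_BOARD_CONFIG.update(db_settings)` stored None as
    # the new board's settings AND leaked every submitted key into the
    # shared module-level defaults for all later requests (assuming
    # DEFAULT_BOARD_CONFIG is a plain dict). Build a fresh merged copy
    # instead; submitted keys still take precedence over the defaults.
    db_settings = json.loads(form.settings.data)
    settings = {**DEFAULT_BOARD_CONFIG, **db_settings}
    board = board_create_svc.create(
        form.slug.data,
        title=form.title.data,
        description=form.description.data,
        status=form.status.data,
        agreements=form.agreements.data,
        settings=settings,
    )

    return HTTPFound(
        location=request.route_path(route_name="admin_board", board=board.slug)
    )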
def board_edit_post(request):
    """Handle the admin board edit form submission.

    On a valid form the board is updated and the client is redirected to the
    board's admin page; otherwise the form is re-rendered with status 400.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    board_query_svc = request.find_service(IBoardQueryService)
    board = board_query_svc.board_from_slug(request.matchdict["board"])

    form = AdminBoardForm(request.POST, obj=board, request=request)
    if form.validate():
        # ``settings`` comes from admin-supplied JSON text; json.loads will
        # return whatever JSON value was submitted, so the form is relied on
        # to constrain it — NOTE(review): confirm in AdminBoardForm.
        fields = {
            "title": form.title.data,
            "description": form.description.data,
            "status": form.status.data,
            "agreements": form.agreements.data,
            "settings": json.loads(form.settings.data),
        }
        board_update_svc = request.find_service(IBoardUpdateService)
        board = board_update_svc.update(board.slug, **fields)
        location = request.route_path(route_name="admin_board", board=board.slug)
        return HTTPFound(location=location)

    request.response.status = "400 Bad Request"
    return {"board": board, "form": form}
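    def decrease_banner_position_view(self):
        """Move a banner one step down the ordering, then redirect to the admin view.

        The banner id is read from ``matchdict['id']``.  A non-integer id or an
        unknown banner yields a 404; database failures yield a 500.  The last
        banner in the ordering is left where it is.
        """
        # check_csrf_token normally raises on a bad token; the explicit guard
        # also covers an implementation that returns False instead.
        if not check_csrf_token(self.request):
            raise HTTPBadRequest

        # int() raises on junk ids — map that to a 404 rather than letting it
        # escape as an unhandled exception.  (The old ``bid is None`` check
        # after int() could never fire.)
        try:
            bid = int(self.request.matchdict['id'])
        except (TypeError, ValueError):
            raise HTTPNotFound

        try:
            cursor_banner = DBSession.query(Banner).filter(
                Banner.id == bid).first()
        except Exception as e:
            log.debug(e)
            raise HTTPInternalServerError

        # Kept outside the try: previously this HTTPNotFound was raised inside
        # ``except Exception`` and was rewritten into a 500.
        if cursor_banner is None:
            raise HTTPNotFound

        try:
            banners = DBSession.query(Banner).order_by(Banner.position,
                                                       Banner.id).all()
        except Exception as e:
            log.debug(e)
            raise HTTPInternalServerError

        bindex = banners.index(cursor_banner)

        if bindex + 1 != len(banners):
            # Swap position with the next banner; both rows get one shared
            # timestamp so the pair is stamped consistently.
            cursor_position = banners[bindex].position
            now = datetime.datetime.utcnow()

            try:
                banners[bindex].position = banners[bindex + 1].position
                banners[bindex].updated_at = now

                banners[bindex + 1].position = cursor_position
                banners[bindex + 1].updated_at = now

            except Exception as e:
                log.debug(e)
                raise HTTPInternalServerError

        log.debug(201)
        url = self.request.route_url('admin_view')
        return HTTPFound(url)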
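def receive_file(request):
    """Store the multipart upload sent as ``files[]`` and return its id.

    CSRF origin and token are only enforced when the request carries an
    authenticated user id.  NOTE(review): anonymous uploads are accepted with
    no CSRF check at all — confirm that is intended.

    :param request: the incoming request.
    :return: ``{'upload_id': <id of the saved Upload>}``.
    """
    if request.authenticated_userid:
        # Two separate statements on purpose.  The previous
        # ``check_csrf_origin(request) and check_csrf_token(request)`` silently
        # skipped the token check whenever the origin check returned a falsy
        # value instead of raising.
        check_csrf_origin(request)
        check_csrf_token(request)
    upload = Upload.save_from(request, 'files[]')
    return {'upload_id': upload.id}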
 def validator(self, node, _value):  # pylint: disable=no-self-use
     """Reject the request when its CSRF token does not check out.

     The request is taken from the node's bindings; ``_value`` is ignored.
     Relies on ``check_csrf_token`` raising on failure (pyramid's does), so
     a clean return means the token was accepted.
     """
     check_csrf_token(node.bindings["request"])
 def validator(self, form, value):
     """Validate the CSRF token of the request bound to ``form``.

     ``value`` is unused; the check raises on a bad token and returns
     nothing otherwise.
     """
     bound_request = form.bindings["request"]
     check_csrf_token(bound_request)
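def topic_show_post(request):
    """Handle form posting for replying to a topic.

    Checks, in order: CSRF token, topic/board consistency (404 on mismatch),
    form validation (400), IP ban (403), banned words (403) and the per-board
    rate limit (429).  Only then is the post enqueued and the client
    redirected to the topic with the task id in the query string.

    NOTE(review): bans and rate limits key on ``request.client_addr``, which
    is only as trustworthy as the upstream proxy / forwarded-header
    configuration — confirm.

    :param request: A :class:`pyramid.request.Request` object.
    """
    check_csrf_token(request)

    board_query_svc = request.find_service(IBoardQueryService)
    topic_query_svc = request.find_service(ITopicQueryService)
    board_slug = request.matchdict["board"]
    topic_id = request.matchdict["topic"]

    board = board_query_svc.board_from_slug(board_slug)
    topic = topic_query_svc.topic_from_id(topic_id)

    # Refuse to post through a URL whose board does not own the topic.
    if topic.board_id != board.id:
        raise HTTPNotFound(request.path)

    form = PostForm(request.POST, request=request)
    if not form.validate():
        request.response.status = "400 Bad Request"
        return {"board": board, "topic": topic, "form": form}

    ban_query_svc = request.find_service(IBanQueryService)
    ban_scope = {"board": board.slug, "topic": topic.title}
    if ban_query_svc.is_banned(request.client_addr, scopes=ban_scope):
        response = render_to_response(
            "topics/show_error.mako",
            {"board": board, "topic": topic, "name": "ban_rejected"},
            request=request,
        )
        response.status = "403 Forbidden"
        return response

    banword_query_svc = request.find_service(IBanwordQueryService)
    if banword_query_svc.is_banned(form.body.data, scopes=ban_scope):
        response = render_to_response(
            "topics/show_error.mako",
            {"board": board, "topic": topic, "name": "banword_rejected"},
            request=request,
        )
        response.status = "403 Forbidden"
        return response

    # The rate limiter is optional; when present, the limit window is armed
    # before the post is enqueued.
    rate_limiter_svc = request.find_service(IRateLimiterService)
    if rate_limiter_svc:
        payload = {"ip_address": request.client_addr, "board": board.slug}
        if rate_limiter_svc.is_limited(**payload):
            response = render_to_response(
                "topics/show_error.mako",
                {
                    "board": board,
                    "topic": topic,
                    "name": "rate_limited",
                    "time_left": rate_limiter_svc.time_left(**payload),
                },
                request=request,
            )
            response.status = "429 Too Many Requests"
            return response

        rate_limiter_svc.limit_for(board.settings["post_delay"], **payload)

    # Resolved once, here; the earlier duplicate lookup (whose result was
    # never used) has been dropped.
    post_create_svc = request.find_service(IPostCreateService)
    task = post_create_svc.enqueue(
        topic.id,
        form.body.data,
        form.bumped.data,
        request.client_addr,
        payload={
            "application_url": request.application_url,
            "referrer": request.referrer,
            "url": request.url,
            "user_agent": request.user_agent,
        },
    )

    return HTTPFound(
        location=request.route_path(
            route_name="topic",
            board=topic.board.slug,
            topic=topic.id,
            _query={"task": task.id},
        )
    )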
    def _callFUT(self, *args, **kwargs):
        """Call the function under test, ``pyramid.csrf.check_csrf_token``.

        The import is deferred to call time, as in the original, and all
        arguments are passed straight through.
        """
        from pyramid import csrf

        return csrf.check_csrf_token(*args, **kwargs)
    def _callFUT(self, *args, **kwargs):
        """Forward ``*args``/``**kwargs`` to ``pyramid.csrf.check_csrf_token``.

        Resolves the function under test at call time rather than at module
        import.
        """
        import pyramid.csrf

        fut = pyramid.csrf.check_csrf_token
        return fut(*args, **kwargs)
 def validator(self, node, _value):
     """Check the CSRF token of the request bound to ``node``.

     The value under validation is not inspected; ``check_csrf_token`` is
     expected to raise on a bad token and this method returns nothing.
     """
     bound = node.bindings
     check_csrf_token(bound["request"])
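def receive_file(request):
    """Save the ``files[]`` upload from the request and return its id.

    The CSRF origin and token checks run only for requests with an
    authenticated user id.  NOTE(review): unauthenticated uploads skip CSRF
    entirely — confirm that is intended.

    :param request: the incoming request.
    :return: ``{'upload_id': <id of the saved Upload>}``.
    """
    if request.authenticated_userid:
        # Each check is its own statement.  Chaining them with ``and`` (as the
        # previous code did) skips the token check whenever the origin check
        # returns a falsy value rather than raising.
        check_csrf_origin(request)
        check_csrf_token(request)
    upload = Upload.save_from(request, 'files[]')
    return {'upload_id': upload.id}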