def _():
bs = app.get_beaker_session()
userid = bs.get('userid') or 0
wikipath = bottle.request.forms.wikipath
if wikipath:
with MyS() as session:
page = session.query(WikiPages).filter(WikiPages.path == wikipath).first()
is_wiki_admin = app.check_user_in_groups(app.module_config.get('admins access'))
if page:
page_id = page.id
is_owner = (userid == page.userid)
can_admin = is_wiki_admin or is_owner
if can_admin:
upload = bottle.request.files.get('upload')
if upload:
# name, ext = os.path.splitext(upload.filename)
upload_folder = app.module_config.get('upload folder', 'upload')
upload_path = os.path.join(app.module_folder, upload_folder)
save_path = os.path.join(app.module_folder, upload_folder, str(page_id))
try:
os.mkdir(upload_path)
except:
pass
try:
os.mkdir(save_path)
except:
pass
upload.save(save_path) # appends upload.filename automatically
return html_redirect('/{}{}'.format(app.module_name, wikipath))
return '??'
def _(wikipath):
if not wikipath.startswith('/'):
wikipath = '/' + wikipath
wikipath = u''+wikipath
version_index = int(bottle.request.query.get('v', 0))
bs = app.get_beaker_session()
userid = bs.get('userid') or 0
with MyS() as session:
page = session.query(WikiPages).filter(WikiPages.path == wikipath).first()
if page:
page_versions = session.query(WikiVersions).filter(WikiVersions.parent_id == page.id) \
.order_by(WikiVersions.created.desc()).all()
else:
page_versions = []
if page:
version = page_versions[version_index]
is_wiki_admin = app.check_user_in_groups(app.module_config.get('admins access'))
is_owner = (userid == version.userid) or (userid == page.userid)
can_admin = is_wiki_admin or is_owner
if can_admin:
session.delete(version)
else:
return app.err_msg(wikipath, "You can't delete this page version.")
url = '/{}{}'.format(app.module_name, wikipath)
return html_redirect(url)
def _():
"""
Login with token and autoconfirm cookie
"""
code = bottle.request.query.code
go = bottle.request.query.go
cookie = bottle.request.query.cookie
cookielaw_name = app.server_config.get('cookielaw_name')
using_cookies = bottle.request.get_cookie(cookielaw_name)
if not using_cookies:
# redirect
d = bottle.request.query
q = '&'.join(['{}={}'.format(x,d[x]) for x in d.keys()])
url = '/confirmcookie?back=/{}/users/qrscan&{}'.format(app.module_name, q)
return html_redirect(url)
if not cookie and not using_cookies:
# cookie not accepted
return "Cookies not accepted by browser."
bs = app.get_beaker_session()
token = code.split('=')[-1]
with MyS() as session:
obuser = session.query(Users).filter(Users.token == token).first()
if obuser:
# user is logged in
bs.clear()
bs[getRndString(12)] = getRndString(32)
bs['username'] = obuser.name
bs['userid'] = obuser.id
bs['userfullname'] = obuser.fullname
bs['REMOTE_ADDR'] = bottle.request.environ.get('REMOTE_ADDR')
# add group id -1 (All users)
L = [gr.id for gr in obuser.groups]
L.append(-1)
bs['groups'] = L
bs['authenticated'] = True
# something random
bs[getRndString(12)] = getRndString(32)
if go:
return html_redirect(go)
else:
return html_redirect(obuser.home or '/')
else:
# return 'No access! Invalid or expired token.'
return html_redirect('/auth/login')
def logout():
"""
Logout method
"""
bs = app.get_beaker_session()
try:
bs.delete()
confirm_logout = '/{}/confirmlogout'.format(app.module_name)
return html_redirect(confirm_logout)
except:
return 'Logout Error'
def _(wikipath):
if not wikipath.startswith('/'):
wikipath = '/' + wikipath
wikipath = u''+wikipath
bs = app.get_beaker_session()
userid = bs.get('userid') or 0
is_wiki_admin = app.check_user_in_groups(app.module_config.get('admins access'))
with MyS() as session:
page = session.query(WikiPages).filter(WikiPages.path == wikipath).first()
if page:
is_owner = (userid == page.userid)
can_admin = is_wiki_admin or is_owner
if can_admin:
for ver in page.versions:
session.delete(ver)
session.delete(page)
else:
return app.err_msg(wikipath, "You can't delete this page.")
url = '/{}'.format(app.module_name)
return html_redirect(url)
def callback():
expires = int(server_config.get('cookie_life') or 3)
bottle.response.set_cookie(server_config.get('cookielaw_name'),
'yes',
expires=datetime.datetime.now() +
datetime.timedelta(days=expires),
path="/")
d = bottle.request.query
q = '&'.join(['{}={}'.format(x, d[x]) for x in d.keys()])
referer = bottle.request.environ.get('HTTP_REFERER', '/')
urlback = bottle.request.query.back or referer
if urlback.find('?') == -1:
urlback = urlback + '?cookie=y'
else:
urlback = urlback + '&cookie=y'
if q:
urlback = urlback + '&' + q
return html_redirect(urlback)
def wrapper(*args, **kwargs):
# executed on each request
if self.module_config.get('module disabled'):
return self.err_msg("Error", "Module disabled by admin")
accesspath = '/{}{}'.format(self.module_name,
bottle.request.path)
if self.server_config.get('DEBUG'):
print('auth {} {}'.format(bottle.request.method,
accesspath))
# check permission
authenticated = False
permission = saved_permission
if isinstance(permission, (str, )):
permission = [permission]
for p in permission:
groups_list = self.module_config.get(p)
if self.check_user_in_groups(groups_list):
authenticated = True
break
if not authenticated:
url = '{}?back={}'.format(self.login_url, accesspath)
return html_redirect(url)
return func(*args, **kwargs)
def login():
"""
Login dialog
"""
title = 'Login'
with MyS() as session:
bs = app.get_beaker_session()
notUsingCookies = type(bs) is dict
back = bottle.request.forms.get('back', None) # from HTML form with POST
if not back:
back = bottle.request.query.get('back', '/') # from URL with GET
if not back.startswith('/'):
back = '/' + back
emergency_admin_activated = app.server_config.get('emergency admin')
if emergency_admin_activated:
# Emergency Admin
back = '/adm'
EmergencyAdmin = bottle.request.query.EmergencyAdmin
if EmergencyAdmin:
print('Login Emergency Admin')
bs.clear()
# something random
bs[getRndString(12)] = getRndString(32)
bs['username'] = '******'
bs['userfullname'] = 'Emergency Admin'
bs['userid'] = 1
bs['REMOTE_ADDR'] = bottle.request.environ.get('REMOTE_ADDR')
# Emergency Admin groups: All users, Anonymous and Admins
bs['groups'] = [-1, 0, 1]
bs['authenticated'] = True
# something random
bs[getRndString(12)] = getRndString(32)
return html_redirect(back)
authenticated = False
user = bottle.request.forms.user # POST
password = bottle.request.forms.password # POST
msg = ''
if user:
try:
obuser = session.query(Users).filter(Users.name == user).first()
if obuser:
if obuser._validate(password):
bs.clear()
# when password is correct, set the session cookie
# something random
bs[getRndString(12)] = getRndString(32)
bs['username'] = obuser.name
bs['userid'] = obuser.id
bs['userfullname'] = obuser.fullname
bs['REMOTE_ADDR'] = bottle.request.environ.get('REMOTE_ADDR')
# add group id -1 (All users)
L = [gr.id for gr in obuser.groups]
L.append(-1)
bs['groups'] = L
bs['authenticated'] = True
authenticated = True
# something random
bs[getRndString(12)] = getRndString(32)
else:
msg = "Invalid password"
else:
msg = "Invalid user"
except Exception as ex:
# import sys, traceback
# traceback.print_exc(file=sys.stdout)
if emergency_admin_activated:
msg = 'SQL error: <b>{}</b>'.format(ex)
else:
msg = '''SQL error: <b>{}</b>
Activate emergency admin in auth module and login
as emergency admin if this error persists.
'''.format(ex).replace('\n', '<br>')
if authenticated:
return html_redirect(back)
else:
# render login
return dict(title=title, msg=msg, back=back,
emergency_admin_activated=emergency_admin_activated,
notUsingCookies=notUsingCookies)
def _():
"""
Save json config of user or of module.
"""
bs = app.get_beaker_session()
module_name = bottle.request.forms.module
foruser = bottle.request.forms.foruser
if foruser:
username = bs.get('username')
configFile = 'config_{}.json'.format(username)
else:
configFile = 'config.json'
#
# json module config contains sensitive data (like SQL DSN)
# and is accesible ony to ADMIN = users in group id=1
#
if not app.check_user_in_groups(app.module_config.get('ADMIN')):
return 'Access denied.'
Referer = bottle.request.headers.get('Referer')
if module_name:
server_folder = app.server_config['DATAFOLDER']
extensions_folder = os.path.join(server_folder, app.server_config.get('extensions_folder', 'extensions'))
custom_module_folder = os.path.join(extensions_folder, module_name)
if not os.path.isdir(custom_module_folder):
pth = custom_module_folder+'.pth'
if os.path.isfile(pth):
with open(pth, 'rt') as f:
custom_module_folder = f.read().replace('\r','').replace('\n','')
if os.path.isdir(custom_module_folder):
config_file = os.path.join(custom_module_folder, configFile)
with open(config_file) as f:
data = json.loads(f.read())
for i in data.get('data').keys():
name = 'par{}'.format(i)
value = bottle.request.forms.getall(name) or ''
if data.get('data')[i]['type'] not in ('mc',):
if value and len(value) == 1:
# because of getall
value = value[0]
else:
value = value or []
data.get('data')[i]['value'] = value
# delete oldest and rename old versions
VERSIONS = int(app.server_config.get('keep config baks') or 0)
if VERSIONS < 2:
# at least 2 versions (baks) must be used
VERSIONS = 2
for cnt in range(VERSIONS - 1, 0, -1):
oldfile = '{}.{}'.format(config_file, cnt)
newfile = '{}.{}'.format(config_file, cnt - 1)
if os.path.isfile(oldfile):
os.remove(oldfile)
if os.path.isfile(newfile):
os.rename(newfile, oldfile)
newfile = '{}.{}'.format(config_file, 0)
if os.path.isfile(config_file):
os.rename(config_file, newfile)
with open(config_file, 'wb') as f:
ret = json.dumps(data, sort_keys=True, indent=2, separators=(',', ': ')).encode('utf-8')
f.write(ret)
if Referer:
return html_redirect(Referer)
else:
return html_redirect('/{}'.format(module_name))
def _():
return html_redirect(server_config.get('home_url', '/adm'))