![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
index 1f23faea242d87b281c686f1b7db7b4d5eda0b2e..a96babfd7e6ccb7af54ad7c4fa2a69d5b1ae18f5 100644 (file)
--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
-# $Id: client.py,v 1.96 2003-02-20 07:13:14 richard Exp $
+# $Id: client.py,v 1.108 2003-03-19 02:50:40 richard Exp $
__doc__ = """
WWW request handler (also used in the stand-alone server).
"""
import os, os.path, cgi, StringIO, urlparse, re, traceback, mimetypes, urllib
-import binascii, Cookie, time, random
+import binascii, Cookie, time, random, MimeWriter, smtplib, socket, quopri
+import stat, rfc822, string
from roundup import roundupdb, date, hyperdb, password
from roundup.i18n import _
-
from roundup.cgi.templating import Templates, HTMLRequest, NoTemplate
from roundup.cgi import cgitb
-
from roundup.cgi.PageTemplates import PageTemplate
+from roundup.rfc2822 import encode_header
+from roundup.mailgw import uidFromAddress
class HTTPException(Exception):
pass
pass
class Redirect(HTTPException):
pass
+class NotModified(HTTPException):
+ pass
+
+# set to indicate to roundup not to actually _send_ email
+# this var must contain a file to write the mail to
+SENDMAILDEBUG = os.environ.get('SENDMAILDEBUG', '')
+
# XXX actually _use_ FormError
class FormError(ValueError):
FV_OK_MESSAGE = re.compile(r'[@:]ok_message')
FV_ERROR_MESSAGE = re.compile(r'[@:]error_message')
+ FV_QUERYNAME = re.compile(r'[@:]queryname')
+
# edit form variable handling (see unit tests)
FV_LABELS = r'''
^(
except SendFile, designator:
self.serve_file(designator)
except SendStaticFile, file:
- self.serve_static_file(str(file))
+ try:
+ self.serve_static_file(str(file))
+ except NotModified:
+ # send the 304 response
+ self.request.send_response(304)
+ self.request.end_headers()
except Unauthorised, message:
- self.classname=None
- self.template=''
+ self.classname = None
+ self.template = ''
self.error_message.append(message)
self.write(self.renderContext())
except NotFound:
self.write(cgitb.html())
def clean_sessions(self):
- '''age sessions, remove when they haven't been used for a week.
- Do it only once an hour'''
+ ''' Age sessions, remove when they haven't been used for a week.
+
+ Do it only once an hour.
+
+ Note: also cleans One Time Keys, and other "session" based
+ stuff.
+ '''
sessions = self.db.sessions
last_clean = sessions.get('last_clean', 'last_use') or 0
hour = 60*60
now = time.time()
if now - last_clean > hour:
- # remove age sessions
+ # remove aged sessions
for sessid in sessions.list():
interval = now - sessions.get(sessid, 'last_use')
if interval > week:
sessions.destroy(sessid)
+ # remove aged otks
+ otks = self.db.otks
+ for sessid in otks.list():
+ interval = now - otks.get(sessid, '__time')
+ if interval > week:
+ otks.destroy(sessid)
sessions.set('last_clean', last_use=time.time())
def determine_user(self):
sessions = self.db.sessions
# look up the user session cookie
- cookie = Cookie.Cookie(self.env.get('HTTP_COOKIE', ''))
+ cookie = Cookie.SimpleCookie(self.env.get('HTTP_COOKIE', ''))
user = 'anonymous'
# bump the "revision" of the cookie since the format changed
self.write(file.get(nodeid, 'content'))
def serve_static_file(self, file):
+ ims = None
+ # see if there's an if-modified-since...
+ if hasattr(self.request, 'headers'):
+ ims = self.request.headers.getheader('if-modified-since')
+ elif self.env.has_key('HTTP_IF_MODIFIED_SINCE'):
+ # cgi will put the header in the env var
+ ims = self.env['HTTP_IF_MODIFIED_SINCE']
+ filename = os.path.join(self.instance.config.TEMPLATES, file)
+ lmt = os.stat(filename)[stat.ST_MTIME]
+ if ims:
+ ims = rfc822.parsedate(ims)[:6]
+ lmtt = time.gmtime(lmt)[:6]
+ if lmtt <= ims:
+ raise NotModified
+
# we just want to serve up the file named
mt = mimetypes.guess_type(str(file))[0]
+ if not mt:
+ mt = 'text/plain'
self.additional_headers['Content-Type'] = mt
- self.write(open(os.path.join(self.instance.config.TEMPLATES,
- file)).read())
+ self.additional_headers['Last-Modifed'] = rfc822.formatdate(lmt)
+ self.write(open(filename, 'rb').read())
def renderContext(self):
''' Return a PageTemplate for the named page
# these are the actions that are available
actions = (
('edit', 'editItemAction'),
- ('editCSV', 'editCSVAction'),
+ ('editcsv', 'editCSVAction'),
('new', 'newItemAction'),
('register', 'registerAction'),
+ ('confrego', 'confRegoAction'),
+ ('passrst', 'passResetAction'),
('login', 'loginAction'),
('logout', 'logout_action'),
('search', 'searchAction'),
('show', 'showAction'),
)
def handle_action(self):
- ''' Determine whether there should be an _action called.
+ ''' Determine whether there should be an Action called.
The action is defined by the form variable :action which
- identifies the method on this object to call. The four basic
- actions are defined in the "actions" sequence on this class:
- "edit" -> self.editItemAction
- "new" -> self.newItemAction
- "register" -> self.registerAction
- "login" -> self.loginAction
- "logout" -> self.logout_action
- "search" -> self.searchAction
- "retire" -> self.retireAction
+ identifies the method on this object to call. The actions
+ are defined in the "actions" sequence on this class.
'''
- if not self.form.has_key(':action'):
+ if self.form.has_key(':action'):
+ action = self.form[':action'].value.lower()
+ elif self.form.has_key('@action'):
+ action = self.form['@action'].value.lower()
+ else:
return None
try:
# get the action, validate it
- action = self.form[':action'].value
for name, method in self.actions:
if name == action:
break
else:
raise ValueError, 'No such action "%s"'%action
-
# call the mapped action
getattr(self, method)()
except Redirect:
raise
except Unauthorised:
raise
- except:
- self.db.rollback()
- s = StringIO.StringIO()
- traceback.print_exc(None, s)
- self.error_message.append('<pre>%s</pre>'%cgi.escape(s.getvalue()))
def write(self, content):
if not self.headers_done:
# Let the user know what's going on
self.ok_message.append(_('You are logged out'))
+ chars = string.letters+string.digits
def registerAction(self):
'''Attempt to create a new user based on the contents of the form
and then set the cookie.
return 1 on successful login
'''
- # create the new user
- cl = self.db.user
-
# parse the props from the form
try:
- props = self.parsePropsFromForm()
+ props = self.parsePropsFromForm()[0][('user', None)]
except (ValueError, KeyError), message:
self.error_message.append(_('Error: ') + str(message))
return
if not self.registerPermission(props):
raise Unauthorised, _("You do not have permission to register")
+ try:
+ self.db.user.lookup(props['username'])
+ self.error_message.append('Error: A user with the username "%s" '
+ 'already exists'%props['username'])
+ return
+ except KeyError:
+ pass
+
+ # generate the one-time-key and store the props for later
+ otk = ''.join([random.choice(self.chars) for x in range(32)])
+ for propname, proptype in self.db.user.getprops().items():
+ value = props.get(propname, None)
+ if value is None:
+ pass
+ elif isinstance(proptype, hyperdb.Date):
+ props[propname] = str(value)
+ elif isinstance(proptype, hyperdb.Interval):
+ props[propname] = str(value)
+ elif isinstance(proptype, hyperdb.Password):
+ props[propname] = str(value)
+ props['__time'] = time.time()
+ self.db.otks.set(otk, **props)
+
+ # send the email
+ tracker_name = self.db.config.TRACKER_NAME
+ subject = 'Complete your registration to %s'%tracker_name
+ body = '''
+To complete your registration of the user "%(name)s" with %(tracker)s,
+please visit the following URL:
+
+ %(url)s?@action=confrego&otk=%(otk)s
+'''%{'name': props['username'], 'tracker': tracker_name, 'url': self.base,
+ 'otk': otk}
+ if not self.sendEmail(props['address'], subject, body):
+ return
+
+ # commit changes to the database
+ self.db.commit()
+
+ # redirect to the "you're almost there" page
+ raise Redirect, '%suser?@template=rego_progress'%self.base
+
+ def sendEmail(self, to, subject, content):
+ # send email to the user's email address
+ message = StringIO.StringIO()
+ writer = MimeWriter.MimeWriter(message)
+ tracker_name = self.db.config.TRACKER_NAME
+ writer.addheader('Subject', encode_header(subject))
+ writer.addheader('To', to)
+ writer.addheader('From', roundupdb.straddr((tracker_name,
+ self.db.config.ADMIN_EMAIL)))
+ writer.addheader('Date', time.strftime("%a, %d %b %Y %H:%M:%S +0000",
+ time.gmtime()))
+ # add a uniquely Roundup header to help filtering
+ writer.addheader('X-Roundup-Name', tracker_name)
+ # avoid email loops
+ writer.addheader('X-Roundup-Loop', 'hello')
+ writer.addheader('Content-Transfer-Encoding', 'quoted-printable')
+ body = writer.startbody('text/plain; charset=utf-8')
+
+ # message body, encoded quoted-printable
+ content = StringIO.StringIO(content)
+ quopri.encode(content, body, 0)
+
+ if SENDMAILDEBUG:
+ # don't send - just write to a file
+ open(SENDMAILDEBUG, 'a').write('FROM: %s\nTO: %s\n%s\n'%(
+ self.db.config.ADMIN_EMAIL,
+ ', '.join(to),message.getvalue()))
+ else:
+ # now try to send the message
+ try:
+ # send the message as admin so bounces are sent there
+ # instead of to roundup
+ smtp = smtplib.SMTP(self.db.config.MAILHOST)
+ smtp.sendmail(self.db.config.ADMIN_EMAIL, [to],
+ message.getvalue())
+ except socket.error, value:
+ self.error_message.append("Error: couldn't send email: "
+ "mailhost %s"%value)
+ return 0
+ except smtplib.SMTPException, msg:
+ self.error_message.append("Error: couldn't send email: %s"%msg)
+ return 0
+ return 1
+
+ def registerPermission(self, props):
+ ''' Determine whether the user has permission to register
+
+ Base behaviour is to check the user has "Web Registration".
+ '''
+ # registration isn't allowed to supply roles
+ if props.has_key('roles'):
+ return 0
+ if self.db.security.hasPermission('Web Registration', self.userid):
+ return 1
+ return 0
+
+ def confRegoAction(self):
+ ''' Grab the OTK, use it to load up the new user details
+ '''
+ # pull the rego information out of the otk database
+ otk = self.form['otk'].value
+ props = self.db.otks.getall(otk)
+ for propname, proptype in self.db.user.getprops().items():
+ value = props.get(propname, None)
+ if value is None:
+ pass
+ elif isinstance(proptype, hyperdb.Date):
+ props[propname] = date.Date(value)
+ elif isinstance(proptype, hyperdb.Interval):
+ props[propname] = date.Interval(value)
+ elif isinstance(proptype, hyperdb.Password):
+ props[propname] = password.Password()
+ props[propname].unpack(value)
+
# re-open the database as "admin"
if self.user != 'admin':
self.opendb('admin')
-
+
# create the new user
cl = self.db.user
+# XXX we need to make the "default" page be able to display errors!
try:
props['roles'] = self.instance.config.NEW_WEB_USER_ROLES
- self.userid = cl.create(**props['user'])
+ del props['__time']
+ self.userid = cl.create(**props)
+ # clear the props from the otk database
+ self.db.otks.destroy(otk)
self.db.commit()
except (ValueError, KeyError), message:
- self.error_message.append(message)
+ self.error_message.append(str(message))
return
# log the new user in
# nice message
message = _('You are now registered, welcome!')
- # redirect to the item's edit page
- raise Redirect, '%s%s%s?+ok_message=%s'%(
- self.base, self.classname, self.userid, urllib.quote(message))
+ # redirect to the user's page
+ raise Redirect, '%suser%s?@ok_message=%s&@template=%s'%(self.base,
+ self.userid, urllib.quote(message), urllib.quote(self.template))
- def registerPermission(self, props):
- ''' Determine whether the user has permission to register
+ def passResetAction(self):
+ ''' Handle password reset requests.
- Base behaviour is to check the user has "Web Registration".
+ Presence of either "name" or "address" generate email.
+ Presense of "otk" performs the reset.
'''
- # registration isn't allowed to supply roles
- if props.has_key('roles'):
- return 0
- if self.db.security.hasPermission('Web Registration', self.userid):
- return 1
- return 0
+ if self.form.has_key('otk'):
+ # pull the rego information out of the otk database
+ otk = self.form['otk'].value
+ uid = self.db.otks.get(otk, 'uid')
+
+ # re-open the database as "admin"
+ if self.user != 'admin':
+ self.opendb('admin')
+
+ # change the password
+ newpw = ''.join([random.choice(self.chars) for x in range(8)])
+
+ cl = self.db.user
+# XXX we need to make the "default" page be able to display errors!
+ try:
+ # set the password
+ cl.set(uid, password=password.Password(newpw))
+ # clear the props from the otk database
+ self.db.otks.destroy(otk)
+ self.db.commit()
+ except (ValueError, KeyError), message:
+ self.error_message.append(str(message))
+ return
+
+ # user info
+ address = self.db.user.get(uid, 'address')
+ name = self.db.user.get(uid, 'username')
+
+ # send the email
+ tracker_name = self.db.config.TRACKER_NAME
+ subject = 'Password reset for %s'%tracker_name
+ body = '''
+The password has been reset for username "%(name)s".
+
+Your password is now: %(password)s
+'''%{'name': name, 'password': newpw}
+ if not self.sendEmail(address, subject, body):
+ return
+
+ self.ok_message.append('Password reset and email sent to %s'%address)
+ return
+
+ # no OTK, so now figure the user
+ if self.form.has_key('username'):
+ name = self.form['username'].value
+ try:
+ uid = self.db.user.lookup(name)
+ except KeyError:
+ self.error_message.append('Unknown username')
+ return
+ address = self.db.user.get(uid, 'address')
+ elif self.form.has_key('address'):
+ address = self.form['address'].value
+ uid = uidFromAddress(self.db, ('', address), create=0)
+ if not uid:
+ self.error_message.append('Unknown email address')
+ return
+ name = self.db.user.get(uid, 'username')
+ else:
+ self.error_message.append('You need to specify a username '
+ 'or address')
+ return
+
+ # generate the one-time-key and store the props for later
+ otk = ''.join([random.choice(self.chars) for x in range(32)])
+ self.db.otks.set(otk, uid=uid, __time=time.time())
+
+ # send the email
+ tracker_name = self.db.config.TRACKER_NAME
+ subject = 'Confirm reset of password for %s'%tracker_name
+ body = '''
+Someone, perhaps you, has requested that the password be changed for your
+username, "%(name)s". If you wish to proceed with the change, please follow
+the link below:
+
+ %(url)suser?@template=forgotten&@action=passrst&otk=%(otk)s
+
+You should then receive another email with the new password.
+'''%{'name': name, 'tracker': tracker_name, 'url': self.base, 'otk': otk}
+ if not self.sendEmail(address, subject, body):
+ return
+
+ self.ok_message.append('Email sent to %s'%address)
def editItemAction(self):
''' Perform an edit of an item in the database.
See parsePropsFromForm and _editnodes for special variables
'''
# parse the props from the form
- if 1:
-# try:
+ try:
props, links = self.parsePropsFromForm()
-# except (ValueError, KeyError), message:
-# self.error_message.append(_('Error: ') + str(message))
-# return
+ except (ValueError, KeyError), message:
+ self.error_message.append(_('Error: ') + str(message))
+ return
# handle the props
- if 1:
-# try:
+ try:
message = self._editnodes(props, links)
-# except (ValueError, KeyError, IndexError), message:
-# self.error_message.append(_('Error: ') + str(message))
-# return
+ except (ValueError, KeyError, IndexError), message:
+ self.error_message.append(_('Error: ') + str(message))
+ return
# commit now that all the tricky stuff is done
self.db.commit()
# redirect to the item's edit page
- raise Redirect, '%s%s%s?@ok_message=%s'%(self.base, self.classname,
- self.nodeid, urllib.quote(message))
+ raise Redirect, '%s%s%s?@ok_message=%s&@template=%s'%(self.base,
+ self.classname, self.nodeid, urllib.quote(message),
+ urllib.quote(self.template))
def editItemPermission(self, props):
''' Determine whether the user has permission to edit this item.
special form values.
'''
# parse the props from the form
-# XXX reinstate exception handling
-# try:
- if 1:
+ try:
props, links = self.parsePropsFromForm()
-# except (ValueError, KeyError), message:
-# self.error_message.append(_('Error: ') + str(message))
-# return
+ except (ValueError, KeyError), message:
+ self.error_message.append(_('Error: ') + str(message))
+ return
# handle the props - edit or create
-# XXX reinstate exception handling
-# try:
- if 1:
- # create the context here
-# cn = self.classname
-# nid = self._createnode(cn, props[(cn, None)])
-# del props[(cn, None)]
-
+ try:
# when it hits the None element, it'll set self.nodeid
- messages = self._editnodes(props, links) #, {(cn, None): nid})
+ messages = self._editnodes(props, links)
-# except (ValueError, KeyError, IndexError), message:
-# # these errors might just be indicative of user dumbness
-# self.error_message.append(_('Error: ') + str(message))
-# return
+ except (ValueError, KeyError, IndexError), message:
+ # these errors might just be indicative of user dumbness
+ self.error_message.append(_('Error: ') + str(message))
+ return
# commit now that all the tricky stuff is done
self.db.commit()
# redirect to the new item's page
- raise Redirect, '%s%s%s?@ok_message=%s'%(self.base, self.classname,
- self.nodeid, urllib.quote(messages))
+ raise Redirect, '%s%s%s?@ok_message=%s&@template=%s'%(self.base,
+ self.classname, self.nodeid, urllib.quote(messages),
+ urllib.quote(self.template))
def newItemPermission(self, props):
''' Determine whether the user has permission to create (edit) this
''' Use the props in all_props to perform edit and creation, then
use the link specs in all_links to do linking.
'''
-# print '='*75
-# print 'ALL_PROPS', all_props
# figure dependencies and re-work links
deps = {}
links = {}
deps.setdefault((cn, nodeid), []).append(value)
links.setdefault(value, []).append((cn, nodeid, propname))
-# print '*'*75
-# print 'LINKS', links
-# print 'DEPS', deps
-
# figure chained dependencies ordering
order = []
done = {}
if done.has_key(needed):
continue
tlist = deps.get(needed, [])
-# print 'SOLVING', needed, tlist
for target in tlist:
if not done.has_key(target):
break
else:
-# print 'DONE', needed
done[needed] = 1
order.append(needed)
change = 1
'''
# check for permission
if not self.editItemPermission(props):
- raise PermissionError, 'You do not have permission to edit %s'%cn
+ raise Unauthorised, 'You do not have permission to edit %s'%cn
# make the changes
cl = self.db.classes[cn]
'''
# check for permission
if not self.newItemPermission(props):
- raise PermissionError, 'You do not have permission to create %s'%cn
+ raise Unauthorised, 'You do not have permission to create %s'%cn
# create the node and return its id
cl = self.db.classes[cn]
nodeid, values = values[0], values[1:]
found[nodeid] = 1
+ # see if the node exists
+ if cl.hasnode(nodeid):
+ exists = 1
+ else:
+ exists = 0
+
# confirm correct weight
if len(idlessprops) != len(values):
self.error_message.append(
# extract the new values
d = {}
for name, value in zip(idlessprops, values):
+ prop = cl.properties[name]
value = value.strip()
# only add the property if it has a value
if value:
# if it's a multilink, split it
- if isinstance(cl.properties[name], hyperdb.Multilink):
+ if isinstance(prop, hyperdb.Multilink):
value = value.split(':')
d[name] = value
+ elif exists:
+ # nuke the existing value
+ if isinstance(prop, hyperdb.Multilink):
+ d[name] = []
+ else:
+ d[name] = None
# perform the edit
- if cl.hasnode(nodeid):
+ if exists:
# edit existing
cl.set(nodeid, **d)
else:
_('You do not have permission to search %s' %self.classname))
# add a faked :filter form variable for each filtering prop
-# XXX migrate to new : @ +
props = self.db.classes[self.classname].getprops()
+ queryname = ''
for key in self.form.keys():
- if not props.has_key(key): continue
+ # special vars
+ if self.FV_QUERYNAME.match(key):
+ queryname = self.form[key].value.strip()
+ continue
+
+ if not props.has_key(key):
+ continue
if isinstance(self.form[key], type([])):
# search for at least one entry which is not empty
for minifield in self.form[key]:
continue
else:
if not self.form[key].value: continue
- self.form.value.append(cgi.MiniFieldStorage(':filter', key))
+ self.form.value.append(cgi.MiniFieldStorage('@filter', key))
# handle saving the query params
- if self.form.has_key(':queryname'):
- queryname = self.form[':queryname'].value.strip()
- if queryname:
- # parse the environment and figure what the query _is_
- req = HTMLRequest(self)
- url = req.indexargs_href('', {})
-
- # handle editing an existing query
- try:
- qid = self.db.query.lookup(queryname)
- self.db.query.set(qid, klass=self.classname, url=url)
- except KeyError:
- # create a query
- qid = self.db.query.create(name=queryname,
- klass=self.classname, url=url)
+ if queryname:
+ # parse the environment and figure what the query _is_
+ req = HTMLRequest(self)
+ url = req.indexargs_href('', {})
- # and add it to the user's query multilink
- queries = self.db.user.get(self.userid, 'queries')
- queries.append(qid)
- self.db.user.set(self.userid, queries=queries)
+ # handle editing an existing query
+ try:
+ qid = self.db.query.lookup(queryname)
+ self.db.query.set(qid, klass=self.classname, url=url)
+ except KeyError:
+ # create a query
+ qid = self.db.query.create(name=queryname,
+ klass=self.classname, url=url)
- # commit the query change to the database
- self.db.commit()
+ # and add it to the user's query multilink
+ queries = self.db.user.get(self.userid, 'queries')
+ queries.append(qid)
+ self.db.user.set(self.userid, queries=queries)
+
+ # commit the query change to the database
+ self.db.commit()
def searchPermission(self):
''' Determine whether the user has permission to search this class.
return 1
- def showAction(self):
- ''' Show a node
+ def showAction(self, typere=re.compile('[@:]type'),
+ numre=re.compile('[@:]number')):
+ ''' Show a node of a particular class/id
'''
-# XXX allow : @ +
- t = self.form[':type'].value
- n = self.form[':number'].value
+ t = n = ''
+ for key in self.form.keys():
+ if typere.match(key):
+ t = self.form[key].value.strip()
+ elif numre.match(key):
+ n = self.form[key].value.strip()
+ if not t:
+ raise ValueError, 'Invalid %s number'%t
url = '%s%s%s'%(self.db.config.TRACKER_WEB, t, n)
raise Redirect, url