X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;f=roundup%2Fcgi%2Fclient.py;h=10fd44897bd8e423e252cc1e8304f868725af3e4;hb=5c31da71b45e1b9a8cf9f533540d549d3c961eed;hp=bcc0a16157a5dcbbf2ddb29d142c120b7da7d0ef;hpb=edcaadf85fe6ee29a8a374495fadaf380667dbcf;p=roundup.git diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py index bcc0a16..10fd448 100644 --- a/roundup/cgi/client.py +++ b/roundup/cgi/client.py @@ -1,18 +1,19 @@ -# $Id: client.py,v 1.1 2002-08-30 08:28:44 richard Exp $ +# $Id: client.py,v 1.55 2002-10-18 03:34:58 richard Exp $ __doc__ = """ WWW request handler (also used in the stand-alone server). """ -import os, cgi, StringIO, urlparse, re, traceback, mimetypes, urllib +import os, os.path, cgi, StringIO, urlparse, re, traceback, mimetypes, urllib import binascii, Cookie, time, random from roundup import roundupdb, date, hyperdb, password from roundup.i18n import _ -from roundup.cgi.templating import RoundupPageTemplate +from roundup.cgi.templating import Templates, HTMLRequest, NoTemplate from roundup.cgi import cgitb -from PageTemplates import PageTemplate + +from roundup.cgi.PageTemplates import PageTemplate class Unauthorised(ValueError): pass 
@@ -47,19 +48,36 @@ def initialiseSecurity(security): security.addPermissionToRole('Admin', p) class Client: - ''' - A note about login - ------------------ - - If the user has no login cookie, then they are anonymous. There - are two levels of anonymous use. If there is no 'anonymous' user, there - is no login at all and the database is opened in read-only mode. If the - 'anonymous' user exists, the user is logged in using that user (though - there is no cookie). This allows them to modify the database, and all - modifications are attributed to the 'anonymous' user. - - Once a user logs in, they are assigned a session. The Client instance - keeps the nodeid of the session as the "session" attribute. + ''' Instantiate to handle one CGI request. + + See inner_main for request processing. + + Client attributes at instantiation: + "path" is the PATH_INFO inside the instance (with no leading '/') + "base" is the base URL for the instance + "form" is the cgi form, an instance of FieldStorage from the standard + cgi module + "additional_headers" is a dictionary of additional HTTP headers that + should be sent to the client + "response_code" is the HTTP response code to send to the client + + During the processing of a request, the following attributes are used: + "error_message" holds a list of error messages + "ok_message" holds a list of OK messages + "session" is the current user session id + "user" is the current user's name + "userid" is the current user's id + "template" is the current :template context + "classname" is the current class context name + "nodeid" is the current context item id + + User Identification: + If the user has no login cookie, then they are anonymous and are logged + in as that user. This typically gives them all Permissions assigned to the + Anonymous Role. + + Once a user logs in, they are assigned a session. The Client instance + keeps the nodeid of the session as the "session" attribute. 
''' def __init__(self, instance, request, env, form=None): 
@@ -67,31 +85,68 @@ class Client: self.instance = instance self.request = request self.env = env + + # save off the path self.path = env['PATH_INFO'] - self.split_path = self.path.split('/') - self.instance_path_name = env['INSTANCE_NAME'] - url = self.env['SCRIPT_NAME'] + '/' + self.instance_path_name - machine = self.env['SERVER_NAME'] - port = self.env['SERVER_PORT'] - if port != '80': machine = machine + ':' + port - self.base = urlparse.urlunparse(('http', env['HTTP_HOST'], url, - None, None, None)) + # this is the base URL for this instance + self.base = self.instance.config.TRACKER_WEB + + # see if we need to re-parse the environment for the form (eg Zope) if form is None: self.form = cgi.FieldStorage(environ=env) else: self.form = form - self.headers_done = 0 + + # turn debugging on/off try: self.debug = int(env.get("ROUNDUP_DEBUG", 0)) except ValueError: # someone gave us a non-int debug level, turn it off self.debug = 0 + # flag to indicate that the HTTP headers have been sent + self.headers_done = 0 + + # additional headers to send with the request - must be registered + # before the first write + self.additional_headers = {} + self.response_code = 200 + def main(self): - ''' Wrap the request and handle unauthorised requests + ''' Wrap the real main in a try/finally so we always close off the db. + ''' + try: + self.inner_main() + finally: + if hasattr(self, 'db'): + self.db.close() + + def inner_main(self): + ''' Process a request. + + The most common requests are handled like so: + 1. figure out who we are, defaulting to the "anonymous" user + see determine_user + 2. figure out what the request is for - the context + see determine_context + 3. handle any requested action (item edit, search, ...) + see handle_action + 4. 
render a template, resulting in HTML output + + In some situations, exceptions occur: + - HTTP Redirect (generally raised by an action) + - SendFile (generally raised by determine_context) + serve up a FileClass "content" property + - SendStaticFile (generally raised by determine_context) + serve up a file from the tracker "html" directory + - Unauthorised (generally raised by an action) + the action is cancelled, the request is rendered and an error + message is displayed indicating that permission was not + granted for the action to take place + - NotFound (raised wherever it needs to be) + percolates up to the CGI interface that called the client ''' - self.content_action = None self.ok_message = [] self.error_message = [] try: 
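Review bot: `self.base = self.instance.config.TRACKER_WEB` is taken verbatim from the config, but the redirect later in this diff builds URLs as `'%s%s%s?:ok_message=%s'%(self.base, self.classname, nid, ...)` with no separator, so a TRACKER_WEB value without a trailing slash yields `...trackerissue123`. Either state the requirement in the comment, `# base URL for this instance; TRACKER_WEB must end with '/'`, or normalise it here with `if not self.base.endswith('/'): self.base += '/'`. `__init__`'s signature sits in the preceding hunk, and `inner_main`'s body continues in the next one.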
@@ -99,25 +154,38 @@ class Client: self.determine_user() # figure out the context and desired content template self.determine_context() - # possibly handle a form submit action (may change self.message - # and self.template_name) + # possibly handle a form submit action (may change self.classname + # and self.template, and may also append error/ok_messages) self.handle_action() # now render the page - self.write(self.template('page', ok_message=self.ok_message, - error_message=self.error_message)) + + # we don't want clients caching our dynamic pages + self.additional_headers['Cache-Control'] = 'no-cache' + self.additional_headers['Pragma'] = 'no-cache' + self.additional_headers['Expires'] = 'Thu, 1 Jan 1970 00:00:00 GMT' + + # render the content + self.write(self.renderContext()) except Redirect, url: # let's redirect - if the url isn't None, then we need to do # the headers, otherwise the headers have been set before the # exception was raised if url: - self.header({'Location': url}, response=302) + self.additional_headers['Location'] = url + self.response_code = 302 + self.write('Redirecting to %s'%(url, url)) except SendFile, designator: self.serve_file(designator) except SendStaticFile, file: - self.serve_static_file(file) + self.serve_static_file(str(file)) except Unauthorised, message: - self.write(self.template('page.unauthorised', - error_message=message)) + self.classname=None + self.template='' + self.error_message.append(message) + self.write(self.renderContext()) + except NotFound: + # pass through + raise except: # everything else self.write(cgitb.html()) 
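Review bot: The bare `except:` that closes this hunk still writes `cgitb.html()` — a rendered traceback page — to every client, and with the new `except NotFound: raise` above it, it remains the catch-all for everything else, including any failure inside the `renderContext()` call added to the `Unauthorised` branch. Since `__init__` already reads `self.debug`, the handler could be `if self.debug: self.write(cgitb.html())` with a generic error body and a server-side log otherwise. In the redirect branch, `url` is written into the response body unescaped; as printed here the format string has a single `%s` for a two-element tuple, which may be markup lost in extraction, but in either case `cgi.escape(url)` is the safe form for the body.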
@@ -144,11 +212,12 @@ class Client: cookie = Cookie.Cookie(self.env.get('HTTP_COOKIE', '')) user = 'anonymous' - if (cookie.has_key('roundup_user') and - cookie['roundup_user'].value != 'deleted'): + # bump the "revision" of the cookie since the format changed + if (cookie.has_key('roundup_user_2') and + cookie['roundup_user_2'].value != 'deleted'): # get the session key from the cookie - self.session = cookie['roundup_user'].value + self.session = cookie['roundup_user_2'].value # get the user from the session try: # update the lifetime datestamp 
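Review bot: The cookie name `roundup_user_2` is now a literal repeated three times in this hunk, and whatever sets the cookie at login and logout (outside this hunk) has to match it exactly; a module-level constant such as `SESSION_COOKIE = 'roundup_user_2'` keeps the next "revision bump" in one place. Nothing here expires the old `roundup_user` cookie, so browsers keep sending it; clearing it where the new one is set would be tidy. The cookie value is assigned to `self.session` unchanged and only validated by the session lookup in the `try` that continues beyond the hunk — presumably an unknown id falls back to anonymous there; worth confirming.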
@@ -171,44 +240,57 @@ class Client: else: self.user = user - def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)')): - ''' Determine the context of this page: - - home (default if no url is given) - classname - designator (classname and nodeid) - - The desired template to be rendered is also determined There - are two exceptional contexts: + # reopen the database as the correct user + self.opendb(self.user) - _file - serve up a static file - path len > 1 - serve up a FileClass content - (the additional path gives the browser a - nicer filename to save as) + def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)')): + ''' Determine the context of this page from the URL: + + The URL path after the instance identifier is examined. The path + is generally only one entry long. + + - if there is no path, then we are in the "home" context. + * if the path is "_file", then the additional path entry + specifies the filename of a static file we're to serve up + from the instance "html" directory. Raises a SendStaticFile + exception. + - if there is something in the path (eg "issue"), it identifies + the tracker class we're to display. + - if the path is an item designator (eg "issue123"), then we're + to display a specific item. + * if the path starts with an item designator and is longer than + one entry, then we're assumed to be handling an item of a + FileClass, and the extra path information gives the filename + that the client is going to label the download with (ie + "file123/image.png" is nicer to download than "file123"). This + raises a SendFile exception. + + Both of the "*" types of contexts stop before we bother to + determine the template we're going to use. That's because they + don't actually use templates. 
The template used is specified by the :template CGI variable, which defaults to: + only classname suplied: "index" full item designator supplied: "item" We set: - self.classname - self.nodeid - self.template_name + self.classname - the class to display, can be None + self.template - the template to render the current context with + self.nodeid - the nodeid of the class we're displaying ''' # default the optional variables self.classname = None self.nodeid = None # determine the classname and possibly nodeid - path = self.split_path + path = self.path.split('/') if not path or path[0] in ('', 'home', 'index'): if self.form.has_key(':template'): - self.template_type = self.form[':template'].value - self.template_name = 'home' + '.' + self.template_type + self.template = self.form[':template'].value else: - self.template_type = '' - self.template_name = 'home' + self.template = '' return elif path[0] == '_file': raise SendStaticFile, path[1] @@ -223,16 +305,23 @@ class Client: if m: self.classname = m.group(1) self.nodeid = m.group(2) + if not self.db.getclass(self.classname).hasnode(self.nodeid): + raise NotFound, '%s/%s'%(self.classname, self.nodeid) # with a designator, we default to item view - self.template_type = 'item' + self.template = 'item' else: # with only a class, we default to index view - self.template_type = 'index' + self.template = 'index' + + # make sure the classname is valid + try: + self.db.getclass(self.classname) + except KeyError: + raise NotFound, self.classname # see if we have a template override if self.form.has_key(':template'): - self.template_type = self.form[':template'].value - + self.template = self.form[':template'].value # see if we were passed in a message if self.form.has_key(':ok_message'): 
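Review bot: `raise SendStaticFile, path[1]` raises IndexError when the request path is just `_file` with no second segment, since `path = self.path.split('/')` then yields a one-element list; guard with `if len(path) < 2: raise NotFound, self.path`. The segment is later joined onto the templates directory in `serve_static_file` (a later hunk); splitting on '/' means it cannot contain a slash, but a `..` segment or one containing backslashes still reaches `os.path.join`, so rejecting those here is cheap. `determine_context` continues past the end of this hunk.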
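Review bot: `self.db.getclass(self.classname).hasnode(self.nodeid)` runs before the new "make sure the classname is valid" `try`/`except KeyError`, so a designator with an unknown class name raises a bare KeyError from `getclass` instead of the intended `NotFound`. Move the class-validity check ahead of the designator branch, or wrap the `hasnode` call in the same `except KeyError: raise NotFound, self.classname`. `determine_context` starts in the preceding hunk and continues after this one.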
@@ -240,9 +329,6 @@ class Client: if self.form.has_key(':error_message'): self.error_message.append(self.form[':error_message'].value) - # we have the template name now - self.template_name = self.classname + '.' + self.template_type - def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')): ''' Serve the file from the content property of the designated item. ''' @@ -255,73 +341,79 @@ class Client: # we just want to serve up the file named file = self.db.file - self.header({'Content-Type': file.get(nodeid, 'type')}) + self.additional_headers['Content-Type'] = file.get(nodeid, 'type') self.write(file.get(nodeid, 'content')) def serve_static_file(self, file): # we just want to serve up the file named mt = mimetypes.guess_type(str(file))[0] - self.header({'Content-Type': mt}) - self.write(open('/tmp/test/html/%s'%file).read()) + self.additional_headers['Content-Type'] = mt + self.write(open(os.path.join(self.instance.config.TEMPLATES, + file)).read()) - def template(self, name, **kwargs): + def renderContext(self): ''' Return a PageTemplate for the named page ''' - pt = RoundupPageTemplate(self) - # make errors nicer - pt.id = name - pt.write(open('/tmp/test/html/%s'%name).read()) - # XXX handle PT rendering errors here nicely + name = self.classname + extension = self.template + pt = Templates(self.instance.config.TEMPLATES).get(name, extension) + + # catch errors so we can handle PT rendering errors more nicely + args = { + 'ok_message': self.ok_message, + 'error_message': self.error_message + } try: - return pt.render(**kwargs) - except PageTemplate.PTRuntimeError, message: - return '%s
%s'%cgi.escape(s.getvalue())) + return # redirect to the new item's page - raise Redirect, '%s/%s%s?:ok_message=%s'%(self.base, cn, nid, - urllib.quote(message)) + raise Redirect, '%s%s%s?:ok_message=%s'%(self.base, self.classname, + nid, urllib.quote(message)) - def genericedit_action(self): + def newItemPermission(self, props): + ''' Determine whether the user has permission to create (edit) this + item. + + Base behaviour is to check the user can edit this class. No + additional property checks are made. Additionally, new user items + may be created if the user has the "Web Registration" Permission. + ''' + has = self.db.security.hasPermission + if self.classname == 'user' and has('Web Registration', self.userid, + 'user'): + return 1 + if has('Edit', self.userid, self.classname): + return 1 + return 0 + + def editCSVAction(self): ''' Performs an edit of all of a class' items in one go. The "rows" CGI var defines the CSV-formatted entries for the class. New nodes are identified by the ID 'X' (or any other non-existent ID) and removed lines are retired. ''' - userid = self.db.user.lookup(self.user) - if not self.db.security.hasPermission('Edit', userid): - raise Unauthorised, _("You do not have permission to access"\ - " %(action)s.")%{'action': self.classname} - w = self.write - cn = self.classname - cl = self.db.classes[cn] - idlessprops = cl.getprops(protected=0).keys() - props = ['id'] + idlessprops + # this is per-class only + if not self.editCSVPermission(): + self.error_message.append( + _('You do not have permission to edit %s' %self.classname)) # get the CSV module try: 
@@ -621,24 +835,34 @@ class Client: 'Get it from: http://www.object-craft.com.au/projects/csv/')) return + cl = self.db.classes[self.classname] + idlessprops = cl.getprops(protected=0).keys() + idlessprops.sort() + props = ['id'] + idlessprops + # do the edit rows = self.form['rows'].value.splitlines() p = csv.parser() found = {} line = 0 - for row in rows: + for row in rows[1:]: line += 1 values = p.parse(row) # not a complete row, keep going if not values: continue + # skip property names header + if values == props: + continue + # extract the nodeid nodeid, values = values[0], values[1:] found[nodeid] = 1 # confirm correct weight if len(idlessprops) != len(values): - w(_('Not enough values on line %(line)s'%{'line':line})) + self.error_message.append( + _('Not enough values on line %(line)s')%{'line':line}) return # extract the new values 
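Review bot: `for row in rows[1:]` skips the first submitted line unconditionally while the new `if values == props: continue` already skips the header by content, so a submission without a header line silently loses its first data row; iterating `rows` and relying on the content check avoids that. Because `line` counts only the rows iterated, the `Not enough values on line %(line)s` message is also off by one from the textarea line the user sees. `self.form['rows']` raises KeyError when the field is absent; `editCSVAction` starts in an earlier hunk, outside this one.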
@@ -665,12 +889,122 @@ class Client: if not found.has_key(nodeid): cl.retire(nodeid) - message = _('items edited OK') + # all OK + self.db.commit() + + self.ok_message.append(_('Items edited OK')) + + def editCSVPermission(self): + ''' Determine whether the user has permission to edit this class. + + Base behaviour is to check the user can edit this class. + ''' + if not self.db.security.hasPermission('Edit', self.userid, + self.classname): + return 0 + return 1 + + def searchAction(self): + ''' Mangle some of the form variables. - # redirect to the class' edit page - raise Redirect, '%s/%s?:ok_message=%s'%(self.base, cn, - urllib.quote(message)) + Set the form ":filter" variable based on the values of the + filter variables - if they're set to anything other than + "dontcare" then add them to :filter. + Also handle the ":queryname" variable and save off the query to + the user's query list. + ''' + # generic edit is per-class only + if not self.searchPermission(): + self.error_message.append( + _('You do not have permission to search %s' %self.classname)) + + # add a faked :filter form variable for each filtering prop + props = self.db.classes[self.classname].getprops() + for key in self.form.keys(): + if not props.has_key(key): continue + if not self.form[key].value: continue + self.form.value.append(cgi.MiniFieldStorage(':filter', key)) + + # handle saving the query params + if self.form.has_key(':queryname'): + queryname = self.form[':queryname'].value.strip() + if queryname: + # parse the environment and figure what the query _is_ + req = HTMLRequest(self) + url = req.indexargs_href('', {}) + + # handle editing an existing query + try: + qid = self.db.query.lookup(queryname) + self.db.query.set(qid, klass=self.classname, url=url) + except KeyError: + # create a query + qid = self.db.query.create(name=queryname, + klass=self.classname, url=url) + + # and add it to the user's query multilink + queries = self.db.user.get(self.userid, 'queries') + 
queries.append(qid) + self.db.user.set(self.userid, queries=queries) + + # commit the query change to the database + self.db.commit() + + def searchPermission(self): + ''' Determine whether the user has permission to search this class. + + Base behaviour is to check the user can view this class. + ''' + if not self.db.security.hasPermission('View', self.userid, + self.classname): + return 0 + return 1 + + def retireAction(self): + ''' Retire the context item. + ''' + # if we want to view the index template now, then unset the nodeid + # context info (a special-case for retire actions on the index page) + nodeid = self.nodeid + if self.template == 'index': + self.nodeid = None + + # generic edit is per-class only + if not self.retirePermission(): + self.error_message.append( + _('You do not have permission to retire %s' %self.classname)) + return + + # make sure we don't try to retire admin or anonymous + if self.classname == 'user' and \ + self.db.user.get(nodeid, 'username') in ('admin', 'anonymous'): + self.error_message.append( + _('You may not retire the admin or anonymous user')) + return + + # do the retire + self.db.getclass(self.classname).retire(nodeid) + self.db.commit() + + self.ok_message.append( + _('%(classname)s %(itemid)s has been retired')%{ + 'classname': self.classname.capitalize(), 'itemid': nodeid}) + + def retirePermission(self): + ''' Determine whether the user has permission to retire this class. + + Base behaviour is to check the user can edit this class. + ''' + if not self.db.security.hasPermission('Edit', self.userid, + self.classname): + return 0 + return 1 + + + # + # Utility methods for editing + # def _changenode(self, props): ''' change the node based on the contents of the form ''' 
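Review bot: `searchAction` appends an error message when `searchPermission()` fails but does not `return`, so the filter mangling and the query-saving code, which creates or updates `self.db.query` items and commits, still run for a user without View permission; `retireAction` in this hunk returns after its check, and `editCSVAction` earlier in the diff has the same missing `return`. The save path looks up `queryname` by name alone, so unless query names are scoped per user (nothing here shows an owner property), a user can overwrite another user's query of the same name via `self.db.query.set`; limiting the edit to ids already in the user's own `queries` list closes that. The existing-query branch also falls through to `queries.append(qid)` on every save, so the multilink accumulates duplicate ids — guard with `if qid not in queries:`.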
@@ -686,11 +1020,10 @@ class Client: # make the changes return cl.set(self.nodeid, **props) - def _createnode(self): + def _createnode(self, props): ''' create a node based on the contents of the form ''' cl = self.db.classes[self.classname] - props = parsePropsFromForm(self.db, cl, self.form) # check for messages and files message, files = self._handle_message() @@ -706,8 +1039,8 @@ class Client: ''' # handle file attachments files = [] - if self.form.has_key('__file'): - file = self.form['__file'] + if self.form.has_key(':file'): + file = self.form[':file'] if file.filename: filename = file.filename.split('\\')[-1] mime_type = mimetypes.guess_type(filename)[0] @@ -724,8 +1057,9 @@ class Client: note = None # in a nutshell, don't do anything if there's no note or there's no # NOSY - if self.form.has_key('__note'): - note = self.form['__note'].value.strip() + if self.form.has_key(':note'): + # fix the CRLF/CR -> LF stuff + note = fixNewlines(self.form[':note'].value.strip()) if not note: return None, files if not props.has_key('messages'): @@ -747,7 +1081,7 @@ class Client: # handle the messageid # TODO: handle inreplyto messageid = "<%s.%s.%s@%s>"%(time.time(), random.random(), - self.classname, self.instance.MAIL_DOMAIN) + self.classname, self.instance.config.MAIL_DOMAIN) # now create the message, attaching the files content = '\n'.join(m) @@ -769,7 +1103,7 @@ class Client: which issue to link the file to. TODO: I suspect that this and newfile will go away now that - there's the ability to upload a file using the issue __file form + there's the ability to upload a file using the issue :file form element! ''' cn = self.classname 
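Review bot: `filename = file.filename.split('\\')[-1]`, two lines below the renamed `:file` lookup, strips only backslash-separated client paths, so a browser that submits a forward-slash path leaves the directory part in the stored filename; `os.path.basename(file.filename.replace('\\', '/'))` handles both forms. The enclosing `_handle_message` starts and ends outside these hunks. The `_createnode(self, props)` signature change means its callers must now pass the parsed props — the call site is not visible in this diff, so worth confirming it was updated.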
@@ -797,85 +1131,131 @@ class Client: link = self.db.classes[link] link.set(nodeid, **{property: nid}) +def fixNewlines(text): + ''' Homogenise line endings. - def remove_action(self, dre=re.compile(r'([^\d]+)(\d+)')): - # XXX handle this ! - target = self.index_arg(':target')[0] - m = dre.match(target) - if m: - classname = m.group(1) - nodeid = m.group(2) - cl = self.db.getclass(classname) - cl.retire(nodeid) - # now take care of the reference - parentref = self.index_arg(':multilink')[0] - parent, prop = parentref.split(':') - m = dre.match(parent) - if m: - self.classname = m.group(1) - self.nodeid = m.group(2) - cl = self.db.getclass(self.classname) - value = cl.get(self.nodeid, prop) - value.remove(nodeid) - cl.set(self.nodeid, **{prop:value}) - func = getattr(self, 'show%s'%self.classname) - return func() - else: - raise NotFound, parent - else: - raise NotFound, target - + Different web clients send different line ending values, but + other systems (eg. email) don't necessarily handle those line + endings. Our solution is to convert all line endings to LF. + ''' + text = text.replace('\r\n', '\n') + return text.replace('\r', '\n') def parsePropsFromForm(db, cl, form, nodeid=0, num_re=re.compile('^\d+$')): - '''Pull properties for the given class out of the form. + ''' Pull properties for the given class out of the form. + + If a ":required" parameter is supplied, then the names property values + must be supplied or a ValueError will be raised. + + Other special form values: + :remove: