X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;f=roundup%2Fcgi%2Fclient.py;h=170d86bc87a4cd03b0e4a35e3fcebc3e4f6cb417;hb=14ccca8ea95dd75eb4001ca4059c743b0b10a7a8;hp=9c786f99376c60c31ab7bb438c4ea9d493024829;hpb=d4ec9eea1a5205bb56d46d44d4239226b93ca7c3;p=roundup.git diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py index 9c786f9..170d86b 100644 --- a/roundup/cgi/client.py +++ b/roundup/cgi/client.py @@ -1,4 +1,4 @@ -# $Id: client.py,v 1.8 2002-09-03 03:23:56 richard Exp $ +# $Id: client.py,v 1.66 2003-01-11 23:52:28 richard Exp $ __doc__ = """ WWW request handler (also used in the stand-alone server). @@ -10,10 +10,10 @@ import binascii, Cookie, time, random from roundup import roundupdb, date, hyperdb, password from roundup.i18n import _ -from roundup.cgi.templating import getTemplate, HTMLRequest +from roundup.cgi.templating import Templates, HTMLRequest, NoTemplate from roundup.cgi import cgitb -from PageTemplates import PageTemplate +from roundup.cgi.PageTemplates import PageTemplate class Unauthorised(ValueError): pass @@ -48,24 +48,36 @@ def initialiseSecurity(security): security.addPermissionToRole('Admin', p) class Client: - ''' - A note about login - ------------------ - - If the user has no login cookie, then they are anonymous. There - are two levels of anonymous use. If there is no 'anonymous' user, there - is no login at all and the database is opened in read-only mode. If the - 'anonymous' user exists, the user is logged in using that user (though - there is no cookie). This allows them to modify the database, and all - modifications are attributed to the 'anonymous' user. - - Once a user logs in, they are assigned a session. The Client instance - keeps the nodeid of the session as the "session" attribute. - - Client attributes: - "url" is the current url path - "path" is the PATH_INFO inside the instance + ''' Instantiate to handle one CGI request. + + See inner_main for request processing. + + Client attributes at instantiation: + "path" is the PATH_INFO inside the instance (with no leading '/') "base" is the base URL for the instance + "form" is the cgi form, an instance of FieldStorage from the standard + cgi module + "additional_headers" is a dictionary of additional HTTP headers that + should be sent to the client + "response_code" is the HTTP response code to send to the client + + During the processing of a request, the following attributes are used: + "error_message" holds a list of error messages + "ok_message" holds a list of OK messages + "session" is the current user session id + "user" is the current user's name + "userid" is the current user's id + "template" is the current :template context + "classname" is the current class context name + "nodeid" is the current context item id + + User Identification: + If the user has no login cookie, then they are anonymous and are logged + in as that user. This typically gives them all Permissions assigned to the + Anonymous Role. + + Once a user logs in, they are assigned a session. The Client instance + keeps the nodeid of the session as the "session" attribute. ''' def __init__(self, instance, request, env, form=None): @@ -74,35 +86,67 @@ class Client: self.request = request self.env = env + # save off the path self.path = env['PATH_INFO'] - self.split_path = self.path.split('/') - self.instance_path_name = env['INSTANCE_NAME'] # this is the base URL for this instance - url = self.env['SCRIPT_NAME'] + '/' + self.instance_path_name - self.base = urlparse.urlunparse(('http', env['HTTP_HOST'], url, - None, None, None)) - - # request.path is the full request path - x, x, path, x, x, x = urlparse.urlparse(request.path) - self.url = urlparse.urlunparse(('http', env['HTTP_HOST'], path, - None, None, None)) + self.base = self.instance.config.TRACKER_WEB + # see if we need to re-parse the environment for the form (eg Zope) if form is None: self.form = cgi.FieldStorage(environ=env) else: self.form = form - self.headers_done = 0 + + # turn debugging on/off try: self.debug = int(env.get("ROUNDUP_DEBUG", 0)) except ValueError: # someone gave us a non-int debug level, turn it off self.debug = 0 + # flag to indicate that the HTTP headers have been sent + self.headers_done = 0 + + # additional headers to send with the request - must be registered + # before the first write + self.additional_headers = {} + self.response_code = 200 + def main(self): - ''' Wrap the request and handle unauthorised requests + ''' Wrap the real main in a try/finally so we always close off the db. + ''' + try: + self.inner_main() + finally: + if hasattr(self, 'db'): + self.db.close() + + def inner_main(self): + ''' Process a request. + + The most common requests are handled like so: + 1. figure out who we are, defaulting to the "anonymous" user + see determine_user + 2. figure out what the request is for - the context + see determine_context + 3. handle any requested action (item edit, search, ...) + see handle_action + 4. render a template, resulting in HTML output + + In some situations, exceptions occur: + - HTTP Redirect (generally raised by an action) + - SendFile (generally raised by determine_context) + serve up a FileClass "content" property + - SendStaticFile (generally raised by determine_context) + serve up a file from the tracker "html" directory + - Unauthorised (generally raised by an action) + the action is cancelled, the request is rendered and an error + message is displayed indicating that permission was not + granted for the action to take place + - NotFound (raised wherever it needs to be) + percolates up to the CGI interface that called the client ''' - self.content_action = None self.ok_message = [] self.error_message = [] try: @@ -110,25 +154,38 @@ class Client: self.determine_user() # figure out the context and desired content template self.determine_context() - # possibly handle a form submit action (may change self.message - # and self.template_name) + # possibly handle a form submit action (may change self.classname + # and self.template, and may also append error/ok_messages) self.handle_action() # now render the page - self.write(self.template('page', ok_message=self.ok_message, - error_message=self.error_message)) + + # we don't want clients caching our dynamic pages + self.additional_headers['Cache-Control'] = 'no-cache' + self.additional_headers['Pragma'] = 'no-cache' + self.additional_headers['Expires'] = 'Thu, 1 Jan 1970 00:00:00 GMT' + + # render the content + self.write(self.renderContext()) except Redirect, url: # let's redirect - if the url isn't None, then we need to do # the headers, otherwise the headers have been set before the # exception was raised if url: - self.header({'Location': url}, response=302) + self.additional_headers['Location'] = url + self.response_code = 302 + self.write('Redirecting to %s'%(url, url)) except SendFile, designator: self.serve_file(designator) except SendStaticFile, file: - self.serve_static_file(file) + self.serve_static_file(str(file)) except Unauthorised, message: - self.write(self.template('page.unauthorised', - error_message=message)) + self.classname=None + self.template='' + self.error_message.append(message) + self.write(self.renderContext()) + except NotFound: + # pass through + raise except: # everything else self.write(cgitb.html()) @@ -187,43 +244,53 @@ class Client: self.opendb(self.user) def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)')): - ''' Determine the context of this page: - - home (default if no url is given) - classname - designator (classname and nodeid) - - The desired template to be rendered is also determined There - are two exceptional contexts: - - _file - serve up a static file - path len > 1 - serve up a FileClass content - (the additional path gives the browser a - nicer filename to save as) + ''' Determine the context of this page from the URL: + + The URL path after the instance identifier is examined. The path + is generally only one entry long. + + - if there is no path, then we are in the "home" context. + * if the path is "_file", then the additional path entry + specifies the filename of a static file we're to serve up + from the instance "html" directory. Raises a SendStaticFile + exception. + - if there is something in the path (eg "issue"), it identifies + the tracker class we're to display. + - if the path is an item designator (eg "issue123"), then we're + to display a specific item. + * if the path starts with an item designator and is longer than + one entry, then we're assumed to be handling an item of a + FileClass, and the extra path information gives the filename + that the client is going to label the download with (ie + "file123/image.png" is nicer to download than "file123"). This + raises a SendFile exception. + + Both of the "*" types of contexts stop before we bother to + determine the template we're going to use. That's because they + don't actually use templates. The template used is specified by the :template CGI variable, which defaults to: + only classname suplied: "index" full item designator supplied: "item" We set: - self.classname - self.nodeid - self.template_name + self.classname - the class to display, can be None + self.template - the template to render the current context with + self.nodeid - the nodeid of the class we're displaying ''' # default the optional variables self.classname = None self.nodeid = None # determine the classname and possibly nodeid - path = self.split_path + path = self.path.split('/') if not path or path[0] in ('', 'home', 'index'): if self.form.has_key(':template'): - self.template_type = self.form[':template'].value - self.template_name = 'home' + '.' + self.template_type + self.template = self.form[':template'].value else: - self.template_type = '' - self.template_name = 'home' + self.template = '' return elif path[0] == '_file': raise SendStaticFile, path[1] @@ -238,16 +305,23 @@ class Client: if m: self.classname = m.group(1) self.nodeid = m.group(2) + if not self.db.getclass(self.classname).hasnode(self.nodeid): + raise NotFound, '%s/%s'%(self.classname, self.nodeid) # with a designator, we default to item view - self.template_type = 'item' + self.template = 'item' else: # with only a class, we default to index view - self.template_type = 'index' + self.template = 'index' + + # make sure the classname is valid + try: + self.db.getclass(self.classname) + except KeyError: + raise NotFound, self.classname # see if we have a template override if self.form.has_key(':template'): - self.template_type = self.form[':template'].value - + self.template = self.form[':template'].value # see if we were passed in a message if self.form.has_key(':ok_message'): @@ -255,9 +329,6 @@ class Client: if self.form.has_key(':error_message'): self.error_message.append(self.form[':error_message'].value) - # we have the template name now - self.template_name = self.classname + '.' + self.template_type - def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')): ''' Serve the file from the content property of the designated item. ''' @@ -270,73 +341,79 @@ class Client: # we just want to serve up the file named file = self.db.file - self.header({'Content-Type': file.get(nodeid, 'type')}) + self.additional_headers['Content-Type'] = file.get(nodeid, 'type') self.write(file.get(nodeid, 'content')) def serve_static_file(self, file): # we just want to serve up the file named mt = mimetypes.guess_type(str(file))[0] - self.header({'Content-Type': mt}) - self.write(open(os.path.join(self.instance.TEMPLATES, file)).read()) + self.additional_headers['Content-Type'] = mt + self.write(open(os.path.join(self.instance.config.TEMPLATES, + file)).read()) - def template(self, name, **kwargs): + def renderContext(self): ''' Return a PageTemplate for the named page ''' - pt = getTemplate(self.instance.TEMPLATES, name) - # XXX handle PT rendering errors here more nicely + name = self.classname + extension = self.template + pt = Templates(self.instance.config.TEMPLATES).get(name, extension) + + # catch errors so we can handle PT rendering errors more nicely + args = { + 'ok_message': self.ok_message, + 'error_message': self.error_message + } try: # let the template render figure stuff out - return pt.render(self, None, None, **kwargs) - except PageTemplate.PTRuntimeError, message: - return '%s
%s'%cgi.escape(s.getvalue())) + return + try: # handle linked nodes self._post_editnode(nid) @@ -654,10 +794,7 @@ class Client: self.nodeid = nid # and some nice feedback for the user - message = _('%(classname)s created ok')%self.__dict__ - except (ValueError, KeyError), message: - self.error_message.append(_('Error: ') + str(message)) - return + message = _('%(classname)s created ok')%self.__dict__ + xtra except: # oops self.db.rollback() @@ -667,7 +804,7 @@ class Client: return # redirect to the new item's page - raise Redirect, '%s/%s%s?:ok_message=%s'%(self.base, self.classname, + raise Redirect, '%s%s%s?:ok_message=%s'%(self.base, self.classname, nid, urllib.quote(message)) def newItemPermission(self, props): @@ -686,15 +823,15 @@ class Client: return 1 return 0 - def genericEditAction(self): + def editCSVAction(self): ''' Performs an edit of all of a class' items in one go. The "rows" CGI var defines the CSV-formatted entries for the class. New nodes are identified by the ID 'X' (or any other non-existent ID) and removed lines are retired. ''' - # generic edit is per-class only - if not self.genericEditPermission(): + # this is per-class only + if not self.editCSVPermission(): self.error_message.append( _('You do not have permission to edit %s' %self.classname)) @@ -709,6 +846,7 @@ class Client: cl = self.db.classes[self.classname] idlessprops = cl.getprops(protected=0).keys() + idlessprops.sort() props = ['id'] + idlessprops # do the edit @@ -716,19 +854,24 @@ class Client: p = csv.parser() found = {} line = 0 - for row in rows: + for row in rows[1:]: line += 1 values = p.parse(row) # not a complete row, keep going if not values: continue + # skip property names header + if values == props: + continue + # extract the nodeid nodeid, values = values[0], values[1:] found[nodeid] = 1 # confirm correct weight if len(idlessprops) != len(values): - message=(_('Not enough values on line %(line)s'%{'line':line})) + self.error_message.append( + _('Not enough values on line %(line)s')%{'line':line}) return # extract the new values @@ -755,13 +898,12 @@ class Client: if not found.has_key(nodeid): cl.retire(nodeid) - message = _('items edited OK') + # all OK + self.db.commit() - # redirect to the class' edit page - raise Redirect, '%s/%s?:ok_message=%s'%(self.base, self.classname, - urllib.quote(message)) + self.ok_message.append(_('Items edited OK')) - def genericEditPermission(self): + def editCSVPermission(self): ''' Determine whether the user has permission to edit this class. Base behaviour is to check the user can edit this class. @@ -818,7 +960,6 @@ class Client: # commit the query change to the database self.db.commit() - def searchPermission(self): ''' Determine whether the user has permission to search this class. @@ -829,34 +970,46 @@ class Client: return 0 return 1 - def XXXremove_action(self, dre=re.compile(r'([^\d]+)(\d+)')): - # XXX I believe this could be handled by a regular edit action that - # just sets the multilink... - # XXX handle this ! - target = self.index_arg(':target')[0] - m = dre.match(target) - if m: - classname = m.group(1) - nodeid = m.group(2) - cl = self.db.getclass(classname) - cl.retire(nodeid) - # now take care of the reference - parentref = self.index_arg(':multilink')[0] - parent, prop = parentref.split(':') - m = dre.match(parent) - if m: - self.classname = m.group(1) - self.nodeid = m.group(2) - cl = self.db.getclass(self.classname) - value = cl.get(self.nodeid, prop) - value.remove(nodeid) - cl.set(self.nodeid, **{prop:value}) - func = getattr(self, 'show%s'%self.classname) - return func() - else: - raise NotFound, parent - else: - raise NotFound, target + def retireAction(self): + ''' Retire the context item. + ''' + # if we want to view the index template now, then unset the nodeid + # context info (a special-case for retire actions on the index page) + nodeid = self.nodeid + if self.template == 'index': + self.nodeid = None + + # generic edit is per-class only + if not self.retirePermission(): + self.error_message.append( + _('You do not have permission to retire %s' %self.classname)) + return + + # make sure we don't try to retire admin or anonymous + if self.classname == 'user' and \ + self.db.user.get(nodeid, 'username') in ('admin', 'anonymous'): + self.error_message.append( + _('You may not retire the admin or anonymous user')) + return + + # do the retire + self.db.getclass(self.classname).retire(nodeid) + self.db.commit() + + self.ok_message.append( + _('%(classname)s %(itemid)s has been retired')%{ + 'classname': self.classname.capitalize(), 'itemid': nodeid}) + + def retirePermission(self): + ''' Determine whether the user has permission to retire this class. + + Base behaviour is to check the user can edit this class. + ''' + if not self.db.security.hasPermission('Edit', self.userid, + self.classname): + return 0 + return 1 + # # Utility methods for editing @@ -895,16 +1048,30 @@ class Client: ''' # handle file attachments files = [] - if self.form.has_key('__file'): - file = self.form['__file'] + if self.form.has_key(':file'): + file = self.form[':file'] + + # if there's a filename, then we create a file if file.filename: + # see if there are any file properties we should set + file_props={}; + if self.form.has_key(':file_fields'): + for field in self.form[':file_fields'].value.split(','): + if self.form.has_key(field): + if field.startswith("file_"): + file_props[field[5:]] = self.form[field].value + else : + file_props[field] = self.form[field].value + + # try to determine the file content-type filename = file.filename.split('\\')[-1] mime_type = mimetypes.guess_type(filename)[0] if not mime_type: mime_type = "application/octet-stream" + # create the new file entry files.append(self.db.file.create(type=mime_type, - name=filename, content=file.file.read())) + name=filename, content=file.file.read(), **file_props)) # we don't want to do a message if none of the following is true... cn = self.classname @@ -913,8 +1080,9 @@ class Client: note = None # in a nutshell, don't do anything if there's no note or there's no # NOSY - if self.form.has_key('__note'): - note = self.form['__note'].value.strip() + if self.form.has_key(':note'): + # fix the CRLF/CR -> LF stuff + note = fixNewlines(self.form[':note'].value.strip()) if not note: return None, files if not props.has_key('messages'): @@ -936,13 +1104,23 @@ class Client: # handle the messageid # TODO: handle inreplyto messageid = "<%s.%s.%s@%s>"%(time.time(), random.random(), - self.classname, self.instance.MAIL_DOMAIN) + self.classname, self.instance.config.MAIL_DOMAIN) + + # see if there are any message properties we should set + msg_props={}; + if self.form.has_key(':msg_fields'): + for field in self.form[':msg_fields'].value.split(','): + if self.form.has_key(field): + if field.startswith("msg_"): + msg_props[field[4:]] = self.form[field].value + else : + msg_props[field] = self.form[field].value # now create the message, attaching the files content = '\n'.join(m) message_id = self.db.msg.create(author=self.userid, recipients=[], date=date.Date('.'), summary=summary, - content=content, files=files, messageid=messageid) + content=content, files=files, messageid=messageid, **msg_props) # update the messages property return message_id, files @@ -958,7 +1136,7 @@ class Client: which issue to link the file to. TODO: I suspect that this and newfile will go away now that - there's the ability to upload a file using the issue __file form + there's the ability to upload a file using the issue :file form element! ''' cn = self.classname @@ -986,92 +1164,215 @@ class Client: link = self.db.classes[link] link.set(nodeid, **{property: nid}) +def fixNewlines(text): + ''' Homogenise line endings. + + Different web clients send different line ending values, but + other systems (eg. email) don't necessarily handle those line + endings. Our solution is to convert all line endings to LF. + ''' + text = text.replace('\r\n', '\n') + return text.replace('\r', '\n') def parsePropsFromForm(db, cl, form, nodeid=0, num_re=re.compile('^\d+$')): - '''Pull properties for the given class out of the form. + ''' Pull properties for the given class out of the form. + + If a ":required" parameter is supplied, then the names property values + must be supplied or a ValueError will be raised. + + Other special form values: + :remove: