[mediagoblin.git] / mediagoblin / decorators.py

# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from functools import wraps

from werkzeug.exceptions import Forbidden, NotFound
from oauthlib.oauth1 import ResourceEndpoint

from six.moves.urllib.parse import urljoin

from mediagoblin import mg_globals as mgg
from mediagoblin import messages
from mediagoblin.db.models import MediaEntry, LocalUser, TextComment, \
                                  AccessToken, Comment
from mediagoblin.tools.response import (
    redirect, render_404,
    render_user_banned, json_response)
from mediagoblin.tools.translate import pass_to_ugettext as _

from mediagoblin.oauth.tools.request import decode_authorization_header
from mediagoblin.oauth.oauth import GMGRequestValidator


def user_not_banned(controller):
    """
    Requires that the user has not been banned. Otherwise redirects to the page
    explaining why they have been banned
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if request.user:
            if request.user.is_banned():
                return render_user_banned(request)
        return controller(request, *args, **kwargs)

    return wrapper


def require_active_login(controller):
    """
    Require an active login from the user. If the user is banned, redirects to
    the "You are Banned" page.
    """
    @wraps(controller)
    @user_not_banned
    def new_controller_func(request, *args, **kwargs):
        if request.user and \
                not request.user.has_privilege(u'active'):
            return redirect(
                request, 'mediagoblin.user_pages.user_home',
                user=request.user.username)
        elif not request.user or not request.user.has_privilege(u'active'):
            next_url = urljoin(
                    request.urlgen('mediagoblin.auth.login',
                        qualified=True),
                    request.url)

            return redirect(request, 'mediagoblin.auth.login',
                            next=next_url)

        return controller(request, *args, **kwargs)

    return new_controller_func


def user_has_privilege(privilege_name, allow_admin=True):
    """
    Requires that a user have a particular privilege in order to access a page.
    In order to require that a user have multiple privileges, use this
    decorator twice on the same view. This decorator also makes sure that the
    user is not banned, or else it redirects them to the "You are Banned" page.

        :param privilege_name       A unicode object that is that represents
                                        the privilege object. This object is
                                        the name of the privilege, as assigned
                                        in the Privilege.privilege_name column

        :param allow_admin          If this is true then if the user is an admin
                                    it will allow the user even if the user doesn't
                                    have the privilage given in privilage_name.
    """

    def user_has_privilege_decorator(controller):
        @wraps(controller)
        @require_active_login
        def wrapper(request, *args, **kwargs):
            if not request.user.has_privilege(privilege_name, allow_admin):
                raise Forbidden()

            return controller(request, *args, **kwargs)

        return wrapper
    return user_has_privilege_decorator


def active_user_from_url(controller):
    """Retrieve LocalUser() from <user> URL pattern and pass in as url_user=...

    Returns a 404 if no such active user has been found"""
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        user = LocalUser.query.filter_by(username=request.matchdict['user']).first()
        if user is None:
            return render_404(request)

        return controller(request, *args, url_user=user, **kwargs)

    return wrapper


def user_may_delete_media(controller):
    """
    Require user ownership of the MediaEntry to delete.
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        uploader_id = kwargs['media'].actor
        if not (request.user.has_privilege(u'admin') or
                request.user.id == uploader_id):
            raise Forbidden()

        return controller(request, *args, **kwargs)

    return wrapper


def user_may_alter_collection(controller):
    """
    Require user ownership of the Collection to modify.
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        creator_id = request.db.LocalUser.query.filter_by(
            username=request.matchdict['user']).first().id
        if not (request.user.has_privilege(u'admin') or
                request.user.id == creator_id):
            raise Forbidden()

        return controller(request, *args, **kwargs)

    return wrapper


def uses_pagination(controller):
    """
    Check request GET 'page' key for wrong values
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        try:
            page = int(request.GET.get('page', 1))
            if page < 0:
                return render_404(request)
        except ValueError:
            return render_404(request)

        return controller(request, page=page, *args, **kwargs)

    return wrapper


def get_user_media_entry(controller):
    """
    Pass in a MediaEntry based off of a url component
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        user = LocalUser.query.filter_by(username=request.matchdict['user']).first()
        if not user:
            raise NotFound()

        media = None

        # might not be a slug, might be an id, but whatever
        media_slug = request.matchdict['media']

        # if it starts with id: it actually isn't a slug, it's an id.
        if media_slug.startswith(u'id:'):
            try:
                media = MediaEntry.query.filter_by(
                    id=int(media_slug[3:]),
                    state=u'processed',
                    actor=user.id).first()
            except ValueError:
                raise NotFound()
        else:
            # no magical id: stuff?  It's a slug!
            media = MediaEntry.query.filter_by(
                slug=media_slug,
                state=u'processed',
                actor=user.id).first()

        if not media:
            # Didn't find anything?  Okay, 404.
            raise NotFound()

        return controller(request, media=media, *args, **kwargs)

    return wrapper


def get_user_collection(controller):
    """
    Pass in a Collection based off of a url component
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        user = request.db.LocalUser.query.filter_by(
            username=request.matchdict['user']).first()

        if not user:
            return render_404(request)

        collection = request.db.Collection.query.filter_by(
            slug=request.matchdict['collection'],
            actor=user.id).first()

        # Still no collection?  Okay, 404.
        if not collection:
            return render_404(request)

        return controller(request, collection=collection, *args, **kwargs)

    return wrapper


def get_user_collection_item(controller):
    """
    Pass in a CollectionItem based off of a url component
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        user = request.db.LocalUser.query.filter_by(
            username=request.matchdict['user']).first()

        if not user:
            return render_404(request)

        collection_item = request.db.CollectionItem.query.filter_by(
            id=request.matchdict['collection_item']).first()

        # Still no collection item?  Okay, 404.
        if not collection_item:
            return render_404(request)

        return controller(request, collection_item=collection_item, *args, **kwargs)

    return wrapper


def get_media_entry_by_id(controller):
    """
    Pass in a MediaEntry based off of a url component
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        media = MediaEntry.query.filter_by(
                id=request.matchdict['media_id']).first()
        # Still no media?  Okay, 404.
        if not media:
            return render_404(request)

        given_username = request.matchdict.get('user')
        if given_username and (given_username != media.get_actor.username):
            return render_404(request)

        return controller(request, media=media, *args, **kwargs)

    return wrapper


def get_workbench(func):
    """Decorator, passing in a workbench as kwarg which is cleaned up afterwards"""

    @wraps(func)
    def new_func(*args, **kwargs):
        with mgg.workbench_manager.create() as workbench:
            return func(*args, workbench=workbench, **kwargs)

    return new_func


def allow_registration(controller):
    """ Decorator for if registration is enabled"""
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if not mgg.app_config["allow_registration"]:
            messages.add_message(
                request,
                messages.WARNING,
                _('Sorry, registration is disabled on this instance.'))
            return redirect(request, "index")

        return controller(request, *args, **kwargs)

    return wrapper

def allow_reporting(controller):
    """ Decorator for if reporting is enabled"""
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if not mgg.app_config["allow_reporting"]:
            messages.add_message(
                request,
                messages.WARNING,
                _('Sorry, reporting is disabled on this instance.'))
            return redirect(request, 'index')

        return controller(request, *args, **kwargs)

    return wrapper

def get_optional_media_comment_by_id(controller):
    """
    Pass in a Comment based off of a url component. Because of this decor-
    -ator's use in filing Reports, it has two valid outcomes.

    :returns        The view function being wrapped with kwarg `comment` set to
                        the Comment who's id is in the URL. If there is a
                        comment id in the URL and if it is valid.
    :returns        The view function being wrapped with kwarg `comment` set to
                        None. If there is no comment id in the URL.
    :returns        A 404 Error page, if there is a comment if in the URL and it
                        is invalid.
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if 'comment' in request.matchdict:
            comment = Comment.query.filter_by(
                    id=request.matchdict['comment']
            ).first()

            if comment is None:
                return render_404(request)

            return controller(request, comment=comment, *args, **kwargs)
        else:
            return controller(request, comment=None, *args, **kwargs)
    return wrapper


def auth_enabled(controller):
    """Decorator for if an auth plugin is enabled"""
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if not mgg.app.auth:
            messages.add_message(
                request,
                messages.WARNING,
                _('Sorry, authentication is disabled on this instance.'))
            return redirect(request, 'index')

        return controller(request, *args, **kwargs)

    return wrapper

def require_admin_or_moderator_login(controller):
    """
    Require a login from an administrator or a moderator.
    """
    @wraps(controller)
    def new_controller_func(request, *args, **kwargs):
        if request.user and \
            not (request.user.has_privilege(u'admin')
                or request.user.has_privilege(u'moderator')):

            raise Forbidden()
        elif not request.user:
            next_url = urljoin(
                    request.urlgen('mediagoblin.auth.login',
                        qualified=True),
                    request.url)

            return redirect(request, 'mediagoblin.auth.login',
                            next=next_url)

        return controller(request, *args, **kwargs)

    return new_controller_func


def oauth_required(controller):
    """ Used to wrap API endpoints where oauth is required """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        data = request.headers
        authorization = decode_authorization_header(data)

        if authorization == dict():
            error = "Missing required parameter."
            return json_response({"error": error}, status=400)


        request_validator = GMGRequestValidator()
        resource_endpoint = ResourceEndpoint(request_validator)
        valid, r = resource_endpoint.validate_protected_resource_request(
                uri=request.url,
                http_method=request.method,
                body=request.data,
                headers=dict(request.headers),
                )

        if not valid:
            error = "Invalid oauth parameter."
            return json_response({"error": error}, status=400)

        # Fill user if not already
        token = authorization[u"oauth_token"]
        request.access_token = AccessToken.query.filter_by(token=token).first()
        if request.access_token is not None and request.user is None:
            user_id = request.access_token.actor
            request.user = LocalUser.query.filter_by(id=user_id).first()

        return controller(request, *args, **kwargs)

    return wrapper
Commit	Line	Data
bb3eaf20	1	# GNU MediaGoblin -- federated, autonomous media hosting
cf29e8a8	2	# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
bb3eaf20 CAW	3	#
	4	# This program is free software: you can redistribute it and/or modify
	5	# it under the terms of the GNU Affero General Public License as published by
	6	# the Free Software Foundation, either version 3 of the License, or
	7	# (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU Affero General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16
1e03504e	17	from functools import wraps
bb3eaf20	18
7f4e42b0	19	from werkzeug.exceptions import Forbidden, NotFound
1e2675b0	20	from oauthlib.oauth1 import ResourceEndpoint
bb3eaf20	21
fd19da34 BP	22	from six.moves.urllib.parse import urljoin
fd19da34 BP	23
f91dcc9d	24	from mediagoblin import mg_globals as mgg
5adb906a	25	from mediagoblin import messages
64a456a4 JT	26	from mediagoblin.db.models import MediaEntry, LocalUser, TextComment, \
64a456a4 JT	27	AccessToken, Comment
a4bf3e58 CAW	28	from mediagoblin.tools.response import (
	29	redirect, render_404,
	30	render_user_banned, json_response)
5adb906a	31	from mediagoblin.tools.translate import pass_to_ugettext as _
bb3eaf20	32
0ec89cb2	33	from mediagoblin.oauth.tools.request import decode_authorization_header
0ec89cb2	34	from mediagoblin.oauth.oauth import GMGRequestValidator
bb3eaf20	35
8e91df87	36
	37	def user_not_banned(controller):
	38	"""
	39	Requires that the user has not been banned. Otherwise redirects to the page
	40	explaining why they have been banned
	41	"""
	42	@wraps(controller)
	43	def wrapper(request, args, *kwargs):
	44	if request.user:
	45	if request.user.is_banned():
	46	return render_user_banned(request)
	47	return controller(request, args, *kwargs)
	48
	49	return wrapper
	50
	51
bb3eaf20 CAW	52	def require_active_login(controller):
bb3eaf20 CAW	53	"""
8e91df87	54	Require an active login from the user. If the user is banned, redirects to
8e91df87	55	the "You are Banned" page.
bb3eaf20	56	"""
1e03504e	57	@wraps(controller)
8e91df87	58	@user_not_banned
bb3eaf20	59	def new_controller_func(request, args, *kwargs):
a72c504b	60	if request.user and \
8394febb	61	not request.user.has_privilege(u'active'):
d43b472a CAW	62	return redirect(
d43b472a CAW	63	request, 'mediagoblin.user_pages.user_home',
5a4e3ff1	64	user=request.user.username)
8394febb	65	elif not request.user or not request.user.has_privilege(u'active'):
3a199328 JW	66	next_url = urljoin(
	67	request.urlgen('mediagoblin.auth.login',
	68	qualified=True),
	69	request.url)
	70
059eaee4	71	return redirect(request, 'mediagoblin.auth.login',
56c113c7	72	next=next_url)
bb3eaf20 CAW	73
	74	return controller(request, args, *kwargs)
	75
1e03504e	76	return new_controller_func
3eb6fc4f	77
ad742028	78
7bfc81b2	79	def user_has_privilege(privilege_name, allow_admin=True):
8e91df87	80	"""
	81	Requires that a user have a particular privilege in order to access a page.
	82	In order to require that a user have multiple privileges, use this
	83	decorator twice on the same view. This decorator also makes sure that the
	84	user is not banned, or else it redirects them to the "You are Banned" page.
	85
	86	:param privilege_name A unicode object that is that represents
	87	the privilege object. This object is
	88	the name of the privilege, as assigned
	89	in the Privilege.privilege_name column
7bfc81b2 JT	90
	91	:param allow_admin If this is true then if the user is an admin
	92	it will allow the user even if the user doesn't
	93	have the privilage given in privilage_name.
8e91df87	94	"""
6bba33d7	95
3fb96fc9	96	def user_has_privilege_decorator(controller):
9b8ef022	97	@wraps(controller)
8e91df87	98	@require_active_login
9b8ef022	99	def wrapper(request, args, *kwargs):
7bfc81b2	100	if not request.user.has_privilege(privilege_name, allow_admin):
9b8ef022	101	raise Forbidden()
	102
	103	return controller(request, args, *kwargs)
	104
	105	return wrapper
3fb96fc9	106	return user_has_privilege_decorator
9b8ef022	107
53c5e0b0	108
8e91df87	109	def active_user_from_url(controller):
d88fcb03	110	"""Retrieve LocalUser() from <user> URL pattern and pass in as url_user=...
8e91df87	111
	112	Returns a 404 if no such active user has been found"""
	113	@wraps(controller)
	114	def wrapper(request, args, *kwargs):
d88fcb03	115	user = LocalUser.query.filter_by(username=request.matchdict['user']).first()
8e91df87	116	if user is None:
	117	return render_404(request)
	118
	119	return controller(request, args, url_user=user, *kwargs)
	120
	121	return wrapper
	122
	123
502073f2 JW	124	def user_may_delete_media(controller):
502073f2 JW	125	"""
53c5e0b0	126	Require user ownership of the MediaEntry to delete.
502073f2	127	"""
1e03504e	128	@wraps(controller)
502073f2	129	def wrapper(request, args, *kwargs):
0f3bf8d4	130	uploader_id = kwargs['media'].actor
8394febb	131	if not (request.user.has_privilege(u'admin') or
5c2b8486	132	request.user.id == uploader_id):
cfa92229	133	raise Forbidden()
502073f2 JW	134
	135	return controller(request, args, *kwargs)
	136
1e03504e	137	return wrapper
502073f2	138
3eb6fc4f	139
be5be115 AW	140	def user_may_alter_collection(controller):
	141	"""
	142	Require user ownership of the Collection to modify.
	143	"""
	144	@wraps(controller)
	145	def wrapper(request, args, *kwargs):
d88fcb03	146	creator_id = request.db.LocalUser.query.filter_by(
44082b12	147	username=request.matchdict['user']).first().id
8394febb	148	if not (request.user.has_privilege(u'admin') or
5c2b8486	149	request.user.id == creator_id):
cfa92229	150	raise Forbidden()
be5be115 AW	151
	152	return controller(request, args, *kwargs)
	153
	154	return wrapper
	155
	156
3eb6fc4f BK	157	def uses_pagination(controller):
	158	"""
	159	Check request GET 'page' key for wrong values
	160	"""
1e03504e	161	@wraps(controller)
3eb6fc4f BK	162	def wrapper(request, args, *kwargs):
3eb6fc4f BK	163	try:
1301a8ad	164	page = int(request.GET.get('page', 1))
3eb6fc4f	165	if page < 0:
de12b4e7	166	return render_404(request)
3eb6fc4f	167	except ValueError:
de12b4e7	168	return render_404(request)
3eb6fc4f	169
439e37f7	170	return controller(request, page=page, args, *kwargs)
3eb6fc4f	171
1e03504e	172	return wrapper
724933b1 CAW	173
724933b1 CAW	174
01674e10	175	def get_user_media_entry(controller):
724933b1 CAW	176	"""
	177	Pass in a MediaEntry based off of a url component
	178	"""
1e03504e	179	@wraps(controller)
724933b1	180	def wrapper(request, args, *kwargs):
d88fcb03	181	user = LocalUser.query.filter_by(username=request.matchdict['user']).first()
01674e10	182	if not user:
7f4e42b0 SS	183	raise NotFound()
7f4e42b0 SS	184
7de20e52 CAW	185	media = None
	186
	187	# might not be a slug, might be an id, but whatever
	188	media_slug = request.matchdict['media']
	189
e4e50a27 CAW	190	# if it starts with id: it actually isn't a slug, it's an id.
	191	if media_slug.startswith(u'id:'):
	192	try:
	193	media = MediaEntry.query.filter_by(
	194	id=int(media_slug[3:]),
	195	state=u'processed',
0f3bf8d4	196	actor=user.id).first()
e4e50a27 CAW	197	except ValueError:
e4e50a27 CAW	198	raise NotFound()
7de20e52 CAW	199	else:
	200	# no magical id: stuff? It's a slug!
	201	media = MediaEntry.query.filter_by(
697c74c2	202	slug=media_slug,
7de20e52	203	state=u'processed',
0f3bf8d4	204	actor=user.id).first()
724933b1	205
724933b1	206	if not media:
7de20e52	207	# Didn't find anything? Okay, 404.
7f4e42b0	208	raise NotFound()
724933b1 CAW	209
	210	return controller(request, media=media, args, *kwargs)
	211
1e03504e	212	return wrapper
aba81c9f	213
243c3843	214
be5be115 AW	215	def get_user_collection(controller):
	216	"""
	217	Pass in a Collection based off of a url component
	218	"""
	219	@wraps(controller)
	220	def wrapper(request, args, *kwargs):
d88fcb03	221	user = request.db.LocalUser.query.filter_by(
44082b12	222	username=request.matchdict['user']).first()
be5be115 AW	223
	224	if not user:
	225	return render_404(request)
	226
44082b12 RE	227	collection = request.db.Collection.query.filter_by(
44082b12 RE	228	slug=request.matchdict['collection'],
0f3bf8d4	229	actor=user.id).first()
be5be115 AW	230
	231	# Still no collection? Okay, 404.
	232	if not collection:
	233	return render_404(request)
	234
	235	return controller(request, collection=collection, args, *kwargs)
	236
	237	return wrapper
	238
	239
	240	def get_user_collection_item(controller):
	241	"""
	242	Pass in a CollectionItem based off of a url component
	243	"""
	244	@wraps(controller)
	245	def wrapper(request, args, *kwargs):
d88fcb03	246	user = request.db.LocalUser.query.filter_by(
44082b12	247	username=request.matchdict['user']).first()
be5be115 AW	248
	249	if not user:
	250	return render_404(request)
	251
44082b12 RE	252	collection_item = request.db.CollectionItem.query.filter_by(
44082b12 RE	253	id=request.matchdict['collection_item']).first()
be5be115 AW	254
	255	# Still no collection item? Okay, 404.
	256	if not collection_item:
	257	return render_404(request)
	258
	259	return controller(request, collection_item=collection_item, args, *kwargs)
	260
	261	return wrapper
	262
	263
aba81c9f E	264	def get_media_entry_by_id(controller):
	265	"""
	266	Pass in a MediaEntry based off of a url component
	267	"""
1e03504e	268	@wraps(controller)
aba81c9f	269	def wrapper(request, args, *kwargs):
71717fd5	270	media = MediaEntry.query.filter_by(
2f2b4cba	271	id=request.matchdict['media_id']).first()
aba81c9f E	272	# Still no media? Okay, 404.
aba81c9f E	273	if not media:
de12b4e7	274	return render_404(request)
aba81c9f	275
461dd971	276	given_username = request.matchdict.get('user')
0f3bf8d4	277	if given_username and (given_username != media.get_actor.username):
461dd971 E	278	return render_404(request)
461dd971 E	279
aba81c9f E	280	return controller(request, media=media, args, *kwargs)
aba81c9f E	281
1e03504e	282	return wrapper
f91dcc9d SS	283
	284
	285	def get_workbench(func):
	286	"""Decorator, passing in a workbench as kwarg which is cleaned up afterwards"""
	287
	288	@wraps(func)
	289	def new_func(args, *kwargs):
bd6fe977	290	with mgg.workbench_manager.create() as workbench:
f91dcc9d SS	291	return func(args, workbench=workbench, *kwargs)
	292
	293	return new_func
5adb906a RE	294
	295
	296	def allow_registration(controller):
	297	""" Decorator for if registration is enabled"""
	298	@wraps(controller)
	299	def wrapper(request, args, *kwargs):
	300	if not mgg.app_config["allow_registration"]:
	301	messages.add_message(
	302	request,
	303	messages.WARNING,
	304	_('Sorry, registration is disabled on this instance.'))
	305	return redirect(request, "index")
	306
	307	return controller(request, args, *kwargs)
	308
	309	return wrapper
	310
6483b370	311	def allow_reporting(controller):
	312	""" Decorator for if reporting is enabled"""
	313	@wraps(controller)
	314	def wrapper(request, args, *kwargs):
	315	if not mgg.app_config["allow_reporting"]:
	316	messages.add_message(
	317	request,
	318	messages.WARNING,
	319	_('Sorry, reporting is disabled on this instance.'))
	320	return redirect(request, 'index')
	321
	322	return controller(request, args, *kwargs)
	323
	324	return wrapper
	325
8e91df87	326	def get_optional_media_comment_by_id(controller):
30a9fe7c	327	"""
64a456a4 JT	328	Pass in a Comment based off of a url component. Because of this decor-
64a456a4 JT	329	-ator's use in filing Reports, it has two valid outcomes.
8e91df87	330
8e91df87	331	:returns The view function being wrapped with kwarg `comment` set to
64a456a4	332	the Comment who's id is in the URL. If there is a
8e91df87	333	comment id in the URL and if it is valid.
	334	:returns The view function being wrapped with kwarg `comment` set to
	335	None. If there is no comment id in the URL.
	336	:returns A 404 Error page, if there is a comment if in the URL and it
	337	is invalid.
30a9fe7c	338	"""
	339	@wraps(controller)
	340	def wrapper(request, args, *kwargs):
8e91df87	341	if 'comment' in request.matchdict:
64a456a4 JT	342	comment = Comment.query.filter_by(
	343	id=request.matchdict['comment']
	344	).first()
30a9fe7c	345
8e91df87	346	if comment is None:
8e91df87	347	return render_404(request)
30a9fe7c	348
8e91df87	349	return controller(request, comment=comment, args, *kwargs)
	350	else:
	351	return controller(request, comment=None, args, *kwargs)
30a9fe7c	352	return wrapper
	353
	354
5adb906a RE	355	def auth_enabled(controller):
	356	"""Decorator for if an auth plugin is enabled"""
	357	@wraps(controller)
	358	def wrapper(request, args, *kwargs):
	359	if not mgg.app.auth:
	360	messages.add_message(
	361	request,
	362	messages.WARNING,
	363	_('Sorry, authentication is disabled on this instance.'))
	364	return redirect(request, 'index')
	365
52a355b2	366	return controller(request, args, *kwargs)
	367
	368	return wrapper
30a9fe7c	369
6bba33d7	370	def require_admin_or_moderator_login(controller):
9b8ef022	371	"""
8e91df87	372	Require a login from an administrator or a moderator.
9b8ef022	373	"""
	374	@wraps(controller)
	375	def new_controller_func(request, args, *kwargs):
	376	if request.user and \
7bfc81b2 JT	377	not (request.user.has_privilege(u'admin')
7bfc81b2 JT	378	or request.user.has_privilege(u'moderator')):
6bba33d7	379
9b8ef022	380	raise Forbidden()
	381	elif not request.user:
	382	next_url = urljoin(
	383	request.urlgen('mediagoblin.auth.login',
	384	qualified=True),
	385	request.url)
	386
	387	return redirect(request, 'mediagoblin.auth.login',
	388	next=next_url)
	389
	390	return controller(request, args, *kwargs)
	391
	392	return new_controller_func
	393
9e204e49	394
9e204e49	395
1e2675b0	396	def oauth_required(controller):
2b60a56c	397	""" Used to wrap API endpoints where oauth is required """
	398	@wraps(controller)
	399	def wrapper(request, args, *kwargs):
	400	data = request.headers
	401	authorization = decode_authorization_header(data)
	402
	403	if authorization == dict():
	404	error = "Missing required parameter."
	405	return json_response({"error": error}, status=400)
	406
dfd66b78	407
1e2675b0	408	request_validator = GMGRequestValidator()
1e2675b0	409	resource_endpoint = ResourceEndpoint(request_validator)
d7b3805f	410	valid, r = resource_endpoint.validate_protected_resource_request(
3b4ad554	411	uri=request.url,
1e2675b0	412	http_method=request.method,
d4a21d7e	413	body=request.data,
1e2675b0	414	headers=dict(request.headers),
1e2675b0	415	)
49a47ec9	416
49a47ec9	417	if not valid:
1db8690f	418	error = "Invalid oauth parameter."
49a47ec9	419	return json_response({"error": error}, status=400)
1e2675b0	420
c894b424 JT	421	# Fill user if not already
c894b424 JT	422	token = authorization[u"oauth_token"]
5436d980 JT	423	request.access_token = AccessToken.query.filter_by(token=token).first()
5436d980 JT	424	if request.access_token is not None and request.user is None:
fd703bb4	425	user_id = request.access_token.actor
d88fcb03	426	request.user = LocalUser.query.filter_by(id=user_id).first()
c894b424	427
1e2675b0	428	return controller(request, args, *kwargs)
	429
	430	return wrapper