[mediagoblin.git] / mediagoblin / decorators.py

# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from functools import wraps

from werkzeug.exceptions import Forbidden, NotFound
from oauthlib.oauth1 import ResourceEndpoint

from six.moves.urllib.parse import urljoin

from mediagoblin import mg_globals as mgg
from mediagoblin import messages
from mediagoblin.db.models import MediaEntry, LocalUser, TextComment, \
                                  AccessToken, Comment
from mediagoblin.tools.response import (
    redirect, render_404,
    render_user_banned, json_response)
from mediagoblin.tools.translate import pass_to_ugettext as _

from mediagoblin.oauth.tools.request import decode_authorization_header
from mediagoblin.oauth.oauth import GMGRequestValidator


def user_not_banned(controller):
    """
    Requires that the user has not been banned. Otherwise redirects to the page
    explaining why they have been banned
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if request.user:
            if request.user.is_banned():
                return render_user_banned(request)
        return controller(request, *args, **kwargs)

    return wrapper


def require_active_login(controller):
    """
    Require an active login from the user. If the user is banned, redirects to
    the "You are Banned" page.
    """
    @wraps(controller)
    @user_not_banned
    def new_controller_func(request, *args, **kwargs):
        if request.user and \
                not request.user.has_privilege(u'active'):
            return redirect(
                request, 'mediagoblin.user_pages.user_home',
                user=request.user.username)
        elif not request.user or not request.user.has_privilege(u'active'):
            next_url = urljoin(
                    request.urlgen('mediagoblin.auth.login',
                        qualified=True),
                    request.url)

            return redirect(request, 'mediagoblin.auth.login',
                            next=next_url)

        return controller(request, *args, **kwargs)

    return new_controller_func


def user_has_privilege(privilege_name, allow_admin=True):
    """
    Requires that a user have a particular privilege in order to access a page.
    In order to require that a user have multiple privileges, use this
    decorator twice on the same view. This decorator also makes sure that the
    user is not banned, or else it redirects them to the "You are Banned" page.

        :param privilege_name       A unicode object that is that represents
                                        the privilege object. This object is
                                        the name of the privilege, as assigned
                                        in the Privilege.privilege_name column

        :param allow_admin          If this is true then if the user is an admin
                                    it will allow the user even if the user doesn't
                                    have the privilage given in privilage_name.
    """

    def user_has_privilege_decorator(controller):
        @wraps(controller)
        @require_active_login
        def wrapper(request, *args, **kwargs):
            if not request.user.has_privilege(privilege_name, allow_admin):
                raise Forbidden()

            return controller(request, *args, **kwargs)

        return wrapper
    return user_has_privilege_decorator


def active_user_from_url(controller):
    """Retrieve LocalUser() from <user> URL pattern and pass in as url_user=...

    Returns a 404 if no such active user has been found"""
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        user = LocalUser.query.filter_by(username=request.matchdict['user']).first()
        if user is None:
            return render_404(request)

        return controller(request, *args, url_user=user, **kwargs)

    return wrapper

def path_subtitle(controller):
    """Retrieve <path> URL pattern and pass in as path=..."""

    
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        path_sub = request.matchdict['path']

        return controller(request, *args, path=path_sub, **kwargs)

    return wrapper

def path_subtitle(controller):
    """Retrieve <path> URL pattern and pass in as path=..."""


    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        path_sub = request.matchdict['path']

        return controller(request, *args, path=path_sub, **kwargs)

    return wrapper


def user_may_delete_media(controller):
    """
    Require user ownership of the MediaEntry to delete.
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        uploader_id = kwargs['media'].actor
        if not (request.user.has_privilege(u'admin') or
                request.user.id == uploader_id):
            raise Forbidden()

        return controller(request, *args, **kwargs)

    return wrapper


def user_may_alter_collection(controller):
    """
    Require user ownership of the Collection to modify.
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        creator_id = request.db.LocalUser.query.filter_by(
            username=request.matchdict['user']).first().id
        if not (request.user.has_privilege(u'admin') or
                request.user.id == creator_id):
            raise Forbidden()

        return controller(request, *args, **kwargs)

    return wrapper


def uses_pagination(controller):
    """
    Check request GET 'page' key for wrong values
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        try:
            page = int(request.GET.get('page', 1))
            if page < 0:
                return render_404(request)
        except ValueError:
            return render_404(request)

        return controller(request, page=page, *args, **kwargs)

    return wrapper


def get_user_media_entry(controller):
    """
    Pass in a MediaEntry based off of a url component
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        user = LocalUser.query.filter_by(username=request.matchdict['user']).first()
        if not user:
            raise NotFound()

        media = None

        # might not be a slug, might be an id, but whatever
        media_slug = request.matchdict['media']

        # if it starts with id: it actually isn't a slug, it's an id.
        if media_slug.startswith(u'id:'):
            try:
                media = MediaEntry.query.filter_by(
                    id=int(media_slug[3:]),
                    state=u'processed',
                    actor=user.id).first()
            except ValueError:
                raise NotFound()
        else:
            # no magical id: stuff?  It's a slug!
            media = MediaEntry.query.filter_by(
                slug=media_slug,
                state=u'processed',
                actor=user.id).first()

        if not media:
            # Didn't find anything?  Okay, 404.
            raise NotFound()

        return controller(request, media=media, *args, **kwargs)

    return wrapper


def get_user_collection(controller):
    """
    Pass in a Collection based off of a url component
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        user = request.db.LocalUser.query.filter_by(
            username=request.matchdict['user']).first()

        if not user:
            return render_404(request)

        collection = request.db.Collection.query.filter_by(
            slug=request.matchdict['collection'],
            actor=user.id).first()

        # Still no collection?  Okay, 404.
        if not collection:
            return render_404(request)

        return controller(request, collection=collection, *args, **kwargs)

    return wrapper


def get_user_collection_item(controller):
    """
    Pass in a CollectionItem based off of a url component
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        user = request.db.LocalUser.query.filter_by(
            username=request.matchdict['user']).first()

        if not user:
            return render_404(request)

        collection_item = request.db.CollectionItem.query.filter_by(
            id=request.matchdict['collection_item']).first()

        # Still no collection item?  Okay, 404.
        if not collection_item:
            return render_404(request)

        return controller(request, collection_item=collection_item, *args, **kwargs)

    return wrapper


def get_media_entry_by_id(controller):
    """
    Pass in a MediaEntry based off of a url component
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        media = MediaEntry.query.filter_by(
                id=request.matchdict['media_id'],
                state=u'processed').first()
        # Still no media?  Okay, 404.
        if not media:
            return render_404(request)

        given_username = request.matchdict.get('user')
        if given_username and (given_username != media.get_actor.username):
            return render_404(request)

        return controller(request, media=media, *args, **kwargs)

    return wrapper


def get_workbench(func):
    """Decorator, passing in a workbench as kwarg which is cleaned up afterwards"""

    @wraps(func)
    def new_func(*args, **kwargs):
        with mgg.workbench_manager.create() as workbench:
            return func(*args, workbench=workbench, **kwargs)

    return new_func


def allow_registration(controller):
    """ Decorator for if registration is enabled"""
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if not mgg.app_config["allow_registration"]:
            messages.add_message(
                request,
                messages.WARNING,
                _('Sorry, registration is disabled on this instance.'))
            return redirect(request, "index")

        return controller(request, *args, **kwargs)

    return wrapper

def allow_reporting(controller):
    """ Decorator for if reporting is enabled"""
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if not mgg.app_config["allow_reporting"]:
            messages.add_message(
                request,
                messages.WARNING,
                _('Sorry, reporting is disabled on this instance.'))
            return redirect(request, 'index')

        return controller(request, *args, **kwargs)

    return wrapper

def get_optional_media_comment_by_id(controller):
    """
    Pass in a Comment based off of a url component. Because of this decor-
    -ator's use in filing Reports, it has two valid outcomes.

    :returns        The view function being wrapped with kwarg `comment` set to
                        the Comment who's id is in the URL. If there is a
                        comment id in the URL and if it is valid.
    :returns        The view function being wrapped with kwarg `comment` set to
                        None. If there is no comment id in the URL.
    :returns        A 404 Error page, if there is a comment if in the URL and it
                        is invalid.
    """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if 'comment' in request.matchdict:
            comment = Comment.query.filter_by(
                    id=request.matchdict['comment']
            ).first()

            if comment is None:
                return render_404(request)

            return controller(request, comment=comment, *args, **kwargs)
        else:
            return controller(request, comment=None, *args, **kwargs)
    return wrapper


def auth_enabled(controller):
    """Decorator for if an auth plugin is enabled"""
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        if not mgg.app.auth:
            messages.add_message(
                request,
                messages.WARNING,
                _('Sorry, authentication is disabled on this instance.'))
            return redirect(request, 'index')

        return controller(request, *args, **kwargs)

    return wrapper

def require_admin_or_moderator_login(controller):
    """
    Require a login from an administrator or a moderator.
    """
    @wraps(controller)
    def new_controller_func(request, *args, **kwargs):
        if request.user and \
            not (request.user.has_privilege(u'admin')
                or request.user.has_privilege(u'moderator')):

            raise Forbidden()
        elif not request.user:
            next_url = urljoin(
                    request.urlgen('mediagoblin.auth.login',
                        qualified=True),
                    request.url)

            return redirect(request, 'mediagoblin.auth.login',
                            next=next_url)

        return controller(request, *args, **kwargs)

    return new_controller_func


def oauth_required(controller):
    """ Used to wrap API endpoints where oauth is required """
    @wraps(controller)
    def wrapper(request, *args, **kwargs):
        data = request.headers
        authorization = decode_authorization_header(data)

        if authorization == dict():
            error = "Missing required parameter."
            return json_response({"error": error}, status=400)


        request_validator = GMGRequestValidator()
        resource_endpoint = ResourceEndpoint(request_validator)
        valid, r = resource_endpoint.validate_protected_resource_request(
                uri=request.url,
                http_method=request.method,
                body=request.data,
                headers=dict(request.headers),
                )

        if not valid:
            error = "Invalid oauth parameter."
            return json_response({"error": error}, status=400)

        # Fill user if not already
        token = authorization[u"oauth_token"]
        request.access_token = AccessToken.query.filter_by(token=token).first()
        if request.access_token is not None and request.user is None:
            user_id = request.access_token.actor
            request.user = LocalUser.query.filter_by(id=user_id).first()

        return controller(request, *args, **kwargs)

    return wrapper
Commit	Line	Data
	1	# GNU MediaGoblin -- federated, autonomous media hosting
	2	# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
	3	#
	4	# This program is free software: you can redistribute it and/or modify
	5	# it under the terms of the GNU Affero General Public License as published by
	6	# the Free Software Foundation, either version 3 of the License, or
	7	# (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU Affero General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16
	17	from functools import wraps
	18
	19	from werkzeug.exceptions import Forbidden, NotFound
	20	from oauthlib.oauth1 import ResourceEndpoint
	21
	22	from six.moves.urllib.parse import urljoin
	23
	24	from mediagoblin import mg_globals as mgg
	25	from mediagoblin import messages
	26	from mediagoblin.db.models import MediaEntry, LocalUser, TextComment, \
	27	AccessToken, Comment
	28	from mediagoblin.tools.response import (
	29	redirect, render_404,
	30	render_user_banned, json_response)
	31	from mediagoblin.tools.translate import pass_to_ugettext as _
	32
	33	from mediagoblin.oauth.tools.request import decode_authorization_header
	34	from mediagoblin.oauth.oauth import GMGRequestValidator
	35
	36
	37	def user_not_banned(controller):
	38	"""
	39	Requires that the user has not been banned. Otherwise redirects to the page
	40	explaining why they have been banned
	41	"""
	42	@wraps(controller)
	43	def wrapper(request, args, *kwargs):
	44	if request.user:
	45	if request.user.is_banned():
	46	return render_user_banned(request)
	47	return controller(request, args, *kwargs)
	48
	49	return wrapper
	50
	51
	52	def require_active_login(controller):
	53	"""
	54	Require an active login from the user. If the user is banned, redirects to
	55	the "You are Banned" page.
	56	"""
	57	@wraps(controller)
	58	@user_not_banned
	59	def new_controller_func(request, args, *kwargs):
	60	if request.user and \
	61	not request.user.has_privilege(u'active'):
	62	return redirect(
	63	request, 'mediagoblin.user_pages.user_home',
	64	user=request.user.username)
	65	elif not request.user or not request.user.has_privilege(u'active'):
	66	next_url = urljoin(
	67	request.urlgen('mediagoblin.auth.login',
	68	qualified=True),
	69	request.url)
	70
	71	return redirect(request, 'mediagoblin.auth.login',
	72	next=next_url)
	73
	74	return controller(request, args, *kwargs)
	75
	76	return new_controller_func
	77
	78
	79	def user_has_privilege(privilege_name, allow_admin=True):
	80	"""
	81	Requires that a user have a particular privilege in order to access a page.
	82	In order to require that a user have multiple privileges, use this
	83	decorator twice on the same view. This decorator also makes sure that the
	84	user is not banned, or else it redirects them to the "You are Banned" page.
	85
	86	:param privilege_name A unicode object that is that represents
	87	the privilege object. This object is
	88	the name of the privilege, as assigned
	89	in the Privilege.privilege_name column
	90
	91	:param allow_admin If this is true then if the user is an admin
	92	it will allow the user even if the user doesn't
	93	have the privilage given in privilage_name.
	94	"""
	95
	96	def user_has_privilege_decorator(controller):
	97	@wraps(controller)
	98	@require_active_login
	99	def wrapper(request, args, *kwargs):
	100	if not request.user.has_privilege(privilege_name, allow_admin):
	101	raise Forbidden()
	102
	103	return controller(request, args, *kwargs)
	104
	105	return wrapper
	106	return user_has_privilege_decorator
	107
	108
	109	def active_user_from_url(controller):
	110	"""Retrieve LocalUser() from <user> URL pattern and pass in as url_user=...
	111
	112	Returns a 404 if no such active user has been found"""
	113	@wraps(controller)
	114	def wrapper(request, args, *kwargs):
	115	user = LocalUser.query.filter_by(username=request.matchdict['user']).first()
	116	if user is None:
	117	return render_404(request)
	118
	119	return controller(request, args, url_user=user, *kwargs)
	120
	121	return wrapper
	122
	123	def path_subtitle(controller):
	124	"""Retrieve <path> URL pattern and pass in as path=..."""
	125
	126
	127	@wraps(controller)
	128	def wrapper(request, args, *kwargs):
	129	path_sub = request.matchdict['path']
	130
	131	return controller(request, args, path=path_sub, *kwargs)
	132
	133	return wrapper
	134
	135	def path_subtitle(controller):
	136	"""Retrieve <path> URL pattern and pass in as path=..."""
	137
	138
	139	@wraps(controller)
	140	def wrapper(request, args, *kwargs):
	141	path_sub = request.matchdict['path']
	142
	143	return controller(request, args, path=path_sub, *kwargs)
	144
	145	return wrapper
	146
	147
	148	def user_may_delete_media(controller):
	149	"""
	150	Require user ownership of the MediaEntry to delete.
	151	"""
	152	@wraps(controller)
	153	def wrapper(request, args, *kwargs):
	154	uploader_id = kwargs['media'].actor
	155	if not (request.user.has_privilege(u'admin') or
	156	request.user.id == uploader_id):
	157	raise Forbidden()
	158
	159	return controller(request, args, *kwargs)
	160
	161	return wrapper
	162
	163
	164	def user_may_alter_collection(controller):
	165	"""
	166	Require user ownership of the Collection to modify.
	167	"""
	168	@wraps(controller)
	169	def wrapper(request, args, *kwargs):
	170	creator_id = request.db.LocalUser.query.filter_by(
	171	username=request.matchdict['user']).first().id
	172	if not (request.user.has_privilege(u'admin') or
	173	request.user.id == creator_id):
	174	raise Forbidden()
	175
	176	return controller(request, args, *kwargs)
	177
	178	return wrapper
	179
	180
	181	def uses_pagination(controller):
	182	"""
	183	Check request GET 'page' key for wrong values
	184	"""
	185	@wraps(controller)
	186	def wrapper(request, args, *kwargs):
	187	try:
	188	page = int(request.GET.get('page', 1))
	189	if page < 0:
	190	return render_404(request)
	191	except ValueError:
	192	return render_404(request)
	193
	194	return controller(request, page=page, args, *kwargs)
	195
	196	return wrapper
	197
	198
	199	def get_user_media_entry(controller):
	200	"""
	201	Pass in a MediaEntry based off of a url component
	202	"""
	203	@wraps(controller)
	204	def wrapper(request, args, *kwargs):
	205	user = LocalUser.query.filter_by(username=request.matchdict['user']).first()
	206	if not user:
	207	raise NotFound()
	208
	209	media = None
	210
	211	# might not be a slug, might be an id, but whatever
	212	media_slug = request.matchdict['media']
	213
	214	# if it starts with id: it actually isn't a slug, it's an id.
	215	if media_slug.startswith(u'id:'):
	216	try:
	217	media = MediaEntry.query.filter_by(
	218	id=int(media_slug[3:]),
	219	state=u'processed',
	220	actor=user.id).first()
	221	except ValueError:
	222	raise NotFound()
	223	else:
	224	# no magical id: stuff? It's a slug!
	225	media = MediaEntry.query.filter_by(
	226	slug=media_slug,
	227	state=u'processed',
	228	actor=user.id).first()
	229
	230	if not media:
	231	# Didn't find anything? Okay, 404.
	232	raise NotFound()
	233
	234	return controller(request, media=media, args, *kwargs)
	235
	236	return wrapper
	237
	238
	239	def get_user_collection(controller):
	240	"""
	241	Pass in a Collection based off of a url component
	242	"""
	243	@wraps(controller)
	244	def wrapper(request, args, *kwargs):
	245	user = request.db.LocalUser.query.filter_by(
	246	username=request.matchdict['user']).first()
	247
	248	if not user:
	249	return render_404(request)
	250
	251	collection = request.db.Collection.query.filter_by(
	252	slug=request.matchdict['collection'],
	253	actor=user.id).first()
	254
	255	# Still no collection? Okay, 404.
	256	if not collection:
	257	return render_404(request)
	258
	259	return controller(request, collection=collection, args, *kwargs)
	260
	261	return wrapper
	262
	263
	264	def get_user_collection_item(controller):
	265	"""
	266	Pass in a CollectionItem based off of a url component
	267	"""
	268	@wraps(controller)
	269	def wrapper(request, args, *kwargs):
	270	user = request.db.LocalUser.query.filter_by(
	271	username=request.matchdict['user']).first()
	272
	273	if not user:
	274	return render_404(request)
	275
	276	collection_item = request.db.CollectionItem.query.filter_by(
	277	id=request.matchdict['collection_item']).first()
	278
	279	# Still no collection item? Okay, 404.
	280	if not collection_item:
	281	return render_404(request)
	282
	283	return controller(request, collection_item=collection_item, args, *kwargs)
	284
	285	return wrapper
	286
	287
	288	def get_media_entry_by_id(controller):
	289	"""
	290	Pass in a MediaEntry based off of a url component
	291	"""
	292	@wraps(controller)
	293	def wrapper(request, args, *kwargs):
	294	media = MediaEntry.query.filter_by(
	295	id=request.matchdict['media_id'],
	296	state=u'processed').first()
	297	# Still no media? Okay, 404.
	298	if not media:
	299	return render_404(request)
	300
	301	given_username = request.matchdict.get('user')
	302	if given_username and (given_username != media.get_actor.username):
	303	return render_404(request)
	304
	305	return controller(request, media=media, args, *kwargs)
	306
	307	return wrapper
	308
	309
	310	def get_workbench(func):
	311	"""Decorator, passing in a workbench as kwarg which is cleaned up afterwards"""
	312
	313	@wraps(func)
	314	def new_func(args, *kwargs):
	315	with mgg.workbench_manager.create() as workbench:
	316	return func(args, workbench=workbench, *kwargs)
	317
	318	return new_func
	319
	320
	321	def allow_registration(controller):
	322	""" Decorator for if registration is enabled"""
	323	@wraps(controller)
	324	def wrapper(request, args, *kwargs):
	325	if not mgg.app_config["allow_registration"]:
	326	messages.add_message(
	327	request,
	328	messages.WARNING,
	329	_('Sorry, registration is disabled on this instance.'))
	330	return redirect(request, "index")
	331
	332	return controller(request, args, *kwargs)
	333
	334	return wrapper
	335
	336	def allow_reporting(controller):
	337	""" Decorator for if reporting is enabled"""
	338	@wraps(controller)
	339	def wrapper(request, args, *kwargs):
	340	if not mgg.app_config["allow_reporting"]:
	341	messages.add_message(
	342	request,
	343	messages.WARNING,
	344	_('Sorry, reporting is disabled on this instance.'))
	345	return redirect(request, 'index')
	346
	347	return controller(request, args, *kwargs)
	348
	349	return wrapper
	350
	351	def get_optional_media_comment_by_id(controller):
	352	"""
	353	Pass in a Comment based off of a url component. Because of this decor-
	354	-ator's use in filing Reports, it has two valid outcomes.
	355
	356	:returns The view function being wrapped with kwarg `comment` set to
	357	the Comment who's id is in the URL. If there is a
	358	comment id in the URL and if it is valid.
	359	:returns The view function being wrapped with kwarg `comment` set to
	360	None. If there is no comment id in the URL.
	361	:returns A 404 Error page, if there is a comment if in the URL and it
	362	is invalid.
	363	"""
	364	@wraps(controller)
	365	def wrapper(request, args, *kwargs):
	366	if 'comment' in request.matchdict:
	367	comment = Comment.query.filter_by(
	368	id=request.matchdict['comment']
	369	).first()
	370
	371	if comment is None:
	372	return render_404(request)
	373
	374	return controller(request, comment=comment, args, *kwargs)
	375	else:
	376	return controller(request, comment=None, args, *kwargs)
	377	return wrapper
	378
	379
	380	def auth_enabled(controller):
	381	"""Decorator for if an auth plugin is enabled"""
	382	@wraps(controller)
	383	def wrapper(request, args, *kwargs):
	384	if not mgg.app.auth:
	385	messages.add_message(
	386	request,
	387	messages.WARNING,
	388	_('Sorry, authentication is disabled on this instance.'))
	389	return redirect(request, 'index')
	390
	391	return controller(request, args, *kwargs)
	392
	393	return wrapper
	394
	395	def require_admin_or_moderator_login(controller):
	396	"""
	397	Require a login from an administrator or a moderator.
	398	"""
	399	@wraps(controller)
	400	def new_controller_func(request, args, *kwargs):
	401	if request.user and \
	402	not (request.user.has_privilege(u'admin')
	403	or request.user.has_privilege(u'moderator')):
	404
	405	raise Forbidden()
	406	elif not request.user:
	407	next_url = urljoin(
	408	request.urlgen('mediagoblin.auth.login',
	409	qualified=True),
	410	request.url)
	411
	412	return redirect(request, 'mediagoblin.auth.login',
	413	next=next_url)
	414
	415	return controller(request, args, *kwargs)
	416
	417	return new_controller_func
	418
	419
	420
	421	def oauth_required(controller):
	422	""" Used to wrap API endpoints where oauth is required """
	423	@wraps(controller)
	424	def wrapper(request, args, *kwargs):
	425	data = request.headers
	426	authorization = decode_authorization_header(data)
	427
	428	if authorization == dict():
	429	error = "Missing required parameter."
	430	return json_response({"error": error}, status=400)
	431
	432
	433	request_validator = GMGRequestValidator()
	434	resource_endpoint = ResourceEndpoint(request_validator)
	435	valid, r = resource_endpoint.validate_protected_resource_request(
	436	uri=request.url,
	437	http_method=request.method,
	438	body=request.data,
	439	headers=dict(request.headers),
	440	)
	441
	442	if not valid:
	443	error = "Invalid oauth parameter."
	444	return json_response({"error": error}, status=400)
	445
	446	# Fill user if not already
	447	token = authorization[u"oauth_token"]
	448	request.access_token = AccessToken.query.filter_by(token=token).first()
	449	if request.access_token is not None and request.user is None:
	450	user_id = request.access_token.actor
	451	request.user = LocalUser.query.filter_by(id=user_id).first()
	452
	453	return controller(request, args, *kwargs)
	454
	455	return wrapper