[mediagoblin.git] / mediagoblin / edit / views.py

# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from datetime import datetime

from itsdangerous import BadSignature
from pyld import jsonld
from werkzeug.exceptions import Forbidden
from werkzeug.utils import secure_filename

from mediagoblin import messages
from mediagoblin import mg_globals

from mediagoblin.auth import (check_password,
                              tools as auth_tools)
from mediagoblin.edit import forms
from mediagoblin.edit.lib import may_edit_media
from mediagoblin.decorators import (require_active_login, active_user_from_url,
                            get_media_entry_by_id, user_may_alter_collection,
                            get_user_collection, user_has_privilege,
                            user_not_banned)
from mediagoblin.tools.crypto import get_timed_signer_url
from mediagoblin.tools.metadata import compact_and_validate
from mediagoblin.tools.mail import email_debug_message
from mediagoblin.tools.response import (render_to_response,
                                        redirect, redirect_obj, render_404)
from mediagoblin.tools.translate import pass_to_ugettext as _
from mediagoblin.tools.template import render_template
from mediagoblin.tools.text import (
    convert_to_tag_list_of_dicts, media_tags_as_string)
from mediagoblin.tools.url import slugify
from mediagoblin.db.util import check_media_slug_used, check_collection_slug_used
from mediagoblin.db.models import User

import mimetypes


@get_media_entry_by_id
@require_active_login
def edit_media(request, media):
    if not may_edit_media(request, media):
        raise Forbidden("User may not edit this media")

    defaults = dict(
        title=media.title,
        slug=media.slug,
        description=media.description,
        tags=media_tags_as_string(media.tags),
        license=media.license)

    form = forms.EditForm(
        request.form,
        **defaults)

    if request.method == 'POST' and form.validate():
        # Make sure there isn't already a MediaEntry with such a slug
        # and userid.
        slug = slugify(form.slug.data)
        slug_used = check_media_slug_used(media.uploader, slug, media.id)

        if slug_used:
            form.slug.errors.append(
                _(u'An entry with that slug already exists for this user.'))
        else:
            media.title = form.title.data
            media.description = form.description.data
            media.tags = convert_to_tag_list_of_dicts(
                                   form.tags.data)

            media.license = unicode(form.license.data) or None
            media.slug = slug
            media.save()

            return redirect_obj(request, media)

    if request.user.has_privilege(u'admin') \
            and media.uploader != request.user.id \
            and request.method != 'POST':
        messages.add_message(
            request, messages.WARNING,
            _("You are editing another user's media. Proceed with caution."))

    return render_to_response(
        request,
        'mediagoblin/edit/edit.html',
        {'media': media,
         'form': form})


# Mimetypes that browsers parse scripts in.
# Content-sniffing isn't taken into consideration.
UNSAFE_MIMETYPES = [
        'text/html',
        'text/svg+xml']


@get_media_entry_by_id
@require_active_login
def edit_attachments(request, media):
    if mg_globals.app_config['allow_attachments']:
        form = forms.EditAttachmentsForm()

        # Add any attachements
        if 'attachment_file' in request.files \
            and request.files['attachment_file']:

            # Security measure to prevent attachments from being served as
            # text/html, which will be parsed by web clients and pose an XSS
            # threat.
            #
            # TODO
            # This method isn't flawless as some browsers may perform
            # content-sniffing.
            # This method isn't flawless as we do the mimetype lookup on the
            # machine parsing the upload form, and not necessarily the machine
            # serving the attachments.
            if mimetypes.guess_type(
                    request.files['attachment_file'].filename)[0] in \
                    UNSAFE_MIMETYPES:
                public_filename = secure_filename('{0}.notsafe'.format(
                    request.files['attachment_file'].filename))
            else:
                public_filename = secure_filename(
                        request.files['attachment_file'].filename)

            attachment_public_filepath \
                = mg_globals.public_store.get_unique_filepath(
                ['media_entries', unicode(media.id), 'attachment',
                 public_filename])

            attachment_public_file = mg_globals.public_store.get_file(
                attachment_public_filepath, 'wb')

            try:
                attachment_public_file.write(
                    request.files['attachment_file'].stream.read())
            finally:
                request.files['attachment_file'].stream.close()

            media.attachment_files.append(dict(
                    name=form.attachment_name.data \
                        or request.files['attachment_file'].filename,
                    filepath=attachment_public_filepath,
                    created=datetime.utcnow(),
                    ))

            media.save()

            messages.add_message(
                request, messages.SUCCESS,
                _("You added the attachment %s!") \
                    % (form.attachment_name.data
                       or request.files['attachment_file'].filename))

            return redirect(request,
                            location=media.url_for_self(request.urlgen))
        return render_to_response(
            request,
            'mediagoblin/edit/attachments.html',
            {'media': media,
             'form': form})
    else:
        raise Forbidden("Attachments are disabled")

@require_active_login
def legacy_edit_profile(request):
    """redirect the old /edit/profile/?username=USER to /u/USER/edit/"""
    username = request.GET.get('username') or request.user.username
    return redirect(request, 'mediagoblin.edit.profile', user=username)


@require_active_login
@active_user_from_url
def edit_profile(request, url_user=None):
    # admins may edit any user profile
    if request.user.username != url_user.username:
        if not request.user.has_privilege(u'admin'):
            raise Forbidden(_("You can only edit your own profile."))

        # No need to warn again if admin just submitted an edited profile
        if request.method != 'POST':
            messages.add_message(
                request, messages.WARNING,
                _("You are editing a user's profile. Proceed with caution."))

    user = url_user

    form = forms.EditProfileForm(request.form,
        url=user.url,
        bio=user.bio)

    if request.method == 'POST' and form.validate():
        user.url = unicode(form.url.data)
        user.bio = unicode(form.bio.data)

        user.save()

        messages.add_message(request,
                             messages.SUCCESS,
                             _("Profile changes saved"))
        return redirect(request,
                       'mediagoblin.user_pages.user_home',
                        user=user.username)

    return render_to_response(
        request,
        'mediagoblin/edit/edit_profile.html',
        {'user': user,
         'form': form})

EMAIL_VERIFICATION_TEMPLATE = (
    u'{uri}?'
    u'token={verification_key}')


@require_active_login
def edit_account(request):
    user = request.user
    form = forms.EditAccountForm(request.form,
        wants_comment_notification=user.wants_comment_notification,
        license_preference=user.license_preference,
        wants_notifications=user.wants_notifications)

    if request.method == 'POST' and form.validate():
        user.wants_comment_notification = form.wants_comment_notification.data
        user.wants_notifications = form.wants_notifications.data

        user.license_preference = form.license_preference.data

        user.save()
        messages.add_message(request,
                             messages.SUCCESS,
                             _("Account settings saved"))
        return redirect(request,
                        'mediagoblin.user_pages.user_home',
                        user=user.username)

    return render_to_response(
        request,
        'mediagoblin/edit/edit_account.html',
        {'user': user,
         'form': form})


@require_active_login
def delete_account(request):
    """Delete a user completely"""
    user = request.user
    if request.method == 'POST':
        if request.form.get(u'confirmed'):
            # Form submitted and confirmed. Actually delete the user account
            # Log out user and delete cookies etc.
            # TODO: Should we be using MG.auth.views.py:logout for this?
            request.session.delete()

            # Delete user account and all related media files etc....
            request.user.delete()

            # We should send a message that the user has been deleted
            # successfully. But we just deleted the session, so we
            # can't...
            return redirect(request, 'index')

        else: # Did not check the confirmation box...
            messages.add_message(
                request, messages.WARNING,
                _('You need to confirm the deletion of your account.'))

    # No POST submission or not confirmed, just show page
    return render_to_response(
        request,
        'mediagoblin/edit/delete_account.html',
        {'user': user})


@require_active_login
@user_may_alter_collection
@get_user_collection
def edit_collection(request, collection):
    defaults = dict(
        title=collection.title,
        slug=collection.slug,
        description=collection.description)

    form = forms.EditCollectionForm(
        request.form,
        **defaults)

    if request.method == 'POST' and form.validate():
        # Make sure there isn't already a Collection with such a slug
        # and userid.
        slug_used = check_collection_slug_used(collection.creator,
                form.slug.data, collection.id)

        # Make sure there isn't already a Collection with this title
        existing_collection = request.db.Collection.query.filter_by(
                creator=request.user.id,
                title=form.title.data).first()

        if existing_collection and existing_collection.id != collection.id:
            messages.add_message(
                request, messages.ERROR,
                _('You already have a collection called "%s"!') % \
                    form.title.data)
        elif slug_used:
            form.slug.errors.append(
                _(u'A collection with that slug already exists for this user.'))
        else:
            collection.title = unicode(form.title.data)
            collection.description = unicode(form.description.data)
            collection.slug = unicode(form.slug.data)

            collection.save()

            return redirect_obj(request, collection)

    if request.user.has_privilege(u'admin') \
            and collection.creator != request.user.id \
            and request.method != 'POST':
        messages.add_message(
            request, messages.WARNING,
            _("You are editing another user's collection. Proceed with caution."))

    return render_to_response(
        request,
        'mediagoblin/edit/edit_collection.html',
        {'collection': collection,
         'form': form})


def verify_email(request):
    """
    Email verification view for changing email address
    """
    # If no token, we can't do anything
    if not 'token' in request.GET:
        return render_404(request)

    # Catch error if token is faked or expired
    token = None
    try:
        token = get_timed_signer_url("mail_verification_token") \
                .loads(request.GET['token'], max_age=10*24*3600)
    except BadSignature:
        messages.add_message(
            request,
            messages.ERROR,
            _('The verification key or user id is incorrect.'))

        return redirect(
            request,
            'index')

    user = User.query.filter_by(id=int(token['user'])).first()

    if user:
        user.email = token['email']
        user.save()

        messages.add_message(
            request,
            messages.SUCCESS,
            _('Your email address has been verified.'))

    else:
            messages.add_message(
                request,
                messages.ERROR,
                _('The verification key or user id is incorrect.'))

    return redirect(
        request, 'mediagoblin.user_pages.user_home',
        user=user.username)


def change_email(request):
    """ View to change the user's email """
    form = forms.ChangeEmailForm(request.form)
    user = request.user

    # If no password authentication, no need to enter a password
    if 'pass_auth' not in request.template_env.globals or not user.pw_hash:
        form.__delitem__('password')

    if request.method == 'POST' and form.validate():
        new_email = form.new_email.data
        users_with_email = User.query.filter_by(
            email=new_email).count()

        if users_with_email:
            form.new_email.errors.append(
                _('Sorry, a user with that email address'
                    ' already exists.'))

        if form.password and user.pw_hash and not check_password(
                form.password.data, user.pw_hash):
            form.password.errors.append(
                _('Wrong password'))

        if not form.errors:
            verification_key = get_timed_signer_url(
                'mail_verification_token').dumps({
                    'user': user.id,
                    'email': new_email})

            rendered_email = render_template(
                request, 'mediagoblin/edit/verification.txt',
                {'username': user.username,
                    'verification_url': EMAIL_VERIFICATION_TEMPLATE.format(
                    uri=request.urlgen('mediagoblin.edit.verify_email',
                                    qualified=True),
                    verification_key=verification_key)})

            email_debug_message(request)
            auth_tools.send_verification_email(user, request, new_email,
                                            rendered_email)

            return redirect(request, 'mediagoblin.edit.account')

    return render_to_response(
        request,
        'mediagoblin/edit/change_email.html',
        {'form': form,
         'user': user})

@user_has_privilege(u'admin')
@require_active_login
@get_media_entry_by_id
def edit_metadata(request, media):
    form = forms.EditMetaDataForm(request.form)
    if request.method == "POST" and form.validate():
        metadata_dict = dict([(row['identifier'],row['value'])
                            for row in form.media_metadata.data])
        json_ld_metadata = compact_and_validate(metadata_dict)
        media.media_metadata = json_ld_metadata
        media.save()
        return redirect_obj(request, media)

    if media.media_metadata:
        for identifier, value in media.media_metadata.iteritems():
            if identifier == "@context": continue
            form.media_metadata.append_entry({
                'identifier':identifier,
                'value':value})
    else:
        form.media_metadata.append_entry({
            'identifier':"",
            'value':""})
        form.media_metadata.append_entry({
            'identifier':"",
            'value':""})
    return render_to_response(
        request,
        'mediagoblin/edit/metadata.html',
        {'form':form,
         'media':media})
Commit	Line	Data
	1	# GNU MediaGoblin -- federated, autonomous media hosting
	2	# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
	3	#
	4	# This program is free software: you can redistribute it and/or modify
	5	# it under the terms of the GNU Affero General Public License as published by
	6	# the Free Software Foundation, either version 3 of the License, or
	7	# (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU Affero General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16
	17	from datetime import datetime
	18
	19	from itsdangerous import BadSignature
	20	from pyld import jsonld
	21	from werkzeug.exceptions import Forbidden
	22	from werkzeug.utils import secure_filename
	23
	24	from mediagoblin import messages
	25	from mediagoblin import mg_globals
	26
	27	from mediagoblin.auth import (check_password,
	28	tools as auth_tools)
	29	from mediagoblin.edit import forms
	30	from mediagoblin.edit.lib import may_edit_media
	31	from mediagoblin.decorators import (require_active_login, active_user_from_url,
	32	get_media_entry_by_id, user_may_alter_collection,
	33	get_user_collection, user_has_privilege,
	34	user_not_banned)
	35	from mediagoblin.tools.crypto import get_timed_signer_url
	36	from mediagoblin.tools.metadata import compact_and_validate
	37	from mediagoblin.tools.mail import email_debug_message
	38	from mediagoblin.tools.response import (render_to_response,
	39	redirect, redirect_obj, render_404)
	40	from mediagoblin.tools.translate import pass_to_ugettext as _
	41	from mediagoblin.tools.template import render_template
	42	from mediagoblin.tools.text import (
	43	convert_to_tag_list_of_dicts, media_tags_as_string)
	44	from mediagoblin.tools.url import slugify
	45	from mediagoblin.db.util import check_media_slug_used, check_collection_slug_used
	46	from mediagoblin.db.models import User
	47
	48	import mimetypes
	49
	50
	51	@get_media_entry_by_id
	52	@require_active_login
	53	def edit_media(request, media):
	54	if not may_edit_media(request, media):
	55	raise Forbidden("User may not edit this media")
	56
	57	defaults = dict(
	58	title=media.title,
	59	slug=media.slug,
	60	description=media.description,
	61	tags=media_tags_as_string(media.tags),
	62	license=media.license)
	63
	64	form = forms.EditForm(
	65	request.form,
	66	**defaults)
	67
	68	if request.method == 'POST' and form.validate():
	69	# Make sure there isn't already a MediaEntry with such a slug
	70	# and userid.
	71	slug = slugify(form.slug.data)
	72	slug_used = check_media_slug_used(media.uploader, slug, media.id)
	73
	74	if slug_used:
	75	form.slug.errors.append(
	76	_(u'An entry with that slug already exists for this user.'))
	77	else:
	78	media.title = form.title.data
	79	media.description = form.description.data
	80	media.tags = convert_to_tag_list_of_dicts(
	81	form.tags.data)
	82
	83	media.license = unicode(form.license.data) or None
	84	media.slug = slug
	85	media.save()
	86
	87	return redirect_obj(request, media)
	88
	89	if request.user.has_privilege(u'admin') \
	90	and media.uploader != request.user.id \
	91	and request.method != 'POST':
	92	messages.add_message(
	93	request, messages.WARNING,
	94	_("You are editing another user's media. Proceed with caution."))
	95
	96	return render_to_response(
	97	request,
	98	'mediagoblin/edit/edit.html',
	99	{'media': media,
	100	'form': form})
	101
	102
	103	# Mimetypes that browsers parse scripts in.
	104	# Content-sniffing isn't taken into consideration.
	105	UNSAFE_MIMETYPES = [
	106	'text/html',
	107	'text/svg+xml']
	108
	109
	110	@get_media_entry_by_id
	111	@require_active_login
	112	def edit_attachments(request, media):
	113	if mg_globals.app_config['allow_attachments']:
	114	form = forms.EditAttachmentsForm()
	115
	116	# Add any attachements
	117	if 'attachment_file' in request.files \
	118	and request.files['attachment_file']:
	119
	120	# Security measure to prevent attachments from being served as
	121	# text/html, which will be parsed by web clients and pose an XSS
	122	# threat.
	123	#
	124	# TODO
	125	# This method isn't flawless as some browsers may perform
	126	# content-sniffing.
	127	# This method isn't flawless as we do the mimetype lookup on the
	128	# machine parsing the upload form, and not necessarily the machine
	129	# serving the attachments.
	130	if mimetypes.guess_type(
	131	request.files['attachment_file'].filename)[0] in \
	132	UNSAFE_MIMETYPES:
	133	public_filename = secure_filename('{0}.notsafe'.format(
	134	request.files['attachment_file'].filename))
	135	else:
	136	public_filename = secure_filename(
	137	request.files['attachment_file'].filename)
	138
	139	attachment_public_filepath \
	140	= mg_globals.public_store.get_unique_filepath(
	141	['media_entries', unicode(media.id), 'attachment',
	142	public_filename])
	143
	144	attachment_public_file = mg_globals.public_store.get_file(
	145	attachment_public_filepath, 'wb')
	146
	147	try:
	148	attachment_public_file.write(
	149	request.files['attachment_file'].stream.read())
	150	finally:
	151	request.files['attachment_file'].stream.close()
	152
	153	media.attachment_files.append(dict(
	154	name=form.attachment_name.data \
	155	or request.files['attachment_file'].filename,
	156	filepath=attachment_public_filepath,
	157	created=datetime.utcnow(),
	158	))
	159
	160	media.save()
	161
	162	messages.add_message(
	163	request, messages.SUCCESS,
	164	_("You added the attachment %s!") \
	165	% (form.attachment_name.data
	166	or request.files['attachment_file'].filename))
	167
	168	return redirect(request,
	169	location=media.url_for_self(request.urlgen))
	170	return render_to_response(
	171	request,
	172	'mediagoblin/edit/attachments.html',
	173	{'media': media,
	174	'form': form})
	175	else:
	176	raise Forbidden("Attachments are disabled")
	177
	178	@require_active_login
	179	def legacy_edit_profile(request):
	180	"""redirect the old /edit/profile/?username=USER to /u/USER/edit/"""
	181	username = request.GET.get('username') or request.user.username
	182	return redirect(request, 'mediagoblin.edit.profile', user=username)
	183
	184
	185	@require_active_login
	186	@active_user_from_url
	187	def edit_profile(request, url_user=None):
	188	# admins may edit any user profile
	189	if request.user.username != url_user.username:
	190	if not request.user.has_privilege(u'admin'):
	191	raise Forbidden(_("You can only edit your own profile."))
	192
	193	# No need to warn again if admin just submitted an edited profile
	194	if request.method != 'POST':
	195	messages.add_message(
	196	request, messages.WARNING,
	197	_("You are editing a user's profile. Proceed with caution."))
	198
	199	user = url_user
	200
	201	form = forms.EditProfileForm(request.form,
	202	url=user.url,
	203	bio=user.bio)
	204
	205	if request.method == 'POST' and form.validate():
	206	user.url = unicode(form.url.data)
	207	user.bio = unicode(form.bio.data)
	208
	209	user.save()
	210
	211	messages.add_message(request,
	212	messages.SUCCESS,
	213	_("Profile changes saved"))
	214	return redirect(request,
	215	'mediagoblin.user_pages.user_home',
	216	user=user.username)
	217
	218	return render_to_response(
	219	request,
	220	'mediagoblin/edit/edit_profile.html',
	221	{'user': user,
	222	'form': form})
	223
	224	EMAIL_VERIFICATION_TEMPLATE = (
	225	u'{uri}?'
	226	u'token={verification_key}')
	227
	228
	229	@require_active_login
	230	def edit_account(request):
	231	user = request.user
	232	form = forms.EditAccountForm(request.form,
	233	wants_comment_notification=user.wants_comment_notification,
	234	license_preference=user.license_preference,
	235	wants_notifications=user.wants_notifications)
	236
	237	if request.method == 'POST' and form.validate():
	238	user.wants_comment_notification = form.wants_comment_notification.data
	239	user.wants_notifications = form.wants_notifications.data
	240
	241	user.license_preference = form.license_preference.data
	242
	243	user.save()
	244	messages.add_message(request,
	245	messages.SUCCESS,
	246	_("Account settings saved"))
	247	return redirect(request,
	248	'mediagoblin.user_pages.user_home',
	249	user=user.username)
	250
	251	return render_to_response(
	252	request,
	253	'mediagoblin/edit/edit_account.html',
	254	{'user': user,
	255	'form': form})
	256
	257
	258	@require_active_login
	259	def delete_account(request):
	260	"""Delete a user completely"""
	261	user = request.user
	262	if request.method == 'POST':
	263	if request.form.get(u'confirmed'):
	264	# Form submitted and confirmed. Actually delete the user account
	265	# Log out user and delete cookies etc.
	266	# TODO: Should we be using MG.auth.views.py:logout for this?
	267	request.session.delete()
	268
	269	# Delete user account and all related media files etc....
	270	request.user.delete()
	271
	272	# We should send a message that the user has been deleted
	273	# successfully. But we just deleted the session, so we
	274	# can't...
	275	return redirect(request, 'index')
	276
	277	else: # Did not check the confirmation box...
	278	messages.add_message(
	279	request, messages.WARNING,
	280	_('You need to confirm the deletion of your account.'))
	281
	282	# No POST submission or not confirmed, just show page
	283	return render_to_response(
	284	request,
	285	'mediagoblin/edit/delete_account.html',
	286	{'user': user})
	287
	288
	289	@require_active_login
	290	@user_may_alter_collection
	291	@get_user_collection
	292	def edit_collection(request, collection):
	293	defaults = dict(
	294	title=collection.title,
	295	slug=collection.slug,
	296	description=collection.description)
	297
	298	form = forms.EditCollectionForm(
	299	request.form,
	300	**defaults)
	301
	302	if request.method == 'POST' and form.validate():
	303	# Make sure there isn't already a Collection with such a slug
	304	# and userid.
	305	slug_used = check_collection_slug_used(collection.creator,
	306	form.slug.data, collection.id)
	307
	308	# Make sure there isn't already a Collection with this title
	309	existing_collection = request.db.Collection.query.filter_by(
	310	creator=request.user.id,
	311	title=form.title.data).first()
	312
	313	if existing_collection and existing_collection.id != collection.id:
	314	messages.add_message(
	315	request, messages.ERROR,
	316	_('You already have a collection called "%s"!') % \
	317	form.title.data)
	318	elif slug_used:
	319	form.slug.errors.append(
	320	_(u'A collection with that slug already exists for this user.'))
	321	else:
	322	collection.title = unicode(form.title.data)
	323	collection.description = unicode(form.description.data)
	324	collection.slug = unicode(form.slug.data)
	325
	326	collection.save()
	327
	328	return redirect_obj(request, collection)
	329
	330	if request.user.has_privilege(u'admin') \
	331	and collection.creator != request.user.id \
	332	and request.method != 'POST':
	333	messages.add_message(
	334	request, messages.WARNING,
	335	_("You are editing another user's collection. Proceed with caution."))
	336
	337	return render_to_response(
	338	request,
	339	'mediagoblin/edit/edit_collection.html',
	340	{'collection': collection,
	341	'form': form})
	342
	343
	344	def verify_email(request):
	345	"""
	346	Email verification view for changing email address
	347	"""
	348	# If no token, we can't do anything
	349	if not 'token' in request.GET:
	350	return render_404(request)
	351
	352	# Catch error if token is faked or expired
	353	token = None
	354	try:
	355	token = get_timed_signer_url("mail_verification_token") \
	356	.loads(request.GET['token'], max_age=10243600)
	357	except BadSignature:
	358	messages.add_message(
	359	request,
	360	messages.ERROR,
	361	_('The verification key or user id is incorrect.'))
	362
	363	return redirect(
	364	request,
	365	'index')
	366
	367	user = User.query.filter_by(id=int(token['user'])).first()
	368
	369	if user:
	370	user.email = token['email']
	371	user.save()
	372
	373	messages.add_message(
	374	request,
	375	messages.SUCCESS,
	376	_('Your email address has been verified.'))
	377
	378	else:
	379	messages.add_message(
	380	request,
	381	messages.ERROR,
	382	_('The verification key or user id is incorrect.'))
	383
	384	return redirect(
	385	request, 'mediagoblin.user_pages.user_home',
	386	user=user.username)
	387
	388
	389	def change_email(request):
	390	""" View to change the user's email """
	391	form = forms.ChangeEmailForm(request.form)
	392	user = request.user
	393
	394	# If no password authentication, no need to enter a password
	395	if 'pass_auth' not in request.template_env.globals or not user.pw_hash:
	396	form.__delitem__('password')
	397
	398	if request.method == 'POST' and form.validate():
	399	new_email = form.new_email.data
	400	users_with_email = User.query.filter_by(
	401	email=new_email).count()
	402
	403	if users_with_email:
	404	form.new_email.errors.append(
	405	_('Sorry, a user with that email address'
	406	' already exists.'))
	407
	408	if form.password and user.pw_hash and not check_password(
	409	form.password.data, user.pw_hash):
	410	form.password.errors.append(
	411	_('Wrong password'))
	412
	413	if not form.errors:
	414	verification_key = get_timed_signer_url(
	415	'mail_verification_token').dumps({
	416	'user': user.id,
	417	'email': new_email})
	418
	419	rendered_email = render_template(
	420	request, 'mediagoblin/edit/verification.txt',
	421	{'username': user.username,
	422	'verification_url': EMAIL_VERIFICATION_TEMPLATE.format(
	423	uri=request.urlgen('mediagoblin.edit.verify_email',
	424	qualified=True),
	425	verification_key=verification_key)})
	426
	427	email_debug_message(request)
	428	auth_tools.send_verification_email(user, request, new_email,
	429	rendered_email)
	430
	431	return redirect(request, 'mediagoblin.edit.account')
	432
	433	return render_to_response(
	434	request,
	435	'mediagoblin/edit/change_email.html',
	436	{'form': form,
	437	'user': user})
	438
	439	@user_has_privilege(u'admin')
	440	@require_active_login
	441	@get_media_entry_by_id
	442	def edit_metadata(request, media):
	443	form = forms.EditMetaDataForm(request.form)
	444	if request.method == "POST" and form.validate():
	445	metadata_dict = dict([(row['identifier'],row['value'])
	446	for row in form.media_metadata.data])
	447	json_ld_metadata = compact_and_validate(metadata_dict)
	448	media.media_metadata = json_ld_metadata
	449	media.save()
	450	return redirect_obj(request, media)
	451
	452	if media.media_metadata:
	453	for identifier, value in media.media_metadata.iteritems():
	454	if identifier == "@context": continue
	455	form.media_metadata.append_entry({
	456	'identifier':identifier,
	457	'value':value})
	458	else:
	459	form.media_metadata.append_entry({
	460	'identifier':"",
	461	'value':""})
	462	form.media_metadata.append_entry({
	463	'identifier':"",
	464	'value':""})
	465	return render_to_response(
	466	request,
	467	'mediagoblin/edit/metadata.html',
	468	{'form':form,
	469	'media':media})