1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 from datetime
import datetime
19 from itsdangerous
import BadSignature
20 from werkzeug
.exceptions
import Forbidden
21 from werkzeug
.utils
import secure_filename
23 from mediagoblin
import messages
24 from mediagoblin
import mg_globals
26 from mediagoblin
import auth
27 from mediagoblin
.auth
import tools
as auth_tools
28 from mediagoblin
.edit
import forms
29 from mediagoblin
.edit
.lib
import may_edit_media
30 from mediagoblin
.decorators
import (require_active_login
, active_user_from_url
,
31 get_media_entry_by_id
, user_may_alter_collection
,
33 from mediagoblin
.tools
.crypto
import get_timed_signer_url
34 from mediagoblin
.tools
.mail
import email_debug_message
35 from mediagoblin
.tools
.response
import (render_to_response
,
36 redirect
, redirect_obj
, render_404
)
37 from mediagoblin
.tools
.translate
import pass_to_ugettext
as _
38 from mediagoblin
.tools
.template
import render_template
39 from mediagoblin
.tools
.text
import (
40 convert_to_tag_list_of_dicts
, media_tags_as_string
)
41 from mediagoblin
.tools
.url
import slugify
42 from mediagoblin
.db
.util
import check_media_slug_used
, check_collection_slug_used
43 from mediagoblin
.db
.models
import User
48 @get_media_entry_by_id
50 def edit_media(request
, media
):
51 if not may_edit_media(request
, media
):
52 raise Forbidden("User may not edit this media")
57 description
=media
.description
,
58 tags
=media_tags_as_string(media
.tags
),
59 license
=media
.license
)
61 form
= forms
.EditForm(
65 if request
.method
== 'POST' and form
.validate():
66 # Make sure there isn't already a MediaEntry with such a slug
68 slug
= slugify(form
.slug
.data
)
69 slug_used
= check_media_slug_used(media
.uploader
, slug
, media
.id)
72 form
.slug
.errors
.append(
73 _(u
'An entry with that slug already exists for this user.'))
75 media
.title
= form
.title
.data
76 media
.description
= form
.description
.data
77 media
.tags
= convert_to_tag_list_of_dicts(
80 media
.license
= unicode(form
.license
.data
) or None
84 return redirect_obj(request
, media
)
86 if request
.user
.is_admin \
87 and media
.uploader
!= request
.user
.id \
88 and request
.method
!= 'POST':
90 request
, messages
.WARNING
,
91 _("You are editing another user's media. Proceed with caution."))
93 return render_to_response(
95 'mediagoblin/edit/edit.html',
100 # Mimetypes that browsers parse scripts in.
101 # Content-sniffing isn't taken into consideration.
107 @get_media_entry_by_id
108 @require_active_login
109 def edit_attachments(request
, media
):
110 if mg_globals
.app_config
['allow_attachments']:
111 form
= forms
.EditAttachmentsForm()
113 # Add any attachements
114 if 'attachment_file' in request
.files \
115 and request
.files
['attachment_file']:
117 # Security measure to prevent attachments from being served as
118 # text/html, which will be parsed by web clients and pose an XSS
122 # This method isn't flawless as some browsers may perform
124 # This method isn't flawless as we do the mimetype lookup on the
125 # machine parsing the upload form, and not necessarily the machine
126 # serving the attachments.
127 if mimetypes
.guess_type(
128 request
.files
['attachment_file'].filename
)[0] in \
130 public_filename
= secure_filename('{0}.notsafe'.format(
131 request
.files
['attachment_file'].filename
))
133 public_filename
= secure_filename(
134 request
.files
['attachment_file'].filename
)
136 attachment_public_filepath \
137 = mg_globals
.public_store
.get_unique_filepath(
138 ['media_entries', unicode(media
.id), 'attachment',
141 attachment_public_file
= mg_globals
.public_store
.get_file(
142 attachment_public_filepath
, 'wb')
145 attachment_public_file
.write(
146 request
.files
['attachment_file'].stream
.read())
148 request
.files
['attachment_file'].stream
.close()
150 media
.attachment_files
.append(dict(
151 name
=form
.attachment_name
.data \
152 or request
.files
['attachment_file'].filename
,
153 filepath
=attachment_public_filepath
,
154 created
=datetime
.utcnow(),
159 messages
.add_message(
160 request
, messages
.SUCCESS
,
161 _("You added the attachment %s!") \
162 % (form
.attachment_name
.data
163 or request
.files
['attachment_file'].filename
))
165 return redirect(request
,
166 location
=media
.url_for_self(request
.urlgen
))
167 return render_to_response(
169 'mediagoblin/edit/attachments.html',
173 raise Forbidden("Attachments are disabled")
175 @require_active_login
176 def legacy_edit_profile(request
):
177 """redirect the old /edit/profile/?username=USER to /u/USER/edit/"""
178 username
= request
.GET
.get('username') or request
.user
.username
179 return redirect(request
, 'mediagoblin.edit.profile', user
=username
)
182 @require_active_login
183 @active_user_from_url
184 def edit_profile(request
, url_user
=None):
185 # admins may edit any user profile
186 if request
.user
.username
!= url_user
.username
:
187 if not request
.user
.is_admin
:
188 raise Forbidden(_("You can only edit your own profile."))
190 # No need to warn again if admin just submitted an edited profile
191 if request
.method
!= 'POST':
192 messages
.add_message(
193 request
, messages
.WARNING
,
194 _("You are editing a user's profile. Proceed with caution."))
198 form
= forms
.EditProfileForm(request
.form
,
202 if request
.method
== 'POST' and form
.validate():
203 user
.url
= unicode(form
.url
.data
)
204 user
.bio
= unicode(form
.bio
.data
)
208 messages
.add_message(request
,
210 _("Profile changes saved"))
211 return redirect(request
,
212 'mediagoblin.user_pages.user_home',
215 return render_to_response(
217 'mediagoblin/edit/edit_profile.html',
221 EMAIL_VERIFICATION_TEMPLATE
= (
223 u
'token={verification_key}')
226 @require_active_login
227 def edit_account(request
):
229 form
= forms
.EditAccountForm(request
.form
,
230 wants_comment_notification
=user
.wants_comment_notification
,
231 license_preference
=user
.license_preference
,
232 wants_notifications
=user
.wants_notifications
)
234 if request
.method
== 'POST' and form
.validate():
235 user
.wants_comment_notification
= form
.wants_comment_notification
.data
236 user
.wants_notifications
= form
.wants_notifications
.data
238 user
.license_preference
= form
.license_preference
.data
240 if form
.new_email
.data
:
241 _update_email(request
, form
, user
)
245 messages
.add_message(request
,
247 _("Account settings saved"))
248 return redirect(request
,
249 'mediagoblin.user_pages.user_home',
252 return render_to_response(
254 'mediagoblin/edit/edit_account.html',
259 @require_active_login
260 def delete_account(request
):
261 """Delete a user completely"""
263 if request
.method
== 'POST':
264 if request
.form
.get(u
'confirmed'):
265 # Form submitted and confirmed. Actually delete the user account
266 # Log out user and delete cookies etc.
267 # TODO: Should we be using MG.auth.views.py:logout for this?
268 request
.session
.delete()
270 # Delete user account and all related media files etc....
271 request
.user
.delete()
273 # We should send a message that the user has been deleted
274 # successfully. But we just deleted the session, so we
276 return redirect(request
, 'index')
278 else: # Did not check the confirmation box...
279 messages
.add_message(
280 request
, messages
.WARNING
,
281 _('You need to confirm the deletion of your account.'))
283 # No POST submission or not confirmed, just show page
284 return render_to_response(
286 'mediagoblin/edit/delete_account.html',
290 @require_active_login
291 @user_may_alter_collection
293 def edit_collection(request
, collection
):
295 title
=collection
.title
,
296 slug
=collection
.slug
,
297 description
=collection
.description
)
299 form
= forms
.EditCollectionForm(
303 if request
.method
== 'POST' and form
.validate():
304 # Make sure there isn't already a Collection with such a slug
306 slug_used
= check_collection_slug_used(collection
.creator
,
307 form
.slug
.data
, collection
.id)
309 # Make sure there isn't already a Collection with this title
310 existing_collection
= request
.db
.Collection
.query
.filter_by(
311 creator
=request
.user
.id,
312 title
=form
.title
.data
).first()
314 if existing_collection
and existing_collection
.id != collection
.id:
315 messages
.add_message(
316 request
, messages
.ERROR
,
317 _('You already have a collection called "%s"!') % \
320 form
.slug
.errors
.append(
321 _(u
'A collection with that slug already exists for this user.'))
323 collection
.title
= unicode(form
.title
.data
)
324 collection
.description
= unicode(form
.description
.data
)
325 collection
.slug
= unicode(form
.slug
.data
)
329 return redirect_obj(request
, collection
)
331 if request
.user
.is_admin \
332 and collection
.creator
!= request
.user
.id \
333 and request
.method
!= 'POST':
334 messages
.add_message(
335 request
, messages
.WARNING
,
336 _("You are editing another user's collection. Proceed with caution."))
338 return render_to_response(
340 'mediagoblin/edit/edit_collection.html',
341 {'collection': collection
,
345 @require_active_login
346 def change_pass(request
):
347 # If no password authentication, no need to change your password
348 if 'pass_auth' not in request
.template_env
.globals:
349 return redirect(request
, 'index')
351 form
= forms
.ChangePassForm(request
.form
)
354 if request
.method
== 'POST' and form
.validate():
356 if not auth
.check_password(
357 form
.old_password
.data
, user
.pw_hash
):
358 form
.old_password
.errors
.append(
361 return render_to_response(
363 'mediagoblin/edit/change_pass.html',
368 user
.pw_hash
= auth
.gen_password_hash(
369 form
.new_password
.data
)
372 messages
.add_message(
373 request
, messages
.SUCCESS
,
374 _('Your password was changed successfully'))
376 return redirect(request
, 'mediagoblin.edit.account')
378 return render_to_response(
380 'mediagoblin/edit/change_pass.html',
385 def verify_email(request
):
387 Email verification view for changing email address
389 # If no token, we can't do anything
390 if not 'token' in request
.GET
:
391 return render_404(request
)
393 # Catch error if token is faked or expired
396 token
= get_timed_signer_url("mail_verification_token") \
397 .loads(request
.GET
['token'], max_age
=10*24*3600)
399 messages
.add_message(
402 _('The verification key or user id is incorrect.'))
408 user
= User
.query
.filter_by(id=int(token
['user'])).first()
411 user
.email
= token
['email']
414 messages
.add_message(
417 _('Your email address has been verified.'))
420 messages
.add_message(
423 _('The verification key or user id is incorrect.'))
426 request
, 'mediagoblin.user_pages.user_home',
430 def _update_email(request
, form
, user
):
431 new_email
= form
.new_email
.data
432 users_with_email
= User
.query
.filter_by(
433 email
=new_email
).count()
436 form
.new_email
.errors
.append(
437 _('Sorry, a user with that email address'
440 elif not users_with_email
:
441 verification_key
= get_timed_signer_url(
442 'mail_verification_token').dumps({
446 rendered_email
= render_template(
447 request
, 'mediagoblin/edit/verification.txt',
448 {'username': user
.username
,
449 'verification_url': EMAIL_VERIFICATION_TEMPLATE
.format(
450 uri
=request
.urlgen('mediagoblin.edit.verify_email',
452 verification_key
=verification_key
)})
454 email_debug_message(request
)
455 auth_tools
.send_verification_email(user
, request
, new_email
,