1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 from cgi
import FieldStorage
18 from datetime
import datetime
20 from werkzeug
.exceptions
import Forbidden
21 from werkzeug
.utils
import secure_filename
23 from mediagoblin
import messages
24 from mediagoblin
import mg_globals
26 from mediagoblin
.auth
import lib
as auth_lib
27 from mediagoblin
.edit
import forms
28 from mediagoblin
.edit
.lib
import may_edit_media
29 from mediagoblin
.decorators
import (require_active_login
, active_user_from_url
,
30 get_media_entry_by_id
,
31 get_user_media_entry
, user_may_alter_collection
, get_user_collection
)
32 from mediagoblin
.tools
.response
import render_to_response
, redirect
33 from mediagoblin
.tools
.translate
import pass_to_ugettext
as _
34 from mediagoblin
.tools
.text
import (
35 convert_to_tag_list_of_dicts
, media_tags_as_string
)
36 from mediagoblin
.db
.util
import check_media_slug_used
, check_collection_slug_used
41 @get_media_entry_by_id
43 def edit_media(request
, media
):
44 if not may_edit_media(request
, media
):
45 raise Forbidden("User may not edit this media")
50 description
=media
.description
,
51 tags
=media_tags_as_string(media
.tags
),
52 license
=media
.license
)
54 form
= forms
.EditForm(
58 if request
.method
== 'POST' and form
.validate():
59 # Make sure there isn't already a MediaEntry with such a slug
61 slug_used
= check_media_slug_used(media
.uploader
, request
.form
['slug'],
65 form
.slug
.errors
.append(
66 _(u
'An entry with that slug already exists for this user.'))
68 media
.title
= unicode(request
.form
['title'])
69 media
.description
= unicode(request
.form
.get('description'))
70 media
.tags
= convert_to_tag_list_of_dicts(
71 request
.form
.get('tags'))
73 media
.license
= unicode(request
.form
.get('license', '')) or None
75 media
.slug
= unicode(request
.form
['slug'])
79 return redirect(request
,
80 location
=media
.url_for_self(request
.urlgen
))
82 if request
.user
.is_admin \
83 and media
.uploader
!= request
.user
.id \
84 and request
.method
!= 'POST':
86 request
, messages
.WARNING
,
87 _("You are editing another user's media. Proceed with caution."))
89 return render_to_response(
91 'mediagoblin/edit/edit.html',
96 # Mimetypes that browsers parse scripts in.
97 # Content-sniffing isn't taken into consideration.
103 @get_user_media_entry
104 @require_active_login
105 def edit_attachments(request
, media
):
106 if mg_globals
.app_config
['allow_attachments']:
107 form
= forms
.EditAttachmentsForm()
109 # Add any attachements
110 if 'attachment_file' in request
.files \
111 and request
.files
['attachment_file']:
113 # Security measure to prevent attachments from being served as
114 # text/html, which will be parsed by web clients and pose an XSS
118 # This method isn't flawless as some browsers may perform
120 # This method isn't flawless as we do the mimetype lookup on the
121 # machine parsing the upload form, and not necessarily the machine
122 # serving the attachments.
123 if mimetypes
.guess_type(
124 request
.files
['attachment_file'].filename
)[0] in \
126 public_filename
= secure_filename('{0}.notsafe'.format(
127 request
.files
['attachment_file'].filename
))
129 public_filename
= secure_filename(
130 request
.files
['attachment_file'].filename
)
132 attachment_public_filepath \
133 = mg_globals
.public_store
.get_unique_filepath(
134 ['media_entries', unicode(media
.id), 'attachment',
137 attachment_public_file
= mg_globals
.public_store
.get_file(
138 attachment_public_filepath
, 'wb')
141 attachment_public_file
.write(
142 request
.files
['attachment_file'].stream
.read())
144 request
.files
['attachment_file'].stream
.close()
146 media
.attachment_files
.append(dict(
147 name
=request
.form
['attachment_name'] \
148 or request
.files
['attachment_file'].filename
,
149 filepath
=attachment_public_filepath
,
150 created
=datetime
.utcnow(),
155 messages
.add_message(
156 request
, messages
.SUCCESS
,
157 _("You added the attachment %s!") \
158 % (request
.form
['attachment_name']
159 or request
.files
['attachment_file'].filename
))
161 return redirect(request
,
162 location
=media
.url_for_self(request
.urlgen
))
163 return render_to_response(
165 'mediagoblin/edit/attachments.html',
169 raise Forbidden("Attachments are disabled")
171 @require_active_login
172 def legacy_edit_profile(request
):
173 """redirect the old /edit/profile/?username=USER to /u/USER/edit/"""
174 username
= request
.GET
.get('username') or request
.user
.username
175 return redirect(request
, 'mediagoblin.edit.profile', user
=username
)
178 @require_active_login
179 @active_user_from_url
180 def edit_profile(request
, url_user
=None):
181 # admins may edit any user profile
182 if request
.user
.username
!= url_user
.username
:
183 if not request
.user
.is_admin
:
184 raise Forbidden(_("You can only edit your own profile."))
186 # No need to warn again if admin just submitted an edited profile
187 if request
.method
!= 'POST':
188 messages
.add_message(
189 request
, messages
.WARNING
,
190 _("You are editing a user's profile. Proceed with caution."))
194 form
= forms
.EditProfileForm(request
.form
,
198 if request
.method
== 'POST' and form
.validate():
199 user
.url
= unicode(request
.form
['url'])
200 user
.bio
= unicode(request
.form
['bio'])
204 messages
.add_message(request
,
206 _("Profile changes saved"))
207 return redirect(request
,
208 'mediagoblin.user_pages.user_home',
211 return render_to_response(
213 'mediagoblin/edit/edit_profile.html',
218 @require_active_login
219 def edit_account(request
):
221 form
= forms
.EditAccountForm(request
.form
,
222 wants_comment_notification
=user
.get('wants_comment_notification'))
224 if request
.method
== 'POST':
225 form_validated
= form
.validate()
227 #if the user has not filled in the new or old password fields
228 if not form
.new_password
.data
and not form
.old_password
.data
:
229 if form
.wants_comment_notification
.validate(form
):
230 user
.wants_comment_notification
= \
231 form
.wants_comment_notification
.data
233 messages
.add_message(request
,
235 _("Account settings saved"))
236 return redirect(request
,
237 'mediagoblin.user_pages.user_home',
240 #so the user has filled in one or both of the password fields
243 password_matches
= auth_lib
.bcrypt_check_password(
244 form
.old_password
.data
,
247 #the entire form validates and the password matches
248 user
.pw_hash
= auth_lib
.bcrypt_gen_password_hash(
249 form
.new_password
.data
)
250 user
.wants_comment_notification
= \
251 form
.wants_comment_notification
.data
253 messages
.add_message(request
,
255 _("Account settings saved"))
256 return redirect(request
,
257 'mediagoblin.user_pages.user_home',
260 form
.old_password
.errors
.append(_('Wrong password'))
262 return render_to_response(
264 'mediagoblin/edit/edit_account.html',
269 @require_active_login
270 def delete_account(request
):
271 """Delete a user completely"""
273 if request
.method
== 'POST':
274 if request
.form
.get(u
'confirmed'):
275 # Form submitted and confirmed. Actually delete the user account
276 # Log out user and delete cookies etc.
277 # TODO: Should we be using MG.auth.views.py:logout for this?
278 request
.session
.delete()
280 # Delete user account and all related media files etc....
281 request
.user
.delete()
283 # We should send a message that the user has been deleted
284 # successfully. But we just deleted the session, so we
286 return redirect(request
, 'index')
288 else: # Did not check the confirmation box...
289 messages
.add_message(
290 request
, messages
.WARNING
,
291 _('You need to confirm the deletion of your account.'))
293 # No POST submission or not confirmed, just show page
294 return render_to_response(
296 'mediagoblin/edit/delete_account.html',
300 @require_active_login
301 @user_may_alter_collection
303 def edit_collection(request
, collection
):
305 title
=collection
.title
,
306 slug
=collection
.slug
,
307 description
=collection
.description
)
309 form
= forms
.EditCollectionForm(
313 if request
.method
== 'POST' and form
.validate():
314 # Make sure there isn't already a Collection with such a slug
316 slug_used
= check_collection_slug_used(request
.db
, collection
.creator
,
317 request
.form
['slug'], collection
.id)
319 # Make sure there isn't already a Collection with this title
320 existing_collection
= request
.db
.Collection
.find_one({
321 'creator': request
.user
.id,
322 'title':request
.form
['title']})
324 if existing_collection
and existing_collection
.id != collection
.id:
325 messages
.add_message(
326 request
, messages
.ERROR
,
327 _('You already have a collection called "%s"!') % \
328 request
.form
['title'])
330 form
.slug
.errors
.append(
331 _(u
'A collection with that slug already exists for this user.'))
333 collection
.title
= unicode(request
.form
['title'])
334 collection
.description
= unicode(request
.form
.get('description'))
335 collection
.slug
= unicode(request
.form
['slug'])
339 return redirect(request
, "mediagoblin.user_pages.user_collection",
340 user
=collection
.get_creator
.username
,
341 collection
=collection
.slug
)
343 if request
.user
.is_admin \
344 and collection
.creator
!= request
.user
.id \
345 and request
.method
!= 'POST':
346 messages
.add_message(
347 request
, messages
.WARNING
,
348 _("You are editing another user's collection. Proceed with caution."))
350 return render_to_response(
352 'mediagoblin/edit/edit_collection.html',
353 {'collection': collection
,