1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 from datetime
import datetime
19 from werkzeug
.exceptions
import Forbidden
20 from werkzeug
.utils
import secure_filename
22 from mediagoblin
import messages
23 from mediagoblin
import mg_globals
25 from mediagoblin
import auth
26 from mediagoblin
.edit
import forms
27 from mediagoblin
.edit
.lib
import may_edit_media
28 from mediagoblin
.decorators
import (require_active_login
, active_user_from_url
,
29 get_media_entry_by_id
,
30 user_may_alter_collection
, get_user_collection
)
31 from mediagoblin
.tools
.response
import render_to_response
, \
32 redirect
, redirect_obj
33 from mediagoblin
.tools
.translate
import pass_to_ugettext
as _
34 from mediagoblin
.tools
.text
import (
35 convert_to_tag_list_of_dicts
, media_tags_as_string
)
36 from mediagoblin
.tools
.url
import slugify
37 from mediagoblin
.db
.util
import check_media_slug_used
, check_collection_slug_used
42 @get_media_entry_by_id
44 def edit_media(request
, media
):
45 if not may_edit_media(request
, media
):
46 raise Forbidden("User may not edit this media")
51 description
=media
.description
,
52 tags
=media_tags_as_string(media
.tags
),
53 license
=media
.license
)
55 form
= forms
.EditForm(
59 if request
.method
== 'POST' and form
.validate():
60 # Make sure there isn't already a MediaEntry with such a slug
62 slug
= slugify(form
.slug
.data
)
63 slug_used
= check_media_slug_used(media
.uploader
, slug
, media
.id)
66 form
.slug
.errors
.append(
67 _(u
'An entry with that slug already exists for this user.'))
69 media
.title
= form
.title
.data
70 media
.description
= form
.description
.data
71 media
.tags
= convert_to_tag_list_of_dicts(
74 media
.license
= unicode(form
.license
.data
) or None
78 return redirect_obj(request
, media
)
80 if request
.user
.is_admin \
81 and media
.uploader
!= request
.user
.id \
82 and request
.method
!= 'POST':
84 request
, messages
.WARNING
,
85 _("You are editing another user's media. Proceed with caution."))
87 return render_to_response(
89 'mediagoblin/edit/edit.html',
94 # Mimetypes that browsers parse scripts in.
95 # Content-sniffing isn't taken into consideration.
101 @get_media_entry_by_id
102 @require_active_login
103 def edit_attachments(request
, media
):
104 if mg_globals
.app_config
['allow_attachments']:
105 form
= forms
.EditAttachmentsForm()
107 # Add any attachements
108 if 'attachment_file' in request
.files \
109 and request
.files
['attachment_file']:
111 # Security measure to prevent attachments from being served as
112 # text/html, which will be parsed by web clients and pose an XSS
116 # This method isn't flawless as some browsers may perform
118 # This method isn't flawless as we do the mimetype lookup on the
119 # machine parsing the upload form, and not necessarily the machine
120 # serving the attachments.
121 if mimetypes
.guess_type(
122 request
.files
['attachment_file'].filename
)[0] in \
124 public_filename
= secure_filename('{0}.notsafe'.format(
125 request
.files
['attachment_file'].filename
))
127 public_filename
= secure_filename(
128 request
.files
['attachment_file'].filename
)
130 attachment_public_filepath \
131 = mg_globals
.public_store
.get_unique_filepath(
132 ['media_entries', unicode(media
.id), 'attachment',
135 attachment_public_file
= mg_globals
.public_store
.get_file(
136 attachment_public_filepath
, 'wb')
139 attachment_public_file
.write(
140 request
.files
['attachment_file'].stream
.read())
142 request
.files
['attachment_file'].stream
.close()
144 media
.attachment_files
.append(dict(
145 name
=form
.attachment_name
.data \
146 or request
.files
['attachment_file'].filename
,
147 filepath
=attachment_public_filepath
,
148 created
=datetime
.utcnow(),
153 messages
.add_message(
154 request
, messages
.SUCCESS
,
155 _("You added the attachment %s!") \
156 % (form
.attachment_name
.data
157 or request
.files
['attachment_file'].filename
))
159 return redirect(request
,
160 location
=media
.url_for_self(request
.urlgen
))
161 return render_to_response(
163 'mediagoblin/edit/attachments.html',
167 raise Forbidden("Attachments are disabled")
169 @require_active_login
170 def legacy_edit_profile(request
):
171 """redirect the old /edit/profile/?username=USER to /u/USER/edit/"""
172 username
= request
.GET
.get('username') or request
.user
.username
173 return redirect(request
, 'mediagoblin.edit.profile', user
=username
)
176 @require_active_login
177 @active_user_from_url
178 def edit_profile(request
, url_user
=None):
179 # admins may edit any user profile
180 if request
.user
.username
!= url_user
.username
:
181 if not request
.user
.is_admin
:
182 raise Forbidden(_("You can only edit your own profile."))
184 # No need to warn again if admin just submitted an edited profile
185 if request
.method
!= 'POST':
186 messages
.add_message(
187 request
, messages
.WARNING
,
188 _("You are editing a user's profile. Proceed with caution."))
192 form
= forms
.EditProfileForm(request
.form
,
196 if request
.method
== 'POST' and form
.validate():
197 user
.url
= unicode(form
.url
.data
)
198 user
.bio
= unicode(form
.bio
.data
)
202 messages
.add_message(request
,
204 _("Profile changes saved"))
205 return redirect(request
,
206 'mediagoblin.user_pages.user_home',
209 return render_to_response(
211 'mediagoblin/edit/edit_profile.html',
216 @require_active_login
217 def edit_account(request
):
219 form
= forms
.EditAccountForm(request
.form
,
220 wants_comment_notification
=user
.wants_comment_notification
,
221 license_preference
=user
.license_preference
)
223 if request
.method
== 'POST':
224 form_validated
= form
.validate()
226 if form_validated
and \
227 form
.wants_comment_notification
.validate(form
):
228 user
.wants_comment_notification
= \
229 form
.wants_comment_notification
.data
231 if form_validated
and \
232 form
.license_preference
.validate(form
):
233 user
.license_preference
= \
234 form
.license_preference
.data
236 if form_validated
and not form
.errors
:
238 messages
.add_message(request
,
240 _("Account settings saved"))
241 return redirect(request
,
242 'mediagoblin.user_pages.user_home',
245 return render_to_response(
247 'mediagoblin/edit/edit_account.html',
252 @require_active_login
253 def delete_account(request
):
254 """Delete a user completely"""
256 if request
.method
== 'POST':
257 if request
.form
.get(u
'confirmed'):
258 # Form submitted and confirmed. Actually delete the user account
259 # Log out user and delete cookies etc.
260 # TODO: Should we be using MG.auth.views.py:logout for this?
261 request
.session
.delete()
263 # Delete user account and all related media files etc....
264 request
.user
.delete()
266 # We should send a message that the user has been deleted
267 # successfully. But we just deleted the session, so we
269 return redirect(request
, 'index')
271 else: # Did not check the confirmation box...
272 messages
.add_message(
273 request
, messages
.WARNING
,
274 _('You need to confirm the deletion of your account.'))
276 # No POST submission or not confirmed, just show page
277 return render_to_response(
279 'mediagoblin/edit/delete_account.html',
283 @require_active_login
284 @user_may_alter_collection
286 def edit_collection(request
, collection
):
288 title
=collection
.title
,
289 slug
=collection
.slug
,
290 description
=collection
.description
)
292 form
= forms
.EditCollectionForm(
296 if request
.method
== 'POST' and form
.validate():
297 # Make sure there isn't already a Collection with such a slug
299 slug_used
= check_collection_slug_used(collection
.creator
,
300 form
.slug
.data
, collection
.id)
302 # Make sure there isn't already a Collection with this title
303 existing_collection
= request
.db
.Collection
.find_one({
304 'creator': request
.user
.id,
305 'title':form
.title
.data
})
307 if existing_collection
and existing_collection
.id != collection
.id:
308 messages
.add_message(
309 request
, messages
.ERROR
,
310 _('You already have a collection called "%s"!') % \
313 form
.slug
.errors
.append(
314 _(u
'A collection with that slug already exists for this user.'))
316 collection
.title
= unicode(form
.title
.data
)
317 collection
.description
= unicode(form
.description
.data
)
318 collection
.slug
= unicode(form
.slug
.data
)
322 return redirect_obj(request
, collection
)
324 if request
.user
.is_admin \
325 and collection
.creator
!= request
.user
.id \
326 and request
.method
!= 'POST':
327 messages
.add_message(
328 request
, messages
.WARNING
,
329 _("You are editing another user's collection. Proceed with caution."))
331 return render_to_response(
333 'mediagoblin/edit/edit_collection.html',
334 {'collection': collection
,
338 @require_active_login
339 def change_pass(request
):
340 form
= forms
.ChangePassForm(request
.form
)
343 if request
.method
== 'POST' and form
.validate():
345 if not auth
.check_password(
346 form
.old_password
.data
, user
.pw_hash
):
347 form
.old_password
.errors
.append(
350 return render_to_response(
352 'mediagoblin/edit/change_pass.html',
357 user
.pw_hash
= auth
.gen_password_hash(
358 form
.new_password
.data
)
361 messages
.add_message(
362 request
, messages
.SUCCESS
,
363 _('Your password was changed successfully'))
365 return redirect(request
, 'mediagoblin.edit.account')
367 return render_to_response(
369 'mediagoblin/edit/change_pass.html',