1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 from cgi
import FieldStorage
18 from datetime
import datetime
20 from werkzeug
.exceptions
import Forbidden
21 from werkzeug
.utils
import secure_filename
23 from mediagoblin
import messages
24 from mediagoblin
import mg_globals
26 from mediagoblin
.auth
import lib
as auth_lib
27 from mediagoblin
.edit
import forms
28 from mediagoblin
.edit
.lib
import may_edit_media
29 from mediagoblin
.decorators
import require_active_login
, get_user_media_entry
, \
30 user_may_alter_collection
, get_user_collection
31 from mediagoblin
.tools
.response
import render_to_response
, redirect
32 from mediagoblin
.tools
.translate
import pass_to_ugettext
as _
33 from mediagoblin
.tools
.text
import (
34 convert_to_tag_list_of_dicts
, media_tags_as_string
)
35 from mediagoblin
.db
.util
import check_media_slug_used
, check_collection_slug_used
42 def edit_media(request
, media
):
43 if not may_edit_media(request
, media
):
44 raise Forbidden("User may not edit this media")
49 description
=media
.description
,
50 tags
=media_tags_as_string(media
.tags
),
51 license
=media
.license
)
53 form
= forms
.EditForm(
57 if request
.method
== 'POST' and form
.validate():
58 # Make sure there isn't already a MediaEntry with such a slug
60 slug_used
= check_media_slug_used(request
.db
, media
.uploader
,
61 request
.form
['slug'], media
.id)
64 form
.slug
.errors
.append(
65 _(u
'An entry with that slug already exists for this user.'))
67 media
.title
= unicode(request
.form
['title'])
68 media
.description
= unicode(request
.form
.get('description'))
69 media
.tags
= convert_to_tag_list_of_dicts(
70 request
.form
.get('tags'))
72 media
.license
= unicode(request
.form
.get('license', '')) or None
74 media
.slug
= unicode(request
.form
['slug'])
78 return redirect(request
,
79 location
=media
.url_for_self(request
.urlgen
))
81 if request
.user
.is_admin \
82 and media
.uploader
!= request
.user
.id \
83 and request
.method
!= 'POST':
85 request
, messages
.WARNING
,
86 _("You are editing another user's media. Proceed with caution."))
88 return render_to_response(
90 'mediagoblin/edit/edit.html',
95 # Mimetypes that browsers parse scripts in.
96 # Content-sniffing isn't taken into consideration.
102 @get_user_media_entry
103 @require_active_login
104 def edit_attachments(request
, media
):
105 if mg_globals
.app_config
['allow_attachments']:
106 form
= forms
.EditAttachmentsForm()
108 # Add any attachements
109 if 'attachment_file' in request
.files \
110 and request
.files
['attachment_file']:
112 # Security measure to prevent attachments from being served as
113 # text/html, which will be parsed by web clients and pose an XSS
117 # This method isn't flawless as some browsers may perform
119 # This method isn't flawless as we do the mimetype lookup on the
120 # machine parsing the upload form, and not necessarily the machine
121 # serving the attachments.
122 if mimetypes
.guess_type(
123 request
.files
['attachment_file'].filename
)[0] in \
125 public_filename
= secure_filename('{0}.notsafe'.format(
126 request
.files
['attachment_file'].filename
))
128 public_filename
= secure_filename(
129 request
.files
['attachment_file'].filename
)
131 attachment_public_filepath \
132 = mg_globals
.public_store
.get_unique_filepath(
133 ['media_entries', unicode(media
.id), 'attachment',
136 attachment_public_file
= mg_globals
.public_store
.get_file(
137 attachment_public_filepath
, 'wb')
140 attachment_public_file
.write(
141 request
.files
['attachment_file'].stream
.read())
143 request
.files
['attachment_file'].stream
.close()
145 media
.attachment_files
.append(dict(
146 name
=request
.form
['attachment_name'] \
147 or request
.files
['attachment_file'].filename
,
148 filepath
=attachment_public_filepath
,
149 created
=datetime
.utcnow(),
154 messages
.add_message(
155 request
, messages
.SUCCESS
,
156 _("You added the attachment %s!") \
157 % (request
.form
['attachment_name']
158 or request
.files
['attachment_file'].filename
))
160 return redirect(request
,
161 location
=media
.url_for_self(request
.urlgen
))
162 return render_to_response(
164 'mediagoblin/edit/attachments.html',
168 raise Forbidden("Attachments are disabled")
171 @require_active_login
172 def edit_profile(request
):
173 # admins may edit any user profile given a username in the querystring
174 edit_username
= request
.GET
.get('username')
175 if request
.user
.is_admin
and request
.user
.username
!= edit_username
:
176 user
= request
.db
.User
.find_one({'username': edit_username
})
177 # No need to warn again if admin just submitted an edited profile
178 if request
.method
!= 'POST':
179 messages
.add_message(
180 request
, messages
.WARNING
,
181 _("You are editing a user's profile. Proceed with caution."))
185 form
= forms
.EditProfileForm(request
.form
,
189 if request
.method
== 'POST' and form
.validate():
190 user
.url
= unicode(request
.form
['url'])
191 user
.bio
= unicode(request
.form
['bio'])
195 messages
.add_message(request
,
197 _("Profile changes saved"))
198 return redirect(request
,
199 'mediagoblin.user_pages.user_home',
202 return render_to_response(
204 'mediagoblin/edit/edit_profile.html',
209 @require_active_login
210 def edit_account(request
):
212 form
= forms
.EditAccountForm(request
.form
,
213 wants_comment_notification
=user
.get('wants_comment_notification'))
215 if request
.method
== 'POST':
216 form_validated
= form
.validate()
218 #if the user has not filled in the new or old password fields
219 if not form
.new_password
.data
and not form
.old_password
.data
:
220 if form
.wants_comment_notification
.validate(form
):
221 user
.wants_comment_notification
= \
222 form
.wants_comment_notification
.data
224 messages
.add_message(request
,
226 _("Account settings saved"))
227 return redirect(request
,
228 'mediagoblin.user_pages.user_home',
231 #so the user has filled in one or both of the password fields
234 password_matches
= auth_lib
.bcrypt_check_password(
235 form
.old_password
.data
,
238 #the entire form validates and the password matches
239 user
.pw_hash
= auth_lib
.bcrypt_gen_password_hash(
240 form
.new_password
.data
)
241 user
.wants_comment_notification
= \
242 form
.wants_comment_notification
.data
244 messages
.add_message(request
,
246 _("Account settings saved"))
247 return redirect(request
,
248 'mediagoblin.user_pages.user_home',
251 form
.old_password
.errors
.append(_('Wrong password'))
253 return render_to_response(
255 'mediagoblin/edit/edit_account.html',
260 @require_active_login
261 @user_may_alter_collection
263 def edit_collection(request
, collection
):
265 title
=collection
.title
,
266 slug
=collection
.slug
,
267 description
=collection
.description
)
269 form
= forms
.EditCollectionForm(
273 if request
.method
== 'POST' and form
.validate():
274 # Make sure there isn't already a Collection with such a slug
276 slug_used
= check_collection_slug_used(request
.db
, collection
.creator
,
277 request
.form
['slug'], collection
.id)
279 # Make sure there isn't already a Collection with this title
280 existing_collection
= request
.db
.Collection
.find_one({
281 'creator': request
.user
.id,
282 'title':request
.form
['title']})
284 if existing_collection
and existing_collection
.id != collection
.id:
285 messages
.add_message(
286 request
, messages
.ERROR
,
287 _('You already have a collection called "%s"!') % \
288 request
.form
['title'])
290 form
.slug
.errors
.append(
291 _(u
'A collection with that slug already exists for this user.'))
293 collection
.title
= unicode(request
.form
['title'])
294 collection
.description
= unicode(request
.form
.get('description'))
295 collection
.slug
= unicode(request
.form
['slug'])
299 return redirect(request
, "mediagoblin.user_pages.user_collection",
300 user
=collection
.get_creator
.username
,
301 collection
=collection
.slug
)
303 if request
.user
.is_admin \
304 and collection
.creator
!= request
.user
.id \
305 and request
.method
!= 'POST':
306 messages
.add_message(
307 request
, messages
.WARNING
,
308 _("You are editing another user's collection. Proceed with caution."))
310 return render_to_response(
312 'mediagoblin/edit/edit_collection.html',
313 {'collection': collection
,