# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-from webob import exc
-from cgi import FieldStorage
from datetime import datetime
+from werkzeug.exceptions import Forbidden
from werkzeug.utils import secure_filename
from mediagoblin import messages
from mediagoblin import mg_globals
-from mediagoblin.auth import lib as auth_lib
+from mediagoblin import auth
from mediagoblin.edit import forms
from mediagoblin.edit.lib import may_edit_media
-from mediagoblin.decorators import require_active_login, get_user_media_entry, \
- user_may_alter_collection, get_user_collection
-from mediagoblin.tools.response import render_to_response, redirect
+from mediagoblin.decorators import (require_active_login, active_user_from_url,
+ get_media_entry_by_id,
+ user_may_alter_collection, get_user_collection)
+from mediagoblin.tools.response import render_to_response, \
+ redirect, redirect_obj
from mediagoblin.tools.translate import pass_to_ugettext as _
from mediagoblin.tools.text import (
convert_to_tag_list_of_dicts, media_tags_as_string)
+from mediagoblin.tools.url import slugify
from mediagoblin.db.util import check_media_slug_used, check_collection_slug_used
import mimetypes
-@get_user_media_entry
+@get_media_entry_by_id
@require_active_login
def edit_media(request, media):
if not may_edit_media(request, media):
- return exc.HTTPForbidden()
+ raise Forbidden("User may not edit this media")
defaults = dict(
title=media.title,
if request.method == 'POST' and form.validate():
# Make sure there isn't already a MediaEntry with such a slug
# and userid.
- slug_used = check_media_slug_used(request.db, media.uploader,
- request.form['slug'], media.id)
+ slug = slugify(form.slug.data)
+ slug_used = check_media_slug_used(media.uploader, slug, media.id)
if slug_used:
form.slug.errors.append(
_(u'An entry with that slug already exists for this user.'))
else:
- media.title = unicode(request.form['title'])
- media.description = unicode(request.form.get('description'))
+ media.title = form.title.data
+ media.description = form.description.data
media.tags = convert_to_tag_list_of_dicts(
- request.form.get('tags'))
-
- media.license = unicode(request.form.get('license', '')) or None
-
- media.slug = unicode(request.form['slug'])
+ form.tags.data)
+ media.license = unicode(form.license.data) or None
+ media.slug = slug
media.save()
- return exc.HTTPFound(
- location=media.url_for_self(request.urlgen))
+ return redirect_obj(request, media)
if request.user.is_admin \
- and media.uploader != request.user._id \
+ and media.uploader != request.user.id \
and request.method != 'POST':
messages.add_message(
request, messages.WARNING,
'text/svg+xml']
-@get_user_media_entry
+@get_media_entry_by_id
@require_active_login
def edit_attachments(request, media):
if mg_globals.app_config['allow_attachments']:
form = forms.EditAttachmentsForm()
# Add any attachements
- if ('attachment_file' in request.form
- and isinstance(request.form['attachment_file'], FieldStorage)
- and request.form['attachment_file'].file):
+ if 'attachment_file' in request.files \
+ and request.files['attachment_file']:
# Security measure to prevent attachments from being served as
# text/html, which will be parsed by web clients and pose an XSS
# machine parsing the upload form, and not necessarily the machine
# serving the attachments.
if mimetypes.guess_type(
- request.form['attachment_file'].filename)[0] in \
+ request.files['attachment_file'].filename)[0] in \
UNSAFE_MIMETYPES:
public_filename = secure_filename('{0}.notsafe'.format(
- request.form['attachment_file'].filename))
+ request.files['attachment_file'].filename))
else:
public_filename = secure_filename(
- request.form['attachment_file'].filename)
+ request.files['attachment_file'].filename)
attachment_public_filepath \
= mg_globals.public_store.get_unique_filepath(
- ['media_entries', unicode(media._id), 'attachment',
+ ['media_entries', unicode(media.id), 'attachment',
public_filename])
attachment_public_file = mg_globals.public_store.get_file(
try:
attachment_public_file.write(
- request.form['attachment_file'].file.read())
+ request.files['attachment_file'].stream.read())
finally:
- request.form['attachment_file'].file.close()
+ request.files['attachment_file'].stream.close()
media.attachment_files.append(dict(
- name=request.form['attachment_name'] \
- or request.form['attachment_file'].filename,
+ name=form.attachment_name.data \
+ or request.files['attachment_file'].filename,
filepath=attachment_public_filepath,
created=datetime.utcnow(),
))
messages.add_message(
request, messages.SUCCESS,
- "You added the attachment %s!" \
- % (request.form['attachment_name']
- or request.form['attachment_file'].filename))
+ _("You added the attachment %s!") \
+ % (form.attachment_name.data
+ or request.files['attachment_file'].filename))
- return exc.HTTPFound(
- location=media.url_for_self(request.urlgen))
+ return redirect(request,
+ location=media.url_for_self(request.urlgen))
return render_to_response(
request,
'mediagoblin/edit/attachments.html',
{'media': media,
'form': form})
else:
- return exc.HTTPForbidden()
+ raise Forbidden("Attachments are disabled")
+
+@require_active_login
+def legacy_edit_profile(request):
+ """redirect the old /edit/profile/?username=USER to /u/USER/edit/"""
+ username = request.GET.get('username') or request.user.username
+ return redirect(request, 'mediagoblin.edit.profile', user=username)
@require_active_login
-def edit_profile(request):
- # admins may edit any user profile given a username in the querystring
- edit_username = request.GET.get('username')
- if request.user.is_admin and request.user.username != edit_username:
- user = request.db.User.find_one({'username': edit_username})
+@active_user_from_url
+def edit_profile(request, url_user=None):
+ # admins may edit any user profile
+ if request.user.username != url_user.username:
+ if not request.user.is_admin:
+ raise Forbidden(_("You can only edit your own profile."))
+
# No need to warn again if admin just submitted an edited profile
if request.method != 'POST':
messages.add_message(
request, messages.WARNING,
_("You are editing a user's profile. Proceed with caution."))
- else:
- user = request.user
+
+ user = url_user
form = forms.EditProfileForm(request.form,
- url=user.get('url'),
- bio=user.get('bio'))
+ url=user.url,
+ bio=user.bio)
if request.method == 'POST' and form.validate():
- user.url = unicode(request.form['url'])
- user.bio = unicode(request.form['bio'])
+ user.url = unicode(form.url.data)
+ user.bio = unicode(form.bio.data)
user.save()
def edit_account(request):
user = request.user
form = forms.EditAccountForm(request.form,
- wants_comment_notification=user.get('wants_comment_notification'))
+ wants_comment_notification=user.wants_comment_notification,
+ license_preference=user.license_preference)
if request.method == 'POST':
form_validated = form.validate()
- #if the user has not filled in the new or old password fields
- if not form.new_password.data and not form.old_password.data:
- if form.wants_comment_notification.validate(form):
- user.wants_comment_notification = \
- form.wants_comment_notification.data
- user.save()
- messages.add_message(request,
- messages.SUCCESS,
- _("Account settings saved"))
- return redirect(request,
- 'mediagoblin.user_pages.user_home',
- user=user.username)
-
- #so the user has filled in one or both of the password fields
- else:
- if form_validated:
- password_matches = auth_lib.bcrypt_check_password(
- form.old_password.data,
- user.pw_hash)
- if password_matches:
- #the entire form validates and the password matches
- user.pw_hash = auth_lib.bcrypt_gen_password_hash(
- form.new_password.data)
- user.wants_comment_notification = \
- form.wants_comment_notification.data
- user.save()
- messages.add_message(request,
- messages.SUCCESS,
- _("Account settings saved"))
- return redirect(request,
- 'mediagoblin.user_pages.user_home',
- user=user.username)
- else:
- form.old_password.errors.append(_('Wrong password'))
+ if form_validated and \
+ form.wants_comment_notification.validate(form):
+ user.wants_comment_notification = \
+ form.wants_comment_notification.data
+
+ if form_validated and \
+ form.license_preference.validate(form):
+ user.license_preference = \
+ form.license_preference.data
+
+ if form_validated and not form.errors:
+ user.save()
+ messages.add_message(request,
+ messages.SUCCESS,
+ _("Account settings saved"))
+ return redirect(request,
+ 'mediagoblin.user_pages.user_home',
+ user=user.username)
return render_to_response(
request,
'form': form})
+@require_active_login
+def delete_account(request):
+ """Delete a user completely"""
+ user = request.user
+ if request.method == 'POST':
+ if request.form.get(u'confirmed'):
+ # Form submitted and confirmed. Actually delete the user account
+ # Log out user and delete cookies etc.
+ # TODO: Should we be using MG.auth.views.py:logout for this?
+ request.session.delete()
+
+ # Delete user account and all related media files etc....
+ request.user.delete()
+
+ # We should send a message that the user has been deleted
+ # successfully. But we just deleted the session, so we
+ # can't...
+ return redirect(request, 'index')
+
+ else: # Did not check the confirmation box...
+ messages.add_message(
+ request, messages.WARNING,
+ _('You need to confirm the deletion of your account.'))
+
+ # No POST submission or not confirmed, just show page
+ return render_to_response(
+ request,
+ 'mediagoblin/edit/delete_account.html',
+ {'user': user})
+
+
@require_active_login
@user_may_alter_collection
@get_user_collection
if request.method == 'POST' and form.validate():
# Make sure there isn't already a Collection with such a slug
# and userid.
- slug_used = check_collection_slug_used(request.db, collection.creator,
- request.form['slug'], collection.id)
-
+ slug_used = check_collection_slug_used(collection.creator,
+ form.slug.data, collection.id)
+
# Make sure there isn't already a Collection with this title
existing_collection = request.db.Collection.find_one({
- 'creator': request.user._id,
- 'title':request.form['title']})
-
+ 'creator': request.user.id,
+ 'title':form.title.data})
+
if existing_collection and existing_collection.id != collection.id:
messages.add_message(
request, messages.ERROR,
_('You already have a collection called "%s"!') % \
- request.form['title'])
+ form.title.data)
elif slug_used:
form.slug.errors.append(
_(u'A collection with that slug already exists for this user.'))
else:
- collection.title = unicode(request.form['title'])
- collection.description = unicode(request.form.get('description'))
- collection.slug = unicode(request.form['slug'])
+ collection.title = unicode(form.title.data)
+ collection.description = unicode(form.description.data)
+ collection.slug = unicode(form.slug.data)
collection.save()
- return redirect(request, "mediagoblin.user_pages.user_collection",
- user=collection.get_creator.username,
- collection=collection.slug)
+ return redirect_obj(request, collection)
if request.user.is_admin \
- and collection.creator != request.user._id \
+ and collection.creator != request.user.id \
and request.method != 'POST':
messages.add_message(
request, messages.WARNING,
'mediagoblin/edit/edit_collection.html',
{'collection': collection,
'form': form})
+
+
+@require_active_login
+def change_pass(request):
+ form = forms.ChangePassForm(request.form)
+ user = request.user
+
+ if request.method == 'POST' and form.validate():
+
+ if not auth_lib.bcrypt_check_password(
+ form.old_password.data, user.pw_hash):
+ form.old_password.errors.append(
+ _('Wrong password'))
+
+ return render_to_response(
+ request,
+ 'mediagoblin/edit/change_pass.html',
+ {'form': form,
+ 'user': user})
+
+ # Password matches
+ user.pw_hash = auth_lib.bcrypt_gen_password_hash(
+ form.new_password.data)
+ user.save()
+
+ messages.add_message(
+ request, messages.SUCCESS,
+ _('Your password was changed successfully'))
+
+ return redirect(request, 'mediagoblin.edit.account')
+
+ return render_to_response(
+ request,
+ 'mediagoblin/edit/change_pass.html',
+ {'form': form,
+ 'user': user})