X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=mediagoblin%2Fdecorators.py;h=daeddb3f199352258988eef024d4022b705cce29;hb=283043f14d8fdeb8cccad00b7d7cb7a8cc5a17bd;hp=092356144931b1121d94e2ce380cf3dcd1af9125;hpb=c7d135b6eaad379511cde306043eb3058132e7b7;p=mediagoblin.git diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py index 09235614..daeddb3f 100644 --- a/mediagoblin/decorators.py +++ b/mediagoblin/decorators.py @@ -16,46 +16,103 @@ from functools import wraps -from urlparse import urljoin from werkzeug.exceptions import Forbidden, NotFound -from werkzeug.urls import url_quote +from oauthlib.oauth1 import ResourceEndpoint + +from six.moves.urllib.parse import urljoin from mediagoblin import mg_globals as mgg -from mediagoblin.db.models import MediaEntry, User -from mediagoblin.tools.response import redirect, render_404 +from mediagoblin import messages +from mediagoblin.db.models import MediaEntry, LocalUser, TextComment, \ + AccessToken, Comment +from mediagoblin.tools.response import ( + redirect, render_404, + render_user_banned, json_response) +from mediagoblin.tools.translate import pass_to_ugettext as _ + +from mediagoblin.oauth.tools.request import decode_authorization_header +from mediagoblin.oauth.oauth import GMGRequestValidator + + +def user_not_banned(controller): + """ + Requires that the user has not been banned. Otherwise redirects to the page + explaining why they have been banned + """ + @wraps(controller) + def wrapper(request, *args, **kwargs): + if request.user: + if request.user.is_banned(): + return render_user_banned(request) + return controller(request, *args, **kwargs) + + return wrapper def require_active_login(controller): """ - Require an active login from the user. + Require an active login from the user. If the user is banned, redirects to + the "You are Banned" page. """ @wraps(controller) + @user_not_banned def new_controller_func(request, *args, **kwargs): if request.user and \ - request.user.status == u'needs_email_verification': + not request.user.has_privilege(u'active'): return redirect( request, 'mediagoblin.user_pages.user_home', user=request.user.username) - elif not request.user or request.user.status != u'active': + elif not request.user or not request.user.has_privilege(u'active'): next_url = urljoin( request.urlgen('mediagoblin.auth.login', qualified=True), request.url) return redirect(request, 'mediagoblin.auth.login', - next=url_quote(next_url)) + next=next_url) return controller(request, *args, **kwargs) return new_controller_func + +def user_has_privilege(privilege_name, allow_admin=True): + """ + Requires that a user have a particular privilege in order to access a page. + In order to require that a user have multiple privileges, use this + decorator twice on the same view. This decorator also makes sure that the + user is not banned, or else it redirects them to the "You are Banned" page. + + :param privilege_name A unicode object that is that represents + the privilege object. This object is + the name of the privilege, as assigned + in the Privilege.privilege_name column + + :param allow_admin If this is true then if the user is an admin + it will allow the user even if the user doesn't + have the privilage given in privilage_name. + """ + + def user_has_privilege_decorator(controller): + @wraps(controller) + @require_active_login + def wrapper(request, *args, **kwargs): + if not request.user.has_privilege(privilege_name, allow_admin): + raise Forbidden() + + return controller(request, *args, **kwargs) + + return wrapper + return user_has_privilege_decorator + + def active_user_from_url(controller): - """Retrieve User() from URL pattern and pass in as url_user=... + """Retrieve LocalUser() from URL pattern and pass in as url_user=... Returns a 404 if no such active user has been found""" @wraps(controller) def wrapper(request, *args, **kwargs): - user = User.query.filter_by(username=request.matchdict['user']).first() + user = LocalUser.query.filter_by(username=request.matchdict['user']).first() if user is None: return render_404(request) @@ -70,8 +127,8 @@ def user_may_delete_media(controller): """ @wraps(controller) def wrapper(request, *args, **kwargs): - uploader_id = kwargs['media'].uploader - if not (request.user.is_admin or + uploader_id = kwargs['media'].actor + if not (request.user.has_privilege(u'admin') or request.user.id == uploader_id): raise Forbidden() @@ -86,9 +143,9 @@ def user_may_alter_collection(controller): """ @wraps(controller) def wrapper(request, *args, **kwargs): - creator_id = request.db.User.find_one( - {'username': request.matchdict['user']}).id - if not (request.user.is_admin or + creator_id = request.db.LocalUser.query.filter_by( + username=request.matchdict['user']).first().id + if not (request.user.has_privilege(u'admin') or request.user.id == creator_id): raise Forbidden() @@ -121,28 +178,33 @@ def get_user_media_entry(controller): """ @wraps(controller) def wrapper(request, *args, **kwargs): - user = User.query.filter_by(username=request.matchdict['user']).first() + user = LocalUser.query.filter_by(username=request.matchdict['user']).first() if not user: raise NotFound() - media = MediaEntry.query.filter_by( - slug = request.matchdict['media'], - state = u'processed', - uploader = user.id).first() + media = None - if not media: - # no media via slug? Grab it via object id + # might not be a slug, might be an id, but whatever + media_slug = request.matchdict['media'] + + # if it starts with id: it actually isn't a slug, it's an id. + if media_slug.startswith(u'id:'): try: media = MediaEntry.query.filter_by( - id = int(request.matchdict['media']), - state = u'processed', - uploader = user.id).first() + id=int(media_slug[3:]), + state=u'processed', + actor=user.id).first() except ValueError: - # media "id" was no int raise NotFound() + else: + # no magical id: stuff? It's a slug! + media = MediaEntry.query.filter_by( + slug=media_slug, + state=u'processed', + actor=user.id).first() if not media: - # no media by that id? Okay, 404. + # Didn't find anything? Okay, 404. raise NotFound() return controller(request, media=media, *args, **kwargs) @@ -156,15 +218,15 @@ def get_user_collection(controller): """ @wraps(controller) def wrapper(request, *args, **kwargs): - user = request.db.User.find_one( - {'username': request.matchdict['user']}) + user = request.db.LocalUser.query.filter_by( + username=request.matchdict['user']).first() if not user: return render_404(request) - collection = request.db.Collection.find_one( - {'slug': request.matchdict['collection'], - 'creator': user.id}) + collection = request.db.Collection.query.filter_by( + slug=request.matchdict['collection'], + actor=user.id).first() # Still no collection? Okay, 404. if not collection: @@ -181,18 +243,14 @@ def get_user_collection_item(controller): """ @wraps(controller) def wrapper(request, *args, **kwargs): - user = request.db.User.find_one( - {'username': request.matchdict['user']}) + user = request.db.LocalUser.query.filter_by( + username=request.matchdict['user']).first() if not user: return render_404(request) - collection = request.db.Collection.find_one( - {'slug': request.matchdict['collection'], - 'creator': user.id}) - - collection_item = request.db.CollectionItem.find_one( - {'id': request.matchdict['collection_item'] }) + collection_item = request.db.CollectionItem.query.filter_by( + id=request.matchdict['collection_item']).first() # Still no collection item? Okay, 404. if not collection_item: @@ -217,7 +275,7 @@ def get_media_entry_by_id(controller): return render_404(request) given_username = request.matchdict.get('user') - if given_username and (given_username != media.get_uploader.username): + if given_username and (given_username != media.get_actor.username): return render_404(request) return controller(request, media=media, *args, **kwargs) @@ -234,3 +292,140 @@ def get_workbench(func): return func(*args, workbench=workbench, **kwargs) return new_func + + +def allow_registration(controller): + """ Decorator for if registration is enabled""" + @wraps(controller) + def wrapper(request, *args, **kwargs): + if not mgg.app_config["allow_registration"]: + messages.add_message( + request, + messages.WARNING, + _('Sorry, registration is disabled on this instance.')) + return redirect(request, "index") + + return controller(request, *args, **kwargs) + + return wrapper + +def allow_reporting(controller): + """ Decorator for if reporting is enabled""" + @wraps(controller) + def wrapper(request, *args, **kwargs): + if not mgg.app_config["allow_reporting"]: + messages.add_message( + request, + messages.WARNING, + _('Sorry, reporting is disabled on this instance.')) + return redirect(request, 'index') + + return controller(request, *args, **kwargs) + + return wrapper + +def get_optional_media_comment_by_id(controller): + """ + Pass in a Comment based off of a url component. Because of this decor- + -ator's use in filing Reports, it has two valid outcomes. + + :returns The view function being wrapped with kwarg `comment` set to + the Comment who's id is in the URL. If there is a + comment id in the URL and if it is valid. + :returns The view function being wrapped with kwarg `comment` set to + None. If there is no comment id in the URL. + :returns A 404 Error page, if there is a comment if in the URL and it + is invalid. + """ + @wraps(controller) + def wrapper(request, *args, **kwargs): + if 'comment' in request.matchdict: + comment = Comment.query.filter_by( + id=request.matchdict['comment'] + ).first() + + if comment is None: + return render_404(request) + + return controller(request, comment=comment, *args, **kwargs) + else: + return controller(request, comment=None, *args, **kwargs) + return wrapper + + +def auth_enabled(controller): + """Decorator for if an auth plugin is enabled""" + @wraps(controller) + def wrapper(request, *args, **kwargs): + if not mgg.app.auth: + messages.add_message( + request, + messages.WARNING, + _('Sorry, authentication is disabled on this instance.')) + return redirect(request, 'index') + + return controller(request, *args, **kwargs) + + return wrapper + +def require_admin_or_moderator_login(controller): + """ + Require a login from an administrator or a moderator. + """ + @wraps(controller) + def new_controller_func(request, *args, **kwargs): + if request.user and \ + not (request.user.has_privilege(u'admin') + or request.user.has_privilege(u'moderator')): + + raise Forbidden() + elif not request.user: + next_url = urljoin( + request.urlgen('mediagoblin.auth.login', + qualified=True), + request.url) + + return redirect(request, 'mediagoblin.auth.login', + next=next_url) + + return controller(request, *args, **kwargs) + + return new_controller_func + + + +def oauth_required(controller): + """ Used to wrap API endpoints where oauth is required """ + @wraps(controller) + def wrapper(request, *args, **kwargs): + data = request.headers + authorization = decode_authorization_header(data) + + if authorization == dict(): + error = "Missing required parameter." + return json_response({"error": error}, status=400) + + + request_validator = GMGRequestValidator() + resource_endpoint = ResourceEndpoint(request_validator) + valid, r = resource_endpoint.validate_protected_resource_request( + uri=request.url, + http_method=request.method, + body=request.data, + headers=dict(request.headers), + ) + + if not valid: + error = "Invalid oauth parameter." + return json_response({"error": error}, status=400) + + # Fill user if not already + token = authorization[u"oauth_token"] + request.access_token = AccessToken.query.filter_by(token=token).first() + if request.access_token is not None and request.user is None: + user_id = request.access_token.actor + request.user = LocalUser.query.filter_by(id=user_id).first() + + return controller(request, *args, **kwargs) + + return wrapper