2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 from datetime
import datetime
21 from itsdangerous
import BadSignature
22 from pyld
import jsonld
23 from werkzeug
.exceptions
import Forbidden
24 from werkzeug
.utils
import secure_filename
25 from jsonschema
import ValidationError
, Draft4Validator
27 from mediagoblin
import messages
28 from mediagoblin
import mg_globals
30 from mediagoblin
.auth
import (check_password
,
32 from mediagoblin
.edit
import forms
33 from mediagoblin
.edit
.lib
import may_edit_media
34 from mediagoblin
.decorators
import (require_active_login
, active_user_from_url
,
35 get_media_entry_by_id
, user_may_alter_collection
,
36 get_user_collection
, user_has_privilege
,
37 user_not_banned
, user_may_delete_media
)
38 from mediagoblin
.tools
.crypto
import get_timed_signer_url
39 from mediagoblin
.tools
.metadata
import (compact_and_validate
, DEFAULT_CHECKER
,
41 from mediagoblin
.tools
.mail
import email_debug_message
42 from mediagoblin
.tools
.response
import (render_to_response
,
43 redirect
, redirect_obj
, render_404
)
44 from mediagoblin
.tools
.translate
import pass_to_ugettext
as _
45 from mediagoblin
.tools
.template
import render_template
46 from mediagoblin
.tools
.text
import (
47 convert_to_tag_list_of_dicts
, media_tags_as_string
)
48 from mediagoblin
.tools
.url
import slugify
49 from mediagoblin
.db
.util
import check_media_slug_used
, check_collection_slug_used
50 from mediagoblin
.db
.models
import User
, LocalUser
, Client
, AccessToken
, Location
55 @get_media_entry_by_id
57 def edit_media(request
, media
):
58 # If media is not processed, return NotFound.
59 if not media
.state
== u
'processed':
60 return render_404(request
)
62 if not may_edit_media(request
, media
):
63 raise Forbidden("User may not edit this media")
68 description
=media
.description
,
69 tags
=media_tags_as_string(media
.tags
),
70 license
=media
.license
)
72 form
= forms
.EditForm(
73 request
.method
=='POST' and request
.form
or None,
76 if request
.method
== 'POST' and form
.validate():
77 # Make sure there isn't already a MediaEntry with such a slug
79 slug
= slugify(form
.slug
.data
)
80 slug_used
= check_media_slug_used(media
.actor
, slug
, media
.id)
83 form
.slug
.errors
.append(
84 _(u
'An entry with that slug already exists for this user.'))
86 media
.title
= form
.title
.data
87 media
.description
= form
.description
.data
88 media
.tags
= convert_to_tag_list_of_dicts(
91 media
.license
= six
.text_type(form
.license
.data
) or None
95 return redirect_obj(request
, media
)
97 if request
.user
.has_privilege(u
'admin') \
98 and media
.actor
!= request
.user
.id \
99 and request
.method
!= 'POST':
100 messages
.add_message(
103 _("You are editing another user's media. Proceed with caution."))
105 return render_to_response(
107 'mediagoblin/edit/edit.html',
112 # Mimetypes that browsers parse scripts in.
113 # Content-sniffing isn't taken into consideration.
119 @get_media_entry_by_id
120 @require_active_login
121 def edit_attachments(request
, media
):
122 # If media is not processed, return NotFound.
123 if not media
.state
== u
'processed':
124 return render_404(request
)
126 if mg_globals
.app_config
['allow_attachments']:
127 form
= forms
.EditAttachmentsForm()
129 # Add any attachements
130 if 'attachment_file' in request
.files \
131 and request
.files
['attachment_file']:
133 # Security measure to prevent attachments from being served as
134 # text/html, which will be parsed by web clients and pose an XSS
138 # This method isn't flawless as some browsers may perform
140 # This method isn't flawless as we do the mimetype lookup on the
141 # machine parsing the upload form, and not necessarily the machine
142 # serving the attachments.
143 if mimetypes
.guess_type(
144 request
.files
['attachment_file'].filename
)[0] in \
146 public_filename
= secure_filename('{0}.notsafe'.format(
147 request
.files
['attachment_file'].filename
))
149 public_filename
= secure_filename(
150 request
.files
['attachment_file'].filename
)
152 attachment_public_filepath \
153 = mg_globals
.public_store
.get_unique_filepath(
154 ['media_entries', six
.text_type(media
.id), 'attachment',
157 attachment_public_file
= mg_globals
.public_store
.get_file(
158 attachment_public_filepath
, 'wb')
161 attachment_public_file
.write(
162 request
.files
['attachment_file'].stream
.read())
164 request
.files
['attachment_file'].stream
.close()
166 media
.attachment_files
.append(dict(
167 name
=form
.attachment_name
.data \
168 or request
.files
['attachment_file'].filename
,
169 filepath
=attachment_public_filepath
,
170 created
=datetime
.utcnow(),
175 messages
.add_message(
178 _("You added the attachment %s!") %
179 (form
.attachment_name
.data
or
180 request
.files
['attachment_file'].filename
))
182 return redirect(request
,
183 location
=media
.url_for_self(request
.urlgen
))
184 return render_to_response(
186 'mediagoblin/edit/attachments.html',
190 raise Forbidden("Attachments are disabled")
192 @require_active_login
193 def legacy_edit_profile(request
):
194 """redirect the old /edit/profile/?username=USER to /u/USER/edit/"""
195 username
= request
.GET
.get('username') or request
.user
.username
196 return redirect(request
, 'mediagoblin.edit.profile', user
=username
)
199 @require_active_login
200 @active_user_from_url
201 def edit_profile(request
, url_user
=None):
202 # admins may edit any user profile
203 if request
.user
.username
!= url_user
.username
:
204 if not request
.user
.has_privilege(u
'admin'):
205 raise Forbidden(_("You can only edit your own profile."))
207 # No need to warn again if admin just submitted an edited profile
208 if request
.method
!= 'POST':
209 messages
.add_message(
212 _("You are editing a user's profile. Proceed with caution."))
216 # Get the location name
217 if user
.location
is None:
220 location
= user
.get_location
.name
222 form
= forms
.EditProfileForm(
223 request
.method
== 'POST' and request
.form
or None,
228 if request
.method
== 'POST' and form
.validate():
229 user
.url
= six
.text_type(form
.url
.data
)
230 user
.bio
= six
.text_type(form
.bio
.data
)
233 if form
.location
.data
and user
.location
is None:
234 user
.get_location
= Location(name
=six
.text_type(form
.location
.data
))
235 elif form
.location
.data
:
236 location
= user
.get_location
237 location
.name
= six
.text_type(form
.location
.data
)
244 messages
.add_message(
247 _("Profile changes saved"))
248 return redirect(request
,
249 'mediagoblin.user_pages.user_home',
252 return render_to_response(
254 'mediagoblin/edit/edit_profile.html',
258 EMAIL_VERIFICATION_TEMPLATE
= (
260 u
'token={verification_key}')
263 @require_active_login
264 def edit_account(request
):
266 form
= forms
.EditAccountForm(
267 request
.method
== 'POST' and request
.form
or None,
268 wants_comment_notification
=user
.wants_comment_notification
,
269 license_preference
=user
.license_preference
,
270 wants_notifications
=user
.wants_notifications
)
272 if request
.method
== 'POST' and form
.validate():
273 user
.wants_comment_notification
= form
.wants_comment_notification
.data
274 user
.wants_notifications
= form
.wants_notifications
.data
276 user
.license_preference
= form
.license_preference
.data
279 messages
.add_message(
282 _("Account settings saved"))
283 return redirect(request
,
284 'mediagoblin.user_pages.user_home',
287 return render_to_response(
289 'mediagoblin/edit/edit_account.html',
293 @require_active_login
294 def deauthorize_applications(request
):
295 """ Deauthroize OAuth applications """
296 if request
.method
== 'POST' and "application" in request
.form
:
297 token
= request
.form
["application"]
298 access_token
= AccessToken
.query
.filter_by(token
=token
).first()
299 if access_token
is None:
300 messages
.add_message(
303 _("Unknown application, not able to deauthorize")
306 access_token
.delete()
307 messages
.add_message(
310 _("Application has been deauthorized")
313 access_tokens
= AccessToken
.query
.filter_by(actor
=request
.user
.id)
314 applications
= [(a
.get_requesttoken
, a
) for a
in access_tokens
]
316 return render_to_response(
318 'mediagoblin/edit/deauthorize_applications.html',
319 {'applications': applications
}
322 @require_active_login
323 def delete_account(request
):
324 """Delete a user completely"""
326 if request
.method
== 'POST':
327 if request
.form
.get(u
'confirmed'):
328 # Form submitted and confirmed. Actually delete the user account
329 # Log out user and delete cookies etc.
330 # TODO: Should we be using MG.auth.views.py:logout for this?
331 request
.session
.delete()
333 # Delete user account and all related media files etc....
334 user
= User
.query
.filter(User
.id==user
.id).first()
337 # We should send a message that the user has been deleted
338 # successfully. But we just deleted the session, so we
340 return redirect(request
, 'index')
342 else: # Did not check the confirmation box...
343 messages
.add_message(
346 _('You need to confirm the deletion of your account.'))
348 # No POST submission or not confirmed, just show page
349 return render_to_response(
351 'mediagoblin/edit/delete_account.html',
355 @require_active_login
356 @user_may_alter_collection
358 def edit_collection(request
, collection
):
360 title
=collection
.title
,
361 slug
=collection
.slug
,
362 description
=collection
.description
)
364 form
= forms
.EditCollectionForm(
365 request
.method
== 'POST' and request
.form
or None,
368 if request
.method
== 'POST' and form
.validate():
369 # Make sure there isn't already a Collection with such a slug
371 slug_used
= check_collection_slug_used(collection
.actor
,
372 form
.slug
.data
, collection
.id)
374 # Make sure there isn't already a Collection with this title
375 existing_collection
= request
.db
.Collection
.query
.filter_by(
376 actor
=request
.user
.id,
377 title
=form
.title
.data
).first()
379 if existing_collection
and existing_collection
.id != collection
.id:
380 messages
.add_message(
383 _('You already have a collection called "%s"!') %
386 form
.slug
.errors
.append(
387 _(u
'A collection with that slug already exists for this user.'))
389 collection
.title
= six
.text_type(form
.title
.data
)
390 collection
.description
= six
.text_type(form
.description
.data
)
391 collection
.slug
= six
.text_type(form
.slug
.data
)
395 return redirect_obj(request
, collection
)
397 if request
.user
.has_privilege(u
'admin') \
398 and collection
.actor
!= request
.user
.id \
399 and request
.method
!= 'POST':
400 messages
.add_message(
403 _("You are editing another user's collection. "
404 "Proceed with caution."))
406 return render_to_response(
408 'mediagoblin/edit/edit_collection.html',
409 {'collection': collection
,
413 def verify_email(request
):
415 Email verification view for changing email address
417 # If no token, we can't do anything
418 if not 'token' in request
.GET
:
419 return render_404(request
)
421 # Catch error if token is faked or expired
424 token
= get_timed_signer_url("mail_verification_token") \
425 .loads(request
.GET
['token'], max_age
=10*24*3600)
427 messages
.add_message(
430 _('The verification key or user id is incorrect.'))
436 user
= User
.query
.filter_by(id=int(token
['user'])).first()
439 user
.email
= token
['email']
442 messages
.add_message(
445 _('Your email address has been verified.'))
448 messages
.add_message(
451 _('The verification key or user id is incorrect.'))
454 request
, 'mediagoblin.user_pages.user_home',
458 @require_active_login
459 def change_email(request
):
460 """ View to change the user's email """
461 form
= forms
.ChangeEmailForm(
462 request
.method
== 'POST' and request
.form
or None)
465 # If no password authentication, no need to enter a password
466 if 'pass_auth' not in request
.template_env
.globals or not user
.pw_hash
:
467 form
.__delitem
__('password')
469 if request
.method
== 'POST' and form
.validate():
470 new_email
= form
.new_email
.data
471 users_with_email
= User
.query
.filter(
472 LocalUser
.email
==new_email
476 form
.new_email
.errors
.append(
477 _('Sorry, a user with that email address'
480 if form
.password
and user
.pw_hash
and not check_password(
481 form
.password
.data
, user
.pw_hash
):
482 form
.password
.errors
.append(
486 verification_key
= get_timed_signer_url(
487 'mail_verification_token').dumps({
491 rendered_email
= render_template(
492 request
, 'mediagoblin/edit/verification.txt',
493 {'username': user
.username
,
494 'verification_url': EMAIL_VERIFICATION_TEMPLATE
.format(
495 uri
=request
.urlgen('mediagoblin.edit.verify_email',
497 verification_key
=verification_key
)})
499 email_debug_message(request
)
500 auth_tools
.send_verification_email(user
, request
, new_email
,
503 return redirect(request
, 'mediagoblin.edit.account')
505 return render_to_response(
507 'mediagoblin/edit/change_email.html',
511 @user_has_privilege(u
'admin')
512 @require_active_login
513 @get_media_entry_by_id
514 def edit_metadata(request
, media
):
515 # If media is not processed, return NotFound.
516 if not media
.state
== u
'processed':
517 return render_404(request
)
519 form
= forms
.EditMetaDataForm(
520 request
.method
== 'POST' and request
.form
or None)
521 if request
.method
== "POST" and form
.validate():
522 metadata_dict
= dict([(row
['identifier'],row
['value'])
523 for row
in form
.media_metadata
.data
])
524 json_ld_metadata
= None
525 json_ld_metadata
= compact_and_validate(metadata_dict
)
526 media
.media_metadata
= json_ld_metadata
528 return redirect_obj(request
, media
)
530 if len(form
.media_metadata
) == 0:
531 for identifier
, value
in six
.iteritems(media
.media_metadata
):
532 if identifier
== "@context": continue
533 form
.media_metadata
.append_entry({
534 'identifier':identifier
,
537 return render_to_response(
539 'mediagoblin/edit/metadata.html',