comparison MoinMoin/action/AttachFile.py @ 5522:879674c9320a

AttachFile: add ticketing for all operations that do modifications Tickets for upload (POST), also for every (GET) URL except do=get and do=view. Avoid KeyError if there is no ticket (was a minor issue, because there has to be one). Use the same i18n string for all "Please use the interactive user interface" messages.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 08 Feb 2010 18:56:07 +0100
parents 269a1fbc3ed7
children af66afbc9a31 369a2c879eb6
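--- a/MoinMoin/action/AttachFile.py
+++ b/MoinMoin/action/AttachFile.py
@@ -77,10 +77,15 @@
 return u"/".join(pieces[:-1]), pieces[-1]
 
 
 def attachUrl(request, pagename, filename=None, **kw):
 # filename is not used yet, but should be used later to make a sub-item url
+if not (kw.get('do') in ['get', 'view', None]
+and
+kw.get('rename') is None):
+# create a ticket for the not so harmless operations
+kw['ticket'] = wikiutil.createTicket(request)
 if kw:
 qs = '?%s' % wikiutil.makeQueryString(kw, want_unicode=False)
 else:
 qs = ''
 return "%s/%s%s" % (request.getScriptname(), wikiutil.quoteWikinameURL(pagename), qs)
@@ -472,10 +477,11 @@
 </dl>
 %(textcha)s
 <p>
 <input type="hidden" name="action" value="%(action_name)s">
 <input type="hidden" name="do" value="upload">
+<input type="hidden" name="ticket" value="%(ticket)s">
 <input type="submit" value="%(upload_button)s">
 </p>
 </form>
 """ % {
 'baseurl': request.getScriptname(),
@@ -486,10 +492,11 @@
 'rename': wikiutil.escape(request.form.get('rename', [''])[0], 1),
 'upload_label_overwrite': _('Overwrite existing attachment of same name'),
 'overwrite_checked': ('', 'checked')[request.form.get('overwrite', ['0'])[0] == '1'],
 'upload_button': _('Upload'),
 'textcha': TextCha(request).render(),
+'ticket': wikiutil.createTicket(request),
 })
 
 request.write('<h2>' + _("Attached Files") + '</h2>')
 request.write(_get_filelist(request, pagename))
 
@@ -550,10 +557,14 @@
 return filename
 
 
 def _do_upload(pagename, request):
 _ = request.getText
+
+if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.upload' }
+
 # Currently we only check TextCha for upload (this is what spammers ususally do),
 # but it could be extended to more/all attachment write access
 if not TextCha(request).check_answer_from_form():
 return _('TextCha: Wrong answer! Go back and try again...')
 
@@ -605,10 +616,13 @@
 
 
 def _do_savedrawing(pagename, request):
 _ = request.getText
 
+if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.savedrawing' }
+
 if not request.user.may.write(pagename):
 return _('You are not allowed to save a drawing on this page.')
 
 filename = request.form['filename'][0]
 filecontent = request.form['filepath'][0]
@@ -651,10 +665,13 @@
 request.write("OK")
 
 
 def _do_del(pagename, request):
 _ = request.getText
+
+if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.del' }
 
 pagename, filename, fpath = _access_file(pagename, request)
 if not request.user.may.delete(pagename):
 return _('You are not allowed to delete attachments on this page.')
 if not filename:
@@ -711,12 +728,12 @@
 def _do_attachment_move(pagename, request):
 _ = request.getText
 
 if 'cancel' in request.form:
 return _('Move aborted!')
-if not wikiutil.checkTicket(request, request.form['ticket'][0]):
-return _('Please use the interactive user interface to move attachments!')
+if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.move' }
 if not request.user.may.delete(pagename):
 return _('You are not allowed to move attachments from this page.')
 
 if 'newpagename' in request.form:
 new_pagename = request.form.get('newpagename')[0]
@@ -829,10 +846,13 @@
 
 
 def _do_install(pagename, request):
 _ = request.getText
 
+if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.install' }
+
 pagename, target, targetpath = _access_file(pagename, request)
 if not request.user.isSuperUser():
 return _('You are not allowed to install files.')
 if not target:
 return
@@ -852,12 +872,15 @@
 upload_form(pagename, request, msg=msg)
 
 
 def _do_unzip(pagename, request, overwrite=False):
 _ = request.getText
+
+if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.unzip' }
+
 pagename, filename, fpath = _access_file(pagename, request)
-
 if not (request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename)):
 return _('You are not allowed to unzip attachments of this page.')
 
 if not filename:
 return # error msg already sent in _access_file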
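Review bot: The ticket guard added at new lines 563–564 of _do_upload is copied verbatim into _do_savedrawing, _do_del, _do_attachment_move, _do_install and _do_unzip with only the action name differing, so the six copies can drift apart on the next change; a helper such as `def _check_ticket(request, actionname):` that does the form lookup and returns the error text (or None) would keep the lookup and the i18n string in one place, with each handler reduced to `msg = _check_ticket(request, 'AttachFile.upload')` / `if msg: return msg`. Every copy defaults a missing ticket to `''`, which relies on wikiutil.checkTicket treating the empty string as invalid rather than raising on it — that is not visible here and is worth confirming, since this default is what refuses a request sent without the form. The guard runs before the ACL checks in each handler, so a request without a valid ticket is refused before any permission lookup, which is the right order. The bodies of these handlers, and the callers that route `do=` values to them, lie outside the shown hunks.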