changeset 3152:719c5bf80150

AttachFile: move ACL processing to handlers, simplify
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Thu, 28 Feb 2008 22:26:08 +0100
parents 863d90c05507
children 5a71d373fe8f
files MoinMoin/action/AttachFile.py
diffstat 1 files changed, 75 insertions(+), 109 deletions(-) [+]
line wrap: on
line diff
--- a/MoinMoin/action/AttachFile.py	Thu Feb 28 21:48:10 2008 +0100
+++ b/MoinMoin/action/AttachFile.py	Thu Feb 28 22:26:08 2008 +0100
@@ -83,7 +83,7 @@
         qs = ''
     return "%s/%s%s" % (request.getScriptname(), wikiutil.quoteWikinameURL(pagename), qs)
 
-    
+
 def getAttachUrl(pagename, filename, request, addts=0, escaped=0, do='get', drawing='', upload=False):
     """ Get URL that points to attachment `filename` of page `pagename`. """
     if upload:
@@ -523,96 +523,20 @@
         error_msg(pagename, request, msg)
         return
 
-    do = request.form.get('do')
-    if do is None:
-        upload_form(pagename, request)
-        return
-
-    msg = None
-    do = do[0]
-
-    # First handle read-only access to attachments:
-    if do == 'get':
-        if request.user.may.read(pagename):
-            get_file(pagename, request)
-        else:
-            msg = _('You are not allowed to get attachments from this page.')
-    elif do == 'view':
-        if request.user.may.read(pagename):
-            view_file(pagename, request)
-        else:
-            msg = _('You are not allowed to view attachments of this page.')
-    elif do == 'move':
-        if request.user.may.delete(pagename):
-            send_moveform(pagename, request)
-        else:
-            msg = _('You are not allowed to move attachments from this page.')
-
-    # Second handle write access:
-    elif do == 'upload':
-        # Currently we only check TextCha for upload (this is what spammers ususally do),
-        # but it could be extended to more/all attachment write access
-        if not TextCha(request).check_answer_from_form():
-            msg = _('TextCha: Wrong answer! Go back and try again...')
-        else:
-            overwrite = 0
-            if 'overwrite' in request.form:
-                try:
-                    overwrite = int(request.form['overwrite'][0])
-                except:
-                    pass
-            if (not overwrite and request.user.may.write(pagename)) or \
-               (overwrite and request.user.may.write(pagename) and request.user.may.delete(pagename)):
-                if 'file' in request.form:
-                    do_upload(pagename, request, overwrite)
-                else:
-                    # This might happen when trying to upload file names
-                    # with non-ascii characters on Safari.
-                    msg = _("No file content. Delete non ASCII characters from the file name and try again.")
-            else:
-                msg = _('You are not allowed to attach a file to this page.')
-    elif do == 'savedrawing':
-        if request.user.may.write(pagename):
-            save_drawing(pagename, request)
-            request.emit_http_headers()
-            request.write("OK")
-        else:
-            msg = _('You are not allowed to save a drawing on this page.')
-    elif do == 'del':
-        if request.user.may.delete(pagename):
-            del_file(pagename, request)
-        else:
-            msg = _('You are not allowed to delete attachments on this page.')
-    elif do == 'attachment_move':
-        if 'cancel' in request.form:
-            msg = _('Move aborted!')
-            error_msg(pagename, request, msg)
-            return
-        if not wikiutil.checkTicket(request, request.form['ticket'][0]):
-            msg = _('Please use the interactive user interface to move attachments!')
-            error_msg(pagename, request, msg)
-            return
-        if request.user.may.delete(pagename):
-            attachment_move(pagename, request)
-        else:
-            msg = _('You are not allowed to move attachments from this page.')
-    elif do == 'unzip':
-        if request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename):
-            unzip_file(pagename, request)
-        else:
-            msg = _('You are not allowed to unzip attachments of this page.')
-    elif do == 'install':
-        if request.user.isSuperUser():
-            install_package(pagename, request)
-        else:
-            msg = _('You are not allowed to install files.')
+    do = request.form.get('do', ['upload_form'])
+    handler = globals().get('_do_%s' % do[0])
+    if handler:
+        msg = handler(pagename, request)
     else:
-        msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do), )
-
+        msg = _('Unsupported AttachFile sub-action: %s', formatted=False) % (wikiutil.escape(do[0]), )
     if msg:
         error_msg(pagename, request, msg)
 
 
+def _do_upload_form(pagename, request):
+    upload_form(pagename, request)
+
+
 def upload_form(pagename, request, msg=''):
     _ = request.getText
 
@@ -628,16 +552,33 @@
     request.theme.send_closing_html()
 
 
-def do_upload(pagename, request, overwrite):
+def _do_upload(pagename, request):
     _ = request.getText
+    # Currently we only check TextCha for upload (this is what spammers ususally do),
+    # but it could be extended to more/all attachment write access
+    if not TextCha(request).check_answer_from_form():
+        return _('TextCha: Wrong answer! Go back and try again...')
+
+    overwrite = request.form.get('overwrite', ['0'])[0]
+    try:
+        overwrite = int(overwrite)
+    except:
+        overwrite = 0
+
+    if (overwrite or not request.user.may.write(pagename)) and \
+       (not overwrite or not request.user.may.write(pagename) or not request.user.may.delete(pagename)):
+        return _('You are not allowed to attach a file to this page.')
+
+    if 'file' not in request.form:
+        # This might happen when trying to upload file names
+        # with non-ascii characters on Safari.
+        return _("No file content. Delete non ASCII characters from the file name and try again.")
 
     # make filename
-    filename = None
-    if 'file__filename__' in request.form:
-        filename = request.form['file__filename__']
-    rename = None
-    if 'rename' in request.form:
-        rename = request.form['rename'][0].strip()
+    filename = request.form.get('file__filename__')
+    rename = request.form.get('rename', [None])[0]
+    if rename:
+        rename = rename.strip()
 
     # if we use twisted, "rename" field is NOT optional, because we
     # can't access the client filename
@@ -648,8 +589,7 @@
     elif filename:
         target = filename
     else:
-        error_msg(pagename, request, _("Filename of attachment not specified!"))
-        return
+        return _("Filename of attachment not specified!")
 
     # get file content
     filecontent = request.form['file'][0]
@@ -677,7 +617,9 @@
     upload_form(pagename, request, msg)
 
 
-def save_drawing(pagename, request):
+def _do_savedrawing(pagename, request):
+    if not request.user.may.write(pagename):
+        return _('You are not allowed to save a drawing on this page.')
 
     filename = request.form['filename'][0]
     filecontent = request.form['filepath'][0]
@@ -711,11 +653,16 @@
     if ext == '.map':
         os.utime(getAttachDir(request, pagename), None)
 
+    request.emit_http_headers()
+    request.write("OK")
 
-def del_file(pagename, request):
+
+def _do_del(pagename, request):
     _ = request.getText
 
-    filename, fpath = _access_file(pagename, request)
+    pagename, filename, fpath = _access_file(pagename, request)
+    if not request.user.may.delete(pagename):
+        return _('You are not allowed to delete attachments on this page.')
     if not filename:
         return # error msg already sent in _access_file
 
@@ -762,8 +709,16 @@
             'newpagename': new_pagename})
 
 
-def attachment_move(pagename, request):
+def _do_attachment_move(pagename, request):
     _ = request.getText
+
+    if 'cancel' in request.form:
+        return _('Move aborted!')
+    if not wikiutil.checkTicket(request, request.form['ticket'][0]):
+        return _('Please use the interactive user interface to move attachments!')
+    if not request.user.may.delete(pagename):
+        return _('You are not allowed to move attachments from this page.')
+
     if 'newpagename' in request.form:
         new_pagename = request.form.get('newpagename')[0]
     else:
@@ -781,10 +736,12 @@
     move_file(request, pagename, new_pagename, attachment, new_attachment)
 
 
-def send_moveform(pagename, request):
+def _do_move(pagename, request):
     _ = request.getText
 
-    filename, fpath = _access_file(pagename, request)
+    pagename, filename, fpath = _access_file(pagename, request)
+    if not request.user.may.delete(pagename):
+        return _('You are not allowed to move attachments from this page.')
     if not filename:
         return # error msg already sent in _access_file
 
@@ -834,10 +791,12 @@
     return thispage.send_page()
 
 
-def get_file(pagename, request):
+def _do_get(pagename, request):
     import shutil
 
-    filename, fpath = _access_file(pagename, request)
+    pagename, filename, fpath = _access_file(pagename, request)
+    if not request.user.may.read(pagename):
+        return _('You are not allowed to get attachments from this page.')
     if not filename:
         return # error msg already sent in _access_file
 
@@ -870,10 +829,12 @@
         shutil.copyfileobj(open(fpath, 'rb'), request, 8192)
 
 
-def install_package(pagename, request):
+def _do_install(pagename, request):
     _ = request.getText
 
-    target, targetpath = _access_file(pagename, request)
+    pagename, target, targetpath = _access_file(pagename, request)
+    if not request.user.isSuperUser():
+        return _('You are not allowed to install files.')
     if not target:
         return
 
@@ -892,11 +853,13 @@
     upload_form(pagename, request, msg=msg)
 
 
-def unzip_file(pagename, request):
+def _do_unzip(pagename, request):
     _ = request.getText
     valid_pathname = lambda name: ('/' not in name) and ('\\' not in name)
 
-    filename, fpath = _access_file(pagename, request)
+    pagename, filename, fpath = _access_file(pagename, request)
+    if not (request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename)):
+        return _('You are not allowed to unzip attachments of this page.')
     if not filename:
         return # error msg already sent in _access_file
 
@@ -1056,10 +1019,13 @@
     return
 
 
-def view_file(pagename, request):
+def _do_view(pagename, request):
     _ = request.getText
 
-    filename, fpath = _access_file(pagename, request)
+    orig_pagename = pagename
+    pagename, filename, fpath = _access_file(pagename, request)
+    if not request.user.may.read(pagename):
+        return _('You are not allowed to view attachments of this page.')
     if not filename:
         return