changeset 5522:879674c9320a

AttachFile: add ticketing for all operations that do modifications Tickets for upload (POST), also for every (GET) URL except do=get and do=view. Avoid KeyError if there is no ticket (was a minor issue, because there has to be one). Use the same i18n string for all "Please use the interactive user interface" messages.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 08 Feb 2010 18:56:07 +0100
parents 8a19e015d6b2
children af66afbc9a31 232cad689a08
files MoinMoin/action/AttachFile.py
diffstat 1 files changed, 26 insertions(+), 3 deletions(-) [+]
--- a/MoinMoin/action/AttachFile.py	Mon Feb 08 18:03:40 2010 +0100
+++ b/MoinMoin/action/AttachFile.py	Mon Feb 08 18:56:07 2010 +0100
@@ -79,6 +79,11 @@
 
 def attachUrl(request, pagename, filename=None, **kw):
     # filename is not used yet, but should be used later to make a sub-item url
+    if not (kw.get('do') in ['get', 'view', None]
+            and
+            kw.get('rename') is None):
+        # create a ticket for the not so harmless operations
+        kw['ticket'] = wikiutil.createTicket(request)
     if kw:
         qs = '?%s' % wikiutil.makeQueryString(kw, want_unicode=False)
     else:
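Review bot: The new guard is a negated three-line conjunction that reads as a double negative, which makes the exemption rule harder to audit than it needs to be; the positive form states it directly: `if kw.get('do') not in ('get', 'view', None) or kw.get('rename') is not None:`. The comment above the assignment would also be more useful if it said what the key is for, e.g. `# ticket: request-bound token that the _do_* handlers verify via wikiutil.checkTicket(); read-only links (do=get, do=view, plain attachment URL) stay ticket-free`. Note that the ticket now travels in GET URLs, so it will appear in access logs and browser history; whether that matters depends on how createTicket binds it to the user and time window, which is outside this hunk. attachUrl's body continues past the end of the hunk.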
@@ -474,6 +479,7 @@
 <p>
 <input type="hidden" name="action" value="%(action_name)s">
 <input type="hidden" name="do" value="upload">
+<input type="hidden" name="ticket" value="%(ticket)s">
 <input type="submit" value="%(upload_button)s">
 </p>
 </form>
@@ -488,6 +494,7 @@
     'overwrite_checked': ('', 'checked')[request.form.get('overwrite', ['0'])[0] == '1'],
     'upload_button': _('Upload'),
     'textcha': TextCha(request).render(),
+    'ticket': wikiutil.createTicket(request),
 })
 
     request.write('<h2>' + _("Attached Files") + '</h2>')
@@ -552,6 +559,10 @@
 
 def _do_upload(pagename, request):
     _ = request.getText
+
+    if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+        return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.upload' }
+
     # Currently we only check TextCha for upload (this is what spammers ususally do),
     # but it could be extended to more/all attachment write access
     if not TextCha(request).check_answer_from_form():
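Review bot: The two-line ticket check and its rejection message are repeated verbatim here in _do_upload and again in _do_savedrawing, _do_del, _do_move, _do_install and _do_unzip, differing only in the action name; the move handler's copy had already drifted in wording once, which is exactly what this commit has to clean up. A small module-level helper returning the error message (or None) keeps the six sites identical and gives the check a single place to document and to change if the ticket lookup ever moves out of `request.form`. Each handler would then reduce to a two-line call as shown below; the remaining bodies are unchanged.

```python
def _check_ticket(request, actionname):
    """Return the i18n rejection message if the request carries no valid
    ticket (CSRF protection for modifying actions), otherwise None."""
    _ = request.getText
    if wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
        return None
    return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': actionname}


def _do_upload(pagename, request):
    _ = request.getText

    msg = _check_ticket(request, 'AttachFile.upload')
    if msg:
        return msg

    # … unchanged: TextCha check and the rest of the upload handling …
```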
@@ -607,6 +618,9 @@
 def _do_savedrawing(pagename, request):
     _ = request.getText
 
+    if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+        return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.savedrawing' }
+
     if not request.user.may.write(pagename):
         return _('You are not allowed to save a drawing on this page.')
 
@@ -654,6 +668,9 @@
 def _do_del(pagename, request):
     _ = request.getText
 
+    if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+        return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.del' }
+
     pagename, filename, fpath = _access_file(pagename, request)
     if not request.user.may.delete(pagename):
         return _('You are not allowed to delete attachments on this page.')
@@ -713,8 +730,8 @@
 
     if 'cancel' in request.form:
         return _('Move aborted!')
-    if not wikiutil.checkTicket(request, request.form['ticket'][0]):
-        return _('Please use the interactive user interface to move attachments!')
+    if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+        return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.move' }
     if not request.user.may.delete(pagename):
         return _('You are not allowed to move attachments from this page.')
 
@@ -831,6 +848,9 @@
 def _do_install(pagename, request):
     _ = request.getText
 
+    if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+        return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.install' }
+
     pagename, target, targetpath = _access_file(pagename, request)
     if not request.user.isSuperUser():
         return _('You are not allowed to install files.')
@@ -854,8 +874,11 @@
 
 def _do_unzip(pagename, request, overwrite=False):
     _ = request.getText
+
+    if not wikiutil.checkTicket(request, request.form.get('ticket', [''])[0]):
+        return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'AttachFile.unzip' }
+
     pagename, filename, fpath = _access_file(pagename, request)
-
     if not (request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename)):
         return _('You are not allowed to unzip attachments of this page.')