heckyel/mediagoblin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote branch 'remotes/jwandborg/f403_ability_to_delete'

Browse Source
This commit is contained in:
Christopher Allan Webber 2011-08-30 20:16:47 -05:00
commit 2886b340d3
13 changed files with 214 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
mediagoblin/auth/views.py
View File

@ -44,11 +44,12 @@ def register(request):
if request.method == 'POST' and register_form.validate(): if request.method == 'POST' and register_form.validate():
# TODO: Make sure the user doesn't exist already # TODO: Make sure the user doesn't exist already
username = unicode(request.POST['username'].lower())
email = unicode(request.POST['email'].lower())
users_with_username = request.db.User.find( users_with_username = request.db.User.find(
{'username': request.POST['username'].lower()}).count() {'username': username}).count()
users_with_email = request.db.User.find( users_with_email = request.db.User.find(
{'email': request.POST['email'].lower()}).count() {'email': email}).count()
extra_validation_passes = True extra_validation_passes = True
@ -64,8 +65,8 @@ def register(request):
if extra_validation_passes: if extra_validation_passes:
# Create the user # Create the user
user = request.db.User() user = request.db.User()
user['username'] = request.POST['username'].lower() user['username'] = username
user['email'] = request.POST['email'].lower() user['email'] = email
user['pw_hash'] = auth_lib.bcrypt_gen_password_hash( user['pw_hash'] = auth_lib.bcrypt_gen_password_hash(
request.POST['password']) request.POST['password'])
user.save(validate=True) user.save(validate=True)

26
mediagoblin/decorators.py
View File

@ -51,6 +51,31 @@ def require_active_login(controller):
return _make_safe(new_controller_func, controller) return _make_safe(new_controller_func, controller)
def user_may_delete_media(controller):
"""
Require user ownership of the MediaEntry
Originally:
def may_delete_media(request, media):
\"\"\"
Check, if the request's user may edit the media details
\"\"\"
if media['uploader'] == request.user['_id']:
return True
if request.user['is_admin']:
return True
return False
"""
def wrapper(request, *args, **kwargs):
if not request.user['_id'] == request.db.MediaEntry.find_one(
{'_id': ObjectId(
request.matchdict['media'])}).uploader()['_id']:
return exc.HTTPForbidden()
return controller(request, *args, **kwargs)
return _make_safe(wrapper, controller)
def uses_pagination(controller): def uses_pagination(controller):
""" """
@ -122,3 +147,4 @@ def get_media_entry_by_id(controller):
return controller(request, media=media, *args, **kwargs) return controller(request, media=media, *args, **kwargs)
return _make_safe(wrapper, controller) return _make_safe(wrapper, controller)

11
mediagoblin/edit/views.py
View File

@ -14,6 +14,7 @@
# You should have received a copy of the GNU Affero General Public License # You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import uuid
from webob import exc from webob import exc
from string import split from string import split
@ -64,8 +65,8 @@ def edit_media(request, media):
form.slug.errors.append( form.slug.errors.append(
_(u'An entry with that slug already exists for this user.')) _(u'An entry with that slug already exists for this user.'))
else: else:
media['title'] = request.POST['title'] media['title'] = unicode(request.POST['title'])
media['description'] = request.POST.get('description') media['description'] = unicode(request.POST.get('description'))
media['tags'] = convert_to_tag_list_of_dicts( media['tags'] = convert_to_tag_list_of_dicts(
request.POST.get('tags')) request.POST.get('tags'))
@ -80,7 +81,7 @@ def edit_media(request, media):
and 'y' == request.POST['attachment_delete']: and 'y' == request.POST['attachment_delete']:
del media['attachment_files'][0] del media['attachment_files'][0]
media['slug'] = request.POST['slug'] media['slug'] = unicode(request.POST['slug'])
media.save() media.save()
return redirect(request, "mediagoblin.user_pages.media_home", return redirect(request, "mediagoblin.user_pages.media_home",
@ -171,8 +172,8 @@ def edit_profile(request):
bio=user.get('bio')) bio=user.get('bio'))
if request.method == 'POST' and form.validate(): if request.method == 'POST' and form.validate():
user['url'] = request.POST['url'] user['url'] = unicode(request.POST['url'])
user['bio'] = request.POST['bio'] user['bio'] = unicode(request.POST['bio'])
user['bio_html'] = cleaned_markdown_conversion(user['bio']) user['bio_html'] = cleaned_markdown_conversion(user['bio'])

1
mediagoblin/routing.py
View File

@ -21,6 +21,7 @@ from mediagoblin.submit.routing import submit_routes
from mediagoblin.user_pages.routing import user_routes from mediagoblin.user_pages.routing import user_routes
from mediagoblin.edit.routing import edit_routes from mediagoblin.edit.routing import edit_routes
from mediagoblin.listings.routing import tag_routes from mediagoblin.listings.routing import tag_routes
from mediagoblin.confirm.routing import confirm_routes
def get_mapper(): def get_mapper():

3
mediagoblin/storage.py
View File

@ -281,7 +281,8 @@ class CloudFilesStorage(StorageInterface):
def delete_file(self, filepath): def delete_file(self, filepath):
# TODO: Also delete unused directories if empty (safely, with # TODO: Also delete unused directories if empty (safely, with
# checks to avoid race conditions). # checks to avoid race conditions).
self.container.delete_object(filepath) self.container.delete_object(
self._resolve_filepath(filepath))
def file_url(self, filepath): def file_url(self, filepath):
return '/'.join([ return '/'.join([

4
mediagoblin/submit/views.py
View File

@ -55,10 +55,10 @@ def submit_start(request):
entry = request.db.MediaEntry() entry = request.db.MediaEntry()
entry['_id'] = ObjectId() entry['_id'] = ObjectId()
entry['title'] = ( entry['title'] = (
request.POST['title'] unicode(request.POST['title'])
or unicode(splitext(filename)[0])) or unicode(splitext(filename)[0]))
entry['description'] = request.POST.get('description') entry['description'] = unicode(request.POST.get('description'))
entry['description_html'] = cleaned_markdown_conversion( entry['description_html'] = cleaned_markdown_conversion(
entry['description']) entry['description'])

7
mediagoblin/templates/mediagoblin/user_pages/media.html
View File

@ -128,8 +128,11 @@
class="media_icon" />edit</a> class="media_icon" />edit</a>
</p> </p>
<p> <p>
<img src="{{ request.staticdirect('/images/icon_delete.png') }}" <a href="{{ request.urlgen('mediagoblin.user_pages.media_confirm_delete',
class="media_icon" />{% trans %}delete{% endtrans %} user= media.uploader().username,
media= media._id) }}"
><img src="{{ request.staticdirect('/images/icon_delete.png') }}"
class="media_icon" />{% trans %}delete{% endtrans %}</a>
</p> </p>
{% endif %} {% endif %}

48
mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete.html Normal file
View File

@ -0,0 +1,48 @@
{#
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011 Free Software Foundation, Inc
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#}
{% extends "mediagoblin/base.html" %}
{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %}
{% block mediagoblin_content %}
<form action="{{ request.urlgen('mediagoblin.user_pages.media_confirm_delete',
user=media.uploader().username,
media=media._id) }}"
method="POST" enctype="multipart/form-data">
<div class="grid_8 prefix_1 suffix_1 edit_box form_box">
<h1>
{%- trans title=media['title'] -%}
Really delete {{ title }}?
{%- endtrans %}
</h1>
<p>
<em>
{%- trans -%}
If you choose yes, the media entry will be deleted <strong>permanently.</strong>
{%- endtrans %}
</em>
</p>
{{ wtforms_util.render_divs(form) }}
<div class="form_submit_buttons">
<input type="submit" value="{% trans %}Save changes{% endtrans %}" class="button" />
</div>
</div>
</form>
{% endblock %}

61
mediagoblin/tests/test_submission.py
View File

@ -17,7 +17,7 @@
import urlparse import urlparse
import pkg_resources import pkg_resources
from nose.tools import assert_equal from nose.tools import assert_equal, assert_true, assert_false
from mediagoblin.auth import lib as auth_lib from mediagoblin.auth import lib as auth_lib
from mediagoblin.tests.tools import setup_fresh_app, get_test_app from mediagoblin.tests.tools import setup_fresh_app, get_test_app
@ -53,6 +53,8 @@ class TestSubmission:
test_user['pw_hash'] = auth_lib.bcrypt_gen_password_hash('toast') test_user['pw_hash'] = auth_lib.bcrypt_gen_password_hash('toast')
test_user.save() test_user.save()
self.test_user = test_user
self.test_app.post( self.test_app.post(
'/auth/login/', { '/auth/login/', {
'username': u'chris', 'username': u'chris',
@ -150,6 +152,63 @@ class TestSubmission:
u'Tags must be shorter than 50 characters. Tags that are too long'\ u'Tags must be shorter than 50 characters. Tags that are too long'\
': ffffffffffffffffffffffffffuuuuuuuuuuuuuuuuuuuuuuuuuu'] ': ffffffffffffffffffffffffffuuuuuuuuuuuuuuuuuuuuuuuuuu']
def test_delete(self):
util.clear_test_template_context()
response = self.test_app.post(
'/submit/', {
'title': 'Balanced Goblin',
}, upload_files=[(
'file', GOOD_JPG)])
# Post image
response.follow()
request = util.TEMPLATE_TEST_CONTEXT[
'mediagoblin/user_pages/user.html']['request']
media = request.db.MediaEntry.find({'title': 'Balanced Goblin'})[0]
# Does media entry exist?
assert_true(media)
# Do not confirm deletion
# ---------------------------------------------------
response = self.test_app.post(
request.urlgen('mediagoblin.user_pages.media_confirm_delete',
# No work: user=media.uploader().username,
user=self.test_user['username'],
media=media['_id']),
{'confirm': 'False'})
response.follow()
request = util.TEMPLATE_TEST_CONTEXT[
'mediagoblin/user_pages/user.html']['request']
media = request.db.MediaEntry.find({'title': 'Balanced Goblin'})[0]
# Does media entry still exist?
assert_true(media)
# Confirm deletion
# ---------------------------------------------------
response = self.test_app.post(
request.urlgen('mediagoblin.user_pages.media_confirm_delete',
# No work: user=media.uploader().username,
user=self.test_user['username'],
media=media['_id']),
{'confirm': 'True'})
response.follow()
request = util.TEMPLATE_TEST_CONTEXT[
'mediagoblin/user_pages/user.html']['request']
# Does media entry still exist?
assert_false(
request.db.MediaEntry.find(
{'_id': media['_id']}).count())
def test_malicious_uploads(self): def test_malicious_uploads(self):
# Test non-suppoerted file with non-supported extension # Test non-suppoerted file with non-supported extension
# ----------------------------------------------------- # -----------------------------------------------------

7
mediagoblin/user_pages/forms.py
View File

@ -23,3 +23,10 @@ class MediaCommentForm(wtforms.Form):
comment_content = wtforms.TextAreaField( comment_content = wtforms.TextAreaField(
_('Comment'), _('Comment'),
[wtforms.validators.Required()]) [wtforms.validators.Required()])
class ConfirmDeleteForm(wtforms.Form):
confirm = wtforms.RadioField('Confirm',
default='False',
choices=[('False', 'No, I made a mistake!'),
('True', 'Yes, delete it!')])

3
mediagoblin/user_pages/routing.py
View File

@ -32,6 +32,9 @@ user_routes = [
Route('mediagoblin.edit.attachments', Route('mediagoblin.edit.attachments',
'/{user}/m/{media}/attachments/', '/{user}/m/{media}/attachments/',
controller="mediagoblin.edit.views:edit_attachments"), controller="mediagoblin.edit.views:edit_attachments"),
Route('mediagoblin.user_pages.media_confirm_delete',
"/{user}/m/{media}/confirm-delete/",
controller="mediagoblin.user_pages.views:media_confirm_delete"),
Route('mediagoblin.user_pages.atom_feed', '/{user}/atom/', Route('mediagoblin.user_pages.atom_feed', '/{user}/atom/',
controller="mediagoblin.user_pages.views:atom_feed"), controller="mediagoblin.user_pages.views:atom_feed"),
Route('mediagoblin.user_pages.media_post_comment', Route('mediagoblin.user_pages.media_post_comment',

36
mediagoblin/user_pages/views.py
View File

@ -20,11 +20,11 @@ from mediagoblin import messages, mg_globals
from mediagoblin.db.util import DESCENDING, ObjectId from mediagoblin.db.util import DESCENDING, ObjectId
from mediagoblin.util import ( from mediagoblin.util import (
Pagination, render_to_response, redirect, cleaned_markdown_conversion, Pagination, render_to_response, redirect, cleaned_markdown_conversion,
render_404) render_404, delete_media_files)
from mediagoblin.user_pages import forms as user_forms from mediagoblin.user_pages import forms as user_forms
from mediagoblin.decorators import (uses_pagination, get_user_media_entry, from mediagoblin.decorators import (uses_pagination, get_user_media_entry,
require_active_login) require_active_login, user_may_delete_media)
from werkzeug.contrib.atom import AtomFeed from werkzeug.contrib.atom import AtomFeed
@ -130,7 +130,7 @@ def media_post_comment(request):
comment = request.db.MediaComment() comment = request.db.MediaComment()
comment['media_entry'] = ObjectId(request.matchdict['media']) comment['media_entry'] = ObjectId(request.matchdict['media'])
comment['author'] = request.user['_id'] comment['author'] = request.user['_id']
comment['content'] = request.POST['comment_content'] comment['content'] = unicode(request.POST['comment_content'])
comment['content_html'] = cleaned_markdown_conversion(comment['content']) comment['content_html'] = cleaned_markdown_conversion(comment['content'])
@ -145,6 +145,36 @@ def media_post_comment(request):
user = request.matchdict['user']) user = request.matchdict['user'])
@get_user_media_entry
@require_active_login
@user_may_delete_media
def media_confirm_delete(request, media):
form = user_forms.ConfirmDeleteForm(request.POST)
if request.method == 'POST' and form.validate():
if request.POST.get('confirm') == 'True':
username = media.uploader()['username']
# Delete all files on the public storage
delete_media_files(media)
media.delete()
return redirect(request, "mediagoblin.user_pages.user_home",
user=username)
else:
return redirect(request, "mediagoblin.user_pages.media_home",
user=media.uploader()['username'],
media=media['slug'])
return render_to_response(
request,
'mediagoblin/user_pages/media_confirm_delete.html',
{'media': media,
'form': form})
ATOM_DEFAULT_NR_OF_UPDATED_ITEMS = 15 ATOM_DEFAULT_NR_OF_UPDATED_ITEMS = 15
def atom_feed(request): def atom_feed(request):

15
mediagoblin/util.py
View File

@ -681,3 +681,18 @@ def render_404(request):
""" """
return render_to_response( return render_to_response(
request, 'mediagoblin/404.html', {}, status=400) request, 'mediagoblin/404.html', {}, status=400)
def delete_media_files(media):
"""
Delete all files associated with a MediaEntry
Arguments:
- media: A MediaEntry document
"""
for handle, listpath in media['media_files'].items():
mg_globals.public_store.delete_file(
listpath)
for attachment in media['attachment_files']:
mg_globals.public_store.delete_file(
attachment['filepath'])