Merge remote branch 'remotes/jwandborg/f403_ability_to_delete'
This commit is contained in:
commit
2886b340d3
@ -44,11 +44,12 @@ def register(request):
|
||||
|
||||
if request.method == 'POST' and register_form.validate():
|
||||
# TODO: Make sure the user doesn't exist already
|
||||
|
||||
username = unicode(request.POST['username'].lower())
|
||||
email = unicode(request.POST['email'].lower())
|
||||
users_with_username = request.db.User.find(
|
||||
{'username': request.POST['username'].lower()}).count()
|
||||
{'username': username}).count()
|
||||
users_with_email = request.db.User.find(
|
||||
{'email': request.POST['email'].lower()}).count()
|
||||
{'email': email}).count()
|
||||
|
||||
extra_validation_passes = True
|
||||
|
||||
@ -64,8 +65,8 @@ def register(request):
|
||||
if extra_validation_passes:
|
||||
# Create the user
|
||||
user = request.db.User()
|
||||
user['username'] = request.POST['username'].lower()
|
||||
user['email'] = request.POST['email'].lower()
|
||||
user['username'] = username
|
||||
user['email'] = email
|
||||
user['pw_hash'] = auth_lib.bcrypt_gen_password_hash(
|
||||
request.POST['password'])
|
||||
user.save(validate=True)
|
||||
|
@ -51,6 +51,31 @@ def require_active_login(controller):
|
||||
|
||||
return _make_safe(new_controller_func, controller)
|
||||
|
||||
def user_may_delete_media(controller):
|
||||
"""
|
||||
Require user ownership of the MediaEntry
|
||||
|
||||
Originally:
|
||||
def may_delete_media(request, media):
|
||||
\"\"\"
|
||||
Check, if the request's user may edit the media details
|
||||
\"\"\"
|
||||
if media['uploader'] == request.user['_id']:
|
||||
return True
|
||||
if request.user['is_admin']:
|
||||
return True
|
||||
return False
|
||||
"""
|
||||
def wrapper(request, *args, **kwargs):
|
||||
if not request.user['_id'] == request.db.MediaEntry.find_one(
|
||||
{'_id': ObjectId(
|
||||
request.matchdict['media'])}).uploader()['_id']:
|
||||
return exc.HTTPForbidden()
|
||||
|
||||
return controller(request, *args, **kwargs)
|
||||
|
||||
return _make_safe(wrapper, controller)
|
||||
|
||||
|
||||
def uses_pagination(controller):
|
||||
"""
|
||||
@ -122,3 +147,4 @@ def get_media_entry_by_id(controller):
|
||||
return controller(request, media=media, *args, **kwargs)
|
||||
|
||||
return _make_safe(wrapper, controller)
|
||||
|
||||
|
@ -14,6 +14,7 @@
|
||||
# You should have received a copy of the GNU Affero General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
import uuid
|
||||
|
||||
from webob import exc
|
||||
from string import split
|
||||
@ -64,8 +65,8 @@ def edit_media(request, media):
|
||||
form.slug.errors.append(
|
||||
_(u'An entry with that slug already exists for this user.'))
|
||||
else:
|
||||
media['title'] = request.POST['title']
|
||||
media['description'] = request.POST.get('description')
|
||||
media['title'] = unicode(request.POST['title'])
|
||||
media['description'] = unicode(request.POST.get('description'))
|
||||
media['tags'] = convert_to_tag_list_of_dicts(
|
||||
request.POST.get('tags'))
|
||||
|
||||
@ -80,7 +81,7 @@ def edit_media(request, media):
|
||||
and 'y' == request.POST['attachment_delete']:
|
||||
del media['attachment_files'][0]
|
||||
|
||||
media['slug'] = request.POST['slug']
|
||||
media['slug'] = unicode(request.POST['slug'])
|
||||
media.save()
|
||||
|
||||
return redirect(request, "mediagoblin.user_pages.media_home",
|
||||
@ -171,8 +172,8 @@ def edit_profile(request):
|
||||
bio=user.get('bio'))
|
||||
|
||||
if request.method == 'POST' and form.validate():
|
||||
user['url'] = request.POST['url']
|
||||
user['bio'] = request.POST['bio']
|
||||
user['url'] = unicode(request.POST['url'])
|
||||
user['bio'] = unicode(request.POST['bio'])
|
||||
|
||||
user['bio_html'] = cleaned_markdown_conversion(user['bio'])
|
||||
|
||||
|
@ -21,6 +21,7 @@ from mediagoblin.submit.routing import submit_routes
|
||||
from mediagoblin.user_pages.routing import user_routes
|
||||
from mediagoblin.edit.routing import edit_routes
|
||||
from mediagoblin.listings.routing import tag_routes
|
||||
from mediagoblin.confirm.routing import confirm_routes
|
||||
|
||||
|
||||
def get_mapper():
|
||||
|
@ -281,7 +281,8 @@ class CloudFilesStorage(StorageInterface):
|
||||
def delete_file(self, filepath):
|
||||
# TODO: Also delete unused directories if empty (safely, with
|
||||
# checks to avoid race conditions).
|
||||
self.container.delete_object(filepath)
|
||||
self.container.delete_object(
|
||||
self._resolve_filepath(filepath))
|
||||
|
||||
def file_url(self, filepath):
|
||||
return '/'.join([
|
||||
|
@ -55,10 +55,10 @@ def submit_start(request):
|
||||
entry = request.db.MediaEntry()
|
||||
entry['_id'] = ObjectId()
|
||||
entry['title'] = (
|
||||
request.POST['title']
|
||||
unicode(request.POST['title'])
|
||||
or unicode(splitext(filename)[0]))
|
||||
|
||||
entry['description'] = request.POST.get('description')
|
||||
entry['description'] = unicode(request.POST.get('description'))
|
||||
entry['description_html'] = cleaned_markdown_conversion(
|
||||
entry['description'])
|
||||
|
||||
|
@ -128,8 +128,11 @@
|
||||
class="media_icon" />edit</a>
|
||||
</p>
|
||||
<p>
|
||||
<img src="{{ request.staticdirect('/images/icon_delete.png') }}"
|
||||
class="media_icon" />{% trans %}delete{% endtrans %}
|
||||
<a href="{{ request.urlgen('mediagoblin.user_pages.media_confirm_delete',
|
||||
user= media.uploader().username,
|
||||
media= media._id) }}"
|
||||
><img src="{{ request.staticdirect('/images/icon_delete.png') }}"
|
||||
class="media_icon" />{% trans %}delete{% endtrans %}</a>
|
||||
</p>
|
||||
{% endif %}
|
||||
|
||||
|
@ -0,0 +1,48 @@
|
||||
{#
|
||||
# GNU MediaGoblin -- federated, autonomous media hosting
|
||||
# Copyright (C) 2011 Free Software Foundation, Inc
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Affero General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU Affero General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU Affero General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#}
|
||||
{% extends "mediagoblin/base.html" %}
|
||||
|
||||
{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %}
|
||||
|
||||
{% block mediagoblin_content %}
|
||||
|
||||
<form action="{{ request.urlgen('mediagoblin.user_pages.media_confirm_delete',
|
||||
user=media.uploader().username,
|
||||
media=media._id) }}"
|
||||
method="POST" enctype="multipart/form-data">
|
||||
<div class="grid_8 prefix_1 suffix_1 edit_box form_box">
|
||||
<h1>
|
||||
{%- trans title=media['title'] -%}
|
||||
Really delete {{ title }}?
|
||||
{%- endtrans %}
|
||||
</h1>
|
||||
<p>
|
||||
<em>
|
||||
{%- trans -%}
|
||||
If you choose yes, the media entry will be deleted <strong>permanently.</strong>
|
||||
{%- endtrans %}
|
||||
</em>
|
||||
</p>
|
||||
|
||||
{{ wtforms_util.render_divs(form) }}
|
||||
<div class="form_submit_buttons">
|
||||
<input type="submit" value="{% trans %}Save changes{% endtrans %}" class="button" />
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
{% endblock %}
|
@ -17,7 +17,7 @@
|
||||
import urlparse
|
||||
import pkg_resources
|
||||
|
||||
from nose.tools import assert_equal
|
||||
from nose.tools import assert_equal, assert_true, assert_false
|
||||
|
||||
from mediagoblin.auth import lib as auth_lib
|
||||
from mediagoblin.tests.tools import setup_fresh_app, get_test_app
|
||||
@ -53,6 +53,8 @@ class TestSubmission:
|
||||
test_user['pw_hash'] = auth_lib.bcrypt_gen_password_hash('toast')
|
||||
test_user.save()
|
||||
|
||||
self.test_user = test_user
|
||||
|
||||
self.test_app.post(
|
||||
'/auth/login/', {
|
||||
'username': u'chris',
|
||||
@ -150,6 +152,63 @@ class TestSubmission:
|
||||
u'Tags must be shorter than 50 characters. Tags that are too long'\
|
||||
': ffffffffffffffffffffffffffuuuuuuuuuuuuuuuuuuuuuuuuuu']
|
||||
|
||||
def test_delete(self):
|
||||
util.clear_test_template_context()
|
||||
response = self.test_app.post(
|
||||
'/submit/', {
|
||||
'title': 'Balanced Goblin',
|
||||
}, upload_files=[(
|
||||
'file', GOOD_JPG)])
|
||||
|
||||
# Post image
|
||||
response.follow()
|
||||
|
||||
request = util.TEMPLATE_TEST_CONTEXT[
|
||||
'mediagoblin/user_pages/user.html']['request']
|
||||
|
||||
media = request.db.MediaEntry.find({'title': 'Balanced Goblin'})[0]
|
||||
|
||||
# Does media entry exist?
|
||||
assert_true(media)
|
||||
|
||||
# Do not confirm deletion
|
||||
# ---------------------------------------------------
|
||||
response = self.test_app.post(
|
||||
request.urlgen('mediagoblin.user_pages.media_confirm_delete',
|
||||
# No work: user=media.uploader().username,
|
||||
user=self.test_user['username'],
|
||||
media=media['_id']),
|
||||
{'confirm': 'False'})
|
||||
|
||||
response.follow()
|
||||
|
||||
request = util.TEMPLATE_TEST_CONTEXT[
|
||||
'mediagoblin/user_pages/user.html']['request']
|
||||
|
||||
media = request.db.MediaEntry.find({'title': 'Balanced Goblin'})[0]
|
||||
|
||||
# Does media entry still exist?
|
||||
assert_true(media)
|
||||
|
||||
# Confirm deletion
|
||||
# ---------------------------------------------------
|
||||
response = self.test_app.post(
|
||||
request.urlgen('mediagoblin.user_pages.media_confirm_delete',
|
||||
# No work: user=media.uploader().username,
|
||||
user=self.test_user['username'],
|
||||
media=media['_id']),
|
||||
{'confirm': 'True'})
|
||||
|
||||
response.follow()
|
||||
|
||||
request = util.TEMPLATE_TEST_CONTEXT[
|
||||
'mediagoblin/user_pages/user.html']['request']
|
||||
|
||||
# Does media entry still exist?
|
||||
assert_false(
|
||||
request.db.MediaEntry.find(
|
||||
{'_id': media['_id']}).count())
|
||||
|
||||
def test_malicious_uploads(self):
|
||||
# Test non-suppoerted file with non-supported extension
|
||||
# -----------------------------------------------------
|
||||
|
@ -23,3 +23,10 @@ class MediaCommentForm(wtforms.Form):
|
||||
comment_content = wtforms.TextAreaField(
|
||||
_('Comment'),
|
||||
[wtforms.validators.Required()])
|
||||
|
||||
|
||||
class ConfirmDeleteForm(wtforms.Form):
|
||||
confirm = wtforms.RadioField('Confirm',
|
||||
default='False',
|
||||
choices=[('False', 'No, I made a mistake!'),
|
||||
('True', 'Yes, delete it!')])
|
||||
|
@ -32,6 +32,9 @@ user_routes = [
|
||||
Route('mediagoblin.edit.attachments',
|
||||
'/{user}/m/{media}/attachments/',
|
||||
controller="mediagoblin.edit.views:edit_attachments"),
|
||||
Route('mediagoblin.user_pages.media_confirm_delete',
|
||||
"/{user}/m/{media}/confirm-delete/",
|
||||
controller="mediagoblin.user_pages.views:media_confirm_delete"),
|
||||
Route('mediagoblin.user_pages.atom_feed', '/{user}/atom/',
|
||||
controller="mediagoblin.user_pages.views:atom_feed"),
|
||||
Route('mediagoblin.user_pages.media_post_comment',
|
||||
|
@ -20,11 +20,11 @@ from mediagoblin import messages, mg_globals
|
||||
from mediagoblin.db.util import DESCENDING, ObjectId
|
||||
from mediagoblin.util import (
|
||||
Pagination, render_to_response, redirect, cleaned_markdown_conversion,
|
||||
render_404)
|
||||
render_404, delete_media_files)
|
||||
from mediagoblin.user_pages import forms as user_forms
|
||||
|
||||
from mediagoblin.decorators import (uses_pagination, get_user_media_entry,
|
||||
require_active_login)
|
||||
require_active_login, user_may_delete_media)
|
||||
|
||||
from werkzeug.contrib.atom import AtomFeed
|
||||
|
||||
@ -130,7 +130,7 @@ def media_post_comment(request):
|
||||
comment = request.db.MediaComment()
|
||||
comment['media_entry'] = ObjectId(request.matchdict['media'])
|
||||
comment['author'] = request.user['_id']
|
||||
comment['content'] = request.POST['comment_content']
|
||||
comment['content'] = unicode(request.POST['comment_content'])
|
||||
|
||||
comment['content_html'] = cleaned_markdown_conversion(comment['content'])
|
||||
|
||||
@ -145,6 +145,36 @@ def media_post_comment(request):
|
||||
user = request.matchdict['user'])
|
||||
|
||||
|
||||
@get_user_media_entry
|
||||
@require_active_login
|
||||
@user_may_delete_media
|
||||
def media_confirm_delete(request, media):
|
||||
|
||||
form = user_forms.ConfirmDeleteForm(request.POST)
|
||||
|
||||
if request.method == 'POST' and form.validate():
|
||||
if request.POST.get('confirm') == 'True':
|
||||
username = media.uploader()['username']
|
||||
|
||||
# Delete all files on the public storage
|
||||
delete_media_files(media)
|
||||
|
||||
media.delete()
|
||||
|
||||
return redirect(request, "mediagoblin.user_pages.user_home",
|
||||
user=username)
|
||||
else:
|
||||
return redirect(request, "mediagoblin.user_pages.media_home",
|
||||
user=media.uploader()['username'],
|
||||
media=media['slug'])
|
||||
|
||||
return render_to_response(
|
||||
request,
|
||||
'mediagoblin/user_pages/media_confirm_delete.html',
|
||||
{'media': media,
|
||||
'form': form})
|
||||
|
||||
|
||||
ATOM_DEFAULT_NR_OF_UPDATED_ITEMS = 15
|
||||
|
||||
def atom_feed(request):
|
||||
|
@ -681,3 +681,18 @@ def render_404(request):
|
||||
"""
|
||||
return render_to_response(
|
||||
request, 'mediagoblin/404.html', {}, status=400)
|
||||
|
||||
def delete_media_files(media):
|
||||
"""
|
||||
Delete all files associated with a MediaEntry
|
||||
|
||||
Arguments:
|
||||
- media: A MediaEntry document
|
||||
"""
|
||||
for handle, listpath in media['media_files'].items():
|
||||
mg_globals.public_store.delete_file(
|
||||
listpath)
|
||||
|
||||
for attachment in media['attachment_files']:
|
||||
mg_globals.public_store.delete_file(
|
||||
attachment['filepath'])
|
||||
|
Loading…
x
Reference in New Issue
Block a user