If we send a POST request to the login page which contained form errors
(e.g. a too short password), the variable "login_failed" was not set to
true. This condition was tested by the test suite however, so we should
make sure that login_failed is set even if the form failed to validate.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
1) Remove mongo limitations (no 'or' when querying for either username
or email).
2) Lost password function revealed if an user name or email address
is registered, which can be considered a data leak.
Leaking user names is OK, they are public anyway, but don't reveal
lookup success in case the lookup happened by email address.
Simply respond: "If you have an account here, we have send you
your email"?
3) username and email search was case sensitive. Made username search
case insensitive (they are always stored lowercase in the db).
Keep email-address search case sensitive for now. This might need
further discussion
4) Remove a whole bunch of indention in the style of:
if no error:
...
if no error:
...
if no error:
actually do something in the regular case
by restructuring the function.
5) Outsource the sanity checking for username and email fields into the
validator function. This way, we get automatic case sanity checking
and sanitizing for all required fields.
6) Require 5-char password and fix tests
Originally, the Change password form required a password between 6-30
chars while the registration and login form did not require anything
special. This commit introduces a common minimum limit for all forms
which breaks the test suite which uses a 5 char password by
default. :-). As 5 chars seem sensible enough to enforce (people
should be picking much longer ones anyway), just reduce the limit to
5 chars, thereby making all tests pass.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
We were case normalizing the email address for registration, but not at
all for the forgotten password retrieval. Make a
tools.mail.normalize_email helper that can be used to normalize the
email in the same way in all places.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Previously we allowed EVERYTHING, even slashes as slug when editing the media.
Make sure we slugify the input to sanitize it.
(+ string formdata is unicode, so there is no need to convert it)
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
This test fails, because it tries to set a slug with an "="
in it. And tests that the "=" gets replaced by "-".
Well, it currently is not being replaced.
The next (cherry picked) commit by Sebastian Spaeth fixes
this test!
nosetests runs everything that even vaguely looks like a
test case... even our get_test_app. And as it is imported
everywhere... it is run everywhere as a test case. Renaming
it saves us about 10+ tests and a few seconds of time.
When rendering a comment, we had a lot of whitespace. And
some of it made it into the rendered page:
"""<a href=...>abc </a>""" the trailing space gets
rendered and looks ugly.
when linking to a comment in a MediaEntry, the page did not
contain a <a name="comment"> because, well:
We fetched a string comment-id from the routing. And the
pagination code tried to compare that to the int id on the
comment.
Fix is to let routing fetch an int from the url. Easy.
Relatedly remove duplicated comment_id fetching from the
URL in the view.
schendje rightly pointed out that we should not return to the media
homepage if we did not select a collection on the "collect" page, but
should actually return to the collect page.
This is an improvement of the user experience ;-)
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
This feature is absolutely necessary. Now a user can simply define
their default license and quickly go through a form, as opposed to
stopping to click on the select and choosing the same option over
and over again.
Also added DB migration for the field, so that's working now, too.
Rebased by Sebastian and made the default value to be unicode.
Reviewed-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Improve the "delete my account" link location by not placing it outside the
main content bar. It still might require more tweaks.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Delete a user via web interface and see if it works. TODO: this does not test
that related entries are also cleaned up and we should extend the test to
do so.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Add a "Delete user account" template and link to it from the user
account settings page.
Create a delete_account function and fill in most blanks. We can now
successfully delete our own account.
Thanks to Elrond for catching a stray csrf_exempt in a previous iteration
of this patch.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Merging an old branch, I reintroduced an import of db.sql.util rather than
db.util. Fixing the glitch.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Set User.collections to her Collections using the backref feature.
This way we can iterate a user's collections and delete them all.
Delete all MediaEntries/Files/attachments/comments/collections etc
before finally deleting the User object. This is the backend work for
issue 302 (allow a user to delete ones own account)
Deleting a MediaEntry instance will automatically
delete all related comments and files/attachments. This moves
implementation logic out of views.py and allows to make use of this
functionality when e.g. deleting a User() account.
Whenever a MediaEntry entry is deleted, this will also sql-delete
the corresponding MediaFile entry.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
We were reading the complete "medium" "thumbnail" and "original"
in RAM via dst.write(src.read()). Just call the appropriate storage
methods copy_local_to_storage which are responsible for streaming
local files efficiently.
The efficiency of this patch depends on the separate branch that
actually implements chunked copying for Storage().copy_local_to_storage()
1) destroy_self() is a horrible function name, make it "destroy".
workbench.destroy() is descriptive enough.
2) WorkbenchManager.create_workbench() -> WorkbenchManager.create()
We use the pattern "with workbench_manager.create() as workbench:"
No need to mention workbenches three times in a row...
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
This makes workbench getting more convenient by eliminating some
boilerplate and more robust by cleaning the workbench up even if processing
ends with an Exception.
Finally, this fixes the bugs in the ascii and video backends to never call
workbench.destroy, so those workbenches were never cleaned up.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
This passes in a Workbench() via the 'workbench' keyword argument, and
conveniently cleans it up after the function has finished. 2 out of our 5
backends forgot to clean up their workbench, so this is clearly needed :-).
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
This allows us to use "with Workbench() as foo: do_stuff..."
No consumers have been switched yet though.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
- add a route at /u/<user>/collections/ (note trailing 's') that lists
all existing collections
- move there the "Create new collection" link, if the user is logged in
- add a new link "Browse collections" from root.html
The move to werkzeug routing went pretty smooth, but one thing was
broken by accident: URLs without final slash result in a 301
werkzeug.routing.RequestRedirect response. We displayed it as a generic
error page rather than actually sending the redirect. Do that. One thing
it does though is to skip all meddlewares, which should be OK for a 301
response, but might need rework if we decide otherwise. With this, 301
responses with lacking final slash are unbroken again.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
