1. Our session cookies only need to be available to http, so
mark them appropiately.
2. Send the cookie to the subpath for mediagoblin.
And instantiate a session manager on the app, once.
The previous code was theoretically subject to timing attacks, where
an attacker could read the key in between the time it was saved to the
file and when the chmod happened. This version prevents that by using
umasks to ensure the files always have the right permissions.
This version also avoids using a key that cannot be saved due to some
system setup bug.
This makes session.__init__ slightly more complicated but probably
simplifies everything else, especially if we make the class smarter
later by having it track changes itself.
- Update get_display_media in several ways:
- now uses the media type's own declaration of the order of things
- returns both the media_size and the media_path, as per the docstring
- implicitly uses self.media_files as opposed to forcing you to pass it in
- update videos to use get_display_media
- update images to declare media_fetch_order in the media manager (videos also)
- update stl to use media.media_files['original'] instead of weird
use of get_display_media
- update sidebar to only conditionally show webm_640
TODO still: identify video type information *during* processing, show
that in the <video><source /></video> element.
This commit sponsored by Nathan Yergler. Thanks, nyergler!
If one deletes a media with attachments, there have been
various problems:
1) If the file in the storage did not exist any more (maybe
because due to a previous deletion attempt?), the error
propagation failed, because the wrong thing was
gathered.
2) The attachment database entries were not deleted.
Using cascade for this, for now.
Also add a simple unit test, that tests both by having a
broken attachment on a media.
- I'm having trouble seeing if the geolocation stuff actually works,
but plugins are included
- including a list of template hooks works, however the macro to
include them does not, so it's kinda verbose
- Added start of template hook code to pluginapi.py
- Started to break openstreetmap into plugin; moved templates
- Added plugin hooks in media and image media templates
... almost certainly, none of this works yet. :)
py3 does not have dict.has_key any more. You have to use
"key in dict" instead. As that works in python2 as well,
let's use that.
Also some small bits of pep8.
We were case normalizing the email address for registration, but not at
all for the forgotten password retrieval. Make a
tools.mail.normalize_email helper that can be used to normalize the
email in the same way in all places.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
