41
42
from ivle import util
43
44
from ivle.dispatch.request import Request
44
45
import ivle.webapp.security
45
46
from ivle.webapp.base.plugins import ViewPlugin, PublicViewPlugin
46
47
from ivle.webapp.base.xhtml import XHTMLView, XHTMLErrorView
47
48
from ivle.webapp.errors import HTTPError, Unauthorized, NotFound
48
from ivle.webapp.publisher import Publisher, PublishingError
49
from ivle.webapp import ApplicationRoot
51
config = ivle.config.Config()
53
class ObjectPermissionCheckingPublisher(Publisher):
54
"""A specialised publisher that checks object permissions.
56
This publisher verifies that the user holds any permission at all
57
on the model objects through which the resolution path passes. If
58
no permission is held, resolution is aborted with an Unauthorized
61
IMPORTANT: This does NOT check view permissions. It only checks
62
the objects in between the root and the view, exclusive!
65
def traversed_to_object(self, obj):
66
"""Check that the user has any permission at all over the object."""
67
if (hasattr(obj, 'get_permissions') and
68
len(obj.get_permissions(self.root.user)) == 0):
69
# Indicate the forbidden object if this is an admin.
70
if self.root.user and self.root.user.admin:
71
raise Unauthorized('Unauthorized: %s' % obj)
76
def generate_publisher(view_plugins, root, publicmode=False):
50
def generate_route_mapper(view_plugins, attr):
78
52
Build a Mapper object for doing URL matching using 'routes', based on the
79
53
given plugin registry.
81
r = ObjectPermissionCheckingPublisher(root=root)
83
r.add_set_switch('api', 'api')
86
view_attr = 'public_views'
87
forward_route_attr = 'public_forward_routes'
88
reverse_route_attr = 'public_reverse_routes'
91
forward_route_attr = 'forward_routes'
92
reverse_route_attr = 'reverse_routes'
55
m = routes.Mapper(explicit=True)
95
56
for plugin in view_plugins:
96
if hasattr(plugin, forward_route_attr):
97
for fr in getattr(plugin, forward_route_attr):
98
# An annotated function can also be passed in directly.
99
if hasattr(fr, '_forward_route_meta'):
100
r.add_forward_func(fr)
104
if hasattr(plugin, reverse_route_attr):
105
for rr in getattr(plugin, reverse_route_attr):
106
# An annotated function can also be passed in directly.
107
if hasattr(rr, '_reverse_route_src'):
108
r.add_reverse_func(rr)
112
if hasattr(plugin, view_attr):
113
for v in getattr(plugin, view_attr):
57
# Establish a URL pattern for each element of plugin.urls
58
assert hasattr(plugin, 'urls'), "%r does not have any urls" % plugin
59
for url in getattr(plugin, attr):
62
kwargs_dict = url[2] if len(url) >= 3 else {}
63
m.connect(routex, view=view_class, **kwargs_dict)
118
66
def handler(apachereq):
119
67
"""Handles an HTTP request.
134
82
if user and user.valid:
137
req.publisher = generate_publisher(
138
config.plugin_index[ViewPlugin],
139
ApplicationRoot(req.config, req.store, req.user),
140
publicmode=req.publicmode)
143
obj, viewcls, subpath = req.publisher.resolve(req.uri.decode('utf-8'))
85
conf = ivle.config.Config()
89
req.mapper = generate_route_mapper(conf.plugin_index[PublicViewPlugin],
92
req.mapper = generate_route_mapper(conf.plugin_index[ViewPlugin],
95
matchdict = req.mapper.match(req.uri)
96
if matchdict is not None:
97
viewcls = matchdict['view']
98
# Get the remaining arguments, less 'view', 'action' and 'controller'
99
# (The latter two seem to be built-in, and we don't want them).
100
kwargs = matchdict.copy()
145
# We 404 if we have a subpath but the view forbids it.
146
if not viewcls.subpath_allowed and subpath:
149
103
# Instantiate the view, which should be a BaseView class
150
view = viewcls(req, obj, subpath)
104
view = viewcls(req, **kwargs)
152
106
# Check that the request (mainly the user) is permitted to access
154
108
if not view.authorize(req):
155
# Indicate the forbidden object if this is an admin.
156
if req.user and req.user.admin:
157
raise Unauthorized('Unauthorized: %s' % view)
160
110
# Render the output
162
112
except HTTPError, e:
191
136
req.store.commit()
193
except Unauthorized, e:
194
# Resolution failed due to a permission check. Display a pretty
195
# error, or maybe a login page.
196
XHTMLView.get_error_view(e)(req, e, req.publisher.root).render(req)
198
except PublishingError, e:
201
if req.user and req.user.admin:
202
XHTMLErrorView(req, NotFound('Not found: ' +
203
str(e.args)), e[0]).render(req)
205
XHTMLErrorView(req, NotFound(), e[0]).render(req)
139
XHTMLErrorView(req, NotFound()).render(req)
209
142
def handle_unknown_exception(req, exc_type, exc_value, exc_traceback):
217
150
the IVLE request is created.
219
152
req.content_type = "text/html"
220
logfile = os.path.join(config['paths']['logs'], 'ivle_error.log')
153
logfile = os.path.join(ivle.conf.log_path, 'ivle_error.log')
223
# XXX: This remains here for ivle.interpret's IVLEErrors. Once we rewrite
224
# fileservice, req.status should always be 500 (ISE) here.
226
156
httpcode = exc_value.httpcode
227
157
req.status = httpcode
228
158
except AttributeError:
230
160
req.status = mod_python.apache.HTTP_INTERNAL_SERVER_ERROR
233
162
publicmode = req.publicmode
234
163
except AttributeError:
257
186
# misbehaves (which is currently very easy, if things aren't set up
259
188
# Write the traceback.
261
# We need to special-case IVLEJailError, as we can get another
189
# If this is a non-4xx IVLEError, get the message and httpcode and
190
# make the error message a bit nicer (but still include the
192
# We also need to special-case IVLEJailError, as we can get another
262
193
# almost-exception out of it.
195
codename, msg = None, None
263
197
if exc_type is util.IVLEJailError:
198
msg = exc_value.type_str + ": " + exc_value.message
264
199
tb = 'Exception information extracted from IVLEJailError:\n'
265
200
tb += urllib.unquote(exc_value.info)
203
codename, msg = req.get_http_codename(httpcode)
204
except AttributeError:
267
207
tb = ''.join(traceback.format_exception(exc_type, exc_value,
270
logging.error('\n' + tb)
210
logging.error('%s\n%s'%(str(msg), tb))
272
212
# Error messages are only displayed is the user is NOT a student,
273
213
# or if there has been a problem logging the error message