← Back to branch summary

~azzar1/unity/add-show-desktop-key

« back to all changes in this revision

Viewing changes to ivle/dispatch/__init__.py

  • Committer: Matt Giuca
  • Date: 2010-02-25 06:52:48 UTC
  • mto: This revision was merged to the branch mainline in revision 1731.
  • Revision ID: matt.giuca@gmail.com-20100225065248-p1t8oys3olxtwdlg
project-form no longer assumes the type of context; pass an extra projectset value.

Show diffs side-by-side

added added

removed removed

Lines of Context:
ivle/dispatch/__init__.py
30
30
import os
31
31
import os.path
32
32
import urllib
 
33
import urlparse
33
34
import cgi
34
35
import traceback
35
36
import logging
44
45
import ivle.webapp.security
45
46
from ivle.webapp.base.plugins import ViewPlugin, PublicViewPlugin
46
47
from ivle.webapp.base.xhtml import XHTMLView, XHTMLErrorView
47
 
from ivle.webapp.errors import HTTPError, Unauthorized, NotFound
48
 
from ivle.webapp.routing import Router, RoutingError
 
48
from ivle.webapp.errors import BadRequest, HTTPError, NotFound, Unauthorized
 
49
from ivle.webapp.publisher import Publisher, PublishingError
49
50
from ivle.webapp import ApplicationRoot
50
51
 
51
52
config = ivle.config.Config()
52
53
 
53
 
def generate_router(view_plugins, root):
 
54
class ObjectPermissionCheckingPublisher(Publisher):
 
55
    """A specialised publisher that checks object permissions.
 
56
 
 
57
    This publisher verifies that the user holds any permission at all
 
58
    on the model objects through which the resolution path passes. If
 
59
    no permission is held, resolution is aborted with an Unauthorized
 
60
    exception.
 
61
 
 
62
    IMPORTANT: This does NOT check view permissions. It only checks
 
63
    the objects in between the root and the view, exclusive!
 
64
    """
 
65
 
 
66
    def traversed_to_object(self, obj):
 
67
        """Check that the user has any permission at all over the object."""
 
68
        if (hasattr(obj, 'get_permissions') and
 
69
            len(obj.get_permissions(self.root.user, config)) == 0):
 
70
            # Indicate the forbidden object if this is an admin.
 
71
            if self.root.user and self.root.user.admin:
 
72
                raise Unauthorized('Unauthorized: %s' % obj)
 
73
            else:
 
74
                raise Unauthorized()
 
75
 
 
76
 
 
77
def generate_publisher(view_plugins, root, publicmode=False):
54
78
    """
55
79
    Build a Mapper object for doing URL matching using 'routes', based on the
56
80
    given plugin registry.
57
81
    """
58
 
    r = Router(root=root)
 
82
    r = ObjectPermissionCheckingPublisher(root=root)
59
83
 
60
84
    r.add_set_switch('api', 'api')
61
85
 
 
86
    if publicmode:
 
87
        view_attr = 'public_views'
 
88
        forward_route_attr = 'public_forward_routes'
 
89
        reverse_route_attr = 'public_reverse_routes'
 
90
    else:
 
91
        view_attr = 'views'
 
92
        forward_route_attr = 'forward_routes'
 
93
        reverse_route_attr = 'reverse_routes'
 
94
 
 
95
 
62
96
    for plugin in view_plugins:
63
 
        if hasattr(plugin, 'forward_routes'):
64
 
            for fr in plugin.forward_routes:
 
97
        if hasattr(plugin, forward_route_attr):
 
98
            for fr in getattr(plugin, forward_route_attr):
65
99
                # An annotated function can also be passed in directly.
66
100
                if hasattr(fr, '_forward_route_meta'):
67
101
                    r.add_forward_func(fr)
68
102
                else:
69
103
                    r.add_forward(*fr)
70
104
 
71
 
        if hasattr(plugin, 'reverse_routes'):
72
 
            for rr in plugin.reverse_routes:
 
105
        if hasattr(plugin, reverse_route_attr):
 
106
            for rr in getattr(plugin, reverse_route_attr):
73
107
                # An annotated function can also be passed in directly.
74
108
                if hasattr(rr, '_reverse_route_src'):
75
109
                    r.add_reverse_func(rr)
76
110
                else:
77
111
                    r.add_reverse(*rr)
78
112
 
79
 
        if hasattr(plugin, 'views'):
80
 
            for v in plugin.views:
 
113
        if hasattr(plugin, view_attr):
 
114
            for v in getattr(plugin, view_attr):
81
115
                r.add_view(*v)
82
116
 
83
117
    return r
92
126
    # Make the request object into an IVLE request which can be given to views
93
127
    req = Request(apachereq, config)
94
128
 
95
 
    # Hack? Try and get the user login early just in case we throw an error
96
 
    # (most likely 404) to stop us seeing not logged in even when we are.
97
 
    if not req.publicmode:
98
 
        user = ivle.webapp.security.get_user_details(req)
99
 
 
100
 
        # Don't set the user if it is disabled or hasn't accepted the ToS.
101
 
        if user and user.valid:
102
 
            req.user = user
103
 
 
104
 
    if req.publicmode:
105
 
        raise NotImplementedError("no public mode with obtrav yet!")
106
 
 
107
 
    req.router = generate_router(config.plugin_index[ViewPlugin],
108
 
                                 ApplicationRoot(req.config, req.store))
 
129
    req.publisher = generate_publisher(
 
130
        config.plugin_index[ViewPlugin], ApplicationRoot(req),
 
131
        publicmode=req.publicmode)
109
132
 
110
133
    try:
111
 
        obj, viewcls, subpath = req.router.resolve(req.uri.decode('utf-8'))
 
134
        obj, viewcls, subpath = req.publisher.resolve(req.uri.decode('utf-8'))
112
135
        try:
113
136
            # We 404 if we have a subpath but the view forbids it.
114
137
            if not viewcls.subpath_allowed and subpath:
120
143
            # Check that the request (mainly the user) is permitted to access
121
144
            # the view.
122
145
            if not view.authorize(req):
123
 
                raise Unauthorized()
 
146
                # Indicate the forbidden object if this is an admin.
 
147
                if req.user and req.user.admin:
 
148
                    raise Unauthorized('Unauthorized: %s' % view)
 
149
                else:
 
150
                    raise Unauthorized()
 
151
 
 
152
            # Non-GET requests from other sites leave us vulnerable to
 
153
            # CSRFs. Block them.
 
154
            referer = req.headers_in.get('Referer')
 
155
            if (referer is None or
 
156
                urlparse.urlparse(req.headers_in.get('Referer')).netloc !=
 
157
                    req.hostname):
 
158
                if req.method != 'GET' and not view.offsite_posts_allowed:
 
159
                    raise BadRequest(
 
160
                        "Non-GET requests from external sites are forbidden "
 
161
                        "for security reasons.")
 
162
 
124
163
            # Render the output
125
164
            view.render(req)
126
165
        except HTTPError, e:
134
173
                errviewcls = XHTMLView.get_error_view(e)
135
174
 
136
175
            if errviewcls:
137
 
                errview = errviewcls(req, e)
 
176
                errview = errviewcls(req, e, obj)
138
177
                errview.render(req)
139
178
                return req.OK
140
179
            elif e.message:
152
191
            handle_unknown_exception(req, *sys.exc_info())
153
192
            return req.OK
154
193
        else:
155
 
            req.store.commit()
 
194
            # Commit the transaction if we have a store open.
 
195
            req.commit()
156
196
            return req.OK
157
 
    except RoutingError, e:
158
 
        if req.user.admin:
 
197
    except Unauthorized, e:
 
198
        # Resolution failed due to a permission check. Display a pretty
 
199
        # error, or maybe a login page.
 
200
        XHTMLView.get_error_view(e)(req, e, req.publisher.root).render(req)
 
201
        return req.OK
 
202
    except PublishingError, e:
 
203
        req.status = 404
 
204
 
 
205
        if req.user and req.user.admin:
159
206
            XHTMLErrorView(req, NotFound('Not found: ' +
160
 
                                         str(e.args))).render(req)
 
207
                                         str(e.args)), e[0]).render(req)
161
208
        else:
162
 
            XHTMLErrorView(req, NotFound()).render(req)
 
209
            XHTMLErrorView(req, NotFound(), e[0]).render(req)
163
210
 
164
211
        return req.OK
 
212
    finally:
 
213
        # Make sure we close the store.
 
214
        req.cleanup()
165
215
 
166
216
def handle_unknown_exception(req, exc_type, exc_value, exc_traceback):
167
217
    """