isso/isso/views/comment.py

# -*- encoding: utf-8 -*-
#
# Copyright 2012, Martin Zimmermann <info@posativ.org>. All rights reserved.
# License: BSD Style, 2 clauses. see isso/__init__.py

import cgi
import urllib

from itsdangerous import SignatureExpired, BadSignature

from werkzeug.wrappers import Response
from werkzeug.exceptions import abort, BadRequest

from isso import models, utils


class requires:

    def __init__(self, type, param):
        self.param = param
        self.type = type

    def __call__(self, func):
        def dec(app, env, req, *args, **kwargs):

            if self.param not in req.args:
                raise BadRequest("missing %s query" % self.param)

            try:
                kwargs[self.param] = self.type(req.args[self.param])
            except TypeError:
                raise BadRequest("invalid type for %s, expected %s" % (self.param, self.type))

            return func(app, env, req, *args, **kwargs)

        return dec


@requires(str, 'uri')
def create(app, environ, request, uri):

    if app.PRODUCTION and not utils.urlexists(app.HOST, uri):
        return Response('URI does not exist', 400)

    try:
        comment = models.Comment.fromjson(request.data, ip=request.remote_addr)
    except ValueError as e:
        return Response(unicode(e), 400)

    for attr in 'author', 'website':
        if getattr(comment, attr) is not None:
            try:
                setattr(comment, attr, cgi.escape(getattr(comment, attr)))
            except AttributeError:
                Response('', 400)

    try:
        rv = app.db.add(uri, comment)
    except ValueError:
        abort(400)  # FIXME: custom exception class, error descr

    md5 = rv.md5
    rv.text = app.markdown(rv.text)

    resp = Response(app.dumps(rv), 202 if rv.pending else 201,
        content_type='application/json')
    resp.set_cookie('%s-%s' % (uri, rv.id), app.sign([uri, rv.id, md5]),
       max_age=app.MAX_AGE, path='/')
    return resp


@requires(str, 'uri')
def get(app, environ, request, uri):

    id = request.args.get('id', None)

    rv = list(app.db.retrieve(uri)) if id is None else app.db.get(uri, id)
    if not rv:
        abort(404)

    if request.args.get('plain', '1') == '0':
        if isinstance(rv, list):
            for item in rv:
                item.text = app.markdown(item.text)
        else:
            rv.text = app.markdown(rv.text)

    return Response(app.dumps(rv), 200, content_type='application/json')


@requires(str, 'uri')
@requires(int, 'id')
def modify(app, environ, request, uri, id):

    try:
        rv = app.unsign(request.cookies.get('%s-%s' % (uri, id), ''))
    except (SignatureExpired, BadSignature) as e:
        try:
            rv = app.unsign(request.cookies.get('admin', ''))
        except (SignatureExpired, BadSignature):
            abort(403)

    # verify checksum, mallory might skip cookie deletion when he deletes a comment
    if not (rv == '*' or rv[0:2] == [uri, id] or app.db.get(uri, id).md5 != rv[2]):
        abort(403)

    if request.method == 'PUT':
        try:
            rv = app.db.update(uri, id, models.Comment.fromjson(request.data))
            rv.text = app.markdown(rv.text)
            return Response(app.dumps(rv), 200, content_type='application/json')
        except ValueError as e:
            return Response(unicode(e), 400) # FIXME: custom exception and error descr

    if request.method == 'DELETE':
        rv = app.db.delete(uri, id)

        resp = Response(app.dumps(rv), 200, content_type='application/json')
        resp.delete_cookie(uri + '-' + str(id), path='/')
        return resp


def approve(app, environ, request, path, id):

    try:
        if app.unsign(request.cookies.get('admin', '')) != '*':
            abort(403)
    except (SignatureExpired, BadSignature):
        abort(403)

    app.db.activate(path, id)
    return Response(app.dumps(app.db.get(path, id)), 200,
        content_type='application/json')
add license decoration 12 years ago			`# -- encoding: utf-8 --`
			`#`
			`# Copyright 2012, Martin Zimmermann <info@posativ.org>. All rights reserved.`
			`# License: BSD Style, 2 clauses. see isso/__init__.py`
clean json fuckup and add create and get views 12 years ago
basic XSS protection m) 12 years ago			`import cgi`
use unique cookie name 12 years ago			`import urllib`
basic XSS protection m) 12 years ago
use itsdangerous 12 years ago			`from itsdangerous import SignatureExpired, BadSignature`

refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`from werkzeug.wrappers import Response`
commit work in progress completely revamp JS client because JS sucks^W^W^W to feature AMD, require.js, promises and HTML.js. The comment listing is now more like Disqus and for now comment retrieval, comment creation and deletion works. Form validation is rudimentary implemented as well. replaced Mako with Jinja2 (because... I forgot.), admin interface will use Bootstrap™ but is not functional yet. features a progress indicator in case you're sqlite db performs really bad 11 years ago			`from werkzeug.exceptions import abort, BadRequest`
clean json fuckup and add create and get views 12 years ago
move code around™ 11 years ago			`from isso import models, utils`
clean json fuckup and add create and get views 12 years ago

refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`class requires:`

			`def __init__(self, type, param):`
			`self.param = param`
			`self.type = type`

			`def __call__(self, func):`
			`def dec(app, env, req, args, *kwargs):`

			`if self.param not in req.args:`
commit work in progress completely revamp JS client because JS sucks^W^W^W to feature AMD, require.js, promises and HTML.js. The comment listing is now more like Disqus and for now comment retrieval, comment creation and deletion works. Form validation is rudimentary implemented as well. replaced Mako with Jinja2 (because... I forgot.), admin interface will use Bootstrap™ but is not functional yet. features a progress indicator in case you're sqlite db performs really bad 11 years ago			`raise BadRequest("missing %s query" % self.param)`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago
			`try:`
			`kwargs[self.param] = self.type(req.args[self.param])`
			`except TypeError:`
commit work in progress completely revamp JS client because JS sucks^W^W^W to feature AMD, require.js, promises and HTML.js. The comment listing is now more like Disqus and for now comment retrieval, comment creation and deletion works. Form validation is rudimentary implemented as well. replaced Mako with Jinja2 (because... I forgot.), admin interface will use Bootstrap™ but is not functional yet. features a progress indicator in case you're sqlite db performs really bad 11 years ago			`raise BadRequest("invalid type for %s, expected %s" % (self.param, self.type))`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago
			`return func(app, env, req, args, *kwargs)`

			`return dec`


			`@requires(str, 'uri')`
			`def create(app, environ, request, uri):`

			`if app.PRODUCTION and not utils.urlexists(app.HOST, uri):`
			`return Response('URI does not exist', 400)`
check if url exists before creating a comment 12 years ago
clean json fuckup and add create and get views 12 years ago			`try:`
add comment.hash to recognize user by email or ip fallback also: fixed test_comment json.dumps(json.loads(json.dumps(...))) madness. 11 years ago			`comment = models.Comment.fromjson(request.data, ip=request.remote_addr)`
rewrite using NIH 12 years ago			`except ValueError as e:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`return Response(unicode(e), 400)`
basic XSS protection m) 12 years ago
add comment.hash to recognize user by email or ip fallback also: fixed test_comment json.dumps(json.loads(json.dumps(...))) madness. 11 years ago			`for attr in 'author', 'website':`
basic XSS protection m) 12 years ago			`if getattr(comment, attr) is not None:`
			`try:`
			`setattr(comment, attr, cgi.escape(getattr(comment, attr)))`
			`except AttributeError:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`Response('', 400)`
basic XSS protection m) 12 years ago
			`try:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv = app.db.add(uri, comment)`
check if url exists before creating a comment 12 years ago			`except ValueError:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`abort(400) # FIXME: custom exception class, error descr`
clean json fuckup and add create and get views 12 years ago
fix an edge case, where mallory can delete comments by bo 12 years ago			`md5 = rv.md5`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv.text = app.markdown(rv.text)`

			`resp = Response(app.dumps(rv), 202 if rv.pending else 201,`
			`content_type='application/json')`
			`resp.set_cookie('%s-%s' % (uri, rv.id), app.sign([uri, rv.id, md5]),`
			`max_age=app.MAX_AGE, path='/')`
			`return resp`
fix an edge case, where mallory can delete comments by bo 12 years ago
clean json fuckup and add create and get views 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`@requires(str, 'uri')`
			`def get(app, environ, request, uri):`
clean json fuckup and add create and get views 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`id = request.args.get('id', None)`
clean json fuckup and add create and get views 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv = list(app.db.retrieve(uri)) if id is None else app.db.get(uri, id)`
return 404 if none found 12 years ago			`if not rv:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`abort(404)`
markdown support (using misaka) 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`if request.args.get('plain', '1') == '0':`
modify can return plain text and marked up content 12 years ago			`if isinstance(rv, list):`
			`for item in rv:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`item.text = app.markdown(item.text)`
modify can return plain text and marked up content 12 years ago			`else:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv.text = app.markdown(rv.text)`
markdown support (using misaka) 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`return Response(app.dumps(rv), 200, content_type='application/json')`
add update and delete views 12 years ago

refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`@requires(str, 'uri')`
			`@requires(int, 'id')`
			`def modify(app, environ, request, uri, id):`
add update and delete views 12 years ago
use itsdangerous 12 years ago			`try:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv = app.unsign(request.cookies.get('%s-%s' % (uri, id), ''))`
rewrite using NIH 12 years ago			`except (SignatureExpired, BadSignature) as e:`
admin interface can delete comments :> 12 years ago			`try:`
rewrite using NIH 12 years ago			`rv = app.unsign(request.cookies.get('admin', ''))`
admin interface can delete comments :> 12 years ago			`except (SignatureExpired, BadSignature):`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`abort(403)`
use itsdangerous 12 years ago
fix an edge case, where mallory can delete comments by bo 12 years ago			`# verify checksum, mallory might skip cookie deletion when he deletes a comment`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`if not (rv == '*' or rv[0:2] == [uri, id] or app.db.get(uri, id).md5 != rv[2]):`
			`abort(403)`
use itsdangerous 12 years ago
add update and delete views 12 years ago			`if request.method == 'PUT':`
			`try:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv = app.db.update(uri, id, models.Comment.fromjson(request.data))`
			`rv.text = app.markdown(rv.text)`
			`return Response(app.dumps(rv), 200, content_type='application/json')`
add update and delete views 12 years ago			`except ValueError as e:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`return Response(unicode(e), 400) # FIXME: custom exception and error descr`
fix an edge case, where mallory can delete comments by bo 12 years ago
			`if request.method == 'DELETE':`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv = app.db.delete(uri, id)`
fix an edge case, where mallory can delete comments by bo 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`resp = Response(app.dumps(rv), 200, content_type='application/json')`
			`resp.delete_cookie(uri + '-' + str(id), path='/')`
			`return resp`
approve comments 12 years ago

			`def approve(app, environ, request, path, id):`

			`try:`
rewrite using NIH 12 years ago			`if app.unsign(request.cookies.get('admin', '')) != '*':`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`abort(403)`
approve comments 12 years ago			`except (SignatureExpired, BadSignature):`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`abort(403)`
approve comments 12 years ago
			`app.db.activate(path, id)`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`return Response(app.dumps(app.db.get(path, id)), 200,`
			`content_type='application/json')`