isso/isso/views/comment.py

# -*- encoding: utf-8 -*-
#
# Copyright 2012, Martin Zimmermann <info@posativ.org>. All rights reserved.
# License: BSD Style, 2 clauses. see isso/__init__.py

import cgi
import json
import thread
import hashlib
import sqlite3
import logging

from itsdangerous import SignatureExpired, BadSignature

from werkzeug.wrappers import Response
from werkzeug.exceptions import abort, BadRequest

from isso import models, utils, notify


class requires:

    def __init__(self, type, param):
        self.param = param
        self.type = type

    def __call__(self, func):
        def dec(app, env, req, *args, **kwargs):

            if self.param not in req.args:
                raise BadRequest("missing %s query" % self.param)

            try:
                kwargs[self.param] = self.type(req.args[self.param])
            except TypeError:
                raise BadRequest("invalid type for %s, expected %s" % (self.param, self.type))

            return func(app, env, req, *args, **kwargs)

        return dec


@requires(str, 'uri')
def create(app, environ, request, uri):

    if app.db.threads.get(uri) is None and not utils.urlexists(app.ORIGIN, uri):
        return Response('URI does not exist', 404)

    try:
        data = json.loads(request.data)
    except ValueError:
        return Response("No JSON object could be decoded", 400)

    if not data.get("text"):
        return Response("No text given.", 400)

    if "id" in data and not isinstance(data["id"], int):
        return Response("Parent ID must be an integer.")

    if data.get("email"):
        hash = data["email"]
    else:
        hash = utils.salt(utils.anonymize(unicode(request.remote_addr)))

    comment = models.Comment(
        text=data["text"], parent=data.get("parent"),

        author=data.get("author") and cgi.escape(data.get("author")),
        website=data.get("website") and cgi.escape(data.get("website")),

        hash=hashlib.md5(hash).hexdigest())

    title = app.db.threads.get(uri)
    if title is None:
        title = app.db.threads.add(uri, utils.heading(app.ORIGIN, uri))

    try:
        rv = app.db.add(uri, comment, request.remote_addr)
    except sqlite3.Error:
        logging.exception('uncaught SQLite3 exception')
        abort(400)
    else:
        rv["text"] = app.markdown(rv["text"])

    href = (app.ORIGIN.rstrip("/") + uri + "#isso-%i" % rv["id"])
    thread.start_new_thread(app.notify, notify.create(comment, title, href, request.remote_addr))

    resp = Response(app.dumps(rv), 202 if rv.pending else 201,
        content_type='application/json')
    resp.set_cookie('%s-%s' % (uri, rv["id"]), app.sign([uri, rv["id"], rv.md5]),
       max_age=app.MAX_AGE, path='/')
    return resp


@requires(str, 'uri')
def get(app, environ, request, uri):

    id = request.args.get('id', None)

    rv = list(app.db.retrieve(uri)) if id is None else app.db.get(uri, id)
    if not rv:
        abort(404)

    if request.args.get('plain', '0') == '0':
        if isinstance(rv, list):
            for item in rv:
                item['text'] = app.markdown(item['text'])
        else:
            rv['text'] = app.markdown(rv['text'])

    return Response(app.dumps(rv), 200, content_type='application/json')


@requires(str, 'uri')
@requires(int, 'id')
def modify(app, environ, request, uri, id):

    try:
        rv = app.unsign(request.cookies.get('%s-%s' % (uri, id), ''))
    except (SignatureExpired, BadSignature):
        try:
            rv = app.unsign(request.cookies.get('admin', ''))
        except (SignatureExpired, BadSignature):
            abort(403)

    # verify checksum, mallory might skip cookie deletion when he deletes a comment
    if not (rv == '*' or rv[0:2] == [uri, id] or app.db.get(uri, id).md5 != rv[2]):
        abort(403)

    if request.method == 'PUT':
        try:
            data = json.loads(request.data)
        except ValueError:
            return Response("No JSON object could be decoded", 400)

        if not data.get("text"):
            return Response("No text given.", 400)

        for key in data.keys():
            if key not in ("text", "author", "website"):
                data.pop(key)

        try:
            rv = app.db.update(uri, id, data)
        except sqlite3.Error:
            logging.exception('uncaught SQLite3 exception')
            abort(400)

        rv["text"] = app.markdown(rv["text"])
        return Response(app.dumps(rv), 200, content_type='application/json')

    if request.method == 'DELETE':
        rv = app.db.delete(uri, id)

        resp = Response(app.dumps(rv), 200, content_type='application/json')
        resp.delete_cookie(uri + '-' + str(id), path='/')
        return resp


@requires(str, 'uri')
@requires(int, 'id')
def like(app, environ, request, uri, id):

    nv = app.db.like(uri, id, request.remote_addr)
    return Response(str(nv), 200)


def approve(app, environ, request, path, id):

    try:
        if app.unsign(request.cookies.get('admin', '')) != '*':
            abort(403)
    except (SignatureExpired, BadSignature):
        abort(403)

    app.db.activate(path, id)
    return Response(app.dumps(app.db.get(path, id)), 200,
        content_type='application/json')


@requires(str, 'uri')
def count(app, environ, request, uri):

    rv = app.db.count(uri, mode=1)[0]

    if rv == 0:
        abort(404)

    return Response(json.dumps(rv), 200, content_type='application/json')
add license decoration 12 years ago			`# -- encoding: utf-8 --`
			`#`
			`# Copyright 2012, Martin Zimmermann <info@posativ.org>. All rights reserved.`
			`# License: BSD Style, 2 clauses. see isso/__init__.py`
clean json fuckup and add create and get views 12 years ago
basic XSS protection m) 12 years ago			`import cgi`
clean db interface and comment model 11 years ago			`import json`
send notification for new comments This commit also introduces a new db which maps path to thread title. The title is read by parsing the HTML for a related <h1> tag using `html5lib`. You can set up SMTP in your configuration (here the defaults): [SMTP] host = localhost port = 465 ssl = on username = password = recipient = sender = In short, by default Isso uses a local SMTP server using SSL without any authentication. An email is send on comment creation to "recipient" from "Ich schrei sonst <sender>". This commit also uses a simple ANSI colorization module from my static blog compiler project. On server startup, Isso will connect to the SMTP server and fall back to a null mailer. It also tries to connect to your website, so if that doesn't work, you probably can't comment on your website either. 11 years ago			`import thread`
clean db interface and comment model 11 years ago			`import hashlib`
			`import sqlite3`
			`import logging`
basic XSS protection m) 12 years ago
use itsdangerous 12 years ago			`from itsdangerous import SignatureExpired, BadSignature`

refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`from werkzeug.wrappers import Response`
commit work in progress completely revamp JS client because JS sucks^W^W^W to feature AMD, require.js, promises and HTML.js. The comment listing is now more like Disqus and for now comment retrieval, comment creation and deletion works. Form validation is rudimentary implemented as well. replaced Mako with Jinja2 (because... I forgot.), admin interface will use Bootstrap™ but is not functional yet. features a progress indicator in case you're sqlite db performs really bad 11 years ago			`from werkzeug.exceptions import abort, BadRequest`
clean json fuckup and add create and get views 12 years ago
send notification for new comments This commit also introduces a new db which maps path to thread title. The title is read by parsing the HTML for a related <h1> tag using `html5lib`. You can set up SMTP in your configuration (here the defaults): [SMTP] host = localhost port = 465 ssl = on username = password = recipient = sender = In short, by default Isso uses a local SMTP server using SSL without any authentication. An email is send on comment creation to "recipient" from "Ich schrei sonst <sender>". This commit also uses a simple ANSI colorization module from my static blog compiler project. On server startup, Isso will connect to the SMTP server and fall back to a null mailer. It also tries to connect to your website, so if that doesn't work, you probably can't comment on your website either. 11 years ago			`from isso import models, utils, notify`
clean json fuckup and add create and get views 12 years ago

refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`class requires:`

			`def __init__(self, type, param):`
			`self.param = param`
			`self.type = type`

			`def __call__(self, func):`
			`def dec(app, env, req, args, *kwargs):`

			`if self.param not in req.args:`
commit work in progress completely revamp JS client because JS sucks^W^W^W to feature AMD, require.js, promises and HTML.js. The comment listing is now more like Disqus and for now comment retrieval, comment creation and deletion works. Form validation is rudimentary implemented as well. replaced Mako with Jinja2 (because... I forgot.), admin interface will use Bootstrap™ but is not functional yet. features a progress indicator in case you're sqlite db performs really bad 11 years ago			`raise BadRequest("missing %s query" % self.param)`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago
			`try:`
			`kwargs[self.param] = self.type(req.args[self.param])`
			`except TypeError:`
commit work in progress completely revamp JS client because JS sucks^W^W^W to feature AMD, require.js, promises and HTML.js. The comment listing is now more like Disqus and for now comment retrieval, comment creation and deletion works. Form validation is rudimentary implemented as well. replaced Mako with Jinja2 (because... I forgot.), admin interface will use Bootstrap™ but is not functional yet. features a progress indicator in case you're sqlite db performs really bad 11 years ago			`raise BadRequest("invalid type for %s, expected %s" % (self.param, self.type))`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago
			`return func(app, env, req, args, *kwargs)`

			`return dec`


			`@requires(str, 'uri')`
			`def create(app, environ, request, uri):`

improve url exists detection for new comment threads 11 years ago			`if app.db.threads.get(uri) is None and not utils.urlexists(app.ORIGIN, uri):`
return 404 when creating a comment for a non-existing URI 11 years ago			`return Response('URI does not exist', 404)`
check if url exists before creating a comment 12 years ago
clean json fuckup and add create and get views 12 years ago			`try:`
clean db interface and comment model 11 years ago			`data = json.loads(request.data)`
			`except ValueError:`
			`return Response("No JSON object could be decoded", 400)`
basic XSS protection m) 12 years ago
clean db interface and comment model 11 years ago			`if not data.get("text"):`
			`return Response("No text given.", 400)`

			`if "id" in data and not isinstance(data["id"], int):`
			`return Response("Parent ID must be an integer.")`

anonymize IP if passed as ::ffff.1.2.3.4 correctly 11 years ago			`if data.get("email"):`
clean db interface and comment model 11 years ago			`hash = data["email"]`
			`else:`
REMOTE_ADDR is not unicode 11 years ago			`hash = utils.salt(utils.anonymize(unicode(request.remote_addr)))`
clean db interface and comment model 11 years ago
			`comment = models.Comment(`
			`text=data["text"], parent=data.get("parent"),`

			`author=data.get("author") and cgi.escape(data.get("author")),`
			`website=data.get("website") and cgi.escape(data.get("website")),`

			`hash=hashlib.md5(hash).hexdigest())`
basic XSS protection m) 12 years ago
improve url exists detection for new comment threads 11 years ago			`title = app.db.threads.get(uri)`
			`if title is None:`
send notification for new comments This commit also introduces a new db which maps path to thread title. The title is read by parsing the HTML for a related <h1> tag using `html5lib`. You can set up SMTP in your configuration (here the defaults): [SMTP] host = localhost port = 465 ssl = on username = password = recipient = sender = In short, by default Isso uses a local SMTP server using SSL without any authentication. An email is send on comment creation to "recipient" from "Ich schrei sonst <sender>". This commit also uses a simple ANSI colorization module from my static blog compiler project. On server startup, Isso will connect to the SMTP server and fall back to a null mailer. It also tries to connect to your website, so if that doesn't work, you probably can't comment on your website either. 11 years ago			`title = app.db.threads.add(uri, utils.heading(app.ORIGIN, uri))`

basic XSS protection m) 12 years ago			`try:`
improve url exists detection for new comment threads 11 years ago			`rv = app.db.add(uri, comment, request.remote_addr)`
clean db interface and comment model 11 years ago			`except sqlite3.Error:`
			`logging.exception('uncaught SQLite3 exception')`
			`abort(400)`
send notification for new comments This commit also introduces a new db which maps path to thread title. The title is read by parsing the HTML for a related <h1> tag using `html5lib`. You can set up SMTP in your configuration (here the defaults): [SMTP] host = localhost port = 465 ssl = on username = password = recipient = sender = In short, by default Isso uses a local SMTP server using SSL without any authentication. An email is send on comment creation to "recipient" from "Ich schrei sonst <sender>". This commit also uses a simple ANSI colorization module from my static blog compiler project. On server startup, Isso will connect to the SMTP server and fall back to a null mailer. It also tries to connect to your website, so if that doesn't work, you probably can't comment on your website either. 11 years ago			`else:`
			`rv["text"] = app.markdown(rv["text"])`
clean json fuckup and add create and get views 12 years ago
send notification for new comments This commit also introduces a new db which maps path to thread title. The title is read by parsing the HTML for a related <h1> tag using `html5lib`. You can set up SMTP in your configuration (here the defaults): [SMTP] host = localhost port = 465 ssl = on username = password = recipient = sender = In short, by default Isso uses a local SMTP server using SSL without any authentication. An email is send on comment creation to "recipient" from "Ich schrei sonst <sender>". This commit also uses a simple ANSI colorization module from my static blog compiler project. On server startup, Isso will connect to the SMTP server and fall back to a null mailer. It also tries to connect to your website, so if that doesn't work, you probably can't comment on your website either. 11 years ago			`href = (app.ORIGIN.rstrip("/") + uri + "#isso-%i" % rv["id"])`
			`thread.start_new_thread(app.notify, notify.create(comment, title, href, request.remote_addr))`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago
			`resp = Response(app.dumps(rv), 202 if rv.pending else 201,`
			`content_type='application/json')`
clean db interface and comment model 11 years ago			`resp.set_cookie('%s-%s' % (uri, rv["id"]), app.sign([uri, rv["id"], rv.md5]),`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`max_age=app.MAX_AGE, path='/')`
			`return resp`
fix an edge case, where mallory can delete comments by bo 12 years ago
clean json fuckup and add create and get views 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`@requires(str, 'uri')`
			`def get(app, environ, request, uri):`
clean json fuckup and add create and get views 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`id = request.args.get('id', None)`
clean json fuckup and add create and get views 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv = list(app.db.retrieve(uri)) if id is None else app.db.get(uri, id)`
return 404 if none found 12 years ago			`if not rv:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`abort(404)`
markdown support (using misaka) 12 years ago
show markdown by default 11 years ago			`if request.args.get('plain', '0') == '0':`
modify can return plain text and marked up content 12 years ago			`if isinstance(rv, list):`
			`for item in rv:`
show markdown by default 11 years ago			`item['text'] = app.markdown(item['text'])`
modify can return plain text and marked up content 12 years ago			`else:`
show markdown by default 11 years ago			`rv['text'] = app.markdown(rv['text'])`
markdown support (using misaka) 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`return Response(app.dumps(rv), 200, content_type='application/json')`
add update and delete views 12 years ago

refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`@requires(str, 'uri')`
			`@requires(int, 'id')`
			`def modify(app, environ, request, uri, id):`
add update and delete views 12 years ago
use itsdangerous 12 years ago			`try:`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv = app.unsign(request.cookies.get('%s-%s' % (uri, id), ''))`
clean db interface and comment model 11 years ago			`except (SignatureExpired, BadSignature):`
admin interface can delete comments :> 12 years ago			`try:`
rewrite using NIH 12 years ago			`rv = app.unsign(request.cookies.get('admin', ''))`
admin interface can delete comments :> 12 years ago			`except (SignatureExpired, BadSignature):`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`abort(403)`
use itsdangerous 12 years ago
fix an edge case, where mallory can delete comments by bo 12 years ago			`# verify checksum, mallory might skip cookie deletion when he deletes a comment`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`if not (rv == '*' or rv[0:2] == [uri, id] or app.db.get(uri, id).md5 != rv[2]):`
			`abort(403)`
use itsdangerous 12 years ago
add update and delete views 12 years ago			`if request.method == 'PUT':`
			`try:`
clean db interface and comment model 11 years ago			`data = json.loads(request.data)`
			`except ValueError:`
			`return Response("No JSON object could be decoded", 400)`

			`if not data.get("text"):`
			`return Response("No text given.", 400)`

			`for key in data.keys():`
			`if key not in ("text", "author", "website"):`
			`data.pop(key)`

			`try:`
			`rv = app.db.update(uri, id, data)`
			`except sqlite3.Error:`
			`logging.exception('uncaught SQLite3 exception')`
			`abort(400)`

			`rv["text"] = app.markdown(rv["text"])`
			`return Response(app.dumps(rv), 200, content_type='application/json')`
fix an edge case, where mallory can delete comments by bo 12 years ago
			`if request.method == 'DELETE':`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`rv = app.db.delete(uri, id)`
fix an edge case, where mallory can delete comments by bo 12 years ago
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`resp = Response(app.dumps(rv), 200, content_type='application/json')`
			`resp.delete_cookie(uri + '-' + str(id), path='/')`
			`return resp`
approve comments 12 years ago

implement db backend for votes/likes #5 11 years ago			`@requires(str, 'uri')`
			`@requires(int, 'id')`
			`def like(app, environ, request, uri, id):`

			`nv = app.db.like(uri, id, request.remote_addr)`
			`return Response(str(nv), 200)`


approve comments 12 years ago			`def approve(app, environ, request, path, id):`

			`try:`
rewrite using NIH 12 years ago			`if app.unsign(request.cookies.get('admin', '')) != '*':`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`abort(403)`
approve comments 12 years ago			`except (SignatureExpired, BadSignature):`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`abort(403)`
approve comments 12 years ago
			`app.db.activate(path, id)`
refactor all the things (use werkzeug instead of NIH to handle WSGI) Also: use ?uri=%2Fpath%2F as path indicator. 11 years ago			`return Response(app.dumps(app.db.get(path, id)), 200,`
			`content_type='application/json')`
new /count?uri=path and count.js A separate (minified) JS to load only the comment count for each `<a href="...#isso-thread">...</a>` link. If there are no comments, return a 404, otherwise return the number JSON formatted. To built `count.ks`, run `r.js -o build.count.js`. 11 years ago

			`@requires(str, 'uri')`
			`def count(app, environ, request, uri):`

			`rv = app.db.count(uri, mode=1)[0]`

			`if rv == 0:`
			`abort(404)`

			`return Response(json.dumps(rv), 200, content_type='application/json')`