Attachment 'DropBox-1.1.py'
Download 1 # -*- coding: iso-8859-1 -*-
2 """
3 MoinMoin - DropBox action Version 1.1, 02.07.2014
4 [a modification of AttachFile action]
5
6 For documentation and examples see:
7
8 http://rileylink.local/pb/MoinMoin_Matters
9
10 History:
11
12 Version 1.1 - 02.07.2014: added sort option; case sensitivity of option
13 values removed.
14 Version 1.0 - 15.05.2011: initial version.
15
16 @copyright: 2011, 2014 Ian Riley <ian@riley.asia>
17 @license: GNU GPL, see COPYING for details.
18
19 Based on AttachFile action
20
21 @copyright: 2001 by Ken Sugino (sugino@mediaone.net),
22 2001-2004 by Juergen Hermann <jh@web.de>,
23 2005 MoinMoin:AlexanderSchremmer,
24 2005 DiegoOngaro at ETSZONE (diego@etszone.com),
25 2005-2007 MoinMoin:ReimarBauer,
26 2007-2008 MoinMoin:ThomasWaldmann
27 @license: GNU GPL, see COPYING for details.
28 """
29
30 from operator import itemgetter
31 from MoinMoin.action.AttachFile import *
32
33 action_name = __name__.split('.')[-1]
34
35 #############################################################################
36 ### External interface - these are called from the core code
37 #############################################################################
38
39 def get_action(request, filename, do):
40 generic_do_mapping = {
41 # do -> action
42 'get': action_name,
43 'view': action_name,
44 'del': action_name,
45 'upload_form': action_name,
46 }
47 basename, ext = os.path.splitext(filename)
48 do_mapping = request.cfg.extensions_mapping.get(ext, {})
49 action = do_mapping.get(do, None)
50 if action is None:
51 # we have no special support for this,
52 # look up whether we have generic support:
53 action = generic_do_mapping.get(do, None)
54 return action
55
56 def getAttachUrl(pagename, filename, request, addts=0, do='get'):
57 """ Get URL that points to attachment `filename` of page `pagename`.
58 For upload url, call with do='upload_form'.
59 Returns the URL to do the specified "do" action or None,
60 if this action is not supported.
61 """
62 action = get_action(request, filename, do)
63 if action:
64 args = dict(action=action, do=do, target=filename)
65 if do not in ['get', 'view', # harmless
66 'modify', # just renders the applet html, which has own ticket
67 'move', # renders rename form, which has own ticket
68 ]:
69 # create a ticket for the not so harmless operations
70 # we need action= here because the current action (e.g. "show" page
71 # with a macro AttachList) may not be the linked-to action, e.g.
72 # "AttachFile". Also, AttachList can list attachments of another page,
73 # thus we need to give pagename= also.
74 args['ticket'] = wikiutil.createTicket(request,
75 pagename=pagename, action=action_name)
76 url = request.href(pagename, **args)
77 return url
78
79 #############################################################################
80 ### Internal helpers
81 #############################################################################
82 def _get_filesource(request, pagename, filename):
83 """ Look up the user who attached the file
84
85 Returns userid and username tuple.
86 """
87 from MoinMoin.logfile import editlog
88 from MoinMoin import user
89
90 log = editlog.EditLog(request, rootpagename=pagename)
91 result = '', ''
92 count = 0
93 for line in log.reverse():
94 count += 1
95 if line.action in ('ATTNEW', 'ATTDEL', ):
96 foundname = wikiutil.url_unquote(line.extra)
97 if foundname == filename:
98 # just the user's name
99 result = line.userid, user.User(request, line.userid, auth_method="editlog:53").name
100
101 # link to user's homepage or email depending on preferences
102 # this would be OK if users all had homepages.
103 #result = line.userid, line.getEditor(request)
104
105 # unknown user
106 if '' in result:
107 result = None,'unknown user'
108 break
109 return result
110
111 def _access_file(pagename, request):
112 """ Check form parameter `target` and return a tuple of
113 `(pagename, filename, filepath)` for an existing attachment.
114
115 Return `(pagename, None, None)` if an error occurs.
116 """
117 _ = request.getText
118
119 error = None
120 if not request.values.get('target'):
121 error = _("Filename of upload not specified!")
122 else:
123 filename = wikiutil.taintfilename(request.values['target'])
124 fpath = getFilename(request, pagename, filename)
125
126 if os.path.isfile(fpath):
127 return (pagename, filename, fpath)
128 error = _("Upload '%(filename)s' does not exist!") % {'filename': filename}
129
130 error_msg(pagename, request, error)
131 return (pagename, None, None)
132
133 def _build_filelist(request, pagename, sumonly, readonly, mime_type='*',
134 owners='*', sort='*'):
135 _ = request.getText
136 fmt = request.html_formatter
137
138 import urlparse
139 qs = urlparse.parse_qs(request.environ.get('QUERY_STRING'))
140 owners = owners.lower()
141 sort = sort.lower()
142 if owners == '*':
143 if 'owners' in qs:
144 owners = qs['owners'][0]
145 else:
146 owners = 'all'
147 if sort == '*':
148 if 'sort' in qs:
149 sort = qs['sort'][0]
150
151 user_id = request.user.valid and request.user.id or ''
152
153 # access directory
154 attach_dir = getAttachDir(request, pagename)
155 files = _get_files(request, pagename)
156
157 if mime_type != '*':
158 files = [fname for fname in files if mime_type == mimetypes.guess_type(fname)[0]]
159
160 label_del = _("del")
161 label_get = _("get")
162 label_view = _("view")
163
164 may_read = request.user.may.read(pagename)
165 may_attach = request.user.may.attach(pagename)
166 may_delete = request.user.may.delete(pagename)
167 may_detach = request.user.may.detach(pagename)
168
169 links = []
170 html = []
171
172 if files:
173 flist = []
174 index = -1
175 space = 0
176 latest_time = None
177 latest_file = 0
178 count = 0
179
180 for file in files:
181 owner = _get_filesource(request, pagename, file)
182 usersfile = owner[0] == user_id
183 ownercheck = (usersfile and (owners in ["self", "all"])) or \
184 ((not usersfile) and (owners in ["other", "all"]))
185 if not ownercheck:
186 continue
187 index += 1
188 mt = wikiutil.MimeType(filename=file)
189 fullpath = os.path.join(attach_dir, file).encode(config.charset)
190 st = os.stat(fullpath)
191 if st.st_mtime > latest_time:
192 latest_time = st.st_mtime
193 latest_file = index
194 fdict= {'i': index,
195 'file': wikiutil.escape(file),
196 'owner_id': owner[0],
197 'ownername': owner[1],
198 'usersfile': usersfile,
199 'ownercheck': ownercheck,
200 'fullpath': fullpath,
201 'viewlink': (fmt.url(1, getAttachUrl(pagename, file, request, do='view')) +
202 fmt.text(wikiutil.escape(file)) +
203 fmt.url(0)),
204 'base': os.path.splitext(file)[0],
205 'ext': os.path.splitext(file)[1],
206 'fsize': float(st.st_size) / 1024,
207 'fmtime': request.user.getFormattedDateTime(st.st_mtime),
208 'latest': False,
209 'deletable': (may_delete or
210 (may_detach and usersfile)) and
211 not readonly,
212 }
213 flist.append(fdict)
214
215 if flist:
216 flist[latest_file]['latest'] = True
217
218 if sort == 'date':
219 flist = sorted(flist, key=itemgetter('fmtime'))
220 elif sort == 'size':
221 flist = sorted(flist, key=itemgetter('fsize'))
222 elif sort == 'type':
223 flist = sorted(flist, key=itemgetter('ext', 'file'))
224 elif sort == 'owner':
225 flist = sorted(flist, key=itemgetter('ownername', 'file'))
226
227 if not sumonly:
228 html.append(fmt.bullet_list(1))
229
230 for fdict in flist:
231 if not fdict['ownercheck']:
232 continue
233 count += 1
234 space += fdict['fsize']
235 if fdict['latest']:
236 latest = fdict['fmtime']
237 if fdict['deletable']:
238 links.append(fmt.url(1, getAttachUrl(pagename, file, request, do='del')) +
239 fmt.text(label_del) +
240 fmt.url(0))
241
242 links.append(fmt.url(1, getAttachUrl(pagename, file, request)) +
243 fmt.text(label_get) +
244 fmt.url(0))
245
246 links.append(fmt.url(1, getAttachUrl(pagename, file, request, do='view')) +
247 fmt.text(label_view) +
248 fmt.url(0))
249
250 if not sumonly:
251 html.append(fmt.listitem(1))
252 html.append("%(viewlink)s " % fdict)
253 html.append("[ %s ]" % " | ".join(links))
254 html.append(" %(fmtime)s, %(fsize).1f KB" % fdict)
255 html.append(", uploaded by %(ownername)s" % fdict)
256 html.append(fmt.listitem(0))
257 links = []
258 if not sumonly:
259 html.append(fmt.bullet_list(0))
260 if count == 1:
261 uploadtxt = 'upload'
262 else:
263 uploadtxt = 'uploads'
264 html.append(fmt.text(_("%(count)s %(uploadtxt)s stored, \
265 totalling %(fsize)s KB, \
266 latest dated %(fmttime)s") % {
267 'count': count,
268 'uploadtxt': uploadtxt,
269 'fsize': "%.1f" % space,
270 'fmttime': latest}))
271 else:
272 html.append("%s %s stored" % (0, 'uploads'))
273 else:
274 html.append("%s %s stored" % (0, 'uploads'))
275
276 return ''.join(html)
277
278 def _get_files(request, pagename):
279 attach_dir = getAttachDir(request, pagename)
280 if os.path.isdir(attach_dir):
281 files = [fn.decode(config.charset) for fn in os.listdir(attach_dir)]
282 files.sort()
283 else:
284 files = []
285 return files
286
287 def _get_filelist(request, pagename, mime_type='*', owners='*', sort='*'):
288 # set sumonly=0, ie false
289 return _build_filelist(request, pagename, 0, 0, mime_type, owners, sort)
290
291 def _get_info(request, pagename, mime_type='*', owners='*', sort='*'):
292 # set sumonly=1, ie true
293 return _build_filelist(request, pagename, 1, 0, mime_type, owners, sort)
294
295 #############################################################################
296 ### Create parts of the Web interface
297 #############################################################################
298
299 def send_uploadform(pagename, request):
300 """ Send the HTML code for the list of already stored attachments and
301 the file upload form.
302 """
303 _ = request.getText
304
305 if not request.user.may.read(pagename):
306 request.write('<p>%s</p>' % _('You are not allowed to view this page.'))
307 return
308
309 writeable = request.user.may.attach(pagename)
310 overwriteable = request.user.may.detach(pagename)
311 may_delete = request.user.may.delete(pagename)
312
313 # First send out the upload new attachment form on top of everything else.
314 # This avoids usability issues if you have to scroll down a lot to upload
315 # a new file when the page already has lots of attachments:
316 if writeable:
317 request.write('<h2>' + _("New Upload") + '</h2>')
318 if writeable and not overwriteable:
319 request.write("""
320 <form action="%(url)s" method="POST" enctype="multipart/form-data">
321 <dl>
322 <dt>%(upload_label_file)s</dt>
323 <dd><input type="file" name="file" size="50"></dd>
324 <dt>%(upload_label_target)s</dt>
325 <dd><input type="text" name="target" size="50" value="%(target)s"></dd>
326 </dl>
327 %(textcha)s
328 <p>
329 <input type="hidden" name="action" value="%(action_name)s">
330 <input type="hidden" name="do" value="upload">
331 <input type="hidden" name="ticket" value="%(ticket)s">
332 <input type="submit" value="%(upload_button)s">
333 </p>
334 </form>
335 """ % {
336 'url': request.href(pagename),
337 'action_name': action_name,
338 'upload_label_file': _('File to upload'),
339 'upload_label_target': _('Rename to'),
340 'target': wikiutil.escape(request.values.get('target', ''), 1),
341 'upload_button': _('Upload'),
342 'textcha': TextCha(request).render(),
343 'ticket': wikiutil.createTicket(request),
344 })
345 if overwriteable:
346 request.write("""
347 <form action="%(url)s" method="POST" enctype="multipart/form-data">
348 <dl>
349 <dt>%(upload_label_file)s</dt>
350 <dd><input type="file" name="file" size="50"></dd>
351 <dt>%(upload_label_target)s</dt>
352 <dd><input type="text" name="target" size="50" value="%(target)s"></dd>
353 <dt>%(upload_label_overwrite)s</dt>
354 <dd><input type="checkbox" name="overwrite" value="1" %(overwrite_checked)s></dd>
355 </dl>
356 %(textcha)s
357 <p>
358 <input type="hidden" name="action" value="%(action_name)s">
359 <input type="hidden" name="do" value="upload">
360 <input type="hidden" name="ticket" value="%(ticket)s">
361 <input type="submit" value="%(upload_button)s">
362 </p>
363 </form>
364 """ % {
365 'url': request.href(pagename),
366 'action_name': action_name,
367 'upload_label_file': _('File to upload'),
368 'upload_label_target': _('Rename to'),
369 'target': wikiutil.escape(request.values.get('target', ''), 1),
370 'upload_label_overwrite': _('Overwrite existing upload of same name'),
371 'overwrite_checked': ('', 'checked')[request.form.get('overwrite', '0') == '1'],
372 'upload_button': _('Upload'),
373 'textcha': TextCha(request).render(),
374 'ticket': wikiutil.createTicket(request),
375 })
376
377 request.write('<h2>' + _("Uploaded Files") + '</h2>')
378 if writeable and overwriteable and may_delete:
379 request.write('<p>%s</p>' % _('You can upload, download and delete files.'))
380 request.write('<h3>' + _("Your uploads") + '</h3>')
381 request.write(_get_filelist(request, pagename, owners="Self", sort="*"))
382 request.write('<h3>' + _("Other uploads") + '</h3>')
383 request.write(_get_filelist(request, pagename, owners="Other", sort="*"))
384 elif writeable and overwriteable :
385 request.write('<p>%s</p>' % _('You can upload and download files, and delete your own files.'))
386 request.write('<h3>' + _("Your uploads") + '</h3>')
387 request.write(_get_filelist(request, pagename, owners="Self", sort="*"))
388 request.write('<h3>' + _("Other uploads") + '</h3>')
389 request.write(_get_filelist(request, pagename, owners="Other", sort="*"))
390 elif writeable:
391 request.write('<p>%s</p>' % _('You can upload and download, but not delete files.'))
392 request.write(_get_filelist(request, pagename))
393 elif not writeable:
394 request.write('<p>%s</p>' % _('You can download, but not upload or delete files.'))
395 request.write(_get_filelist(request, pagename))
396
397 #############################################################################
398 ### Web interface for file upload, viewing and deletion
399 #############################################################################
400
401 def execute(pagename, request):
402 """ Main dispatcher for the 'DropBox' action. """
403 _ = request.getText
404
405 do = request.values.get('do', 'upload_form')
406 handler = globals().get('_do_%s' % do)
407 if handler:
408 msg = handler(pagename, request)
409 else:
410 msg = _('Unsupported DropBox sub-action: %s') % do
411 if msg:
412 error_msg(pagename, request, msg)
413
414
415 def _do_upload_form(pagename, request):
416 upload_form(pagename, request)
417
418 def upload_form(pagename, request, msg=''):
419 if msg:
420 msg = wikiutil.escape(msg)
421 _ = request.getText
422
423 # Use user interface language for this generated page
424 request.setContentLanguage(request.lang)
425 request.theme.add_msg(msg, "dialog")
426 request.theme.send_title(_('Uploads for "%(pagename)s"') % {'pagename': pagename}, pagename=pagename)
427 request.write('<div id="content">\n') # start content div
428 send_uploadform(pagename, request)
429 request.write('</div>\n') # end content div
430 request.theme.send_footer(pagename)
431 request.theme.send_closing_html()
432
433 def _do_upload(pagename, request):
434 _ = request.getText
435
436 if not wikiutil.checkTicket(request, request.form.get('ticket', '')):
437 return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'DropBox.upload' }
438
439 # Currently we only check TextCha for upload (this is what spammers ususally do),
440 # but it could be extended to more/all attachment write access
441 if not TextCha(request).check_answer_from_form():
442 return _('TextCha: Wrong answer! Go back and try again...')
443
444 form = request.form
445
446 file_upload = request.files.get('file')
447 if not file_upload:
448 # This might happen when trying to upload file names
449 # with non-ascii characters on Safari.
450 return _("No file content. Delete non ASCII characters from the file name and try again.")
451
452 try:
453 overwrite = int(form.get('overwrite', '0'))
454 except:
455 overwrite = 0
456
457 if not request.user.may.attach(pagename):
458 return _('You are not allowed to upload a file to this page.')
459
460 if overwrite and not request.user.may.detach(pagename):
461 return _('You are not allowed to overwrite a file previously uploaded to this page.')
462
463 target = form.get('target', u'').strip()
464 if not target:
465 target = file_upload.filename or u''
466
467 target = wikiutil.clean_input(target)
468
469 if not target:
470 return _("Filename of upload not specified!")
471
472 # add the attachment
473 try:
474 target, bytes = add_attachment(request, pagename, target, file_upload.stream, overwrite=overwrite)
475 msg = _("Upload '%(target)s' (remote name '%(filename)s')"
476 " with %(bytes)d bytes saved.") % {
477 'target': target, 'filename': file_upload.filename, 'bytes': bytes}
478 except AttachmentAlreadyExists:
479 msg = _("Upload '%(target)s' (remote name '%(filename)s') already exists.") % {
480 'target': target, 'filename': file_upload.filename}
481
482 # return attachment list
483 upload_form(pagename, request, msg)
484
485
486 def _do_del(pagename, request):
487 _ = request.getText
488
489 if not wikiutil.checkTicket(request, request.args.get('ticket', '')):
490 return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'DropBox.del' }
491
492 pagename, filename, fpath = _access_file(pagename, request)
493 if not request.user.may.detach(pagename):
494 return _('You are not allowed to delete uploads from this page.')
495 if not filename:
496 return # error msg already sent in _access_file
497
498 remove_attachment(request, pagename, filename)
499
500 upload_form(pagename, request, msg=_("Upload '%(filename)s' deleted.") % {'filename': filename})
501
502
503 def _do_get(pagename, request):
504 _ = request.getText
505
506 pagename, filename, fpath = _access_file(pagename, request)
507 if not request.user.may.read(pagename):
508 return _('You are not allowed to download from this page.')
509 if not filename:
510 return # error msg already sent in _access_file
511
512 timestamp = datetime.datetime.fromtimestamp(os.path.getmtime(fpath))
513 if_modified = request.if_modified_since
514 if if_modified and if_modified >= timestamp:
515 request.status_code = 304
516 else:
517 mt = wikiutil.MimeType(filename=filename)
518 content_type = mt.content_type()
519 mime_type = mt.mime_type()
520
521 # TODO: fix the encoding here, plain 8 bit is not allowed according to the RFCs
522 # There is no solution that is compatible to IE except stripping non-ascii chars
523 filename_enc = filename.encode(config.charset)
524
525 # for dangerous files (like .html), when we are in danger of cross-site-scripting attacks,
526 # we just let the user store them to disk ('attachment').
527 # For safe files, we directly show them inline (this also works better for IE).
528 dangerous = mime_type in request.cfg.mimetypes_xss_protect
529 content_dispo = dangerous and 'attachment' or 'inline'
530
531 now = time.time()
532 request.headers['Date'] = http_date(now)
533 request.headers['Content-Type'] = content_type
534 request.headers['Last-Modified'] = http_date(timestamp)
535 request.headers['Expires'] = http_date(now - 365 * 24 * 3600)
536 request.headers['Content-Length'] = os.path.getsize(fpath)
537 content_dispo_string = '%s; filename="%s"' % (content_dispo, filename_enc)
538 request.headers['Content-Disposition'] = content_dispo_string
539
540 # send data
541 request.send_file(open(fpath, 'rb'))
542
543 def send_viewfile(pagename, request):
544 _ = request.getText
545 fmt = request.html_formatter
546
547 pagename, filename, fpath = _access_file(pagename, request)
548 if not filename:
549 return
550
551 request.write('<h2>' + _("Upload '%(filename)s'") % {'filename': filename} + '</h2>')
552 # show a download link above the content
553 label = _('Download')
554 link = (fmt.url(1, getAttachUrl(pagename, filename, request, do='get'), css_class="download") +
555 fmt.text(label) +
556 fmt.url(0))
557 request.write('%s<br><br>' % link)
558
559 if filename.endswith('.tdraw') or filename.endswith('.adraw'):
560 request.write(fmt.attachment_drawing(filename, ''))
561 return
562
563 mt = wikiutil.MimeType(filename=filename)
564
565 # distinguishs if browser needs a plugin in place
566 if mt.major == 'image' and mt.minor in config.browser_supported_images:
567 url = getAttachUrl(pagename, filename, request)
568 request.write('<img src="%s" alt="%s">' % (
569 wikiutil.escape(url, 1),
570 wikiutil.escape(filename, 1)))
571 return
572 elif mt.major == 'text':
573 ext = os.path.splitext(filename)[1]
574 Parser = wikiutil.getParserForExtension(request.cfg, ext)
575 if Parser is not None:
576 try:
577 content = file(fpath, 'r').read()
578 content = wikiutil.decodeUnknownInput(content)
579 colorizer = Parser(content, request, filename=filename)
580 colorizer.format(request.formatter)
581 return
582 except IOError:
583 pass
584
585 request.write(request.formatter.preformatted(1))
586 # If we have text but no colorizing parser we try to decode file contents.
587 content = open(fpath, 'r').read()
588 content = wikiutil.decodeUnknownInput(content)
589 content = wikiutil.escape(content)
590 request.write(request.formatter.text(content))
591 request.write(request.formatter.preformatted(0))
592 return
593
594 try:
595 package = packages.ZipPackage(request, fpath)
596 if package.isPackage():
597 request.write("<pre><b>%s</b>\n%s</pre>" % (_("Package script:"), wikiutil.escape(package.getScript())))
598 return
599
600 if zipfile.is_zipfile(fpath) and mt.minor == 'zip':
601 zf = zipfile.ZipFile(fpath, mode='r')
602 request.write("<pre>%-46s %19s %12s\n" % (_("File Name"), _("Modified")+" "*5, _("Size")))
603 for zinfo in zf.filelist:
604 date = "%d-%02d-%02d %02d:%02d:%02d" % zinfo.date_time
605 request.write(wikiutil.escape("%-46s %s %12d\n" % (zinfo.filename, date, zinfo.file_size)))
606 request.write("</pre>")
607 return
608 except RuntimeError:
609 # We don't want to crash with a traceback here (an exception
610 # here could be caused by an uploaded defective zip file - and
611 # if we crash here, the user does not get a UI to remove the
612 # defective zip file again).
613 # RuntimeError is raised by zipfile stdlib module in case of
614 # problems (like inconsistent slash and backslash usage in the
615 # archive).
616 logging.exception("An exception within zip file upload handling occurred:")
617 return
618
619 from MoinMoin import macro
620 from MoinMoin.parser.text import Parser
621
622 macro.request = request
623 macro.formatter = request.html_formatter
624 p = Parser("##\n", request)
625 m = macro.Macro(p)
626
627 # use EmbedObject to view valid mime types
628 if mt is None:
629 request.write('<p>' + _("Unknown file type, cannot display this upload inline.") + '</p>')
630 link = (fmt.url(1, getAttachUrl(pagename, filename, request)) +
631 fmt.text(filename) +
632 fmt.url(0))
633 request.write('For using an external program follow this link %s' % link)
634 return
635 request.write(m.execute('EmbedObject', u'target="%s", pagename="%s"' % (filename, pagename)))
636 return
637
638 def _do_view(pagename, request):
639 _ = request.getText
640
641 orig_pagename = pagename
642 pagename, filename, fpath = _access_file(pagename, request)
643 if not request.user.may.read(pagename):
644 return _('You are not allowed to view uploads from this page.')
645 if not filename:
646 return
647
648 request.formatter.page = Page(request, pagename)
649
650 # send header & title
651 # Use user interface language for this generated page
652 request.setContentLanguage(request.lang)
653 title = _('upload:%(filename)s of %(pagename)s') % {
654 'filename': filename, 'pagename': pagename}
655 request.theme.send_title(title, pagename=pagename)
656
657 # send body
658 request.write(request.formatter.startContent())
659 send_viewfile(orig_pagename, request)
660 send_uploadform(pagename, request)
661 request.write(request.formatter.endContent())
662
663 request.theme.send_footer(pagename)
664 request.theme.send_closing_html()
You are not allowed to attach a file to this page.