view server_side/blog.py @ 215:e830a0c60d32
server side: added the security_limit to setParam
- in addition to the check done by the core, Libervia checks that the param to be modified was actually part of the XML returned by getParams with security_limit = 0.
author | souliane <souliane@mailoo.org> |
---|---|
date | Sat, 07 Sep 2013 02:07:07 +0200 |
parents | b9edfa058786 |
children | 6efd189e8d78 |
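#!/usr/bin/python
# -*- coding: utf-8 -*-

"""
Libervia: a Salut à Toi frontend
Copyright (C) 2011, 2012, 2013 Jérôme Poisson <goffi@goffi.org>

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

from server_side.html_tools import sanitizeHtml
from twisted.internet import reactor, defer
from twisted.web import server
from twisted.web.resource import Resource
from twisted.words.protocols.jabber.jid import JID
from datetime import datetime


class MicroBlog(Resource):
    """HTML view of the last group blog entries of a profile.

    The resource is requested as ``/<nickname>``.  The nickname is resolved
    to a profile through the bridge, the profile's JID is fetched
    asynchronously, then its last entries are fetched and rendered.  Every
    value echoed into the page (nickname, entry content) goes through
    sanitizeHtml first, since the nickname comes from the URL and the
    entries from other users.
    """
    isLeaf = True

    ERROR_TEMPLATE = """
<html>
<head>
<title>MICROBLOG ERROR</title>
</head>
<body>
<h1 style='text-align: center; color: red;'>%s</h1>
</body>
</html>
"""

    def __init__(self, host):
        """Keep a reference to the host and make sure the bridge is connected.

        host: the Libervia server object; only ``host.bridge`` is used here.
        """
        self.host = host
        Resource.__init__(self)
        if not host.bridge.isConnected("libervia"):  # FIXME: hard coded value for test
            host.bridge.connect("libervia")

    def render_GET(self, request):
        """Validate the requested nickname and start the asynchronous rendering.

        Returns an error page (as a str) straight away when no nickname is
        given or when it does not map to a usable profile; otherwise returns
        server.NOT_DONE_YET and finishes the request from the deferred
        callbacks (render_html_blog / render_error_blog).
        """
        if not request.postpath:
            return MicroBlog.ERROR_TEMPLATE % "You must indicate a nickname"

        # Untrusted input: first path segment of the URL.
        prof_requested = request.postpath[0]
        # TODO: char check: only use alphanumerical chars + some extra(_,-,...) here
        prof_found = self.host.bridge.getProfileName(prof_requested)
        if not prof_found or prof_found == 'libervia':
            return MicroBlog.ERROR_TEMPLATE % "Invalid nickname"

        def got_jid(pub_jid_s):
            # Second hop: with the profile's JID known, ask for its last 10
            # group blogs and render (or report an error) when they arrive.
            pub_jid = JID(pub_jid_s)
            d2 = defer.Deferred()
            d2.addCallbacks(self.render_html_blog, self.render_error_blog,
                            [request, prof_found], None,
                            [request, prof_found], None)
            self.host.bridge.getLastGroupBlogs(pub_jid.userhost(), 10, 'libervia',
                                               d2.callback, d2.errback)

        # First hop: the JID string is delivered through d1's callback; the
        # bridge call's own return value is not the JID and is ignored.
        d1 = defer.Deferred()
        self.host.bridge.asyncGetParamA('JabberID', 'Connection', 'value', prof_found,
                                        callback=d1.callback, errback=d1.errback)
        d1.addCallback(got_jid)
        # A failed lookup, or an unparsable JID raised inside got_jid, must
        # still finish the request: NOT_DONE_YET has already been returned,
        # so without this errback the client would wait forever.
        d1.addErrback(self.render_error_blog, request, prof_found)
        return server.NOT_DONE_YET

    def render_html_blog(self, mblog_data, request, profile):
        """Write the blog page for *profile* to *request* and finish it.

        mblog_data: entries as delivered by getLastGroupBlogs; each entry's
            'content' is read (KeyError if absent) and 'timestamp' defaults
            to 0 — NOTE(review): the exact entry schema is not visible here.
        request: the twisted request to write to.
        profile: the resolved profile name, shown as the page title.
        """
        # The nickname originates from the URL: escape before echoing it.
        user = sanitizeHtml(profile).encode('utf-8')
        request.write("""
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="../css/blog.css" />
<title>%(user)s's microblog</title>
</head>
<body>
<div class='mblog_title'>%(user)s</div>
""" % {'user': user})
        #mblog_data.reverse()
        for entry in mblog_data:
            timestamp = float(entry.get('timestamp', 0))
            _datetime = datetime.fromtimestamp(timestamp)
            # Entry content is user-authored: sanitize before writing it out.
            request.write("<div class='mblog_content'><span class='mblog_timestamp'>%(date)s</span>%(content)s</div>" % {
                'date': _datetime,
                'content': sanitizeHtml(entry['content']).encode('utf-8')})
        request.write('</body></html>')
        request.finish()

    def render_error_blog(self, error, request, profile):
        """Write a generic error page and finish the request.

        error: the failure (not shown to the client); profile: unused,
        kept for signature compatibility with the deferred argument lists.
        """
        request.write(MicroBlog.ERROR_TEMPLATE % "Can't access requested data")
        request.finish()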