mirror of https://expo.survex.com/repositories/troggle/.git synced 2025-12-16 17:27:10 +00:00

moved textedit from uploads to expo

2025-02-13 16:55:12 +00:00
parent a976497b3a
commit ae36f1a9ce
2 changed files with 110 additions and 111 deletions


@@ -25,7 +25,6 @@ from troggle.core.utils import (
is_identified_user
)
from troggle.core.views.editor_helpers import HTMLarea
from troggle.core.views.uploads import edittxtpage
from .auth import login_required_if_public
@@ -527,8 +526,105 @@ def editexpopage(request, path):
"path": path,
"form": pageform,
},
)
)
@login_required_if_public
def edittxtpage(request, path, filepath):
"""Editing a .txt file on expoweb/
Yes this is a security hazard as arbitrary text can be uploaded and it is not enclosed in any HTML furniture.
"""
def simple_get(viewtext):
print(f"simple_get {editor=}")
form = ExpotextfileForm(initial={"identified_login": identified_login, "who_are_you":editor})
if identified_login:
# disable editing the git id string as we get it from the logged-on user data
form.fields["who_are_you"].widget.attrs["readonly"]="readonly"
return render(
request,
"textfileform.html",
{
"form": form,
"path": path,
"message": message,
"filepath": filepath,
"text": viewtext,
},
)
message=""
if not filepath.is_file():
message = f"File not found '{filepath}\n\nfailure detected in expowebpage() in views.expo.py"
print(f"Not a file: {filepath}")
return render(request, "errors/generic.html", {"message": message})
try:
with open(filepath, "r") as f:
originaltext = f.read()
except IOError:
message = f'Cannot open {filepath} for text file reading even though it is a file.'
print(message)
return render(request, "errors/generic.html", {"message": message})
identified_login = is_identified_user(request.user)
editor = get_editor(request)
if request.method == "GET":
return simple_get(originaltext)
elif request.method == "POST":
form = ExpotextfileForm(request.POST)
if not form.is_valid():
message = f'Invalid form response for text file editing "{request.POST}"'
print(message)
return render(request, "errors/generic.html", {"message": message})
else:
editor = form.cleaned_data["who_are_you"]
editor = git_string(editor)
# for i in request.POST:
# print(":: ",i, " => ", request.POST[i])
newtext = request.POST["text"]
print("POST")
if "Cancel" in request.POST:
print("cancel")
return simple_get(originaltext)
if "Save" in request.POST:
print("submitted for saving..")
# should insert sanitization in here
# but user cannot rename the file, and cannot create new files
# and this is only used for .txt files
if newtext != originaltext: # Check if content has changed at all
print("text changed.. saving and committing")
try:
write_and_commit([(filepath, newtext, "utf-8")], f"Online edit of {path}", editor)
except WriteAndCommitError as e:
return render(request, "errors/generic.html", {"message": e.message})
print("re-reading from file..")
try:
with open(filepath) as f:
rereadtext = f.read()
except:
print("### File reading failure, but it exists.. ### ", filepath)
return render(request, "errors/generic.html", {"message": e.message})
savepath = "/" + path
print(f"redirect {savepath}")
response = redirect(savepath) # Redirect after POST
response.set_cookie('editor_id', editor, max_age=COOKIE_MAX_AGE) # cookie expires after COOKIE_MAX_AGE seconds
return response
else:
# no changes
pass
return simple_get(originaltext)
else:
# mistake not POST or GET
message="Something went wrong"
print(message)
return simple_get(originaltext)
class ExpoPageForm(forms.Form):
"""The form used by the editexpopage function"""
@@ -557,4 +653,15 @@ class ExpoPageForm(forms.Form):
}),
label = "Editor",
)
class ExpotextfileForm(forms.Form): # not a model-form, just a form-form
"""Editing .txt files on /expoweb/ which is in a git repo"""
text = forms.CharField(strip=True, required=False)
identified_login = forms.BooleanField(required=False,widget=forms.CheckboxInput(attrs={"onclick":"return false"})) # makes it readonly
who_are_you = forms.CharField(
widget=forms.TextInput(
attrs={"size": 100, "placeholder": "You are editing this page, who are you ? e.g. 'Wookey' or 'Animal <mta@gasthof.expo>'",
"style": "vertical-align: text-top;"}
)
)
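Review bot: In the moved `edittxtpage`, the bare `except:` around the re-read after `write_and_commit` renders `e.message`, but `e` is bound only inside the earlier `except WriteAndCommitError as e` handler, which returns. A failed re-read would therefore raise an UnboundLocalError and produce a server error instead of the intended error page. Narrow the handler and use its own exception: `except OSError as err:` followed by `return render(request, "errors/generic.html", {"message": str(err)})`. Separately, the save branch writes `request.POST["text"]` to the repository unchanged, and both the docstring and the "should insert sanitization in here" comment acknowledge this. Since this commit moves that write path into the expo views, add a comment stating which control is relied on; presumably the `.txt` files are served as `text/plain` with `X-Content-Type-Options: nosniff`, which cannot be confirmed from this hunk.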


@@ -86,115 +86,7 @@ class FilesRenameForm(forms.Form): # not a model-form, just a form-form
class ExpofileRenameForm(forms.Form): # not a model-form, just a form-form
renameto = forms.CharField(strip=True, required=False)
class ExpotextfileForm(forms.Form): # not a model-form, just a form-form
"""Editing .txt files on /expoweb/ which is in a git repo"""
text = forms.CharField(strip=True, required=False)
identified_login = forms.BooleanField(required=False,widget=forms.CheckboxInput(attrs={"onclick":"return false"})) # makes it readonly
who_are_you = forms.CharField(
widget=forms.TextInput(
attrs={"size": 100, "placeholder": "You are editing this page, who are you ? e.g. 'Wookey' or 'Animal <mta@gasthof.expo>'",
"style": "vertical-align: text-top;"}
)
)
@login_required_if_public
def edittxtpage(request, path, filepath):
"""Editing a .txt file on expoweb/
Yes this is a security hazard as arbitrary text can be uploaded and it is not enclosed in any HTML furniture.
"""
def simple_get(viewtext):
print(f"simple_get {editor=}")
form = ExpotextfileForm(initial={"identified_login": identified_login, "who_are_you":editor})
if identified_login:
# disable editing the git id string as we get it from the logged-on user data
form.fields["who_are_you"].widget.attrs["readonly"]="readonly"
return render(
request,
"textfileform.html",
{
"form": form,
"path": path,
"message": message,
"filepath": filepath,
"text": viewtext,
},
)
message=""
if not filepath.is_file():
message = f"File not found '{filepath}\n\nfailure detected in expowebpage() in views.expo.py"
print(f"Not a file: {filepath}")
return render(request, "errors/generic.html", {"message": message})
try:
with open(filepath, "r") as f:
originaltext = f.read()
except IOError:
message = f'Cannot open {filepath} for text file reading even though it is a file.'
print(message)
return render(request, "errors/generic.html", {"message": message})
identified_login = is_identified_user(request.user)
editor = get_editor(request)
if request.method == "GET":
return simple_get(originaltext)
elif request.method == "POST":
form = ExpotextfileForm(request.POST)
if not form.is_valid():
message = f'Invalid form response for text file editing "{request.POST}"'
print(message)
return render(request, "errors/generic.html", {"message": message})
else:
editor = form.cleaned_data["who_are_you"]
editor = git_string(editor)
# for i in request.POST:
# print(":: ",i, " => ", request.POST[i])
newtext = request.POST["text"]
print("POST")
if "Cancel" in request.POST:
print("cancel")
return simple_get(originaltext)
if "Save" in request.POST:
print("submitted for saving..")
# should insert sanitization in here
# but user cannot rename the file, and cannot create new files
# and this is only used for .txt files
if newtext != originaltext: # Check if content has changed at all
print("text changed.. saving and committing")
try:
write_and_commit([(filepath, newtext, "utf-8")], f"Online edit of {path}", editor)
except WriteAndCommitError as e:
return render(request, "errors/generic.html", {"message": e.message})
print("re-reading from file..")
try:
with open(filepath) as f:
rereadtext = f.read()
except:
print("### File reading failure, but it exists.. ### ", filepath)
return render(request, "errors/generic.html", {"message": e.message})
savepath = "/" + path
print(f"redirect {savepath}")
response = redirect(savepath) # Redirect after POST
response.set_cookie('editor_id', editor, max_age=COOKIE_MAX_AGE) # cookie expires after COOKIE_MAX_AGE seconds
return response
else:
# no changes
pass
return simple_get(originaltext)
else:
# mistake not POST or GET
message="Something went wrong"
print(message)
return simple_get(originaltext)
@login_required_if_public