From ec83c1ff122b7a1d933225335ef962b9c9b8612c Mon Sep 17 00:00:00 2001
From: Philip Sargent
Date: Fri, 26 Mar 2021 19:42:58 +0000
Subject: [PATCH] csrf continued
---
 core/views_survex.py | 36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)
diff --git a/core/views_survex.py b/core/views_survex.py
index 491d20d..2928897 100644
--- a/core/views_survex.py
+++ b/core/views_survex.py
@@ -6,10 +6,12 @@ from pathlib import Path
 from django import forms
 from django.http import HttpResponseRedirect, HttpResponse
+from django.template import RequestContext
 from django.shortcuts import render_to_response, render
 #from django.core.context_processors import csrf
 from django.template.context_processors import csrf
 from django.http import HttpResponse, Http404
+from django.views.decorators.csrf import ensure_csrf_cookie
 from django.core.exceptions import ObjectDoesNotExist, MultipleObjectsReturned
@@ -104,7 +106,7 @@ class SvxForm(forms.Form):
 def GetDiscCode(self):
 fname = survexdatasetpath / (self.data['filename'] + ".svx")
 if not os.path.isfile(fname):
- print(">>> >>> WARNING - svx file not found, showiung TEMPLATE SVX",fname, flush=True)
+ print(">>> >>> WARNING - svx file not found, showing TEMPLATE SVX",fname, flush=True)
 return survextemplatefile
 fin = open(fname, "rt",encoding='utf8',newline='')
 svxtext = fin.read()
@@ -158,7 +160,12 @@ class SvxForm(forms.Form):
 return log
+@ensure_csrf_cookie
 def svx(request, survex_file):
+ '''Displays a singhle survex file in an textarea window (using a javascript online editor to enable
+ editing) with buttons which allow SAVE, check for DIFFerences from saved, and RUN (which runs the
+ cavern executable and displays the output below the main textarea). Requires CSRF to be set upcorrect;ly, and requires permission to write to the filesystem.
+ '''
 # get the basic data from the file given in the URL
 dirname = os.path.split(survex_file)[0]
 dirname += "/"
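Review bot: `@ensure_csrf_cookie` on `svx` only guarantees that the CSRF cookie is sent with the response; it does not validate the token on the POSTs that, per the new docstring, save files and run cavern. Validation depends on `CsrfViewMiddleware` being enabled in settings, which is not visible here; if it is not, add `@csrf_protect` alongside this decorator. The new docstring also has typos worth fixing: `singhle` → `single`, `an textarea` → `a textarea`, `upcorrect;ly` → `up correctly`. The body of `svx` continues outside this hunk.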
@@ -177,7 +184,7 @@ def svx(request, survex_file):
 rcode = rform.cleaned_data['code']
 outputtype = rform.cleaned_data['outputtype']
 difflist = form.DiffCode(rcode)
- #print "ssss", rform.data
+ #print("ssss ", rform.data)
 if "revert" in rform.data:
 pass
@@ -193,7 +200,7 @@ def svx(request, survex_file):
 if request.user.is_authenticated():
 message = form.SaveCode(rcode)
 else:
- message = "You do not have authority to save this file"
+ message = "You do not have authority to save this file. Please log in."
 if message != "SAVED":
 form.data['code'] = rcode
 if "diff" in rform.data:
@@ -219,11 +226,14 @@ def svx(request, survex_file):
 'logmessage':logmessage,
 'form':form}
 vmap.update(csrf(request))
+
 if outputtype == "ajax":
- return render_to_response('svxfiledifflistonly.html', vmap)
- return render_to_response('svxfile.html', vmap)
+ return render(request, 'svxfiledifflistonly.html', vmap)
+
+ return render(request, 'svxfile.html', vmap)
 def svxraw(request, survex_file):
+ '''Used for rendering .log files from survex outputtype'''
 svx = open(os.path.join(survexdatasetpath / survex_file / ".svx"), "rt",encoding='utf8')
 return HttpResponse(svx, content_type="text")
@@ -260,6 +270,7 @@ def err(request, survex_file):
 def identifycavedircontents(gcavedir): # find the primary survex file in each cave directory
+ # this should be in a configuration, not buried in the code...
 name = os.path.split(gcavedir)[1]
 subdirs = [ ]
 subsvx = [ ]
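Review bot: The save is gated on `request.user.is_authenticated()` called as a method, three lines above the changed message; `is_authenticated` became a property in Django 1.10 and calling it raises `TypeError` from Django 2.0 on. If this commit is part of a move to a newer Django (the `render_to_response` replacements elsewhere in the patch suggest so), change it to `if request.user.is_authenticated:`. As far as this hunk shows, being logged in is the only condition before `form.SaveCode(rcode)` writes to disk, so it is worth confirming that every authenticated account is meant to have write access. The enclosing `svx` function starts and ends outside this hunk.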
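Review bot: `svxraw` builds its path from `survex_file` without checking that the result stays under `survexdatasetpath`, and the docstring added here says it renders .log files while the code opens `survexdatasetpath / survex_file / ".svx"`, which makes `.svx` a path component rather than a suffix, unlike `GetDiscCode`. If `survex_file` comes from the URL, resolve the path and reject anything outside the dataset directory before `open()`, and close the file with a `with` block; the docstring should then describe what is actually served. Also in this hunk, `vmap.update(csrf(request))` is probably redundant now that `render(request, ...)` is used, since the token is supplied through the request context.

```python
def svxraw(request, survex_file):
    # path expression kept as in the hunk; confirm whether ".svx" is meant to be a suffix
    base = Path(survexdatasetpath).resolve()
    target = (base / survex_file / ".svx").resolve()
    if base not in target.parents:
        raise Http404
    with open(target, "rt", encoding='utf8') as svx:
        return HttpResponse(svx.read(), content_type="text")
```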
@@ -363,7 +374,7 @@ def survexcaveslist(request):
 elif len(survdirobj) == 1:
 onefilecaves.append(survdirobj[0])
- return render_to_response('svxfilecavelist.html', {'settings': settings, "onefilecaves":onefilecaves, "multifilecaves":multifilecaves, "subdircaves":subdircaves })
+ return render(request, 'svxfilecavelist.html', {'settings': settings, "onefilecaves":onefilecaves, "multifilecaves":multifilecaves, "subdircaves":subdircaves })
 def survexcavesingle(request, survex_cave):
 '''parsing all the survex files of a single cave and showing that it's consistent and can find all
@@ -371,10 +382,11 @@ def survexcavesingle(request, survex_cave):
 kataster numbers are not unique across areas. Fix this. '''
 sc = survex_cave
-
+ context = RequestContext(request)
+ context_dict = {}
 try:
 cave = Cave.objects.get(kataster_number=sc) # This may not be unique.
- return render_to_response('svxcavesingle.html', {'settings': settings, "cave":cave })
+ return render(request, 'svxcavesingle.html', {'settings': settings, "cave":cave })
 except ObjectDoesNotExist: # can get here if the survex file is in a directory labelled with unofficial number not kataster number.
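Review bot: `context = RequestContext(request)` and `context_dict = {}` are assigned at the top of `survexcavesingle`, but neither is used in the lines visible in this hunk or the next one; every return goes through `render(request, ...)`, which builds its own context. Drop both lines, and the `from django.template import RequestContext` import added in the first hunk if nothing else in the file needs it. The function continues in the following hunk, with one line between the two hunks not shown.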
@@ -382,17 +394,17 @@ def survexcavesingle(request, survex_cave):
 for unoff in [sc, sc.replace('-','_'), sc.replace('_','-'), sc.replace('-',''), sc.replace('_','')]:
 try:
 cave = Cave.objects.get(unofficial_number=unoff) # return on first one we find
- return render_to_response('svxcavesingle.html', {'settings': settings, "cave":cave })
+ return render(request, 'svxcavesingle.html', {'settings': settings, "cave":cave })
 except ObjectDoesNotExist:
 continue # next attempt in for loop
- return render_to_response('svxcavesingle404.html', {'settings': settings, "cave":sc })
+ return render(request, 'svxcavesingle404.html', {'settings': settings, "cave":sc })
 except MultipleObjectsReturned:
 caves = Cave.objects.filter(kataster_number=survex_cave)
- return render_to_response('svxcaveseveral.html', {'settings': settings, "caves":caves })
+ return render(request, 'svxcaveseveral.html', {'settings': settings, "caves":caves })
 except:
- return render_to_response('svxcavesingle404.html', {'settings': settings, "cave":sc })
+ return render(request, 'svxcavesingle404.html', {'settings': settings, "cave":sc })
 def check_cave_registered(area, survex_cave):
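Review bot: Both "not found" returns, `render(request, 'svxcavesingle404.html', ...)`, send the 404 template with the default HTTP 200 status; pass `status=404` so clients and monitoring see the miss. The bare `except:` at the end also turns any unrelated failure, database or template errors included, into that same page, which hides faults; catching specific exceptions, or logging before returning, would keep them visible. The start of `survexcavesingle` is outside this hunk.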