diff options
Diffstat (limited to 'index.py')
| -rw-r--r-- | index.py | 367 |
1 files changed, 367 insertions, 0 deletions
diff --git a/index.py b/index.py new file mode 100644 index 0000000..813e79b --- /dev/null +++ b/index.py @@ -0,0 +1,367 @@ +# setup django environment, so we can use their template engine +from django.core.management import setup_environ +from account import settings +setup_environ(settings) + +from django.template import Context +from django.template.loader import render_to_string + +# mod_python session handling and redirects +from mod_python import Session +from mod_python.util import redirect + +# import mysql bindings +import MySQLdb + +# import other common stuff +from random import choice +import base64, cracklib, sha, string, os + + +# render mail template and send it using local sendmail binary +def sendmail(to_addr, template, c): + c['from_addr'] = "dev@spline.de" + c['to_addr'] = to_addr + + msg = render_to_string(template + "_mail.txt", c) + + # open sendmail process for writing + p = os.popen("/usr/sbin/sendmail -t", 'w') + p.write(msg) + + # close will return exit status + # TODO: log error to some file + if p.close(): + return False + + return True + + +# cleanup database connection after every request +def closedb(req): + req.cursor.close() + req.dbc.close() + + +# start a new session and context and register the session dictionary in our +# global template context +def session_start(req, anonymous): + req.dbc = MySQLdb.connect(host="localhost", user="apache", passwd="password", db="trac") + req.cursor = req.dbc.cursor() + req.register_cleanup(closedb, req) + + s = Session.Session(req) + + if not 'login' in s: + s['login'] = None + + s.save() + + req.c = Context() + req.c['session'] = s + + # None means everyone can acccess this URL + # True/False means only anonymous/authenticated users can access this URL + if anonymous != None: + if (anonymous and s['login']) or (not anonymous and not s['login']): + redirect(req, "index") + + return (req.c, s, req.cursor) + + +# generate a htpasswd compatible sha1 digest in base64 encoding +# see: http://httpd.apache.org/docs/2.2/misc/password_encryptions.html +def generate_sha_base64(password): + return "{SHA}" + base64.encodestring(sha.new(password).digest()).rstrip('\n') + + +# generate a new random password, save it to the database and send it to the user +# WARNING: this function will do an implicit commit/rollback to the database! +def set_random_password(req, user_id, length): + req.c['new_password'] = ''.join([choice(string.letters) for i in range(length)]) + + pw_hash = generate_sha_base64(req.c['new_password']) + req.cursor.execute("UPDATE user SET password = %s WHERE id = %s", (pw_hash, user_id)) + + req.cursor.execute("SELECT email FROM user WHERE id = %s", (user_id,)) + result = req.cursor.fetchone() + email = result[0] + + req.cursor.execute("SELECT login FROM user WHERE id = %s AND password NOT NULL", (user_id,)) + result = req.cursor.fetchone() + + if not result: + template = 'registration' + else: + req.c['login'] = result[0] + template = 'password' + + if not sendmail(email, template, req.c): + req.dbc.rollback() + return "failed to send temporary password. sorry." + + # otherwise commit to database and confirm + req.dbc.commit() + return None + + +def validate_and_register(req, login, email): + # check for invalid entries + if not email.endswith('.fu-berlin.de'): + return "you did not give a *.fu-berlin.de address" + + req.cursor.execute("SELECT login FROM user WHERE login = %s", (login, )) + if req.cursor.fetchone(): + return "username already taken, please choose another one" + + req.cursor.execute("SELECT login FROM user WHERE email = %s", (email, )) + if req.cursor.fetchone(): + return 'you already have an account! <a href="password">forgot your password?</a>' + + # entries are valid - generate activation code and prepare insert statements + hash = ''.join([choice(string.letters) for i in range(10)]) + req.cursor.execute("INSERT INTO user (login, email, date_added) VALUES (%s, %s, NOW())", (login, email)) + req.cursor.execute("INSERT INTO activation (hash, user_id) VALUES (%s, LAST_INSERT_ID())", (hash, )) + + # send confirmation email to applicant + req.c['activation_link'] = "https://dev.spline.de/account/activate?hash=" + hash + + # in case of an error, rollback + if not sendmail(email, 'activation', req.c): + req.dbc.rollback() + return "failed to send confirmation link." + + # otherwise commit to database + req.dbc.commit() + return None + + +############################### +# URL handlers start here # +############################### + +# req = request +def index(req): + (c, s, cursor) = session_start(req, None) + return render_to_string("index.html", c) + + +def activate(req, **formdata): + (c, s, cursor) = session_start(req, True) + + # check whether a (correct) hashcode is given in the url + if "hash" in formdata: + cursor.execute("SELECT user_id FROM activation WHERE hash = %s", (formdata['hash'],)) + result = cursor.fetchone() + + if not result: + c['error_msg'] = "invalid activation code" + else: + user_id = result[0] + cursor.execute("DELETE FROM activation WHERE user_id = %s", (user_id,)) + cursor.execute("UPDATE user SET activated = 1 WHERE id = %s", (user_id,)) + + # send email containing a temporary password + c['error_msg'] = set_random_password(req, user_id, 8) + + if not c['error_msg']: + c['info_msg'] = "your account has been activated. you will receive an email with a temporary password." + + # no hash value given + else: + redirect(req, "index") + + return render_to_string("index.html", c) + + +def login(req, **formdata): + (c, s, cursor) = session_start(req, True) + + if req.method == "POST": + pw_hash = generate_sha_base64(formdata['password']) + cursor.execute("SELECT * FROM user WHERE login = %s AND password = %s", (formdata['login'], pw_hash)) + + if not cursor.fetchone(): + c['error_msg'] = "Login failed. Sorry." + return render_to_string("index.html", c) + else: + s['login'] = formdata['login'] + s.save() + + redirect(req, 'index') + + +def logout(req): + (c, s, cursor) = session_start(req, False) + s['login'] = None + s.save() + redirect(req, 'index') + + +def register(req, **formdata): + (c, s, cursor) = session_start(req, True) + + if req.method == "POST": + c['error_msg'] = validate_and_register(req, formdata['login'], formdata['email']) + if not c['error_msg']: + c['info_msg'] = "we have sent an email to " + formdata['email'] + " with your confirmation link" + return render_to_string("index.html", c) + + return render_to_string("register.html", c) + + +def password(req, **formdata): + (c, s, cursor) = session_start(req, True) + + if req.method == 'POST': + cursor.execute("SELECT id FROM user WHERE email = %s", (formdata['email'],)) + result = cursor.fetchone() + + if not result: + c['error_msg'] = "unknown email address" + else: + c['error_msg'] = set_random_password(req, result[0], 8) + + if not c['error_msg']: + c['info_msg'] = "a new temporary password has been sent to your email address" + return render_to_string("index.html", c) + + return render_to_string("password.html", c) + + +def profile(req, **formdata): + (c, s, cursor) = session_start(req, False) + + if req.method == 'POST': + old_pw_hash = generate_sha_base64(formdata['old_pw']) + cursor.execute("SELECT * FROM user WHERE password = %s AND login = %s", (old_pw_hash,s['login'])) + + new_pw_bad = cracklib.FascistCheck(formdata['new_pw1']) + + if not cursor.fetchone(): + c['error_msg'] = "old pasword did not match" + + elif formdata['new_pw1'] != formdata['new_pw2']: + c['error_msg'] = "new passwords did not match" + + elif new_pw_bad: + c['error_msg'] = "cannot accept new password: " + new_pw_bad + + else: + new_pw_hash = generate_sha_base64(formdata['new_pw1']) + cursor.execute("UPDATE user SET password = %s WHERE login = %s", (new_pw_hash, s['login'])) + req.dbc.commit() + + c['info_msg'] = "new password has been set" + return render_to_string("index.html", c) + + cursor.execute("SELECT email FROM user WHERE login = %s", (s['login'],)) + result = cursor.fetchone() + c['email'] = result[0] + + return render_to_string("profile.html", c) + + +def projects(req, **formdata): + (c, s, cursor) = session_start(req, False) + + if "action" in formdata and "proj_name" in formdata: + if formdata['action'] == "leave": + cursor.execute("delete from member where user_id = (select id from user where login = %s) " + + "and project_id = (select id from project where project_name = %s)", (s['login'], formdata['proj_name'])) + req.dbc.commit() + c['info_msg'] = "you left project " + formdata['proj_name'] + + elif formdata['action'] == "delete": + # check whether the person is member of the project he or she wants to delete + cursor.execute("select * from member where user_id = (select id from user where login = %s) " + + "and project_id = (select id from project where project_name = %s)", (s['login'], formdata['proj_name'])) + if cursor.fetchone() != None: + cursor.execute("update project set deleted = 1 where project_name = %s", (formdata['proj_name'],)) + req.dbc.commit() + c['info_msg'] = "you deleted project " + formdata['proj_name'] + c['proj_name'] = formdata['proj_name'] + sendmail("dev@spline.de", "deleted_project", c) + + cursor.execute("select project_name from project p join member m on m.project_id = p.id join user u on u.id = m.user_id where p.deleted <> 1 and u.login = %s", (s['login'],)) + c['projects'] = cursor.fetchall() + + return render_to_string("projects.html", c) + + +def imprint(req): + (c, s, cursor) = session_start(req, None) + return render_to_string("imprint.html", c) + + +def new_project(req, **formdata): + (c, s, cursor) = session_start(req, False) + + if req.method == "POST": + c['name'] = formdata['project_name'] + c['desc'] = formdata['project_desc'] + c['priv'] = formdata['priv'] + + # send message to dev.spline.de + sendmail("dev@spline.de", "new_project", c) + + # confirm to user + c['info_msg'] = "your application has been sent to the dev.spline.de team. you'll receive a message shortly" + return render_to_string("index.html", c) + + return render_to_string("new_project.html", c) + + +def members(req, **formdata): + (c, s, cursor) = session_start(req, False) + + if not "proj_name" in formdata: + redirect(req,"index") + + proj = formdata['proj_name'] + + cursor.execute("select id from project where project_name = %s", (proj,)) + result = cursor.fetchone() + + if not result: + c['error_msg'] = "project '%s' does not exist" % proj + return render_to_string("index.html", c) + + project_id = result[0] + + # if he/she wants to add/delete members, the logged in user must be a member of the project, too + cursor.execute("select * from member where user_id = (select id from user where login = %s) " + + "and project_id = %s", (s['login'], project_id)) + + if cursor.fetchone() == None: + c['error_msg'] = "you are not a member of project '%s'" % proj + + elif "login" in formdata and "action" in formdata: + who = formdata['login'] + what = formdata['action'] + + cursor.execute("select id from user where login = %s", (who, )) + result = cursor.fetchone() + + if result: + user_id = result[0] + + if what == "delete": + cursor.execute("delete from member where user_id = %s and project_id = %s", (user_id, project_id)) + req.dbc.commit() + c['info_msg'] = "you deleted " + who + " from project " + proj + + elif what == "add": + cursor.execute("insert into member (user_id, project_id) values (%s, %s)", (user_id, project_id)) + req.dbc.commit() + c['info_msg'] = "you added " + who + " to project " + proj + + else: + c['error_msg'] = "invalid user name" + + cursor.execute("select login from user u join member m on u.id = m.user_id " + + "where m.project_id = (select id from project where project_name = %s)", (proj,)) + c['members'] = cursor.fetchall() + c['proj'] = proj + + return render_to_string("members.html", c) |