Block anonymous access to upload files

3a876d92 · benjaoming · d1f50d11 · 3a876d92 · 3a876d92 · 3a876d92
Commit 3a876d92 authored Aug 13, 2012 by benjaoming
10 changed files
--- a/TODO.md
+++ b/TODO.md
@@ -13,11 +13,11 @@ Not implemented - will be ASAP
 * Key-value meta data
 * Index views for urlpaths
 * Searching
- * South migrations **Soon**
+ * South migrations **Done**
 * View source for read-only articles + locked status
 * Global moderator permission **Almost done** (need to add grant form for users with *grant* permissions)
 * Are you sure you wanna leave this page?
- * Special view for deleted articles w/ restore button
+ * Special view for deleted articles w/ restore button **Done**
 Ideas
 =====

--- a/testproject/testproject/settings.py
+++ b/testproject/testproject/settings.py
@@ -9,6 +9,8 @@ ADMINS = (
    # ('Your Name', 'your_email@example.com'),
 )
+LOGIN_URL = '/_accounts/login/'
 MANAGERS = ADMINS
 DATABASES = {

--- a/wiki/conf/settings.py
+++ b/wiki/conf/settings.py
@@ -8,6 +8,8 @@ URL_CASE_SENSITIVE = getattr(django_settings, 'WIKI_URL_CASE_SENSITIVE', False)
 APP_LABEL = 'wiki'
 WIKI_LANGUAGE = 'markdown'
+# The editor class to use -- maybe a 3rd party or your own...? You can always
+# extend the built-in editor and customize it....
 EDITOR = getattr(django_settings, 'WIKI_EDITOR', 'wiki.editors.MarkItUp')
 # This slug is used in URLPath if an article has been deleted. The children of the
@@ -15,9 +17,11 @@ EDITOR = getattr(django_settings, 'WIKI_EDITOR', 'wiki.editors.MarkItUp')
 # and all their content.
 LOST_AND_FOUND_SLUG = getattr(django_settings, 'WIKI_LOST_AND_FOUND_SLUG', 'lost-and-found')
+# Do we want to log IPs?
 LOG_IPS_ANONYMOUS = getattr(django_settings, 'WIKI_LOG_IPS_ANONYMOUS', True)
 LOG_IPS_USERS = getattr(django_settings, 'WIKI_LOG_IPS_USERS', False)
+# Sign up, login and logout views should be accessible 
 ACCOUNT_HANDLING = getattr(django_settings, 'WIKI_ACCOUNT_HANDLING', True)
 # Maximum amount of children to display in a menu before going "+more"

--- a/wiki/plugins/attachments/settings.py
+++ b/wiki/plugins/attachments/settings.py
@@ -2,6 +2,9 @@ from django.conf import settings as django_settings
 SLUG = "attachments"
+# Allow anonymous users to upload (not nice on an open network)
+ANONYMOUS = getattr(django_settings, 'WIKI_ATTACHMENTS_ANONYMOUS', False)
 # Maximum file sizes: Please using something like LimitRequestBody on
 # your web server.
 # http://httpd.apache.org/docs/2.2/mod/core.html#LimitRequestBody

--- a/wiki/plugins/attachments/templates/wiki/plugins/attachments/index.html
+++ b/wiki/plugins/attachments/templates/wiki/plugins/attachments/index.html
@@ -82,12 +82,16 @@
        <div id="collapse_upload" class="accordion-body collapse{% if form.errors %} in{% endif %}">
          <div class="accordion-inner">
+            {% if anonymous_disallowed %}
+              {% include "wiki/includes/anonymous_blocked.html" %}
+            {% else %}
            <form method="POST" class="form-vertical" id="attachment_form" enctype="multipart/form-data">
            {% wiki_form form %}
              <button type="submit" name="save" value="1" class="btn btn-large">
                {% trans "Upload file" %}
              </button>
            </form>
+            {% endif %}
          </div>
        </div>

--- a/wiki/plugins/attachments/views.py
+++ b/wiki/plugins/attachments/views.py
 # -*- coding: utf-8 -*-
+from django.conf import settings as django_settings
+from django.contrib import messages
+from django.db import transaction
+from django.db.models import Q
+from django.http import Http404
 from django.shortcuts import redirect, get_object_or_404
 from django.utils.decorators import method_decorator
 from django.utils.translation import ugettext as _
-from django.views.generic.edit import FormView 
-from django.db.models import Q
-from wiki.views.mixins import ArticleMixin
-from wiki.decorators import get_article
-from wiki.plugins.attachments import forms
-from wiki.plugins.attachments import models
-from django.contrib import messages
 from django.views.generic.base import TemplateView, View
-from wiki.core.http import send_file
+from django.views.generic.edit import FormView
-from django.http import Http404
-from django.db import transaction
 from django.views.generic.list import ListView
+from wiki.core.http import send_file
+from wiki.decorators import get_article
+from wiki.plugins.attachments import models, settings, forms
+from wiki.views.mixins import ArticleMixin
 class AttachmentView(ArticleMixin, FormView):
    form_class = forms.AttachmentForm
@@ -34,6 +35,9 @@ class AttachmentView(ArticleMixin, FormView):
    # WARNING! The below decorator silences other exceptions that may occur!
    #@transaction.commit_manually
    def form_valid(self, form):
+        if self.request.user.is_anonymous and not settings.ANONYMOUS:
+            return redirect(django_settings.LOGIN_URL)
        try:
            attachment_revision = form.save(commit=False)
            attachment = models.Attachment()
@@ -59,6 +63,7 @@ class AttachmentView(ArticleMixin, FormView):
        kwargs['attachments'] = self.attachments
        kwargs['search_form'] = forms.SearchForm()
        kwargs['selected_tab'] = 'attachments'
+        kwargs['anonymous_disallowed'] = self.request.user.is_anonymous and not settings.ANONYMOUS
        return super(AttachmentView, self).get_context_data(**kwargs)

--- a/wiki/plugins/images/settings.py
+++ b/wiki/plugins/images/settings.py
 from django.conf import settings as django_settings
 # Where to store images
-IMAGE_PATH = getattr(django_settings, "WIKI_IMAGE_PATH", 'wiki/images/%aid/')
+IMAGE_PATH = getattr(django_settings, 'WIKI_IMAGE_PATH', "wiki/images/%aid/")
+SLUG = 'images'
\ No newline at end of file
--- a/wiki/plugins/images/views.py
+++ b/wiki/plugins/images/views.py
+from wiki.views.mixins import ArticleMixin
+from django.views.generic.base import TemplateView
+from django.utils.decorators import method_decorator
+from wiki.decorators import get_article
+class ImageView(ArticleMixin, TemplateView):
+    @method_decorator(get_article(can_read=True))
+    def dispatch(self, request, article, *args, **kwargs):
+        return super(ImageView, self).dispatch(request, article, *args, **kwargs)
\ No newline at end of file
--- a/wiki/plugins/images/wiki_plugin.py
+++ b/wiki/plugins/images/wiki_plugin.py
+# -*- coding: utf-8 -*-
+from django.conf.urls.defaults import patterns, url
+from django.utils.translation import ugettext as _
+from wiki.core import plugins_registry
+from wiki import plugins
+from wiki.plugins.images import views, models, settings
+from wiki.plugins.notifications import ARTICLE_EDIT
+class ImagePlugin(plugins.BasePlugin):
+    #settings_form = 'wiki.plugins.notifications.forms.SubscriptionForm'
+    slug = settings.SLUG
+    urlpatterns = patterns('',
+        url('^$', views.ImageView.as_view(), name='images_index'),
+    )
+    # List of notifications to construct signal handlers for. This
+    # is handled inside the notifications plugin.
+    notifications = [{'model': models.Image,
+                      'message': lambda obj: _(u"An image was added: %s") % obj.get_filename(),
+                      'key': ARTICLE_EDIT,
+                      'created': True,
+                      'get_article': lambda obj: obj.attachment.article}
+                     ]
+    #markdown_extensions = [AttachmentExtension()]
+    def __init__(self):
+        #print "I WAS LOADED!"
+        pass
+plugins_registry.register(ImagePlugin)
--- a/wiki/templates/wiki/includes/anonymous_blocked.html
+++ b/wiki/templates/wiki/includes/anonymous_blocked.html
+{% load i18n %}
+{% load url from future %}
+<em>
+{% url 'wiki:signup' as signup_url %}
+{% url 'wiki:login' as login_url %}
+{% if login_url and signup_url %}
+  {% blocktrans %}
+  You need to <a href="{{ login_url }}">log in</a> or <a href="{{ signup_url }}">sign up</a> to use this function.
+  {% endblocktrans %}
+{% else %}
+  {% trans "You need to log in og sign up to use this function." %}
+{% endif %}
+</em>