Prevent XSS attacks with wmd using the google-caja html sanitizer.
index 63c65063ea044d8ca82b1aa8b208dbd31df74842..2f35c1ecc82abc7f866ebf3287526f3f41e9eddd 100644 (file)
@@ -1,29 +1,44 @@
+# -*- coding: utf-8 -*-
+
 import datetime
-from forum import settings
+import logging
+
+from urllib import urlencode
+
 from django.core.exceptions import ObjectDoesNotExist
+from django.core.urlresolvers import reverse
 from django.utils import simplejson
-from django.http import HttpResponse, HttpResponseRedirect, HttpResponseForbidden, Http404
-from django.shortcuts import get_object_or_404, render_to_response
+from django.utils.encoding import smart_unicode
 from django.utils.translation import ungettext, ugettext as _
-from django.template import RequestContext
+from django.http import HttpResponse, HttpResponseRedirect, Http404
+from django.shortcuts import get_object_or_404, render_to_response
+
 from forum.models import *
-from forum.models.node import NodeMetaClass
+from forum.utils.decorators import ajax_login_required
 from forum.actions import *
-from django.core.urlresolvers import reverse
-from django.contrib.auth.decorators import login_required
-from forum.utils.decorators import ajax_method, ajax_login_required
-from forum.modules.decorators import decoratable
-from decorators import command, CommandException, RefreshPageCommand
+from forum.modules import decorate
 from forum import settings
-import logging
+
+from decorators import command, CommandException, RefreshPageCommand
 
 class NotEnoughRepPointsException(CommandException):
-    def __init__(self, action):
-        super(NotEnoughRepPointsException, self).__init__(
-                _(
-                        """Sorry, but you don't have enough reputation points to %(action)s.<br />Please check the <a href='%(faq_url)s'>faq</a>"""
-                        ) % {'action': action, 'faq_url': reverse('faq')}
-                )
+    def __init__(self, action, user_reputation=None, reputation_required=None, node=None):
+        if reputation_required is not None and user_reputation is not None:
+            message = _(
+                """Sorry, but you don't have enough reputation points to %(action)s.<br />
+                The minimum reputation required is %(reputation_required)d (yours is %(user_reputation)d).
+                Please check the <a href='%(faq_url)s'>FAQ</a>"""
+            ) % {
+                'action': action,
+                'faq_url': reverse('faq'),
+                'reputation_required' : reputation_required,
+                'user_reputation' : user_reputation,
+            }
+        else:
+            message = _(
+                """Sorry, but you don't have enough reputation points to %(action)s.<br />Please check the <a href='%(faq_url)s'>faq</a>"""
+            ) % {'action': action, 'faq_url': reverse('faq')}
+        super(NotEnoughRepPointsException, self).__init__(message)
 
 class CannotDoOnOwnException(CommandException):
     def __init__(self, action):
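Review bot: The new `node` keyword on NotEnoughRepPointsException.__init__ is accepted but never stored or used, so the `node=post` and `node=comment` arguments that vote_post and like_comment now pass have no effect. Either keep it and expose it with `self.node = node` after the super() call, or drop it from the signature; a short docstring saying that the detailed message is produced only when both `user_reputation` and `reputation_required` are given would also help the next caller. Note that the detailed branch formats both values with `%d`, so a caller passing a non-integer (e.g. an uncast string setting) gets a TypeError from inside the exception constructor — vote_post does cast with int(), but the class should not depend on that.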
@@ -58,7 +73,7 @@ class CannotDoubleActionException(CommandException):
                 )
 
 
-@command
+@decorate.withfn(command)
 def vote_post(request, id, vote_type):
     post = get_object_or_404(Node, id=id).leaf
     user = request.user
@@ -70,11 +85,14 @@ def vote_post(request, id, vote_type):
         raise CannotDoOnOwnException(_('vote'))
 
     if not (vote_type == 'up' and user.can_vote_up() or user.can_vote_down()):
-        raise NotEnoughRepPointsException(vote_type == 'up' and _('upvote') or _('downvote'))
+        reputation_required = int(settings.REP_TO_VOTE_UP) if vote_type == 'up' else int(settings.REP_TO_VOTE_DOWN)
+        action_type = vote_type == 'up' and _('upvote') or _('downvote')
+        raise NotEnoughRepPointsException(action_type, user_reputation=user.reputation, reputation_required=reputation_required, node=post)
 
     user_vote_count_today = user.get_vote_count_today()
+    user_can_vote_count_today = user.can_vote_count_today()
 
-    if user_vote_count_today >= int(settings.MAX_VOTES_PER_DAY):
+    if user_vote_count_today >= user.can_vote_count_today():
         raise NotEnoughLeftException(_('votes'), str(settings.MAX_VOTES_PER_DAY))
 
     new_vote_cls = (vote_type == 'up') and VoteUpAction or VoteDownAction
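Review bot: The condition in front of the new reputation error, `if not (vote_type == 'up' and user.can_vote_up() or user.can_vote_down()):`, parses as `(up and can_vote_up) or can_vote_down`, so an up-vote from a user who may not up-vote but may down-vote slips through; it should read `if not (user.can_vote_up() if vote_type == 'up' else user.can_vote_down()):`. The daily limit is now enforced against `user.can_vote_count_today()` but NotEnoughLeftException still reports `settings.MAX_VOTES_PER_DAY`, so the message can name a different number than the one applied — pass `str(user_can_vote_count_today)` instead, which also uses the local that is computed and then ignored on the very next line. The body of vote_post continues outside this hunk.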
@@ -91,13 +109,11 @@ def vote_post(request, id, vote_type):
                     )
 
         old_vote.cancel(ip=request.META['REMOTE_ADDR'])
-        score_inc += (old_vote.__class__ == VoteDownAction) and 1 or -1
-
-    if old_vote.__class__ != new_vote_cls:
-        new_vote_cls(user=user, node=post, ip=request.META['REMOTE_ADDR']).save()
-        score_inc += (new_vote_cls == VoteUpAction) and 1 or -1
-    else:
+        score_inc = (old_vote.__class__ == VoteDownAction) and 1 or -1
         vote_type = "none"
+    else:
+        new_vote_cls(user=user, node=post, ip=request.META['REMOTE_ADDR']).save()
+        score_inc = (new_vote_cls == VoteUpAction) and 1 or -1
 
     response = {
     'commands': {
@@ -106,7 +122,7 @@ def vote_post(request, id, vote_type):
     }
     }
 
-    votes_left = (int(settings.MAX_VOTES_PER_DAY) - user_vote_count_today) + (vote_type == 'none' and -1 or 1)
+    votes_left = (user_can_vote_count_today - user_vote_count_today) + (vote_type == 'none' and -1 or 1)
 
     if int(settings.START_WARN_VOTES_LEFT) >= votes_left:
         response['message'] = _("You have %(nvotes)s %(tvotes)s left today.") % \
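Review bot: `votes_left` adds 1 when a vote was just cast and subtracts 1 when one was cancelled (`vote_type == 'none' and -1 or 1`), yet `user_vote_count_today` is read before the new vote is saved in the hunks above, so after a fresh vote the user is told they have one more vote left than before. Unless get_vote_count_today() has a compensating semantic I cannot see here, the signs should be swapped: `(vote_type == 'none' and 1 or -1)`. This is pre-existing, but the commit touches the line, so it is a cheap fix to fold in; vote_post continues outside this hunk.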
@@ -114,7 +130,7 @@ def vote_post(request, id, vote_type):
 
     return response
 
-@command
+@decorate.withfn(command)
 def flag_post(request, id):
     if not request.POST:
         return render_to_response('node/report.html', {'types': settings.FLAG_TYPES})
@@ -150,7 +166,7 @@ def flag_post(request, id):
 
     return {'message': _("Thank you for your report. A moderator will review your submission shortly.")}
 
-@command
+@decorate.withfn(command)
 def like_comment(request, id):
     comment = get_object_or_404(Comment, id=id)
     user = request.user
@@ -162,7 +178,7 @@ def like_comment(request, id):
         raise CannotDoOnOwnException(_('like'))
 
     if not user.can_like_comment(comment):
-        raise NotEnoughRepPointsException( _('like comments'))
+        raise NotEnoughRepPointsException( _('like comments'), node=comment)
 
     like = VoteAction.get_action_for(node=comment, user=user)
 
@@ -180,7 +196,7 @@ def like_comment(request, id):
     }
     }
 
-@command
+@decorate.withfn(command)
 def delete_comment(request, id):
     comment = get_object_or_404(Comment, id=id)
     user = request.user
@@ -200,19 +216,19 @@ def delete_comment(request, id):
     }
     }
 
-@command
+@decorate.withfn(command)
 def mark_favorite(request, id):
-    question = get_object_or_404(Question, id=id)
+    node = get_object_or_404(Node, id=id)
 
     if not request.user.is_authenticated():
         raise AnonymousNotAllowedException(_('mark a question as favorite'))
 
     try:
-        favorite = FavoriteAction.objects.get(canceled=False, node=question, user=request.user)
+        favorite = FavoriteAction.objects.get(canceled=False, node=node, user=request.user)
         favorite.cancel(ip=request.META['REMOTE_ADDR'])
         added = False
     except ObjectDoesNotExist:
-        FavoriteAction(node=question, user=request.user, ip=request.META['REMOTE_ADDR']).save()
+        FavoriteAction(node=node, user=request.user, ip=request.META['REMOTE_ADDR']).save()
         added = True
 
     return {
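Review bot: mark_favorite now accepts any Node id, but the AnonymousNotAllowedException still says `_('mark a question as favorite')` and nothing restricts the node type, so answers and comments can be favorited too; if that is intended change the message to `_('mark a post as favorite')`, otherwise keep the lookup restricted to the node types you want. The get_object_or_404 also runs before the authentication check, so an anonymous request can tell whether an id exists (404 versus the exception) — moving the `is_authenticated()` check above the lookup, as the other commands in this file do, closes that. mark_favorite continues outside this hunk.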
@@ -222,8 +238,7 @@ def mark_favorite(request, id):
     }
     }
 
-@decoratable
-@command
+@decorate.withfn(command)
 def comment(request, id):
     post = get_object_or_404(Node, id=id)
     user = request.user
@@ -264,9 +279,12 @@ def comment(request, id):
         return {
         'commands': {
         'insert_comment': [
-                id, comment.id, comment.comment, user.username, user.get_profile_url(),
+                id, comment.id, comment.comment, user.decorated_name, user.get_profile_url(),
                 reverse('delete_comment', kwargs={'id': comment.id}),
-                reverse('node_markdown', kwargs={'id': comment.id})
+                reverse('node_markdown', kwargs={'id': comment.id}),
+                reverse('convert_comment', kwargs={'id': comment.id}),
+                user.can_convert_comment_to_answer(comment),
+                bool(settings.SHOW_LATEST_COMMENTS_FIRST)
                 ]
         }
         }
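Review bot: The insert_comment payload ships `comment.comment` and the new `user.decorated_name` to the browser as raw JSON values; given the commit's stated purpose (sanitizing wmd output), it is worth confirming that the comment text is sanitized before it is stored and that the insert_comment JavaScript handler does not inject these strings via innerHTML, since a "decorated" name presumably carries markup. If the handler does render HTML, the AJAX path should apply the same escaping or sanitizer the server-rendered comment template uses, so the two paths agree. The enclosing comment() function starts before this hunk.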
@@ -277,7 +295,7 @@ def comment(request, id):
         }
         }
 
-@command
+@decorate.withfn(command)
 def node_markdown(request, id):
     user = request.user
 
@@ -285,11 +303,14 @@ def node_markdown(request, id):
         raise AnonymousNotAllowedException(_('accept answers'))
 
     node = get_object_or_404(Node, id=id)
-    return HttpResponse(node.body, mimetype="text/plain")
+    return HttpResponse(node.active_revision.body, mimetype="text/plain")
 
 
-@command
+@decorate.withfn(command)
 def accept_answer(request, id):
+    if settings.DISABLE_ACCEPTING_FEATURE:
+        raise Http404()
+
     user = request.user
 
     if not user.is_authenticated():
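Review bot: node_markdown returns `node.active_revision.body` — raw user-authored markdown — with `mimetype="text/plain"` but without `X-Content-Type-Options: nosniff`, and legacy browsers content-sniff text/plain bodies into HTML; build the response first and set `response['X-Content-Type-Options'] = 'nosniff'` before returning it. The AnonymousNotAllowedException raised a few lines above in the same function still reads `_('accept answers')`, which looks copied from accept_answer; `_('view the markdown source')` or similar fits. accept_answer begins in this hunk and continues past its end.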
@@ -299,7 +320,7 @@ def accept_answer(request, id):
     question = answer.question
 
     if not user.can_accept_answer(answer):
-        raise CommandException(_("Sorry but only the question author can accept an answer"))
+        raise CommandException(_("Sorry but you cannot accept the answer"))
 
     commands = {}
 
@@ -307,18 +328,39 @@ def accept_answer(request, id):
         answer.nstate.accepted.cancel(user, ip=request.META['REMOTE_ADDR'])
         commands['unmark_accepted'] = [answer.id]
     else:
-        accepted = question.accepted_answer
+        if settings.MAXIMUM_ACCEPTED_ANSWERS and (question.accepted_count >= settings.MAXIMUM_ACCEPTED_ANSWERS):
+            raise CommandException(ungettext("This question already has an accepted answer.",
+                "Sorry but this question has reached the limit of accepted answers.", int(settings.MAXIMUM_ACCEPTED_ANSWERS)))
+
+        if settings.MAXIMUM_ACCEPTED_PER_USER and question.accepted_count:
+            accepted_from_author = question.accepted_answers.filter(author=answer.author).count()
+
+            if accepted_from_author >= settings.MAXIMUM_ACCEPTED_PER_USER:
+                raise CommandException(ungettext("The author of this answer already has an accepted answer in this question.",
+                "Sorry but the author of this answer has reached the limit of accepted answers per question.", int(settings.MAXIMUM_ACCEPTED_PER_USER)))             
 
-        if accepted:
-            accepted.nstate.accepted.cancel(user, ip=request.META['REMOTE_ADDR'])
-            commands['unmark_accepted'] = [accepted.id]
 
         AcceptAnswerAction(node=answer, user=user, ip=request.META['REMOTE_ADDR']).save()
+
+        # If the request is not an AJAX redirect to the answer URL rather than to the home page
+        if not request.is_ajax():
+            msg = _("""
+              Congratulations! You've accepted an answer.
+            """)
+
+            # Notify the user with a message that an answer has been accepted
+            request.user.message_set.create(message=msg)
+
+            # Redirect URL should include additional get parameters that might have been attached
+            redirect_url = answer.parent.get_absolute_url() + "?accepted_answer=true&%s" % smart_unicode(urlencode(request.GET))
+
+            return HttpResponseRedirect(redirect_url)
+
         commands['mark_accepted'] = [answer.id]
 
     return {'commands': commands}
 
-@command
+@decorate.withfn(command)
 def delete_post(request, id):
     post = get_object_or_404(Node, id=id)
     user = request.user
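Review bot: The two new limit checks compare `question.accepted_count` and `accepted_from_author` directly against `settings.MAXIMUM_ACCEPTED_ANSWERS` / `settings.MAXIMUM_ACCEPTED_PER_USER`, while the same values are wrapped in `int()` two lines later for ungettext and every other numeric setting in this file is cast (`int(settings.MAX_VOTES_PER_DAY)`); if these settings arrive as strings, `int >= str` is always False under Python 2 and neither limit is ever enforced. Cast once up front, e.g. `max_accepted = int(settings.MAXIMUM_ACCEPTED_ANSWERS or 0)`, and compare against that. In the non-AJAX branch, `smart_unicode(urlencode(request.GET))` uses urllib.urlencode, which str()-converts values and raises UnicodeEncodeError on non-ASCII query parameters — `request.GET.urlencode()` handles that and yields the same string. Also confirm that this non-AJAX path is only reachable by POST, since accepting an answer from a plain GET link would be a CSRF vector. accept_answer starts before this hunk; the hunk's tail only covers the decorator change on delete_post.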
@@ -341,7 +383,7 @@ def delete_post(request, id):
 
     return ret
 
-@command
+@decorate.withfn(command)
 def close(request, id, close):
     if close and not request.POST:
         return render_to_response('node/report.html', {'types': settings.CLOSE_TYPES})
@@ -370,7 +412,7 @@ def close(request, id, close):
 
     return RefreshPageCommand()
 
-@command
+@decorate.withfn(command)
 def wikify(request, id):
     node = get_object_or_404(Node, id=id)
     user = request.user
@@ -394,14 +436,21 @@ def wikify(request, id):
 
     return RefreshPageCommand()
 
-@command
+@decorate.withfn(command)
 def convert_to_comment(request, id):
     user = request.user
     answer = get_object_or_404(Answer, id=id)
     question = answer.question
 
+    # Check whether the user has the required permissions
+    if not user.is_authenticated():
+        raise AnonymousNotAllowedException(_("convert answers to comments"))
+
+    if not user.can_convert_to_comment(answer):
+        raise NotEnoughRepPointsException(_("convert answers to comments"))
+
     if not request.POST:
-        description = lambda a: _("Answer by %(uname)s: %(snippet)s...") % {'uname': a.author.username,
+        description = lambda a: _("Answer by %(uname)s: %(snippet)s...") % {'uname': smart_unicode(a.author.username),
                                                                             'snippet': a.summary[:10]}
         nodes = [(question.id, _("Question"))]
         [nodes.append((a.id, description(a))) for a in
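Review bot: Moving the authentication and can_convert_to_comment checks ahead of the form render is the right order, but the GET branch still renders `node/convert_to_comment.html` with render_to_response and no RequestContext, so a `{% csrf_token %}` in that template would be empty; whether the following POST is covered by CsrfViewMiddleware or by the command decorator is not visible here and is worth confirming for a state-changing action. A one-line docstring would also help, e.g. `"""Move an answer under another node as a comment; GET renders the target picker, POST performs the move."""`. convert_to_comment continues outside this hunk.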
@@ -409,12 +458,6 @@ def convert_to_comment(request, id):
 
         return render_to_response('node/convert_to_comment.html', {'answer': answer, 'nodes': nodes})
 
-    if not user.is_authenticated():
-        raise AnonymousNotAllowedException(_("convert answers to comments"))
-
-    if not user.can_convert_to_comment(answer):
-        raise NotEnoughRepPointsException(_("convert answers to comments"))
-
     try:
         new_parent = Node.objects.get(id=request.POST.get('under', None))
     except:
@@ -427,24 +470,56 @@ def convert_to_comment(request, id):
 
     return RefreshPageCommand()
 
-@command
-def subscribe(request, id):
+@decorate.withfn(command)
+def convert_comment_to_answer(request, id):
+    user = request.user
+    comment = get_object_or_404(Comment, id=id)
+    parent = comment.parent
+
+    if not parent.question:
+        question = parent
+    else:
+        question = parent.question
+    
+    if not user.is_authenticated():
+        raise AnonymousNotAllowedException(_("convert comments to answers"))
+
+    if not user.can_convert_comment_to_answer(comment):
+        raise NotEnoughRepPointsException(_("convert comments to answers"))
+    
+    CommentToAnswerAction(user=user, node=comment, ip=request.META['REMOTE_ADDR']).save(data=dict(question=question))
+
+    return RefreshPageCommand()
+
+@decorate.withfn(command)
+def subscribe(request, id, user=None):
+    if user:
+        try:
+            user = User.objects.get(id=user)
+        except User.DoesNotExist:
+            raise Http404()
+
+        if not (request.user.is_a_super_user_or_staff() or user.is_authenticated()):
+            raise CommandException(_("You do not have the correct credentials to preform this action."))
+    else:
+        user = request.user
+
     question = get_object_or_404(Question, id=id)
 
     try:
-        subscription = QuestionSubscription.objects.get(question=question, user=request.user)
+        subscription = QuestionSubscription.objects.get(question=question, user=user)
         subscription.delete()
         subscribed = False
     except:
-        subscription = QuestionSubscription(question=question, user=request.user, auto_subscription=False)
+        subscription = QuestionSubscription(question=question, user=user, auto_subscription=False)
         subscription.save()
         subscribed = True
 
     return {
-    'commands': {
-    'set_subscription_button': [subscribed and _('unsubscribe me') or _('subscribe me')],
-    'set_subscription_status': ['']
-    }
+        'commands': {
+            'set_subscription_button': [subscribed and _('unsubscribe me') or _('subscribe me')],
+            'set_subscription_status': ['']
+        }
     }
 
 #internally grouped views - used by the tagging system
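Review bot: In the new subscribe() the permission check `if not (request.user.is_a_super_user_or_staff() or user.is_authenticated()):` tests the target user just loaded from the database, and a persisted User's is_authenticated() is always True, so the condition never fails and anyone who can reach the URL can subscribe or unsubscribe any user id to any question. The intended check is presumably that the caller is that user or staff: `if not (request.user.is_a_super_user_or_staff() or request.user.id == user.id):`. The default branch also assigns `user = request.user` without checking authentication, so an anonymous caller reaches the QuestionSubscription lookup with an AnonymousUser; raise AnonymousNotAllowedException there as the other commands do. The bare `except:` around the .get() call additionally turns any database error into a fresh subscription row — catch `QuestionSubscription.DoesNotExist` instead.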
@@ -472,25 +547,86 @@ def matching_tags(request):
     if len(request.GET['q']) == 0:
         raise CommandException(_("Invalid request"))
 
-    possible_tags = Tag.active.filter(name__istartswith = request.GET['q'])
+    possible_tags = Tag.active.filter(name__icontains = request.GET['q'])
     tag_output = ''
     for tag in possible_tags:
-        tag_output += (tag.name + "|" + tag.name + "." + tag.used_count.__str__() + "\n")
+        tag_output += "%s|%s|%s\n" % (tag.id, tag.name, tag.used_count)
 
     return HttpResponse(tag_output, mimetype="text/plain")
 
+def matching_users(request):
+    if len(request.GET['q']) == 0:
+        raise CommandException(_("Invalid request"))
+
+    possible_users = User.objects.filter(username__icontains = request.GET['q'])
+    output = ''
+
+    for user in possible_users:
+        output += ("%s|%s|%s\n" % (user.id, user.decorated_name, user.reputation))
+
+    return HttpResponse(output, mimetype="text/plain")
+
 def related_questions(request):
     if request.POST and request.POST.get('title', None):
+        can_rank, questions = Question.objects.search(request.POST['title'])
+
+        if can_rank and isinstance(can_rank, basestring):
+            questions = questions.order_by(can_rank)
+
         return HttpResponse(simplejson.dumps(
                 [dict(title=q.title, url=q.get_absolute_url(), score=q.score, summary=q.summary)
-                 for q in Question.objects.search(request.POST['title']).filter_state(deleted=False)[0:10]]),
-                            mimetype="application/json")
+                 for q in questions.filter_state(deleted=False)[0:10]]), mimetype="application/json")
     else:
         raise Http404()
 
+@decorate.withfn(command)
+def answer_permanent_link(request, id):
+    # Getting the current answer object
+    answer = get_object_or_404(Answer, id=id)
+
+    # Getting the current object URL -- the Application URL + the object relative URL
+    url = '%s%s' % (settings.APP_BASE_URL, answer.get_absolute_url())
+
+    if not request.POST:
+        # Display the template
+        return render_to_response('node/permanent_link.html', { 'url' : url, })
 
+    return {
+        'commands' : {
+            'copy_url' : [request.POST['permanent_link_url'],],
+        },
+        'message' : _("The permanent URL to the answer has been copied to your clipboard."),
+    }
+
+@decorate.withfn(command)
+def award_points(request, user_id, answer_id):
+    user = request.user
+    awarded_user = get_object_or_404(User, id=user_id)
+    answer = get_object_or_404(Answer, id=answer_id)
+
+    # Users shouldn't be able to award themselves
+    if awarded_user.id == user.id:
+        raise CannotDoOnOwnException(_("award"))
+
+    # Anonymous users cannot award  points, they just don't have such
+    if not user.is_authenticated():
+        raise AnonymousNotAllowedException(_('award'))
+
+    if not request.POST:
+        return render_to_response("node/award_points.html", { 'user' : user, 'awarded_user' : awarded_user, })
+    else:
+        points = int(request.POST['points'])
 
+        # We should check if the user has enough reputation points, otherwise we raise an exception.
+        if points < 0:
+            raise CommandException(_("The number of points to award needs to be a positive value."))
 
+        if user.reputation < points:
+            raise NotEnoughRepPointsException(_("award"))
 
+        extra = dict(message=request.POST.get('message', ''), awarding_user=request.user.id, value=points)
 
+        # We take points from the awarding user
+        AwardPointsAction(user=request.user, node=answer, extra=extra).save(data=dict(value=points, affected=awarded_user))
 
+        return { 'message' : _("You have awarded %(awarded_user)s with %(points)d points") % {'awarded_user' : awarded_user, 'points' : points} }
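Review bot: answer_permanent_link computes `url` from APP_BASE_URL but on POST returns `request.POST['permanent_link_url']` in the copy_url command, so the client is handed back whatever it submitted rather than the server-side value; return `[url,]` and the POST field becomes unnecessary. In award_points, `int(request.POST['points'])` raises KeyError or ValueError on a missing or non-numeric field and `points < 0` still admits 0, so parse defensively and require a positive amount: `try: points = int(request.POST.get('points', '')) except ValueError: raise CommandException(_("Invalid number of points."))` followed by `if points <= 0:`. Note also that AwardPointsAction is saved without the `ip=request.META['REMOTE_ADDR']` every other action in this file records, and that matching_users answers unauthenticated callers with id, display name and reputation for any substring, which is a user-enumeration endpoint — consider gating it on `request.user.is_authenticated()` and capping the result count.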