Prevent XSS attacks with wmd using the google-caja html sanitizer.
index 956463ae03098fcba0706f7967c910fdb143e94d..2f35c1ecc82abc7f866ebf3287526f3f41e9eddd 100644 (file)
@@ -1,29 +1,44 @@
+# -*- coding: utf-8 -*-
+
 import datetime
 import datetime
-from forum import settings
+import logging
+
+from urllib import urlencode
+
 from django.core.exceptions import ObjectDoesNotExist
 from django.core.exceptions import ObjectDoesNotExist
+from django.core.urlresolvers import reverse
 from django.utils import simplejson
 from django.utils import simplejson
+from django.utils.encoding import smart_unicode
+from django.utils.translation import ungettext, ugettext as _
 from django.http import HttpResponse, HttpResponseRedirect, Http404
 from django.shortcuts import get_object_or_404, render_to_response
 from django.http import HttpResponse, HttpResponseRedirect, Http404
 from django.shortcuts import get_object_or_404, render_to_response
-from django.utils.translation import ungettext, ugettext as _
-from django.template import RequestContext
+
 from forum.models import *
 from forum.models import *
-from forum.models.node import NodeMetaClass
+from forum.utils.decorators import ajax_login_required
 from forum.actions import *
 from forum.actions import *
-from django.core.urlresolvers import reverse
-from django.contrib.auth.decorators import login_required
-from forum.utils.decorators import ajax_method, ajax_login_required
-from decorators import command, CommandException, RefreshPageCommand
 from forum.modules import decorate
 from forum import settings
 from forum.modules import decorate
 from forum import settings
-import logging
+
+from decorators import command, CommandException, RefreshPageCommand
 
 class NotEnoughRepPointsException(CommandException):
 
 class NotEnoughRepPointsException(CommandException):
-    def __init__(self, action):
-        super(NotEnoughRepPointsException, self).__init__(
-                _(
-                        """Sorry, but you don't have enough reputation points to %(action)s.<br />Please check the <a href='%(faq_url)s'>faq</a>"""
-                        ) % {'action': action, 'faq_url': reverse('faq')}
-                )
+    def __init__(self, action, user_reputation=None, reputation_required=None, node=None):
+        if reputation_required is not None and user_reputation is not None:
+            message = _(
+                """Sorry, but you don't have enough reputation points to %(action)s.<br />
+                The minimum reputation required is %(reputation_required)d (yours is %(user_reputation)d).
+                Please check the <a href='%(faq_url)s'>FAQ</a>"""
+            ) % {
+                'action': action,
+                'faq_url': reverse('faq'),
+                'reputation_required' : reputation_required,
+                'user_reputation' : user_reputation,
+            }
+        else:
+            message = _(
+                """Sorry, but you don't have enough reputation points to %(action)s.<br />Please check the <a href='%(faq_url)s'>faq</a>"""
+            ) % {'action': action, 'faq_url': reverse('faq')}
+        super(NotEnoughRepPointsException, self).__init__(message)
 
 class CannotDoOnOwnException(CommandException):
     def __init__(self, action):
 
 class CannotDoOnOwnException(CommandException):
     def __init__(self, action):
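Review bot: The new `NotEnoughRepPointsException.__init__` signature accepts a `node` argument but never stores or uses it, so the `node=post` and `node=comment` that the vote_post and like_comment hunks now pass are silently discarded. Either keep it for callers that inspect the exception, `self.node = node` before the `super(...)` call, or drop the parameter and the two call-site keywords. The `%d` placeholders also commit the callers to passing numeric values; an explicit `int(...)` around `user_reputation` here would make that contract visible.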
@@ -70,11 +85,14 @@ def vote_post(request, id, vote_type):
         raise CannotDoOnOwnException(_('vote'))
 
     if not (vote_type == 'up' and user.can_vote_up() or user.can_vote_down()):
         raise CannotDoOnOwnException(_('vote'))
 
     if not (vote_type == 'up' and user.can_vote_up() or user.can_vote_down()):
-        raise NotEnoughRepPointsException(vote_type == 'up' and _('upvote') or _('downvote'))
+        reputation_required = int(settings.REP_TO_VOTE_UP) if vote_type == 'up' else int(settings.REP_TO_VOTE_DOWN)
+        action_type = vote_type == 'up' and _('upvote') or _('downvote')
+        raise NotEnoughRepPointsException(action_type, user_reputation=user.reputation, reputation_required=reputation_required, node=post)
 
     user_vote_count_today = user.get_vote_count_today()
 
     user_vote_count_today = user.get_vote_count_today()
+    user_can_vote_count_today = user.can_vote_count_today()
 
 
-    if user_vote_count_today >= int(settings.MAX_VOTES_PER_DAY):
+    if user_vote_count_today >= user.can_vote_count_today():
         raise NotEnoughLeftException(_('votes'), str(settings.MAX_VOTES_PER_DAY))
 
     new_vote_cls = (vote_type == 'up') and VoteUpAction or VoteDownAction
         raise NotEnoughLeftException(_('votes'), str(settings.MAX_VOTES_PER_DAY))
 
     new_vote_cls = (vote_type == 'up') and VoteUpAction or VoteDownAction
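Review bot: The daily-limit check `if user_vote_count_today >= user.can_vote_count_today():` calls the method a second time although its result was just bound to `user_can_vote_count_today` on the line above, and the `NotEnoughLeftException` it raises still reports `str(settings.MAX_VOTES_PER_DAY)`, so whenever the per-user allowance differs from the global setting the message shows the wrong number. Compare against and report the local: `if user_vote_count_today >= user_can_vote_count_today:` / `raise NotEnoughLeftException(_('votes'), str(user_can_vote_count_today))`. vote_post begins and continues outside this hunk.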
@@ -91,13 +109,11 @@ def vote_post(request, id, vote_type):
                     )
 
         old_vote.cancel(ip=request.META['REMOTE_ADDR'])
                     )
 
         old_vote.cancel(ip=request.META['REMOTE_ADDR'])
-        score_inc += (old_vote.__class__ == VoteDownAction) and 1 or -1
-
-    if old_vote.__class__ != new_vote_cls:
-        new_vote_cls(user=user, node=post, ip=request.META['REMOTE_ADDR']).save()
-        score_inc += (new_vote_cls == VoteUpAction) and 1 or -1
-    else:
+        score_inc = (old_vote.__class__ == VoteDownAction) and 1 or -1
         vote_type = "none"
         vote_type = "none"
+    else:
+        new_vote_cls(user=user, node=post, ip=request.META['REMOTE_ADDR']).save()
+        score_inc = (new_vote_cls == VoteUpAction) and 1 or -1
 
     response = {
     'commands': {
 
     response = {
     'commands': {
@@ -106,7 +122,7 @@ def vote_post(request, id, vote_type):
     }
     }
 
     }
     }
 
-    votes_left = (int(settings.MAX_VOTES_PER_DAY) - user_vote_count_today) + (vote_type == 'none' and -1 or 1)
+    votes_left = (user_can_vote_count_today - user_vote_count_today) + (vote_type == 'none' and -1 or 1)
 
     if int(settings.START_WARN_VOTES_LEFT) >= votes_left:
         response['message'] = _("You have %(nvotes)s %(tvotes)s left today.") % \
 
     if int(settings.START_WARN_VOTES_LEFT) >= votes_left:
         response['message'] = _("You have %(nvotes)s %(tvotes)s left today.") % \
@@ -162,7 +178,7 @@ def like_comment(request, id):
         raise CannotDoOnOwnException(_('like'))
 
     if not user.can_like_comment(comment):
         raise CannotDoOnOwnException(_('like'))
 
     if not user.can_like_comment(comment):
-        raise NotEnoughRepPointsException( _('like comments'))
+        raise NotEnoughRepPointsException( _('like comments'), node=comment)
 
     like = VoteAction.get_action_for(node=comment, user=user)
 
 
     like = VoteAction.get_action_for(node=comment, user=user)
 
@@ -202,17 +218,17 @@ def delete_comment(request, id):
 
 @decorate.withfn(command)
 def mark_favorite(request, id):
 
 @decorate.withfn(command)
 def mark_favorite(request, id):
-    question = get_object_or_404(Question, id=id)
+    node = get_object_or_404(Node, id=id)
 
     if not request.user.is_authenticated():
         raise AnonymousNotAllowedException(_('mark a question as favorite'))
 
     try:
 
     if not request.user.is_authenticated():
         raise AnonymousNotAllowedException(_('mark a question as favorite'))
 
     try:
-        favorite = FavoriteAction.objects.get(canceled=False, node=question, user=request.user)
+        favorite = FavoriteAction.objects.get(canceled=False, node=node, user=request.user)
         favorite.cancel(ip=request.META['REMOTE_ADDR'])
         added = False
     except ObjectDoesNotExist:
         favorite.cancel(ip=request.META['REMOTE_ADDR'])
         added = False
     except ObjectDoesNotExist:
-        FavoriteAction(node=question, user=request.user, ip=request.META['REMOTE_ADDR']).save()
+        FavoriteAction(node=node, user=request.user, ip=request.META['REMOTE_ADDR']).save()
         added = True
 
     return {
         added = True
 
     return {
@@ -265,7 +281,10 @@ def comment(request, id):
         'insert_comment': [
                 id, comment.id, comment.comment, user.decorated_name, user.get_profile_url(),
                 reverse('delete_comment', kwargs={'id': comment.id}),
         'insert_comment': [
                 id, comment.id, comment.comment, user.decorated_name, user.get_profile_url(),
                 reverse('delete_comment', kwargs={'id': comment.id}),
-                reverse('node_markdown', kwargs={'id': comment.id})
+                reverse('node_markdown', kwargs={'id': comment.id}),
+                reverse('convert_comment', kwargs={'id': comment.id}),
+                user.can_convert_comment_to_answer(comment),
+                bool(settings.SHOW_LATEST_COMMENTS_FIRST)
                 ]
         }
         }
                 ]
         }
         }
@@ -284,7 +303,7 @@ def node_markdown(request, id):
         raise AnonymousNotAllowedException(_('accept answers'))
 
     node = get_object_or_404(Node, id=id)
         raise AnonymousNotAllowedException(_('accept answers'))
 
     node = get_object_or_404(Node, id=id)
-    return HttpResponse(node.body, mimetype="text/plain")
+    return HttpResponse(node.active_revision.body, mimetype="text/plain")
 
 
 @decorate.withfn(command)
 
 
 @decorate.withfn(command)
@@ -322,6 +341,21 @@ def accept_answer(request, id):
 
 
         AcceptAnswerAction(node=answer, user=user, ip=request.META['REMOTE_ADDR']).save()
 
 
         AcceptAnswerAction(node=answer, user=user, ip=request.META['REMOTE_ADDR']).save()
+
+        # If the request is not an AJAX redirect to the answer URL rather than to the home page
+        if not request.is_ajax():
+            msg = _("""
+              Congratulations! You've accepted an answer.
+            """)
+
+            # Notify the user with a message that an answer has been accepted
+            request.user.message_set.create(message=msg)
+
+            # Redirect URL should include additional get parameters that might have been attached
+            redirect_url = answer.parent.get_absolute_url() + "?accepted_answer=true&%s" % smart_unicode(urlencode(request.GET))
+
+            return HttpResponseRedirect(redirect_url)
+
         commands['mark_accepted'] = [answer.id]
 
     return {'commands': commands}
         commands['mark_accepted'] = [answer.id]
 
     return {'commands': commands}
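Review bot: The `redirect_url` line serialises `request.GET` through `urllib.urlencode`, which keeps only one value per repeated key and is why the `smart_unicode` wrapper was needed; `request.GET.urlencode()` is the QueryDict's own method, preserves repeated keys and returns a plain string. The format also leaves a dangling `&` in `?accepted_answer=true&` when the request carries no query parameters. Suggested: `extra = request.GET.urlencode()` / `redirect_url = answer.parent.get_absolute_url() + "?accepted_answer=true" + (extra and "&" + extra or "")`. The enclosing accept_answer body starts outside the hunk.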
@@ -408,8 +442,15 @@ def convert_to_comment(request, id):
     answer = get_object_or_404(Answer, id=id)
     question = answer.question
 
     answer = get_object_or_404(Answer, id=id)
     question = answer.question
 
+    # Check whether the user has the required permissions
+    if not user.is_authenticated():
+        raise AnonymousNotAllowedException(_("convert answers to comments"))
+
+    if not user.can_convert_to_comment(answer):
+        raise NotEnoughRepPointsException(_("convert answers to comments"))
+
     if not request.POST:
     if not request.POST:
-        description = lambda a: _("Answer by %(uname)s: %(snippet)s...") % {'uname': a.author.username,
+        description = lambda a: _("Answer by %(uname)s: %(snippet)s...") % {'uname': smart_unicode(a.author.username),
                                                                             'snippet': a.summary[:10]}
         nodes = [(question.id, _("Question"))]
         [nodes.append((a.id, description(a))) for a in
                                                                             'snippet': a.summary[:10]}
         nodes = [(question.id, _("Question"))]
         [nodes.append((a.id, description(a))) for a in
@@ -417,12 +458,6 @@ def convert_to_comment(request, id):
 
         return render_to_response('node/convert_to_comment.html', {'answer': answer, 'nodes': nodes})
 
 
         return render_to_response('node/convert_to_comment.html', {'answer': answer, 'nodes': nodes})
 
-    if not user.is_authenticated():
-        raise AnonymousNotAllowedException(_("convert answers to comments"))
-
-    if not user.can_convert_to_comment(answer):
-        raise NotEnoughRepPointsException(_("convert answers to comments"))
-
     try:
         new_parent = Node.objects.get(id=request.POST.get('under', None))
     except:
     try:
         new_parent = Node.objects.get(id=request.POST.get('under', None))
     except:
@@ -436,23 +471,55 @@ def convert_to_comment(request, id):
     return RefreshPageCommand()
 
 @decorate.withfn(command)
     return RefreshPageCommand()
 
 @decorate.withfn(command)
-def subscribe(request, id):
+def convert_comment_to_answer(request, id):
+    user = request.user
+    comment = get_object_or_404(Comment, id=id)
+    parent = comment.parent
+
+    if not parent.question:
+        question = parent
+    else:
+        question = parent.question
+    
+    if not user.is_authenticated():
+        raise AnonymousNotAllowedException(_("convert comments to answers"))
+
+    if not user.can_convert_comment_to_answer(comment):
+        raise NotEnoughRepPointsException(_("convert comments to answers"))
+    
+    CommentToAnswerAction(user=user, node=comment, ip=request.META['REMOTE_ADDR']).save(data=dict(question=question))
+
+    return RefreshPageCommand()
+
+@decorate.withfn(command)
+def subscribe(request, id, user=None):
+    if user:
+        try:
+            user = User.objects.get(id=user)
+        except User.DoesNotExist:
+            raise Http404()
+
+        if not (request.user.is_a_super_user_or_staff() or user.is_authenticated()):
+            raise CommandException(_("You do not have the correct credentials to preform this action."))
+    else:
+        user = request.user
+
     question = get_object_or_404(Question, id=id)
 
     try:
     question = get_object_or_404(Question, id=id)
 
     try:
-        subscription = QuestionSubscription.objects.get(question=question, user=request.user)
+        subscription = QuestionSubscription.objects.get(question=question, user=user)
         subscription.delete()
         subscribed = False
     except:
         subscription.delete()
         subscribed = False
     except:
-        subscription = QuestionSubscription(question=question, user=request.user, auto_subscription=False)
+        subscription = QuestionSubscription(question=question, user=user, auto_subscription=False)
         subscription.save()
         subscribed = True
 
     return {
         subscription.save()
         subscribed = True
 
     return {
-    'commands': {
-    'set_subscription_button': [subscribed and _('unsubscribe me') or _('subscribe me')],
-    'set_subscription_status': ['']
-    }
+        'commands': {
+            'set_subscription_button': [subscribed and _('unsubscribe me') or _('subscribe me')],
+            'set_subscription_status': ['']
+        }
     }
 
 #internally grouped views - used by the tagging system
     }
 
 #internally grouped views - used by the tagging system
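Review bot: In `subscribe`, when a `user` id is supplied the credential check `if not (request.user.is_a_super_user_or_staff() or user.is_authenticated()):` tests the target user that was just loaded from the database, not the requester; if `User.is_authenticated()` follows Django's contract of returning True for any persisted user instance, the condition is always satisfied and any visitor who knows a user id can toggle that user's subscription. The check should compare identities: `if not (request.user.is_a_super_user_or_staff() or request.user.id == user.id):`. The message raised on the next line also misspells "perform" as "preform".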
@@ -480,25 +547,86 @@ def matching_tags(request):
     if len(request.GET['q']) == 0:
         raise CommandException(_("Invalid request"))
 
     if len(request.GET['q']) == 0:
         raise CommandException(_("Invalid request"))
 
-    possible_tags = Tag.active.filter(name__istartswith = request.GET['q'])
+    possible_tags = Tag.active.filter(name__icontains = request.GET['q'])
     tag_output = ''
     for tag in possible_tags:
     tag_output = ''
     for tag in possible_tags:
-        tag_output += (tag.name + "|" + tag.name + "." + tag.used_count.__str__() + "\n")
+        tag_output += "%s|%s|%s\n" % (tag.id, tag.name, tag.used_count)
 
     return HttpResponse(tag_output, mimetype="text/plain")
 
 
     return HttpResponse(tag_output, mimetype="text/plain")
 
+def matching_users(request):
+    if len(request.GET['q']) == 0:
+        raise CommandException(_("Invalid request"))
+
+    possible_users = User.objects.filter(username__icontains = request.GET['q'])
+    output = ''
+
+    for user in possible_users:
+        output += ("%s|%s|%s\n" % (user.id, user.decorated_name, user.reputation))
+
+    return HttpResponse(output, mimetype="text/plain")
+
 def related_questions(request):
     if request.POST and request.POST.get('title', None):
         can_rank, questions = Question.objects.search(request.POST['title'])
 def related_questions(request):
     if request.POST and request.POST.get('title', None):
         can_rank, questions = Question.objects.search(request.POST['title'])
+
+        if can_rank and isinstance(can_rank, basestring):
+            questions = questions.order_by(can_rank)
+
         return HttpResponse(simplejson.dumps(
                 [dict(title=q.title, url=q.get_absolute_url(), score=q.score, summary=q.summary)
                  for q in questions.filter_state(deleted=False)[0:10]]), mimetype="application/json")
     else:
         raise Http404()
 
         return HttpResponse(simplejson.dumps(
                 [dict(title=q.title, url=q.get_absolute_url(), score=q.score, summary=q.summary)
                  for q in questions.filter_state(deleted=False)[0:10]]), mimetype="application/json")
     else:
         raise Http404()
 
+@decorate.withfn(command)
+def answer_permanent_link(request, id):
+    # Getting the current answer object
+    answer = get_object_or_404(Answer, id=id)
+
+    # Getting the current object URL -- the Application URL + the object relative URL
+    url = '%s%s' % (settings.APP_BASE_URL, answer.get_absolute_url())
+
+    if not request.POST:
+        # Display the template
+        return render_to_response('node/permanent_link.html', { 'url' : url, })
+
+    return {
+        'commands' : {
+            'copy_url' : [request.POST['permanent_link_url'],],
+        },
+        'message' : _("The permanent URL to the answer has been copied to your clipboard."),
+    }
+
+@decorate.withfn(command)
+def award_points(request, user_id, answer_id):
+    user = request.user
+    awarded_user = get_object_or_404(User, id=user_id)
+    answer = get_object_or_404(Answer, id=answer_id)
 
 
+    # Users shouldn't be able to award themselves
+    if awarded_user.id == user.id:
+        raise CannotDoOnOwnException(_("award"))
+
+    # Anonymous users cannot award  points, they just don't have such
+    if not user.is_authenticated():
+        raise AnonymousNotAllowedException(_('award'))
+
+    if not request.POST:
+        return render_to_response("node/award_points.html", { 'user' : user, 'awarded_user' : awarded_user, })
+    else:
+        points = int(request.POST['points'])
 
 
+        # We should check if the user has enough reputation points, otherwise we raise an exception.
+        if points < 0:
+            raise CommandException(_("The number of points to award needs to be a positive value."))
 
 
+        if user.reputation < points:
+            raise NotEnoughRepPointsException(_("award"))
 
 
+        extra = dict(message=request.POST.get('message', ''), awarding_user=request.user.id, value=points)
 
 
+        # We take points from the awarding user
+        AwardPointsAction(user=request.user, node=answer, extra=extra).save(data=dict(value=points, affected=awarded_user))
 
 
+        return { 'message' : _("You have awarded %(awarded_user)s with %(points)d points") % {'awarded_user' : awarded_user, 'points' : points} }
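Review bot: In `award_points`, `points = int(request.POST['points'])` turns a missing or non-numeric form field into an uncaught `KeyError`/`ValueError` rather than the `CommandException` the neighbouring checks use, and the guard `if points < 0:` still lets `0` through; wrap the conversion in a `try`/`except (KeyError, ValueError)` that raises the same "needs to be a positive value" `CommandException`, and test `if points <= 0:`. In `answer_permanent_link`, the `copy_url` command returns `request.POST['permanent_link_url']`, i.e. whatever the client submitted, although `url` was just computed from `settings.APP_BASE_URL` two lines earlier; returning `url` there avoids echoing a client-controlled value back to the page.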