X-Git-Url: https://code.wpia.club/?p=motion.git;a=blobdiff_plain;f=motion.py;h=0156ba3aa6a4b85498ac87e63ba6b4d552b7b1b0;hp=82efd0021cef93a1ed51c7abf958059657e24e12;hb=refs%2Fheads%2Fmaster;hpb=65f725a29286db658c4c2c28b7502270fc5de748
diff --git a/motion.py b/motion.py
index 82efd00..0156ba3 100644
--- a/motion.py
+++ b/motion.py
@@ -12,6 +12,7 @@ from datetime import date, time, datetime from flask_language import Language, current_language import gettext import click +import re def get_db(): db = getattr(g, '_database', None)
@@ -29,6 +30,7 @@ gettext.install('motion') class EscapeHtml(Extension): def extendMarkdown(self, md, md_globals): del md.preprocessors['html_block'] + del md.postprocessors['raw_html'] del md.inlinePatterns['html'] md = Markdown(app, extensions=[EscapeHtml()])
@@ -60,6 +62,7 @@ class ConfigProxy: prefix = ConfigProxy("GROUP_PREFIX") times = ConfigProxy("DURATION") debuguser = ConfigProxy("DEBUGUSER") +motion_wait_minutes = ConfigProxy("MOTION_WAIT_MINUTES") max_proxy=app.config.get("MAX_PROXY")
@@ -111,10 +114,10 @@ def lookup_user(): db = get_db() with db.xact(): - rv = db.prepare("SELECT id FROM voter WHERE email=$1")(user) + rv = db.prepare("SELECT id FROM voter WHERE email=$1 AND host=$2")(user, request.host) if len(rv) == 0: - db.prepare("INSERT INTO voter(\"email\") VALUES($1)")(user) - rv = db.prepare("SELECT id FROM voter WHERE email=$1")(user) + db.prepare("INSERT INTO voter(\"email\", \"host\") VALUES($1, $2)")(user, request.host) + rv = db.prepare("SELECT id FROM voter WHERE email=$1 AND host=$2")(user, request.host) g.voter = rv[0].get("id"); g.proxies_given = "" rv = db.prepare("SELECT email, voter_id FROM voter, proxy WHERE proxy.proxy_id = voter.id AND proxy.revoked IS NULL AND proxy.voter_id = $1 ")(g.voter)
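Review bot: Deleting the `raw_html` postprocessor in EscapeHtml.extendMarkdown removes the step that substitutes stashed HTML back into the rendered output, so any extension that stores its result in `md.htmlStash` (fenced code blocks and code highlighting do, if they are enabled here, which this hunk does not show) would render as its placeholder token instead of as HTML. Removing pipeline stages by registry name also ties the escaping to Python-Markdown internals that have changed between major versions (the `md_globals` parameter on this signature is the pre-3.0 API), so a version bump could silently re-enable raw HTML rather than fail loudly. A more robust defence for user-supplied motion text is to keep this escaping and additionally pass the rendered output through an allowlist HTML sanitizer before it reaches the template, plus a test that renders a string containing a `<script>` tag and asserts no such element survives. At minimum the intent should be stated in a comment, e.g. `# Treat user Markdown as untrusted: recognise no block or inline HTML and re-insert no stashed HTML.`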
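Review bot: The host scoping added to lookup_user keys voter rows on `request.host`, which Flask takes from the client-supplied Host header unless the application pins `SERVER_NAME` or the reverse proxy normalises it, so a request carrying an arbitrary Host value now creates a fresh voter row for a host that is not configured and receives a `g.voter` for it. Before the INSERT the host should be checked against the set of hosts the application is configured for (the `ConfigProxy.per_host` lookups elsewhere in this file suggest such a set exists; the class body is not on this page) and unknown hosts rejected with a 4xx. The SELECT-then-INSERT pair is also racy for two concurrent first logins of the same user unless `sql/from_5.sql` adds a UNIQUE constraint on (email, host); that file is not on this page. lookup_user continues past the end of the hunk.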
@@ -155,7 +158,7 @@ def init_footer_variables(): footer = dict( version_year=version_year, copyright_link=app.config.get("COPYRIGHTLINK"), copyright_name=app.config.get("COPYRIGHTNAME"), - imprint_link=app.config.get("DATAPROTECTIONLINK"), + imprint_link=app.config.get("IMPRINTLINK"), dataprotection_link=app.config.get("DATAPROTECTIONLINK") ) ) @@ -171,11 +174,15 @@ def may_admin(action): return action in g.roles def get_voters(): - rv = get_db().prepare("SELECT email FROM voter") + rv = get_db().prepare("SELECT email FROM voter WHERE host=$1")(request.host) return rv def get_all_proxies(): - rv = get_db().prepare("SELECT p.id as id, v1.email as voter_email, v1.id as voterid, v2.email as proxy_email, v2.id as proxyid FROM voter AS v1, voter AS v2, proxy AS p WHERE v2.id = p.proxy_id AND v1.id = p.voter_id AND p.revoked is NULL ORDER BY voter_email, proxy_email") + rv = get_db().prepare("SELECT p.id as id, v1.email as voter_email, v1.id as voterid, "\ + + "v2.email as proxy_email, v2.id as proxyid "\ + + "FROM voter AS v1, voter AS v2, proxy AS p "\ + + "WHERE v2.id = p.proxy_id AND v1.id = p.voter_id AND p.revoked is NULL "\ + + "AND v1.host=$1 AND v2.host=$1 ORDER BY voter_email, proxy_email")(request.host) return rv @app.teardown_appcontext 
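Review bot: In get_all_proxies the SQL string is assembled with `"..."\` line continuations plus a leading `+` on the following line; inside the `prepare(...)` parentheses the backslash is redundant, and adjacent string literals concatenate implicitly, so both the `\` and the `+` can be dropped, e.g. `"SELECT p.id as id, v1.email as voter_email, v1.id as voterid, " "v2.email as proxy_email, v2.id as proxyid "`. The same pattern appears in the migration statements of hunk `@@ -237,8 +244,42 @@`. Both functions would also benefit from a one-line docstring stating that results are scoped to the request's host, e.g. `"""Return the email of every voter registered for request.host."""`.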
@@ -237,8 +244,42 @@ def init_db(): db.execute(f.read()) db.prepare("UPDATE \"schema_version\" SET \"version\"=5")() + if ver < 6: + with app.open_resource('sql/from_5.sql', mode='r') as f: + db.execute(f.read()) + rv=db.prepare("INSERT INTO voter (email, host) (SELECT vt.email, m.host FROM motion AS m, voter AS vt, vote as v "\ + + "WHERE (m.id=v.motion_id AND v.voter_id = vt.id) OR (m.id=v.motion_id AND v.proxy_id = vt.id) "\ + + "GROUP BY m.host, vt.email ORDER BY m.host, vt.email)")() + rv=db.prepare("UPDATE vote SET voter_id = "\ + + "(SELECT v_new.id FROM motion AS m, voter AS v_new, voter as v_old "\ + + "WHERE v_new.email = v_old.email AND v_old.id = vote.voter_id AND "\ + + "vote.motion_id = m.id AND m.host = v_new.host AND v_old.host is NULL)")() + rv=db.prepare("UPDATE vote SET proxy_id = "\ + + "(SELECT v_new.id FROM motion AS m, voter AS v_new, voter as v_old "\ + + "WHERE v_new.email = v_old.email AND v_old.id = vote.proxy_id AND "\ + + "vote.motion_id = m.id AND m.host = v_new.host AND v_old.host is NULL)")() + db.prepare("DELETE FROM voter WHERE host IS Null")() + db.prepare("ALTER TABLE \"voter\" ALTER COLUMN \"host\" SET NOT NULL")() + db.prepare("UPDATE \"schema_version\" SET \"version\"=6")() + + if ver < 7: + with app.open_resource('sql/from_6.sql', mode='r') as f: + db.execute(f.read()) + db.prepare("UPDATE \"schema_version\" SET \"version\"=7")() + init_db() +def is_in_ratelimit(group): + rv = get_db().prepare("SELECT EXTRACT(EPOCH FROM (CURRENT_TIMESTAMP - posed)) AS timedifference FROM motion WHERE type=$1 AND host=$2 ORDER BY posed DESC LIMIT 1")(group, request.host) + if len(rv) == 0: + return True + rate_limit = motion_wait_minutes.per_host + if rate_limit is None: + rate_limit = 0 + if rv[0]['timedifference'] > rate_limit*60: + return True + else: + return _('Error, time between last motion to short. The current setting is %s minute(s).') % (str(rate_limit)) @app.route("/") def main(): 
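Review bot: The version-6 migration only creates host-scoped voter rows for emails that appear in `vote` as voter or proxy, then runs `DELETE FROM voter WHERE host IS Null`, so any voter who never cast or received a vote (rows created via `create-user`, or rows referenced only from `proxy`) is dropped; if `proxy.voter_id`/`proxy_id` carry a foreign key the DELETE fails mid-migration, otherwise those proxy rows are orphaned. Creating a host-scoped row for every existing voter on each host present in `motion`, or at least for the participants of unrevoked `proxy` rows, before the DELETE would avoid that; the schema files referenced here are not on this page, so this is inferred from the statements visible in the hunk. In `is_in_ratelimit` the message has a typo, `to short` should read `too short`, and the function returns either `True` or a message string, which forces callers into `is not True` comparisons; returning `None` on success and the message otherwise would be clearer. The function also needs a docstring noting that an unset `MOTION_WAIT_MINUTES` disables the limit.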
@@ -270,6 +311,12 @@ def rel_redirect(loc): r.autocorrect_location_header = False return r +def write_proxy_log(userid, action, comment): + get_db().prepare("INSERT INTO adminlog(user_id, action, comment, action_user_id) VALUES($1, $2, $3, $4)")(userid, action, comment, g.voter) + +def write_masking_log(comment): + get_db().prepare("INSERT INTO adminlog(user_id, action, comment, action_user_id) VALUES($1, 'motionmasking', $2, $1)")(0, comment) + @app.route("/motion", methods=['POST']) def put_motion(): cat=request.form.get("category", "") @@ -286,6 +333,9 @@ def put_motion(): content=content.strip() if content =='': return _('Error, missing content'), 400 + ratelimit = is_in_ratelimit(cat) + if ratelimit is not True: + return ratelimit, 400 db = get_db() with db.xact(): @@ -296,7 +346,10 @@ def put_motion(): if len(sr) == 0 or sr[0][0] is None: ident=prefix.per_host[cat]+"."+t.strftime("%Y%m%d")+".001" else: - ident=prefix.per_host[cat]+"."+t.strftime("%Y%m%d")+"."+("%03d" % (int(sr[0][0].split(".")[2])+1)) + nextId = int(sr[0][0].split(".")[2])+1 + if nextId >= 1000: + return _('Too many motions for this day'), 500 + ident=prefix.per_host[cat]+"."+t.strftime("%Y%m%d")+"."+("%03d" % nextId) p = db.prepare("INSERT INTO motion(\"name\", \"content\", \"deadline\", \"posed_by\", \"type\", \"identifier\", \"host\") VALUES($1, $2, CURRENT_TIMESTAMP + $3 * interval '1 days', $4, $5, $6, $7)") p(title, content, time, g.voter, cat, ident, request.host) return rel_redirect("/") 
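Review bot: write_proxy_log and write_masking_log have no docstrings, and the meaning of `userid` matters because it is stored as `adminlog.user_id` while `g.voter` goes to `action_user_id`: add_proxy passes the affected voter's id, but revoke_proxy (hunk `@@ -433,6 +487,7 @@`) passes `int(id)`, the proxy row's id, so the column ends up holding two different kinds of identifier. The revoke path can fetch the voter instead, e.g. `rv = get_db().prepare("UPDATE proxy SET revoked=CURRENT_TIMESTAMP, revoked_by=$1 WHERE id=$2 RETURNING voter_id, proxy_id")(g.voter, int(id))` followed by `write_proxy_log(rv[0].get("voter_id"), 'proxyrevoked', 'proxy: '+str(rv[0].get("proxy_id")))`, guarded by a check that `rv` is not empty. A docstring such as `"""Record a proxy change in adminlog: userid is the affected voter's id, action the event name, comment free text; the acting user is g.voter."""` would pin the contract for future callers. write_masking_log writes user_id and action_user_id as 0, presumably because it runs from the CLI without a logged-in voter; its docstring should say so.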
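Review bot: The rate-limit check in put_motion runs before `db = get_db()` and outside the `with db.xact():` block that performs the INSERT, so two requests arriving within the wait window can both read the previous `posed` timestamp, both pass, and both insert; the limit is advisory rather than enforced. Moving the `is_in_ratelimit(cat)` call inside the transaction narrows the window, and a hard guarantee would require serialising the check and the insert (a row lock or a database constraint), which is a larger change than this hunk. put_motion starts before and continues after the hunk.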
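Review bot: The new `nextId >= 1000` guard returns HTTP 500, which signals a server fault and will typically be counted as an error by monitoring, although the condition is an application limit reached with valid input; a client-facing status is more accurate, e.g. `return _('Too many motions for this day'), 409`. A short comment should also explain the bound, e.g. `# identifier suffix is a 3-digit per-day sequence, so 999 is the last usable number`. put_motion starts before this hunk.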
@@ -372,7 +425,7 @@ def show_motion(motion): if may("audit", resultmotion[0].get("type")) and not resultmotion[0].get("running") and not resultmotion[0].get("canceled"): votes = get_db().prepare("SELECT vote.result, voter.email FROM vote INNER JOIN voter ON voter.id = vote.voter_id WHERE vote.motion_id=$1")(resultmotion[0].get("id")); votes = get_db().prepare("SELECT vote.result, voter.email, CASE voter.email WHEN proxy.email THEN NULL ELSE proxy.email END as proxyemail FROM vote INNER JOIN voter ON voter.id = vote.voter_id INNER JOIN voter as proxy ON proxy.id = vote.proxy_id WHERE vote.motion_id=$1")(resultmotion[0].get("id")); - return render_template('single_motion.html', motion=resultmotion[0], may_vote=may("vote", resultmotion[0].get("type")), may_cancel=may("cancel", resultmotion[0].get("type")), votes=votes, proxyvote=resultproxyvote, proxyname=resultproxyname, languages=get_languages()) + return render_template('single_motion.html', motion=resultmotion[0], may_vote=may("vote", resultmotion[0].get("type")), may_cancel=may("cancel", resultmotion[0].get("type")), may_finish=may("finish", resultmotion[0].get("type")), votes=votes, proxyvote=resultproxyvote, proxyname=resultproxyname, languages=get_languages()) @app.route("/motion//vote/", methods=['POST']) @validate_motion_access_vote('vote') @@ -409,11 +462,11 @@ def add_proxy(): proxy=request.form.get("proxy", "") if voter == proxy : return _('Error, voter equals proxy.'), 400 - rv = get_db().prepare("SELECT id FROM voter WHERE email=$1")(voter); + rv = get_db().prepare("SELECT id FROM voter WHERE email=$1 AND host=$2")(voter, request.host); if len(rv) == 0: return _('Error, voter not found.'), 400 voterid = rv[0].get("id") - rv = get_db().prepare("SELECT id FROM voter WHERE email=$1")(proxy); + rv = get_db().prepare("SELECT id, host FROM voter WHERE email=$1 AND host=$2")(proxy, request.host); if len(rv) == 0: return _('Error, proxy not found.'), 400 proxyid = rv[0].get("id") 
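Review bot: The second lookup in add_proxy now selects `id, host`, but only `id` is read afterwards, so the extra column can be dropped to keep the two queries symmetrical: `rv = get_db().prepare("SELECT id FROM voter WHERE email=$1 AND host=$2")(proxy, request.host);`. add_proxy starts before and continues after this hunk.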
@@ -422,9 +475,10 @@ def add_proxy(): return _('Error, proxy allready given.'), 400 rv = get_db().prepare("SELECT COUNT(id) as c FROM proxy WHERE proxy_id=$1 AND revoked is NULL GROUP BY proxy_id")(proxyid); if len(rv) != 0: - if rv[0].get("c") >= max_proxy: + if rv[0].get("c") is None or rv[0].get("c") >= max_proxy: return _("Error, Max proxy for '%s' reached.") % (proxy), 400 rv = get_db().prepare("INSERT INTO proxy(voter_id, proxy_id, granted_by) VALUES ($1,$2,$3)")(voterid, proxyid, g.voter) + write_proxy_log(voterid, 'proxygranted', 'proxy: '+str(proxyid)) return rel_redirect("/proxy") @app.route("/proxy/revoke", methods=['POST']) @@ -433,6 +487,7 @@ def revoke_proxy(): return _('Forbidden'), 403 id=request.form.get("id", "") rv = get_db().prepare("UPDATE proxy SET revoked=CURRENT_TIMESTAMP, revoked_by=$1 WHERE id=$2")(g.voter, int(id)) + write_proxy_log(int(id), 'proxyrevoked', '') return rel_redirect("/proxy") @app.route("/proxy/revokeall", methods=['POST']) @@ -440,6 +495,7 @@ def revoke_proxy_all(): if not may_admin("proxyadmin"): return _('Forbidden'), 403 rv = get_db().prepare("UPDATE proxy SET revoked=CURRENT_TIMESTAMP, revoked_by=$1 WHERE revoked IS NULL")(g.voter) + write_proxy_log(g.voter, 'proxyrevokedall', '') return rel_redirect("/proxy") @app.route("/language/") 
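Review bot: The added `rv[0].get("c") is None` test in add_proxy cannot fire: `COUNT(id)` never yields NULL, and with the `GROUP BY` a row is only present when there is at least one match. The value that can actually be `None` is `max_proxy`, read earlier with `app.config.get("MAX_PROXY")` and no default, and `c >= None` raises TypeError, so the guard is probably meant as `if max_proxy is None or rv[0].get("c") >= max_proxy:` (or, better, fail at startup when the setting is missing). add_proxy starts before this hunk.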
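Review bot: The revoke UPDATE in revoke_proxy, and the one in revoke_proxy_all (hunk `@@ -440,6 +495,7 @@`), are not restricted to `request.host`, unlike the voter and proxy lookups this commit scopes by host; a proxyadmin on one host can revoke a proxy row belonging to another host by id, and the revoke-all path clears every host at once. Restricting the update through the voter's host, e.g. `... WHERE id=$2 AND voter_id IN (SELECT id FROM voter WHERE host=$3)` with `request.host` as the third parameter, keeps an admin's reach within their own host. `int(id)` on an empty or non-numeric form value also raises ValueError and surfaces as a 500; a 400 would be cleaner. revoke_proxy starts before this hunk.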
@@ -449,12 +505,35 @@ def set_language(language): @app.cli.command("create-user") @click.argument("email") -def create_user(email): +@click.argument("host") +def create_user(email, host): db = get_db() with db.xact(): - rv = db.prepare("SELECT id FROM voter WHERE lower(email)=lower($1)")(email) - messagetext="User '%s' already exists." % (email) + rv = db.prepare("SELECT id FROM voter WHERE lower(email)=lower($1) AND host=$2")(email, host) + messagetext=_("User '%s' already exists on %s.") % (email, host) if len(rv) == 0: - db.prepare("INSERT INTO voter(\"email\") VALUES($1)")(email) - messagetext="User '%s' inserted." % (email) + db.prepare("INSERT INTO voter(\"email\", \"host\") VALUES($1, $2)")(email, host) + messagetext=_("User '%s' inserted to %s.") % (email, host) click.echo(messagetext) + +@app.cli.command("motion-masking") +@click.argument("motion") +@click.argument("motionreason") +@click.argument("host") +def motion_masking(motion, motionreason, host): + if re.search(r"[%_\\]", motion): + messagetext = _("No wildcards allowed for motion entry '%s'.") % (motion) + click.echo(messagetext) + else: + db = get_db() + with db.xact(): + rv = db.prepare("SELECT id FROM motion WHERE identifier LIKE $1 AND host = $2")(motion+"%", host) + count = len(rv) + messagetext = _("%s record(s) affected by masking of '%s'.") % (count, motion) + click.echo(messagetext) + if len(rv) != 0: + rv = db.prepare("SELECT id FROM motion WHERE content LIKE $1 AND host = $2")('%'+motionreason+"%", host) + rv = db.prepare("UPDATE motion SET name=$3, content=$4 WHERE identifier LIKE $1 AND host = $2 RETURNING id ")(motion+"%", host, _("Motion masked"), _("Motion masked on base of motion [%s](%s) on %s") % (motionreason, motionreason, datetime.now().strftime("%Y-%m-%d"))) + messagetext = _("%s record(s) updated by masking of '%s'.") % (len(rv), motion) + write_masking_log(_("%s motion(s) masked on base of motion %s with motion identifier '%s' on host %s") %(len(rv), motionreason, motion, 
host)) + click.echo(messagetext)
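Review bot: In motion_masking the query `SELECT id FROM motion WHERE content LIKE $1 AND host = $2` built from `'%'+motionreason+"%"` is executed and its result immediately overwritten by the UPDATE, so it is dead; either drop it or use it, for instance to verify that `motionreason` refers to an existing motion before anything is masked. The wildcard check covers `motion` but not `motionreason`, and the `identifier LIKE motion+"%"` prefix match masks every motion whose identifier starts with the argument, so a short prefix masks many records; requiring the full identifier (`identifier = $1`) or printing the affected identifiers before the UPDATE would make the command safer to operate. The command also lacks a docstring, which click would show as help text, e.g. `"""Replace name and content of motions on HOST whose identifier starts with MOTION by a masking notice referring to MOTIONREASON."""`.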