search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove <br/> from safe string indicating that CSRF cooking is missing.
[larjonas-mediagoblin.git] / mediagoblin / api / views.py
blob671c3b360ce40bd48d1e32914977d6606f9d5c4f
1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
3 #
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
8 #
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
13 #
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16
17 import json
18 import io
19 import mimetypes
20
21 from werkzeug.datastructures import FileStorage
22
23 from mediagoblin.decorators import oauth_required, require_active_login
24 from mediagoblin.api.decorators import user_has_privilege
25 from mediagoblin.db.models import User, LocalUser, MediaEntry, Comment, TextComment, Activity
26 from mediagoblin.tools.federation import create_activity, create_generator
27 from mediagoblin.tools.routing import extract_url_arguments
28 from mediagoblin.tools.response import redirect, json_response, json_error, \
29 render_404, render_to_response
30 from mediagoblin.meddleware.csrf import csrf_exempt
31 from mediagoblin.submit.lib import new_upload_entry, api_upload_request, \
32 api_add_to_feed
33
34 # MediaTypes
35 from mediagoblin.media_types.image import MEDIA_TYPE as IMAGE_MEDIA_TYPE
36
37 # Getters
38 def get_profile(request):
39 """
40 Gets the user's profile for the endpoint requested.
41
42 For example an endpoint which is /api/{username}/feed
43 as /api/cwebber/feed would get cwebber's profile. This
44 will return a tuple (username, user_profile). If no user
45 can be found then this function returns a (None, None).
46 """
47 username = request.matchdict["username"]
48 user = LocalUser.query.filter(LocalUser.username==username).first()
49
50 if user is None:
51 return None, None
52
53 return user, user.serialize(request)
54
55
56 # Endpoints
57 @oauth_required
58 def profile_endpoint(request):
59 """ This is /api/user/<username>/profile - This will give profile info """
60 user, user_profile = get_profile(request)
61
62 if user is None:
63 username = request.matchdict["username"]
64 return json_error(
65 "No such 'user' with username '{0}'".format(username),
66 status=404
67 )
68
69 # user profiles are public so return information
70 return json_response(user_profile)
71
72 @oauth_required
73 def user_endpoint(request):
74 """ This is /api/user/<username> - This will get the user """
75 user, user_profile = get_profile(request)
76
77 if user is None:
78 username = request.matchdict["username"]
79 return json_error(
80 "No such 'user' with username '{0}'".format(username),
81 status=404
82 )
83
84 return json_response({
85 "nickname": user.username,
86 "updated": user.created.isoformat(),
87 "published": user.created.isoformat(),
88 "profile": user_profile,
89 })
90
91 @oauth_required
92 @csrf_exempt
93 @user_has_privilege(u'uploader')
94 def uploads_endpoint(request):
95 """ Endpoint for file uploads """
96 username = request.matchdict["username"]
97 requested_user = LocalUser.query.filter(LocalUser.username==username).first()
98
99 if requested_user is None:
100 return json_error("No such 'user' with id '{0}'".format(username), 404)
101
102 if request.method == "POST":
103 # Ensure that the user is only able to upload to their own
104 # upload endpoint.
105 if requested_user.id != request.user.id:
106 return json_error(
107 "Not able to post to another users feed.",
108 status=403
109 )
110
111 # Wrap the data in the werkzeug file wrapper
112 if "Content-Type" not in request.headers:
113 return json_error(
114 "Must supply 'Content-Type' header to upload media."
115 )
116
117 mimetype = request.headers["Content-Type"]
118 filename = mimetypes.guess_all_extensions(mimetype)
119 filename = 'unknown' + filename[0] if filename else filename
120 file_data = FileStorage(
121 stream=io.BytesIO(request.data),
122 filename=filename,
123 content_type=mimetype
124 )
125
126 # Find media manager
127 entry = new_upload_entry(request.user)
128 entry.media_type = IMAGE_MEDIA_TYPE
129 return api_upload_request(request, file_data, entry)
130
131 return json_error("Not yet implemented", 501)
132
133 @oauth_required
134 @csrf_exempt
135 def inbox_endpoint(request, inbox=None):
136 """ This is the user's inbox
137
138 Currently because we don't have the ability to represent the inbox in the
139 database this is not a "real" inbox in the pump.io/Activity streams 1.0
140 sense but instead just gives back all the data on the website
141
142 inbox: allows you to pass a query in to limit inbox scope
143 """
144 username = request.matchdict["username"]
145 user = LocalUser.query.filter(LocalUser.username==username).first()
146
147 if user is None:
148 return json_error("No such 'user' with id '{0}'".format(username), 404)
149
150
151 # Only the user who's authorized should be able to read their inbox
152 if user.id != request.user.id:
153 return json_error(
154 "Only '{0}' can read this inbox.".format(user.username),
155 403
156 )
157
158 if inbox is None:
159 inbox = Activity.query
160
161 # Count how many items for the "totalItems" field
162 total_items = inbox.count()
163
164 # We want to make a query for all media on the site and then apply GET
165 # limits where we can.
166 inbox = inbox.order_by(Activity.published.desc())
167
168 # Limit by the "count" (default: 20)
169 try:
170 limit = int(request.args.get("count", 20))
171 except ValueError:
172 limit = 20
173
174 # Prevent the count being too big (pump uses 200 so we shall)
175 limit = limit if limit <= 200 else 200
176
177 # Apply the limit
178 inbox = inbox.limit(limit)
179
180 # Offset (default: no offset - first <count> results)
181 inbox = inbox.offset(request.args.get("offset", 0))
182
183 # build the inbox feed
184 feed = {
185 "displayName": "Activities for {0}".format(user.username),
186 "author": user.serialize(request),
187 "objectTypes": ["activity"],
188 "url": request.base_url,
189 "links": {"self": {"href": request.url}},
190 "items": [],
191 "totalItems": total_items,
192 }
193
194 for activity in inbox:
195 try:
196 feed["items"].append(activity.serialize(request))
197 except AttributeError:
198 # As with the feed endpint this occurs because of how we our
199 # hard-deletion method. Some activites might exist where the
200 # Activity object and/or target no longer exist, for this case we
201 # should just skip them.
202 pass
203
204 return json_response(feed)
205
206 @oauth_required
207 @csrf_exempt
208 def inbox_minor_endpoint(request):
209 """ Inbox subset for less important Activities """
210 inbox = Activity.query.filter(
211 (Activity.verb == "update") | (Activity.verb == "delete")
212 )
213
214 return inbox_endpoint(request=request, inbox=inbox)
215
216 @oauth_required
217 @csrf_exempt
218 def inbox_major_endpoint(request):
219 """ Inbox subset for most important Activities """
220 inbox = Activity.query.filter_by(verb="post")
221 return inbox_endpoint(request=request, inbox=inbox)
222
223 @oauth_required
224 @csrf_exempt
225 def feed_endpoint(request, outbox=None):
226 """ Handles the user's outbox - /api/user/<username>/feed """
227 username = request.matchdict["username"]
228 requested_user = LocalUser.query.filter(LocalUser.username==username).first()
229
230 # check if the user exists
231 if requested_user is None:
232 return json_error("No such 'user' with id '{0}'".format(username), 404)
233
234 if request.data:
235 data = json.loads(request.data.decode())
236 else:
237 data = {"verb": None, "object": {}}
238
239
240 if request.method in ["POST", "PUT"]:
241 # Validate that the activity is valid
242 if "verb" not in data or "object" not in data:
243 return json_error("Invalid activity provided.")
244
245 # Check that the verb is valid
246 if data["verb"] not in ["post", "update", "delete"]:
247 return json_error("Verb not yet implemented", 501)
248
249 # We need to check that the user they're posting to is
250 # the person that they are.
251 if requested_user.id != request.user.id:
252 return json_error(
253 "Not able to post to another users feed.",
254 status=403
255 )
256
257 # Handle new posts
258 if data["verb"] == "post":
259 obj = data.get("object", None)
260 if obj is None:
261 return json_error("Could not find 'object' element.")
262
263 if obj.get("objectType", None) == "comment":
264 # post a comment
265 if not request.user.has_privilege(u'commenter'):
266 return json_error(
267 "Privilege 'commenter' required to comment.",
268 status=403
269 )
270
271 comment = TextComment(actor=request.user.id)
272 comment.unserialize(data["object"], request)
273 comment.save()
274
275 # Create activity for comment
276 generator = create_generator(request)
277 activity = create_activity(
278 verb="post",
279 actor=request.user,
280 obj=comment,
281 target=comment.get_reply_to(),
282 generator=generator
283 )
284
285 return json_response(activity.serialize(request))
286
287 elif obj.get("objectType", None) == "image":
288 # Posting an image to the feed
289 media_id = extract_url_arguments(
290 url=data["object"]["id"],
291 urlmap=request.app.url_map
292 )["id"]
293
294 # Build public_id
295 public_id = request.urlgen(
296 "mediagoblin.api.object",
297 object_type=obj["objectType"],
298 id=media_id,
299 qualified=True
300 )
301
302 media = MediaEntry.query.filter_by(
303 public_id=public_id
304 ).first()
305
306 if media is None:
307 return json_response(
308 "No such 'image' with id '{0}'".format(media_id),
309 status=404
310 )
311
312 if media.actor != request.user.id:
313 return json_error(
314 "Privilege 'commenter' required to comment.",
315 status=403
316 )
317
318
319 if not media.unserialize(data["object"]):
320 return json_error(
321 "Invalid 'image' with id '{0}'".format(media_id)
322 )
323
324
325 # Add location if one exists
326 if "location" in data:
327 Location.create(data["location"], self)
328
329 media.save()
330 activity = api_add_to_feed(request, media)
331
332 return json_response(activity.serialize(request))
333
334 elif obj.get("objectType", None) is None:
335 # They need to tell us what type of object they're giving us.
336 return json_error("No objectType specified.")
337 else:
338 # Oh no! We don't know about this type of object (yet)
339 object_type = obj.get("objectType", None)
340 return json_error(
341 "Unknown object type '{0}'.".format(object_type)
342 )
343
344 # Updating existing objects
345 if data["verb"] == "update":
346 # Check we've got a valid object
347 obj = data.get("object", None)
348
349 if obj is None:
350 return json_error("Could not find 'object' element.")
351
352 if "objectType" not in obj:
353 return json_error("No objectType specified.")
354
355 if "id" not in obj:
356 return json_error("Object ID has not been specified.")
357
358 obj_id = extract_url_arguments(
359 url=obj["id"],
360 urlmap=request.app.url_map
361 )["id"]
362
363 public_id = request.urlgen(
364 "mediagoblin.api.object",
365 object_type=obj["objectType"],
366 id=obj_id,
367 qualified=True
368 )
369
370 # Now try and find object
371 if obj["objectType"] == "comment":
372 if not request.user.has_privilege(u'commenter'):
373 return json_error(
374 "Privilege 'commenter' required to comment.",
375 status=403
376 )
377
378 comment = TextComment.query.filter_by(
379 public_id=public_id
380 ).first()
381 if comment is None:
382 return json_error(
383 "No such 'comment' with id '{0}'.".format(obj_id)
384 )
385
386 # Check that the person trying to update the comment is
387 # the author of the comment.
388 if comment.actor != request.user.id:
389 return json_error(
390 "Only author of comment is able to update comment.",
391 status=403
392 )
393
394 if not comment.unserialize(data["object"], request):
395 return json_error(
396 "Invalid 'comment' with id '{0}'".format(obj["id"])
397 )
398
399 comment.save()
400
401 # Create an update activity
402 generator = create_generator(request)
403 activity = create_activity(
404 verb="update",
405 actor=request.user,
406 obj=comment,
407 generator=generator
408 )
409
410 return json_response(activity.serialize(request))
411
412 elif obj["objectType"] == "image":
413 image = MediaEntry.query.filter_by(
414 public_id=public_id
415 ).first()
416 if image is None:
417 return json_error(
418 "No such 'image' with the id '{0}'.".format(obj["id"])
419 )
420
421 # Check that the person trying to update the comment is
422 # the author of the comment.
423 if image.actor != request.user.id:
424 return json_error(
425 "Only uploader of image is able to update image.",
426 status=403
427 )
428
429 if not image.unserialize(obj):
430 return json_error(
431 "Invalid 'image' with id '{0}'".format(obj_id)
432 )
433 image.generate_slug()
434 image.save()
435
436 # Create an update activity
437 generator = create_generator(request)
438 activity = create_activity(
439 verb="update",
440 actor=request.user,
441 obj=image,
442 generator=generator
443 )
444
445 return json_response(activity.serialize(request))
446 elif obj["objectType"] == "person":
447 # check this is the same user
448 if "id" not in obj or obj["id"] != requested_user.id:
449 return json_error(
450 "Incorrect user id, unable to update"
451 )
452
453 requested_user.unserialize(obj)
454 requested_user.save()
455
456 generator = create_generator(request)
457 activity = create_activity(
458 verb="update",
459 actor=request.user,
460 obj=requested_user,
461 generator=generator
462 )
463
464 return json_response(activity.serialize(request))
465
466 elif data["verb"] == "delete":
467 obj = data.get("object", None)
468 if obj is None:
469 return json_error("Could not find 'object' element.")
470
471 if "objectType" not in obj:
472 return json_error("No objectType specified.")
473
474 if "id" not in obj:
475 return json_error("Object ID has not been specified.")
476
477 # Parse out the object ID
478 obj_id = extract_url_arguments(
479 url=obj["id"],
480 urlmap=request.app.url_map
481 )["id"]
482
483 public_id = request.urlgen(
484 "mediagoblin.api.object",
485 object_type=obj["objectType"],
486 id=obj_id,
487 qualified=True
488 )
489
490 if obj.get("objectType", None) == "comment":
491 # Find the comment asked for
492 comment = TextComment.query.filter_by(
493 public_id=public_id,
494 actor=request.user.id
495 ).first()
496
497 if comment is None:
498 return json_error(
499 "No such 'comment' with id '{0}'.".format(obj_id)
500 )
501
502 # Make a delete activity
503 generator = create_generator(request)
504 activity = create_activity(
505 verb="delete",
506 actor=request.user,
507 obj=comment,
508 generator=generator
509 )
510
511 # Unfortunately this has to be done while hard deletion exists
512 context = activity.serialize(request)
513
514 # now we can delete the comment
515 comment.delete()
516
517 return json_response(context)
518
519 if obj.get("objectType", None) == "image":
520 # Find the image
521 entry = MediaEntry.query.filter_by(
522 public_id=public_id,
523 actor=request.user.id
524 ).first()
525
526 if entry is None:
527 return json_error(
528 "No such 'image' with id '{0}'.".format(obj_id)
529 )
530
531 # Make the delete activity
532 generator = create_generator(request)
533 activity = create_activity(
534 verb="delete",
535 actor=request.user,
536 obj=entry,
537 generator=generator
538 )
539
540 # This is because we have hard deletion
541 context = activity.serialize(request)
542
543 # Now we can delete the image
544 entry.delete()
545
546 return json_response(context)
547
548 elif request.method != "GET":
549 return json_error(
550 "Unsupported HTTP method {0}".format(request.method),
551 status=501
552 )
553
554 feed = {
555 "displayName": "Activities by {user}@{host}".format(
556 user=request.user.username,
557 host=request.host
558 ),
559 "objectTypes": ["activity"],
560 "url": request.base_url,
561 "links": {"self": {"href": request.url}},
562 "author": request.user.serialize(request),
563 "items": [],
564 }
565
566 # Create outbox
567 if outbox is None:
568 outbox = Activity.query.filter_by(actor=request.user.id)
569 else:
570 outbox = outbox.filter_by(actor=request.user.id)
571
572 # We want the newest things at the top (issue: #1055)
573 outbox = outbox.order_by(Activity.published.desc())
574
575 # Limit by the "count" (default: 20)
576 limit = request.args.get("count", 20)
577
578 try:
579 limit = int(limit)
580 except ValueError:
581 limit = 20
582
583 # The upper most limit should be 200
584 limit = limit if limit < 200 else 200
585
586 # apply the limit
587 outbox = outbox.limit(limit)
588
589 # Offset (default: no offset - first <count> result)
590 outbox = outbox.offset(request.args.get("offset", 0))
591
592 # Build feed.
593 for activity in outbox:
594 try:
595 feed["items"].append(activity.serialize(request))
596 except AttributeError:
597 # This occurs because of how we hard-deletion and the object
598 # no longer existing anymore. We want to keep the Activity
599 # in case someone wishes to look it up but we shouldn't display
600 # it in the feed.
601 pass
602 feed["totalItems"] = len(feed["items"])
603
604 return json_response(feed)
605
606 @oauth_required
607 def feed_minor_endpoint(request):
608 """ Outbox for minor activities such as updates """
609 # If it's anything but GET pass it along
610 if request.method != "GET":
611 return feed_endpoint(request)
612
613 outbox = Activity.query.filter(
614 (Activity.verb == "update") | (Activity.verb == "delete")
615 )
616 return feed_endpoint(request, outbox=outbox)
617
618 @oauth_required
619 def feed_major_endpoint(request):
620 """ Outbox for all major activities """
621 # If it's anything but a GET pass it along
622 if request.method != "GET":
623 return feed_endpoint(request)
624
625 outbox = Activity.query.filter_by(verb="post")
626 return feed_endpoint(request, outbox=outbox)
627
628 @oauth_required
629 def object_endpoint(request):
630 """ Lookup for a object type """
631 object_type = request.matchdict["object_type"]
632 try:
633 object_id = request.matchdict["id"]
634 except ValueError:
635 error = "Invalid object ID '{0}' for '{1}'".format(
636 request.matchdict["id"],
637 object_type
638 )
639 return json_error(error)
640
641 if object_type not in ["image"]:
642 # not sure why this is 404, maybe ask evan. Maybe 400?
643 return json_error(
644 "Unknown type: {0}".format(object_type),
645 status=404
646 )
647
648 public_id = request.urlgen(
649 "mediagoblin.api.object",
650 object_type=object_type,
651 id=object_id,
652 qualified=True
653 )
654
655 media = MediaEntry.query.filter_by(public_id=public_id).first()
656 if media is None:
657 return json_error(
658 "Can't find '{0}' with ID '{1}'".format(object_type, object_id),
659 status=404
660 )
661
662 return json_response(media.serialize(request))
663
664 @oauth_required
665 def object_comments(request):
666 """ Looks up for the comments on a object """
667 public_id = request.urlgen(
668 "mediagoblin.api.object",
669 object_type=request.matchdict["object_type"],
670 id=request.matchdict["id"],
671 qualified=True
672 )
673 media = MediaEntry.query.filter_by(public_id=public_id).first()
674 if media is None:
675 return json_error("Can't find '{0}' with ID '{1}'".format(
676 request.matchdict["object_type"],
677 request.matchdict["id"]
678 ), 404)
679
680 comments = media.serialize(request)
681 comments = comments.get("replies", {
682 "totalItems": 0,
683 "items": [],
684 "url": request.urlgen(
685 "mediagoblin.api.object.comments",
686 object_type=media.object_type,
687 id=media.id,
688 qualified=True
689 )
690 })
691
692 comments["displayName"] = "Replies to {0}".format(comments["url"])
693 comments["links"] = {
694 "first": comments["url"],
695 "self": comments["url"],
696 }
697 return json_response(comments)
698
699 ##
700 # RFC6415 - Web Host Metadata
701 ##
702 def host_meta(request):
703 """
704 This provides the host-meta URL information that is outlined
705 in RFC6415. By default this should provide XRD+XML however
706 if the client accepts JSON we will provide that over XRD+XML.
707 The 'Accept' header is used to decude this.
708
709 A client should use this endpoint to determine what URLs to
710 use for OAuth endpoints.
711 """
712
713 links = [
714 {
715 "rel": "lrdd",
716 "type": "application/json",
717 "href": request.urlgen(
718 "mediagoblin.webfinger.well-known.webfinger",
719 qualified=True
720 )
721 },
722 {
723 "rel": "registration_endpoint",
724 "href": request.urlgen(
725 "mediagoblin.oauth.client_register",
726 qualified=True
727 ),
728 },
729 {
730 "rel": "http://apinamespace.org/oauth/request_token",
731 "href": request.urlgen(
732 "mediagoblin.oauth.request_token",
733 qualified=True
734 ),
735 },
736 {
737 "rel": "http://apinamespace.org/oauth/authorize",
738 "href": request.urlgen(
739 "mediagoblin.oauth.authorize",
740 qualified=True
741 ),
742 },
743 {
744 "rel": "http://apinamespace.org/oauth/access_token",
745 "href": request.urlgen(
746 "mediagoblin.oauth.access_token",
747 qualified=True
748 ),
749 },
750 {
751 "rel": "http://apinamespace.org/activitypub/whoami",
752 "href": request.urlgen(
753 "mediagoblin.webfinger.whoami",
754 qualified=True
755 ),
756 },
757 ]
758
759 if "application/json" in request.accept_mimetypes:
760 return json_response({"links": links})
761
762 # provide XML+XRD
763 return render_to_response(
764 request,
765 "mediagoblin/api/host-meta.xml",
766 {"links": links},
767 mimetype="application/xrd+xml"
768 )
769
770 def lrdd_lookup(request):
771 """
772 This is the lrdd endpoint which can lookup a user (or
773 other things such as activities). This is as specified by
774 RFC6415.
775
776 The cleint must provide a 'resource' as a GET parameter which
777 should be the query to be looked up.
778 """
779
780 if "resource" not in request.args:
781 return json_error("No resource parameter", status=400)
782
783 resource = request.args["resource"]
784
785 if "@" in resource:
786 # Lets pull out the username
787 resource = resource[5:] if resource.startswith("acct:") else resource
788 username, host = resource.split("@", 1)
789
790 # Now lookup the user
791 user = LocalUser.query.filter(LocalUser.username==username).first()
792
793 if user is None:
794 return json_error(
795 "Can't find 'user' with username '{0}'".format(username))
796
797 return json_response([
798 {
799 "rel": "http://webfinger.net/rel/profile-page",
800 "href": user.url_for_self(request.urlgen),
801 "type": "text/html"
802 },
803 {
804 "rel": "self",
805 "href": request.urlgen(
806 "mediagoblin.api.user",
807 username=user.username,
808 qualified=True
809 )
810 },
811 {
812 "rel": "activity-outbox",
813 "href": request.urlgen(
814 "mediagoblin.api.feed",
815 username=user.username,
816 qualified=True
817 )
818 }
819 ])
820 else:
821 return json_error("Unrecognized resource parameter", status=404)
822
823
824 def whoami(request):
825 """ /api/whoami - HTTP redirect to API profile """
826 if request.user is None:
827 return json_error("Not logged in.", status=401)
828
829 profile = request.urlgen(
830 "mediagoblin.api.user.profile",
831 username=request.user.username,
832 qualified=True
833 )
834
835 return redirect(request, location=profile)
LArjona's clone of GNU MediaGoblin (https://www.mediagoblin.org/)