from flask_login import current_user
from wtforms.validators import ValidationError, StopValidation
from werkzeug.utils import secure_filename
from app.utils.filesize import filesize
from PIL import Image
import re
def optional(form, files):
    """Stop the validator chain when no file was actually submitted.

    A multiple-file field left empty by the browser shows up either as an
    empty ``data`` list or as a single entry whose filename is ``""``;
    both cases are treated as "nothing uploaded" and the remaining
    validators are skipped via ``StopValidation``.
    """
    uploaded = files.data
    has_file = len(uploaded) > 0 and uploaded[0].filename != ""
    if not has_file:
        raise StopValidation()
def count(form, files):
    """Limit how many files a single comment may carry.

    Guests may attach at most 3 files and authenticated members at most
    100. Members holding the ``misc.no-upload-limits`` privilege are not
    checked at all; the privilege is read server-side from
    ``current_user``, so it cannot be asserted by the client.
    """
    if not current_user.is_authenticated:
        if len(files.data) > 3:
            raise ValidationError("3 fichiers maximum autorisés")
        return

    if current_user.priv("misc.no-upload-limits"):
        return
    if len(files.data) > 100:  # 100 files for an authenticated user
        raise ValidationError("100 fichiers maximum autorisés")
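# Accepted upload suffixes, grouped by kind. Raw strings are used so the
# escaped "+" in the C++ alternative is not an invalid string escape
# (Python warns on "\+" in a non-raw literal). The joined alternation is
# applied with fullmatch, so each alternative must cover the whole suffix.
VALID_EXTENSIONS = [
    r"g[123][a-z]|cpa|c1a|fxi|cat|mcs|xcp|fls",  # Casio files
    r"png|jpg|jpeg|bmp|tiff|gif|xcf",  # Images
    r"[ch](pp|\+\+|xx)?|s|py|bide|lua|lc",  # Source code
    r"txt|md|tex|pdf|odt|ods|docx|xlsx",  # Office files
    r"zip|7z|tar|bz2?|t?gz|xz|zst",  # Archives
]
# Compiled once at import time rather than on every form validation.
VALID_EXTENSION_RE = re.compile("|".join(VALID_EXTENSIONS), re.IGNORECASE)


def extension(form, files):
    """Reject uploads whose file extension is not on the allow-list.

    The check is purely name-based: only the last dot-separated component
    of the sanitised filename is compared (case-insensitively) against
    ``VALID_EXTENSION_RE``; the file content itself is not inspected.

    Raises:
        ValidationError: listing every offending suffix when at least one
            file has an extension outside the allow-list.
    """
    errors = []

    for f in files.data:
        # Sanitise the client-supplied name first so the suffix is taken
        # from the normalised form, not the raw value.
        name = secure_filename(f.filename)
        # A name without a dot yields the whole name as "extension", and a
        # name that secure_filename reduces to "" yields ""; neither can
        # match the allow-list, so both are reported as invalid.
        ext = name.split(".")[-1]
        if not VALID_EXTENSION_RE.fullmatch(ext):
            errors.append("." + ext)

    if errors:
        # Space before the parenthesis: the original concatenation produced
        # "invalide(s)(.ext)", unlike the other validators' messages.
        raise ValidationError("Extension(s) invalide(s) "
                              f"({', '.join(errors)})")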
def size(form, files):
    """Cap the combined size of all files attached to one comment.

    There is no single size limit that applies to everyone: guests get
    500 ko in total, authenticated members 5 Mo, and members holding the
    ``misc.no-upload-limits`` privilege are not checked. Only the sum is
    bounded, never an individual file.
    """
    # Named `total` rather than `size` so the function name is not shadowed.
    total = sum(filesize(f) for f in files.data)

    if not current_user.is_authenticated:
        if total > 500e3:  # 500 ko per comment for a guest
            raise ValidationError("Fichiers trop lourds (max 500 ko)")
        return

    if current_user.priv("misc.no-upload-limits"):
        return
    if total > 5e6:  # 5 Mo per comment for an authenticated user
        raise ValidationError("Fichiers trop lourds (max 5 Mo)")
def namelength(form, files):
    """Reject files whose sanitised name exceeds 64 characters.

    The length is measured on ``secure_filename(f.filename)``, while the
    error message reports the names exactly as the client sent them.
    """
    too_long = [f.filename for f in files.data
                if len(secure_filename(f.filename)) > 64]
    if too_long:
        raise ValidationError("Noms trop longs, 64 caractères max "
                              f"({', '.join(too_long)})")
def is_image(form, avatar):
    """Ensure the uploaded avatar is something Pillow recognises as an image.

    ``Image.open`` is lazy: it parses only the header to identify the
    format, so this validates the container type, not the full pixel data.
    NOTE(review): the call advances the read position of ``avatar.data``;
    confirm that later consumers of the stream rewind it.
    """
    try:
        Image.open(avatar.data)
    except OSError:  # IOError is an alias of OSError on Python 3
        raise ValidationError("Avatar invalide")
def avatar_size(form, file):
    """Reject an avatar heavier than 200 ko, as measured by ``filesize``."""
    too_heavy = filesize(file.data) > 200e3  # 200 ko
    if too_heavy:
        raise ValidationError("Fichier trop lourd (max 200 ko)")