From b36f9c05071ea549ed59e703270fcf223b60df03 Mon Sep 17 00:00:00 2001 From: Jon Bergli Heier Date: Sun, 9 Apr 2017 09:02:09 +0200 Subject: Major rewrite to use jab/oauth. Highlights: - Uses the oauth branch of jab. - Changed design to use bootstrap. - Some minor changes to functionality in file uploading and listing. - API is currently disabled and incomplete. --- .gitignore | 6 +- db.py | 80 --- fbin.py | 626 --------------------- fbin/__init__.py | 39 ++ fbin/api.py | 62 ++ fbin/db.py | 121 ++++ fbin/fbin.py | 353 ++++++++++++ fbin/login.py | 92 +++ fbin/monkey.py | 25 + fbin/static/css/bootstrap.min.css | 6 + fbin/static/css/style.css | 18 + fbin/static/fonts/glyphicons-halflings-regular.eot | Bin 0 -> 20127 bytes fbin/static/fonts/glyphicons-halflings-regular.svg | 288 ++++++++++ fbin/static/fonts/glyphicons-halflings-regular.ttf | Bin 0 -> 45404 bytes .../static/fonts/glyphicons-halflings-regular.woff | Bin 0 -> 23424 bytes .../fonts/glyphicons-halflings-regular.woff2 | Bin 0 -> 18028 bytes fbin/static/img/no-thumbnail.png | Bin 0 -> 1546 bytes fbin/static/js/bootstrap-filestyle.min.js | 1 + fbin/static/js/bootstrap.min.js | 7 + fbin/static/js/jquery.lazy.min.js | 2 + fbin/static/js/jquery.min.js | 4 + fbin/templates/base.html | 70 +++ fbin/templates/file-modals.html | 59 ++ fbin/templates/files.html | 73 +++ fbin/templates/help.html | 30 + fbin/templates/images.html | 29 + fbin/templates/modal.html | 17 + fbin/templates/upload.html | 25 + fbin/templates/uploaded.html | 14 + run.py | 4 + static/jquery-2.1.0.min.js | 4 - static/jquery.lazy.min.js | 2 - static/no-thumbnail.png | Bin 1546 -> 0 bytes static/style.css | 28 - templates/__init__.py | 9 - templates/base.tmpl | 48 -- templates/changepass.tmpl | 16 - templates/delete.tmpl | 9 - templates/help.tmpl | 20 - templates/images.tmpl | 28 - templates/login.tmpl | 24 - templates/my.tmpl | 14 - templates/register.tmpl | 16 - templates/upload.tmpl | 23 - templates/uploaded.tmpl | 16 - 45 files changed, 1342 insertions(+), 966 deletions(-) delete mode 100644 db.py delete mode 100755 fbin.py create mode 100644 fbin/__init__.py create mode 100644 fbin/api.py create mode 100644 fbin/db.py create mode 100755 fbin/fbin.py create mode 100644 fbin/login.py create mode 100644 fbin/monkey.py create mode 100644 fbin/static/css/bootstrap.min.css create mode 100644 fbin/static/css/style.css create mode 100644 fbin/static/fonts/glyphicons-halflings-regular.eot create mode 100644 fbin/static/fonts/glyphicons-halflings-regular.svg create mode 100644 fbin/static/fonts/glyphicons-halflings-regular.ttf create mode 100644 fbin/static/fonts/glyphicons-halflings-regular.woff create mode 100644 fbin/static/fonts/glyphicons-halflings-regular.woff2 create mode 100644 fbin/static/img/no-thumbnail.png create mode 100644 fbin/static/js/bootstrap-filestyle.min.js create mode 100644 fbin/static/js/bootstrap.min.js create mode 100644 fbin/static/js/jquery.lazy.min.js create mode 100644 fbin/static/js/jquery.min.js create mode 100644 fbin/templates/base.html create mode 100644 fbin/templates/file-modals.html create mode 100644 fbin/templates/files.html create mode 100644 fbin/templates/help.html create mode 100644 fbin/templates/images.html create mode 100644 fbin/templates/modal.html create mode 100644 fbin/templates/upload.html create mode 100644 fbin/templates/uploaded.html create mode 100644 run.py delete mode 100644 static/jquery-2.1.0.min.js delete mode 100644 static/jquery.lazy.min.js delete mode 100644 static/no-thumbnail.png delete mode 100644 static/style.css delete mode 100644 templates/__init__.py delete mode 100644 templates/base.tmpl delete mode 100644 templates/changepass.tmpl delete mode 100644 templates/delete.tmpl delete mode 100644 templates/help.tmpl delete mode 100644 templates/images.tmpl delete mode 100644 templates/login.tmpl delete mode 100644 templates/my.tmpl delete mode 100644 templates/register.tmpl delete mode 100644 templates/upload.tmpl delete mode 100644 templates/uploaded.tmpl diff --git a/.gitignore b/.gitignore index 268ebe8..1a01755 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,7 @@ *.swp *.pyc -settings.py +*.cfg +*.pem +__pycache__ /files /thumbs -/templates/*.py -!/templates/__init__.py diff --git a/db.py b/db.py deleted file mode 100644 index dd24204..0000000 --- a/db.py +++ /dev/null @@ -1,80 +0,0 @@ -from sqlalchemy import create_engine, Column, Integer, String, DateTime, Text, Index, ForeignKey, Boolean -from sqlalchemy.ext.declarative import declarative_base -from sqlalchemy.orm import sessionmaker, relation, backref -from sqlalchemy.orm.exc import NoResultFound -from sqlalchemy.exc import IntegrityError -from sqlalchemy.sql import and_ -import settings, os, mimetypes - -engine = create_engine(settings.db_path) - -Base = declarative_base(bind = engine) - -class User(Base): - __tablename__ = 'users' - - id = Column(Integer, primary_key = True) - username = Column(String, unique = True, index = True) - jab_id = Column(String(12), unique = True, index = True) - files = relation('File', backref = 'user', order_by = 'File.date.desc()') - - def __init__(self, username, jab_id): - self.username = username - self.jab_id = jab_id - -class File(Base): - __tablename__ = 'files' - - id = Column(Integer, primary_key = True) - hash = Column(String, unique = True, index = True) - file_hash = Column(String, unique = True, index = True) - filename = Column(String) - date = Column(DateTime) - user_id = Column(Integer, ForeignKey('users.id'), nullable = True) - ip = Column(String) - accessed = Column(DateTime) - - def __init__(self, hash, file_hash, filename, date, user_id = None, ip = None): - self.hash = hash - self.file_hash = file_hash - self.filename = filename - self.date = date - self.user_id = user_id - self.ip = ip - - @staticmethod - def pretty_size(size): - suffixes = (('B', 2**10), ('KiB', 2**20), ('MiB', 2**30), ('GiB', 2**40), ('TiB', 2**50)) - for suf, lim in suffixes: - if size > lim: - continue - else: - return '%s %s' % (str(round(size/float(lim/2**10), 2)), suf) - - def get_path(self): - return os.path.join(settings.file_directory, self.hash + os.path.splitext(self.filename)[1]) - - def get_size(self): - return os.path.getsize(self.get_path()) - - def html(self): - return u'{filename} ' \ - '1 2 del ' \ - '({size}) on {date}'.format( - root = settings.virtual_root, hash = self.hash, filename = self.filename, ext = os.path.splitext(self.filename)[1], - size = self.pretty_size(self.get_size()), date = self.date.strftime('%Y-%m-%d %H:%M:%S UTC')) - - def get_mime_type(self): - return mimetypes.guess_type(self.filename, strict = False)[0] or 'application/octet-stream' - - def is_image(self): - return self.get_mime_type().startswith('image') - - @property - def ext(self): - return os.path.splitext(self.filename)[1] - -Base.metadata.create_all() -Session = sessionmaker(bind = engine, autoflush = True, autocommit = False) - -# vim: noet ts=4 diff --git a/fbin.py b/fbin.py deleted file mode 100755 index 0f91330..0000000 --- a/fbin.py +++ /dev/null @@ -1,626 +0,0 @@ -#!/usr/bin/env python2 - -import templates -import settings, db, os, random, datetime, mimetypes, cgi, tempfile, hashlib, Cookie, urllib, subprocess, json -from PIL import Image -import jab.client - -base62_alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' -rfc1123_format = '%a, %d %b %Y %H:%M:%S +0000' -rfc1123_format_tzname = '%a, %d %b %Y %H:%M:%S %Z' - -if not os.path.isdir(settings.file_directory): - os.mkdir(settings.file_directory) - -if not os.path.isdir(settings.thumb_directory): - os.mkdir(settings.thumb_directory) - -try: - # Throws OSError if mogrify doesn't exist. - subprocess.call(['mogrify', '-quiet']) -except OSError: - has_mogrify = False -else: - has_mogrify = True - -class BinError(Exception): pass -class InvalidCookieError(BinError): pass -class InactiveLoginError(BinError): pass - -class FileUploadFieldStorage(cgi.FieldStorage): - def make_file(self, binary = None): - # Make a temporary file in the destination directory, which will be renamed on completion. - return tempfile.NamedTemporaryFile(prefix = 'upload_', dir = settings.file_directory, delete = True) - -class Application(object): - def get_or_create_user(self, username, jab_id): - session = db.Session() - try: - return session.query(db.User).filter(db.User.jab_id == jab_id).one() - except db.NoResultFound: - try: - user = db.User(username, jab_id) - session.add(user) - session.commit() - session.refresh(user) - return user - except db.IntegrityError: - return None - finally: - session.close() - - def get_user_by_jab_id(self, jab_id): - session = db.Session() - try: - return session.query(db.User).filter(db.User.jab_id == jab_id).one() - except db.NoResultFound: - return None - finally: - session.close() - - def get_user_by_id(self, uid): - session = db.Session() - try: - return session.query(db.User).filter(db.User.id == uid).one() - except db.NoResultFound: - return None - finally: - session.close() - - def get_file(self, hash, update_accessed = False): - session = db.Session() - try: - f = session.query(db.File).filter(db.File.hash == hash).one() - if update_accessed: - f.accessed = datetime.datetime.utcnow() - session.add(f) - session.commit() - # Refresh after field update. - session.refresh(f) - return f - except db.NoResultFound: - return None - finally: - session.close() - - def add_file(self, path, filename, file_hash, user = None, ip = None): - hash = ''.join(random.choice(base62_alphabet) for x in xrange(5)) - new_path = os.path.join(settings.file_directory, hash + os.path.splitext(filename)[1]) - os.rename(path, new_path) - if hasattr(settings, 'destination_mode'): - os.chmod(new_path, settings.destination_mode) - - session = db.Session() - try: - file = db.File(hash, file_hash, filename, datetime.datetime.utcnow(), user.id if user else None, ip) - session.add(file) - session.commit() - finally: - session.close() - - return hash - - def get_files(self, user): - session = db.Session() - try: - session.add(user) - files = user.files - except db.NoResultFound: - return [] - finally: - session.close() - - return files - - def validate_cookie(self, environ): - cookie = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) - if not cookie or not 'token' in cookie: - return - - token = cookie['token'].value - try: - user = self.jab.get_user_by_token(token, settings.jab_identifier, environ['REMOTE_ADDR']) - user = self.get_user_by_id(user['token_data']['user_id']) - except jab.client.InvalidCredentialsError: - user = None - return user - - def get_file_by_file_hash(self, file_hash): - session = db.Session() - try: - return session.query(db.File).filter(db.File.file_hash == file_hash).one() - except db.NoResultFound: - return None - finally: - session.close() - - def delete_file(self, file): - session = db.Session() - try: - session.delete(file) - session.commit() - os.unlink(file.get_path()) - thumbfile = os.path.join(settings.thumb_directory, file.hash + '.jpg') - if os.path.exists(thumbfile): - os.unlink(thumbfile) - except: - raise - finally: - session.close() - - def redirect(self, environ, start_response, dest): - start_response('302 Found', [('Location', settings.virtual_root + dest)]) - return [] - - def not_modified(self, environ, date): - if not 'HTTP_IF_MODIFIED_SINCE' in environ: - return False - try: - mod_since_date = datetime.datetime.strptime(environ['HTTP_IF_MODIFIED_SINCE'], rfc1123_format) - except ValueError: - # some clients use timezone names (eg. GMT) instead of numeric timezones - mod_since_date = datetime.datetime.strptime(environ['HTTP_IF_MODIFIED_SINCE'], rfc1123_format_tzname) - return date == mod_since_date - - def file(self, environ, start_response, path): - hash = path[1] - if '.' in hash: - hash = hash.split('.')[0] - file = self.get_file(hash, True) - filename = file.get_path() if file else None - if file == None or filename == None: - start_response('404 Not Found', [('Content-Type', 'text/html')]) - return ['

Not Found

The file you requested does not exist.

'] - - # strip microseconds - if self.not_modified(environ, file.date - datetime.timedelta(microseconds = file.date.microsecond)): - start_response('304 Not Modified', [('Last-Modified', file.date.strftime(rfc1123_format))]) - return [] - - do_range = 'HTTP_RANGE' in environ - if do_range: - file_range = environ['HTTP_RANGE'].split('bytes=')[1] - - mime = mimetypes.guess_type(file.filename, strict = False)[0] or 'application/octet-stream' - - # X-Sendfile handling - if settings.use_xsendfile: - headers = [('Content-Type', mime), ('Last-Modified', file.date.strftime(rfc1123_format))] - if do_range: - headers.append(('X-Sendfile2', '{filename} {range}'.format(filename = urllib.quote(filename.encode('utf8')), range = file_range))) - if file_range.endswith('-'): - file_range += str(os.path.getsize(filename)-1) - headers.append(('Content-Range', 'bytes {range}/{size}'.format(range = file_range, size = os.path.getsize(filename)))) - status = '206 Partial Content' - else: - headers.append(('X-Sendfile', filename.encode('utf8'))) - status = '200 OK' - start_response(status, headers) - return [] - - # Range handling - if do_range: - start, end = [int(x or 0) for x in file_range.split('-')] - size = os.path.getsize(filename) - - if end == 0: - end = size-1 - - write_out = start_response('206 Partial Content', [('Content-Type', mime), - ('Content-Range', 'bytes {start}-{end}/{size}'.format(start = start, end = end, size = size)), - ('Content-Length', str(end - start + 1)), ('Last-Modified', file.date.strftime(rfc1123_format))]) - - f = open(filename, 'rb') - f.seek(start) - remaining = end-start+1 - s = f.read(min(remaining, 1024)) - while s: - write_out(s) - remaining -= len(s) - s = f.read(min(remaining, 1024)) - return [] - - start_response('200 OK', [('Content-Type', mime), ('Content-Length', str(os.path.getsize(filename))), - ('Last-Modified', file.date.strftime(rfc1123_format))]) - return open(filename, 'rb') - - def upload(self, environ, start_response, path): - user = self.validate_cookie(environ) - tempfile.tempdir = settings.file_directory - form = FileUploadFieldStorage(fp = environ['wsgi.input'], environ = environ) - if environ['REQUEST_METHOD'] != 'POST' or not 'file' in form or not 'filename' in form: - if user or settings.allow_anonymous_uploads: - start_response('200 OK', [('Content-Type', 'text/html')]) - return [str(templates.upload(searchList = {'settings': settings, 'user': user}))] - else: - return self.redirect(environ, start_response, 'l') - - if not user and not settings.allow_anonymous_uploads: - if hasattr(form['file'].file, 'delete'): - form['file'].file.delete = True - start_response('403 Forbidden', [('Content-Type', 'text/plain')]) - return ['Anonymous uploads are disabled by the administrator.'] - - filename = form.getvalue('filename') - temp = form['file'].file - if hasattr(temp, 'delete'): - temp.delete = False - - # If the name attribute is missing, assume this is a StringIO object, then create a new temporary file and copy the contents. - if not hasattr(temp, 'name'): - new_temp = tempfile.NamedTemporaryFile(prefix = 'upload_', dir = settings.file_directory, delete = False) - new_temp.write(temp.getvalue()) - new_temp.seek(0) - temp = new_temp - - m = hashlib.md5() - s = temp.read(128) - while len(s): - m.update(s) - s = temp.read(128) - temp.close() - file_hash = m.hexdigest() - - f = self.get_file_by_file_hash(file_hash) - # TODO: Currently users uploading existing files won't get their files added to their account. - if f: - hash = f.hash - else: - # temp.name will be moved to the destination filename - hash = self.add_file(temp.name, filename, file_hash, user, environ['REMOTE_ADDR']) - # This avoids silly "not bound to a Session" errors when trying to use a newly added file object. - f = self.get_file(hash) - - # If temp.name still exists, we most likely uploaded a file whose file hash already exists, so just delete the file. - if os.path.exists(temp.name): - os.unlink(temp.name) - - mime = f.get_mime_type() - # TODO: Apparently TIFF also supports EXIF, test this. - if has_mogrify and mime == 'image/jpeg': - # NOTE: PIL doesn't support lossless rotation, so we call mogrify to do this. - # NOTE: This changes the file, so the file_hash applies to the ORIGINAL file contents only. - # NOTE: The file hash is only used to detect duplicates when uploading, so this should not be a problem. - subprocess.call(['mogrify', '-auto-orient', f.get_path()]) - - if 'api' in form: - start_response('200 OK', [('Content-Type', 'text/plain')]) - return ['OK {hash}'.format(hash = hash)] - else: - start_response('200 OK', [('Content-Type', 'text/html')]) - return [str(templates.uploaded(searchList = { - 'settings': settings, - 'user': user, - 'hash': hash, - 'filename': filename, - 'ext': os.path.splitext(filename)[1], - 'scheme': environ['wsgi.url_scheme'], - 'host': environ['HTTP_HOST'], - }))] - - def login(self, environ, start_response, path): - user = self.validate_cookie(environ) - form = cgi.FieldStorage(fp = environ['wsgi.input'], environ = environ) - if not user and not 'request_token' in form and not 'verified' in form: - from urlparse import urljoin - request_token = self.jab.generate_request_token(settings.jab_identifier, settings.jab_name, - urljoin('%s://%s' % (environ['wsgi.url_scheme'], environ['HTTP_HOST']), environ['PATH_INFO'])) - if isinstance(request_token, unicode): - request_token = request_token.encode('utf-8') - start_response('302 Found', [('Location', urljoin(settings.jab_web_url, 'verify/' + request_token))]) - return [] - if 'request_token' in form and 'verified' in form: - if form.getvalue('verified') == '0': - start_response('200 OK', [('Content-Type', 'text/html')]) - return [str(templates.login(searchList = { - 'settings': settings, - 'user': None, - 'error': 'Login was declined.', - 'loggedin': False, - 'next': form.getvalue('next'), - }))] - request_token = form.getvalue('request_token') - try: - token = self.jab.request_user_token(request_token, settings.jab_identifier, settings.jab_name) - jab_user = self.jab.get_user_by_token(token, settings.jab_identifier, environ['REMOTE_ADDR']) - except jab.client.InvalidCredentialsError: - start_response('200 OK', [('Content-Type', 'text/html')]) - return [str(templates.login(searchList = { - 'settings': settings, - 'user': None, - 'error': 'Failed to request login: invalid token or user.', - 'loggedin': False, - 'next': form.getvalue('next'), - }))] - user = self.get_or_create_user(jab_user['username'], jab_user['_id']) - if not user: - start_response('500 Internal Server Error', []) - return [] - self.jab.set_token_data(token, settings.jab_identifier, {'user_id': user.id}) - c = Cookie.SimpleCookie() - c['token'] = token - start_response('200 OK', [ - ('Content-Type', 'text/html'), - ('Set-Cookie', c['token'].OutputString()) - ]) - return [str(templates.login(searchList = { - 'settings': settings, - 'user': user, - 'error': None, - 'loggedin': True, - 'next': form.getvalue('next'), - }))] - - if user: - rememberme = 'rememberme' in form - forever = 'forever' in form - - cookie = Cookie.SimpleCookie(environ['HTTP_COOKIE']) - token = cookie['token'].value - c = Cookie.SimpleCookie() - c['token'] = token - - dt = datetime.datetime.utcnow() + datetime.timedelta(days = 30) - expires = dt.strftime('%a, %d-%b-%y %H:%M:%S GMT') - if rememberme: - c['token']['expires'] = expires - if forever: - c['forever'] = 1 - c['forever']['expires'] = expires - - # FIXME: This field is lost when we redirect to jab. - next = form.getvalue('next') - headers = [ - ('Location', next if next else (settings.virtual_root + 'u')), - ('Set-Cookie', c['token'].OutputString())] - if 'forever' in c: - headers.append(('Set-Cookie', c['forever'].OutputString())) - start_response('302 Found', headers) - return [] - - start_response('404 Not Found', []) - return [] - - def register(self, environ, start_response, path): - start_response('302 Found', [('Location', settings.jab_web_url + 'register')]) - return [] - - def logout(self, environ, start_response, path): - c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) - if c and 'token' in c: - try: - self.jab.expire_user_token(c['token'].value, settings.jab_identifier) - except: - pass - - c = Cookie.SimpleCookie() - expires = datetime.datetime.utcfromtimestamp(0).strftime('%a, %d-%b-%y %H:%M:%S GMT') - c['forever'] = 0 - c['forever']['expires'] = expires - c['token'] = 0 - c['token']['expires'] = expires - start_response('302 Found', [ - ('Set-Cookie', c['forever'].OutputString()), - ('Set-Cookie', c['token'].OutputString()), - ('Location', settings.virtual_root)]) - return [] - - def changepass(self, environ, start_response, path): - start_response('302 Found', [('Location', settings.jab_web_url + 'changepass')]) - return [] - - def static(self, environ, start_response, path): - filename = path[1] - if not filename in ('style.css', 'no-thumbnail.png', 'favicon.ico', 'jquery-2.1.0.min.js', 'jquery.lazy.min.js'): - start_response('404 Not Found', []) - return [] - - filepath = os.path.join(settings.static_root, filename) - if not os.path.exists(filepath): - start_response('404 Not Found', []) - return [] - mime = mimetypes.guess_type(filename, strict = False)[0] or 'application/octet-stream' - start_response('200 OK', [('Content-Type', mime)]) - return open(filepath, 'rb') - - def help(self, environ, start_response, path): - user = self.validate_cookie(environ) - start_response('200 OK', [('Content-Type', 'text/html')]) - return [str(templates.help(searchList = { - 'settings': settings, - 'user': user, - 'scheme': environ['wsgi.url_scheme'], - 'host': environ['HTTP_HOST'], - }))] - - def my_files(self, environ, start_response, path): - user = self.validate_cookie(environ) - if user == None: - start_response('302 Found', [('Location', settings.virtual_root + 'l?' + urllib.urlencode({'next': settings.virtual_root + 'm'}))]) - return [] - files = self.get_files(user) - start_response('200 OK', [('Content-Type', 'text/html')]) - return [str(templates.my(searchList = { - 'settings': settings, - 'user': user, - 'files': files, - 'total_size': db.File.pretty_size(sum([f.get_size() for f in files])), - }))] - - def images(self, environ, start_response, path): - user = self.validate_cookie(environ) - if user == None: - start_response('302 Found', [('Location', settings.virtual_root + 'l?' + urllib.urlencode({'next': settings.virtual_root + 'i'}))]) - return [] - files = [f for f in self.get_files(user) if f.is_image()] - start_response('200 OK', [('Content-Type', 'text/html')]) - return [str(templates.images(searchList = { - 'settings': settings, - 'user': user, - 'files': files, - 'total_size': db.File.pretty_size(sum([f.get_size() for f in files])), - }))] - - def thumb(self, environ, start_response, path): - hash = path[1] - thumbfile = os.path.join(settings.thumb_directory, hash + '.jpg') - if not os.access(thumbfile, os.F_OK): - file = self.get_file(hash) - try: - im = Image.open(file.get_path()) - except IOError: - # We can't generate a thumbnail for this file, just say it doesn't exist. - start_response('404 Not Found', []) - return [] - # Check for valid JPEG modes. - if im.mode not in ('1', 'L', 'RGB', 'RGBA', 'RGBX', 'CMYK', 'YCbCr'): - im = im.convert('RGB') - im.thumbnail(settings.thumb_size, Image.ANTIALIAS) - im.save(thumbfile) - - date = datetime.datetime.utcfromtimestamp(os.path.getmtime(thumbfile)) - if self.not_modified(environ, date): - start_response('304 Not Modified', [('Last-Modified', date.strftime(rfc1123_format))]) - return [] - - start_response('200 OK', [('Content-Type', 'image/jpeg'), ('Last-Modified', date.strftime(rfc1123_format))]) - return open(thumbfile, 'rb') - - def delete(self, environ, start_response, path): - user = self.validate_cookie(environ) - if user == None: - start_response('200 OK', [('Content-Type', 'text/html')]) - return ['Not logged in.'] - hash = path[1] - file = self.get_file(hash) - if file == None: - start_response('404 Not Found', [('Content-Type', 'text/html')]) - return ['

Not Found

The file you requested does not exist.

'] - if file.user_id != user.id: - start_response('403 Forbidden', [('Content-Type', 'text/html')]) - return ['

Forbidden

You are not allowed to delete this file.

'] - if environ['REQUEST_METHOD'] == 'POST': - try: - self.delete_file(file) - except Exception as e: - start_response('500 Internal Error', [('Content-Type', 'text/html')]) - return ['Failed to delete file {filename} ({error}).'.format(filename = file.filename, error = str(e))] - else: - start_response('302 Found', [('Location', settings.virtual_root + 'u')]) - return [] - else: - start_response('200 OK', [('Content-Type', 'text/html')]) - return [str(templates.delete(searchList = { - 'settings': settings, - 'user': user, - 'hash': hash, - 'filename': file.filename, - }))] - - def api(self, environ, start_response, path): - def error(msg): - start_response('200 OK', [('Content-Type', 'application/json')]) - return [json.dumps({'status': False, 'message': msg})] - user = self.validate_cookie(environ) - form = cgi.FieldStorage(fp = environ['wsgi.input'], environ = environ) - method = form.getvalue('method') - data = {'status': False, 'method': method, 'message': None} - if method in ('list', 'images'): - if user == None: - return error('Not logged in') - files = self.get_files(user) - data['files'] = [ - { - 'name': f.filename, - 'hash': f.hash, - 'date': int(f.date.strftime('%s')), - 'size': f.get_size(), - } - for f in files if method == 'list' or (method == 'images' and f.is_image()) - ] - data['status'] = True - elif method == 'get_token': - try: - token = self.jab.generate_user_token(form['username'].value, form['password'].value, settings.jab_identifier, '%s (API)' % settings.jab_name) - jab_user = self.jab.get_user_by_token(token, settings.jab_identifier, environ['REMOTE_ADDR']) - user = self.get_or_create_user(jab_user['username'], jab_user['_id']) - if not user: - return error('Error fetching user data') - self.jab.set_token_data(token, settings.jab_identifier, {'user_id': user.id}) - except: - return error('Invalid credentials') - data['token'] = token - data['status'] = True - elif method == 'expire_token': - try: - self.jab.expire_token(form['token'].value, settings.jab_identifier) - except: - pass - data['status'] = True - elif method == 'test_token': - try: - user = self.jab.get_user_by_token(form['token'].value, settings.jab_identifier, environ['REMOTE_ADDR']) - except jab.client.InvalidCredentialsError: - return error('Invalid token') - except: - return error('Error fetching user data') - data['status'] = True - else: - data['message'] = 'Unknown method "%s"' % method - start_response('200 OK', [('Content-Type', 'application/json')]) - return [json.dumps(data)] - - f = file - u = upload - l = login - s = static - h = help - m = my_files - i = images - t = thumb - o = logout - r = register - c = changepass - d = delete - a = api - - def __init__(self): - self.jab = jab.client.JabClient(settings.jab_socket) - - def __call__(self, environ, start_response): - def never_forget_wrapper(status, headers, exc_info = None): - c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) - if 'forever' in c and c['forever'].value == '1' and not any(x[0] == 'Set-Cookie' for x in headers): - dt = datetime.datetime.utcnow() + datetime.timedelta(days = 30) - expires = dt.strftime('%a, %d-%b-%y %H:%M:%S GMT') - for k in c.keys(): - c[k]['path'] = settings.virtual_root - c[k]['expires'] = expires - headers.append(('Set-Cookie', c[k].OutputString())) - return start_response(status, headers, exc_info) - try: - path = environ['PATH_INFO'].split('/')[1:] - module = path[0] if len(path) else '' - if len(module) and module in 'fulshmitorcda': - return getattr(self, module)(environ, never_forget_wrapper, path) - elif path == ['favicon.ico']: - return self.static(environ, start_response, ['s'] + path) - else: - start_response('302 Found', [('Location', settings.virtual_root + 'u')]) - return [] - except (InactiveLoginError, InvalidCookieError): - return self.logout(environ, start_response, path) - -if __name__ == '__main__': - import sys - if len(sys.argv) == 3: - from flup.server.fcgi import WSGIServer - WSGIServer(Application(), bindAddress = (sys.argv[1], int(sys.argv[2]))).run() - else: - from wsgiref.simple_server import make_server, WSGIServer - # enable IPv6 - WSGIServer.address_family |= 10 - http = make_server('', 8000, Application()) - http.serve_forever() - -# vim: noet ts=4 diff --git a/fbin/__init__.py b/fbin/__init__.py new file mode 100644 index 0000000..bdeaa5d --- /dev/null +++ b/fbin/__init__.py @@ -0,0 +1,39 @@ +from flask import Flask, url_for, Markup, request +from flask_login import current_user +from werkzeug.routing import BaseConverter + +app = Flask(__name__) +app.config.from_pyfile('fbin.cfg') + +# Set up some custom converters. These are needed for file URLs to be properly parsed. + +class HashConverter(BaseConverter): + regex = r'\w+' + +class ExtensionConverter(BaseConverter): + regex = r'\.\w+' + +app.url_map.converters['hash'] = HashConverter +app.url_map.converters['ext'] = ExtensionConverter + +@app.context_processor +def context_processors(): + def nav_html(view, name=None): + url = url_for(view) + if not name: + name = view.rsplit('.', 1)[-1].replace('_', ' ').capitalize() + if view == '.logout': + name += ' [{}]'.format(current_user.username) + return Markup('{}'.format(' class="active"' if url == request.path else '', url, name)) + return { + 'nav_html': nav_html, + } + +with app.app_context(): + # TODO: Enable API when done + from .fbin import app as fbin + #from .api import app as api + from .login import login_manager + app.register_blueprint(fbin) + #app.register_blueprint(api, url_prefix = '/api') + login_manager.init_app(app) diff --git a/fbin/api.py b/fbin/api.py new file mode 100644 index 0000000..e652019 --- /dev/null +++ b/fbin/api.py @@ -0,0 +1,62 @@ +import functools + +from flask import Blueprint, current_app, request, jsonify +from flask.views import MethodView +from flask_login import current_user + +from . import db +# FIXME +from .fbin import get_file + +app = Blueprint('api', __name__) + +# TODO: Implement this stuff. + +def makejson(f): + @functools.wraps(f) + def wrapper(*args, **kwargs): + r = f(*args, **kwargs) + if isinstance(r, dict): + r = jsonify(r) + return r + return wrapper + +def api_login_required(f): + def wrapper(*args, **kwargs): + if not current_user.is_authenticated: + return { + 'status': False, + 'message': 'Not authenticated' + } + return f(*args, **kwargs) + return wrapper + +class FileAPI(MethodView): + decorators = [api_login_required, makejson] + + def put(self, hash): + f = get_file(hash, user_id = current_user.get_id()) + if not f: + return { + 'status': False, + 'message': 'File not found' + } + filename = request.form.get('filename') + if not filename: + return { + 'status': False, + 'message': 'Empty or missing filename', + } + with db.session_scope() as sess: + f.filename = filename + sess.add(f) + return { + 'status': True, + } + + def delete(self, hash): + pass + +file_api_view = FileAPI.as_view('file_api') +app.add_url_rule('/file/', view_func = file_api_view, methods = ['PUT', 'DELETE']) + diff --git a/fbin/db.py b/fbin/db.py new file mode 100644 index 0000000..dfe3b17 --- /dev/null +++ b/fbin/db.py @@ -0,0 +1,121 @@ +from contextlib import contextmanager +import mimetypes +import os + +from flask import current_app +from sqlalchemy import create_engine, Column, Integer, String, DateTime, Text, Index, ForeignKey, Boolean +from sqlalchemy.ext.declarative import declarative_base +from sqlalchemy.orm import sessionmaker, relation, backref +from sqlalchemy.orm.exc import NoResultFound +from sqlalchemy.exc import IntegrityError +from sqlalchemy.sql import and_ + +engine = create_engine(current_app.config['DB_URI']) + +Base = declarative_base(bind = engine) + +class User(Base): + __tablename__ = 'users' + + id = Column(Integer, primary_key = True) + username = Column(String, unique = True, index = True) + jab_id = Column(String(24), unique = True, index = True) + files = relation('File', backref = 'user', order_by = 'File.date.desc()') + + def __init__(self, username, jab_id): + self.username = username + self.jab_id = jab_id + +class UserSession(Base): + __tablename__ = 'sessions' + + id = Column(Integer, primary_key = True) + user_id = Column(Integer, ForeignKey('users.id'), index = True) + access_token = Column(String) + refresh_token = Column(String) + updated = Column(DateTime) + + def __init__(self, user_id, access_token, refresh_token): + self.user_id = user_id + self.access_token = access_token + self.refresh_token = refresh_token + +class File(Base): + __tablename__ = 'files' + + id = Column(Integer, primary_key = True) + hash = Column(String, unique = True, index = True) + filename = Column(String) + date = Column(DateTime) + user_id = Column(Integer, ForeignKey('users.id'), nullable = True) + ip = Column(String) + accessed = Column(DateTime) + + def __init__(self, hash, filename, date, user_id = None, ip = None): + self.hash = hash + self.filename = filename + self.date = date + self.user_id = user_id + self.ip = ip + + @staticmethod + def pretty_size(size): + if size is None: + return 'N/A' + suffixes = (('TiB', 2**40), ('GiB', 2**30), ('MiB', 2**20), ('KiB', 2**10)) + for suf, threshold in suffixes: + if size >= threshold: + return '{:.2f} {}'.format(size / threshold, suf) + else: + continue + return '{} B'.format(size) + + def get_path(self): + return os.path.join(current_app.config['FILE_DIRECTORY'], self.hash + os.path.splitext(self.filename)[1]) + + def get_thumb_path(self): + return os.path.join(current_app.config['THUMB_DIRECTORY'], self.hash + '.jpg') + + def get_size(self): + try: + return os.path.getsize(self.get_path()) + except OSError: + return None + + @property + def formatted_size(self): + return self.pretty_size(self.get_size()) + + @property + def formatted_date(self): + return self.date.strftime('%Y-%m-%d %H:%M:%S UTC') + + def get_mime_type(self): + return mimetypes.guess_type(self.filename, strict = False)[0] or 'application/octet-stream' + + def is_image(self): + return self.get_mime_type().startswith('image') + + @property + def ext(self): + return os.path.splitext(self.filename)[1] + + @property + def exists(self): + return os.path.exists(self.get_path()) + +Base.metadata.create_all() +Session = sessionmaker(bind = engine, autoflush = True, autocommit = False) + +@contextmanager +def session_scope(): + session = Session() + try: + session.expire_on_commit = False + yield session + session.commit() + except: + session.rollback() + raise + finally: + session.close() diff --git a/fbin/fbin.py b/fbin/fbin.py new file mode 100755 index 0000000..42c371f --- /dev/null +++ b/fbin/fbin.py @@ -0,0 +1,353 @@ +#!/usr/bin/env python + +import base64 +import cgi +import datetime +import hashlib +import io +import json +import mimetypes +import os +import random +import subprocess +import tempfile +import urllib +from urllib.parse import urlencode, urljoin + +from flask import Blueprint, redirect, current_app, url_for, request, render_template, session, flash, send_file, abort, jsonify, Markup +from flask_login import login_user, logout_user, current_user, login_required +import jwt +from PIL import Image +import requests +from werkzeug.utils import secure_filename + +from . import db +from .monkey import patch as monkey_patch +from .login import login_manager, load_user + +monkey_patch() + +base62_alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' + +if not os.path.isdir(current_app.config['FILE_DIRECTORY']): + os.mkdir(current_app.config['FILE_DIRECTORY']) + +if not os.path.isdir(current_app.config['THUMB_DIRECTORY']): + os.mkdir(current_app.config['THUMB_DIRECTORY']) + +try: + # Throws OSError if mogrify doesn't exist. + subprocess.call(['mogrify', '-quiet']) +except OSError: + has_mogrify = False +else: + has_mogrify = True + +def get_or_create_user(username, jab_id): + with db.session_scope() as sess: + try: + return sess.query(db.User).filter(db.User.jab_id == jab_id).one() + except db.NoResultFound: + try: + user = db.User(username, jab_id) + sess.add(user) + sess.commit() + sess.refresh(user) + return user + except db.IntegrityError: + return None + +def add_file(path, filename, user = None, ip = None): + file_hash = ''.join(random.choice(base62_alphabet) for x in range(5)) + new_path = os.path.join(current_app.config['FILE_DIRECTORY'], file_hash + os.path.splitext(filename)[1]) + os.rename(path, new_path) + if current_app.config.get('DESTINATION_MODE'): + os.chmod(new_path, current_app.config.get('DESTINATION_MODE')) + with db.session_scope() as sess: + f = db.File(file_hash, filename, datetime.datetime.utcnow(), user.id if user else None, ip) + sess.add(f) + sess.commit() + sess.refresh(f) + return f + +def get_file(file_hash, user_id=None, update_accessed=False): + with db.session_scope() as sess: + try: + f = sess.query(db.File).filter(db.File.hash == file_hash) + if user_id: + f = f.filter(db.File.user_id == user_id) + f = f.one() + except db.NoResultFound: + return None + if update_accessed: + f.accessed = datetime.datetime.utcnow() + sess.add(f) + sess.commit() + # Refresh after field update. + sess.refresh(f) + return f + +def get_files(user): + with db.session_scope() as sess: + try: + sess.add(user) + files = user.files + except db.NoResultFound: + return [] + return files + +def delete_file(file): + with db.session_scope() as sess: + sess.delete(file) + sess.commit() + filename = file.get_path() + if os.path.exists(filename): + os.unlink(filename) + thumbfile = file.get_thumb_path() + if os.path.exists(thumbfile): + os.unlink(thumbfile) + +app = Blueprint('fbin', __name__) + +@app.route('/') +def index(): + return redirect(url_for('.upload')) + +@app.route('/u') +@app.route('/upload', methods = ['GET', 'POST']) +def upload(): + context = { + 'title': 'Upload', + } + if request.method == 'GET': + return render_template('upload.html', **context) + if not current_user.is_authenticated and not current_app.config.get('ALLOW_ANONYMOUS_UPLOADS'): + abort(403) + uploaded_file = request.files.get('file') + if not uploaded_file or not uploaded_file.filename: + flash('No valid file or filename was provided.', 'warning') + return render_template('upload.html', **context) + if hasattr(uploaded_file.stream, 'file'): + temp = None + temp_path = uploaded_file.stream.name + else: + temp = tempfile.NamedTemporaryFile(prefix = 'upload_', dir = current_app.config['FILE_DIRECTORY'], delete = False) + uploaded_file.save(temp.file) + temp_path = temp.name + new_file = add_file(temp_path, uploaded_file.filename, current_user.user if current_user.is_authenticated else None, request.remote_addr) + + mime = new_file.get_mime_type() + # TODO: Apparently TIFF also supports EXIF, test this. + if has_mogrify and mime == 'image/jpeg': + # NOTE: PIL doesn't support lossless rotation, so we call mogrify to do this. + # NOTE: This changes the file, so the file_hash applies to the ORIGINAL file contents only. + # NOTE: The file hash is only used to detect duplicates when uploading, so this should not be a problem. + subprocess.call(['mogrify', '-auto-orient', new_file.get_path()]) + + if bool(request.form.get('api')): + return 'OK {hash}'.format(hash = new_file.hash) + else: + context = { + 'file': new_file, + } + return redirect(url_for('.uploaded', hash = new_file.hash)) + +@app.route('/uploaded/') +def uploaded(hash): + f = get_file(hash, update_accessed = False) + if not f: + abort(404) + if f.user_id and (not current_user.is_authenticated or f.user_id != current_user.get_user_id()): + abort(404) + context = { + 'title': 'Uploaded', + 'subtitle': f.filename, + 'file': f, + } + return render_template('uploaded.html', **context) + +@app.route('/f/') +@app.route('/f/') +@app.route('/f//') +@app.route('/file/', endpoint = 'file') +@app.route('/file/', endpoint = 'file') +@app.route('/file//', endpoint = 'file') +def _file(hash, ext=None, filename=None): + f = get_file(hash) + if not f: + abort(404) + return send_file(f.get_path()) + +@app.route('/l') +@app.route('/login') +def login(): + session['oauth_state'] = base64.urlsafe_b64encode(os.urandom(30)).decode() + return redirect(urljoin(current_app.config['OAUTH_URL'], 'authorize') + '?' + urlencode({ + 'response_type': 'code', + 'client_id': current_app.config['OAUTH_CLIENT_ID'], + 'redirect_uri': urljoin(request.host_url, url_for('.auth')), + 'state': session['oauth_state'], + })) + +@app.route('/account') +def account(): + return redirect(current_app.config['ACCOUNT_URL']) + +@app.route('/o') +@app.route('/logout') +def logout(): + if not current_user.is_authenticated: + return redirect(url_for('.index')) + session_id = int(current_user.get_id().split(':', 1)[-1]) + with db.session_scope() as s: + try: + s.query(db.UserSession).filter_by(id = session_id).delete() + except: + raise + logout_user() + return redirect(url_for('.index')) + +@app.route('/auth') +def auth(): + if 'error' in request.args: + error = request.args['error'] + error_description = request.args.get('error_description') + msg = 'OAuth error: {}'.format(error) + if error_description: + msg += ' ({})'.format(error_description) + flash(msg, 'error') + return redirect(url_for('.index')) + session_state = session.pop('oauth_state', None) + state = request.args.get('state') + if session_state != state: + flash('Invalid OAuth state', 'error') + return redirect(url_for('.index')) + code = request.args.get('code') + if not code: + flash('Missing OAuth code', 'error') + return redirect(url_for('.index')) + rs = requests.Session() + response = rs.post(urljoin(current_app.config['OAUTH_URL'], 'token'), data = { + 'grant_type': 'authorization_code', + 'code': code, + 'client_id': current_app.config['OAUTH_CLIENT_ID'], + 'client_secret': current_app.config['OAUTH_CLIENT_SECRET'], + 'redirect_uri': urljoin(request.host_url, url_for('.auth')), + }) + token = response.json() + if 'error' in token: + msg = 'OAuth error: {}'.format(token['error']) + flash(msg, 'error') + return redirect(url_for('.index')) + try: + access_data = jwt.decode(token['access_token'], key = current_app.config['JWT_PUBLIC_KEY'], audience = current_app.config['OAUTH_CLIENT_ID']) + refresh_data = jwt.decode(token['refresh_token'], key = current_app.config['JWT_PUBLIC_KEY'], audience = current_app.config['OAUTH_CLIENT_ID']) + except jwt.InvalidTokenError as e: + flash('Failed to verify token: {!s}'.format(e), 'error') + return redirect(url_for('.index')) + response = rs.get(urljoin(current_app.config['OAUTH_URL'], '/api/user'), headers = {'Authorization': 'Bearer {}'.format(token['access_token'])}) + user = response.json() + user = get_or_create_user(user['username'], user['id']) + with db.session_scope() as s: + us = db.UserSession(user.id, token['access_token'], token['refresh_token']) + us.updated = datetime.datetime.utcnow() + s.add(us) + s.commit() + s.refresh(us) + user = load_user('{}:{}'.format(user.id, us.id)) + if not user: + flash('Failed to retrieve user instance.', 'error') + else: + login_user(user, remember = True) + return redirect(url_for('.index')) + +@app.route('/m') +@app.route('/files') +@login_required +def files(): + files = get_files(current_user.user) + context = { + 'title': 'Files', + 'files': files, + 'total_size': db.File.pretty_size(sum(f.get_size() for f in files if f.exists)), + } + return render_template('files.html', **context) + +@app.route('/files', methods = ['POST']) +@login_required +def file_edit(): + f = get_file(request.form.get('hash'), user_id = current_user.get_id(), update_accessed = False) + if not f: + flash('File not found.', 'error') + return redirect(url_for('.files')) + if 'filename' in request.form: + with db.session_scope() as sess: + old_path = f.get_path() + filename = request.form.get('filename', f.filename) + f.filename = filename + new_path = f.get_path() + # If extension changed, the local filename also changes. We could just store the file without the extension, + # but that would break the existing files, requiring a manual rename. + if old_path != new_path: + try: + if os.path.exists(new_path): + # This shouldn't happen unless we have two files with the same hash, which should be impossible. + raise RuntimeError() + else: + os.rename(old_path, new_path) + except: + flash(Markup('Internal rename failed; file may have become unreachable. ' + 'Please contact an admin and specify hash={}.'.format(f.hash)), 'error') + sess.add(f) + flash('Filename changed to "{}".'.format(f.filename), 'success') + elif 'delete' in request.form: + try: + delete_file(f) + except: + flash('Failed to delete file.', 'error') + else: + flash('File deleted.', 'success') + else: + flash('No action was performed.', 'warning') + return redirect(url_for('.files')) + +@app.route('/i') +@app.route('/images') +@login_required +def images(): + files = [f for f in get_files(current_user.user) if f.is_image()] + context = { + 'title': 'Images', + 'fullwidth': True, + 'files': files, + 'total_size': db.File.pretty_size(sum(f.get_size() for f in files if f.exists)), + } + return render_template('images.html', **context) + +@app.route('/t/') +@app.route('/thumb/') +def thumb(hash): + thumbfile = os.path.join(current_app.config['THUMB_DIRECTORY'], hash + '.jpg') + if not os.access(thumbfile, os.F_OK): + f = get_file(hash, update_accessed = False) + try: + im = Image.open(f.get_path()) + except IOError: + # We can't generate a thumbnail for this file, just say it doesn't exist. + abort(404) + # Check for valid JPEG modes. + if im.mode not in ('1', 'L', 'RGB', 'RGBA', 'RGBX', 'CMYK', 'YCbCr'): + im = im.convert('RGB') + im.thumbnail(current_app.config.get('THUMB_SIZE', (128, 128)), Image.ANTIALIAS) + im.save(thumbfile) + return send_file(thumbfile) + +@app.route('/h') +@app.route('/help') +def help(): + context = { + 'title': 'Help', + } + return render_template('help.html', **context) + +login_manager.login_view = '.login' diff --git a/fbin/login.py b/fbin/login.py new file mode 100644 index 0000000..7647e13 --- /dev/null +++ b/fbin/login.py @@ -0,0 +1,92 @@ +import datetime +import traceback +from urllib.parse import urljoin + +from flask import current_app, flash +from flask_login import LoginManager +import jwt +import requests + +from . import db + +login_manager = LoginManager() + +class User: + def __init__(self, user, user_session): + self.user = user + self.user_session = user_session + self.token = None + + def refresh_access_token(self): + response = requests.post(urljoin(current_app.config['OAUTH_URL'], 'token'), data = { + 'grant_type': 'refresh_token', + 'client_id': current_app.config['OAUTH_CLIENT_ID'], + 'client_secret': current_app.config['OAUTH_CLIENT_SECRET'], + 'refresh_token': self.user_session.refresh_token, + }) + if response.status_code != 200: + flash('Failed to refresh authentication token (API call returned {} {})'.format(response.status_code, response.reason), 'error') + return + token = response.json() + try: + access_data = jwt.decode(token['access_token'], key = current_app.config['JWT_PUBLIC_KEY'], audience = current_app.config['OAUTH_CLIENT_ID']) + refresh_data = jwt.decode(token['refresh_token'], key = current_app.config['JWT_PUBLIC_KEY'], audience = current_app.config['OAUTH_CLIENT_ID']) + except jwt.InvalidTokenError as e: + traceback.print_exc() + flash('Failed to refresh authentication token (verification failed)', 'error') + return + with db.session_scope() as sess: + self.user_session.access_token = token['access_token'] + self.user_session.refresh_token = token['refresh_token'] + self.user_session.updated = datetime.datetime.utcnow() + sess.add(self.user_session) + return True + + @property + def is_authenticated(self): + if self.user is None: + return False + if self.token: + return True + try: + self.token = jwt.decode(self.user_session.access_token, key = current_app.config['JWT_PUBLIC_KEY'], audience = current_app.config['OAUTH_CLIENT_ID']) + except jwt.ExpiredSignatureError: + try: + if not self.refresh_access_token(): + return False + except: + traceback.print_exc() + flash('Failed to refresh authentication token (unhandled error; contact an admin)', 'error') + return False + except jwt.InvalidTokenError: + return False + return True + + @property + def is_active(self): + return True + + @property + def is_anonymous(self): + return False + + def get_id(self): + return '{}:{}'.format(self.user.id, self.user_session.id) + + def get_user_id(self): + return self.user.id if self.is_authenticated else None + + @property + def username(self): + return self.user.username + +@login_manager.user_loader +def load_user(user_id): + user_id, session_id = map(int, user_id.split(':', 1)) + try: + with db.session_scope() as sess: + user, user_session = sess.query(db.User, db.UserSession).join(db.UserSession).filter(db.User.id == user_id, db.UserSession.id == session_id).one() + return User(user, user_session) + except: + traceback.print_exc() + return None diff --git a/fbin/monkey.py b/fbin/monkey.py new file mode 100644 index 0000000..c6458ad --- /dev/null +++ b/fbin/monkey.py @@ -0,0 +1,25 @@ +import tempfile + +from flask import current_app +import werkzeug.formparser +import werkzeug.wrappers + +def werkzeug_patch(): + global werkzeug_orig_stream_factory + + werkzeug_orig_stream_factory = werkzeug.formparser.default_stream_factory + + def custom_stream_factory(total_content_length, filename, content_type, content_length=None): + if total_content_length > 1024 * 500: + return tempfile.NamedTemporaryFile('wb+', prefix = 'upload_', dir = current_app.config['FILE_DIRECTORY'], delete = True) + return werkzeug_orig_stream_factory(total_content_length, filename, content_type, content_length) + + werkzeug.formparser.default_stream_factory = custom_stream_factory + werkzeug.wrappers.default_stream_factory = custom_stream_factory + +def werkzeug_reset(): + werkzeug.formparser.default_stream_factory = werkzeug_orig_stream_factory + werkzeug.wrappers.default_stream_factory = werkzeug_orig_stream_factory + +def patch(): + werkzeug_patch() diff --git a/fbin/static/css/bootstrap.min.css b/fbin/static/css/bootstrap.min.css new file mode 100644 index 0000000..ed3905e --- /dev/null +++ b/fbin/static/css/bootstrap.min.css @@ -0,0 +1,6 @@ +/*! + * Bootstrap v3.3.7 (http://getbootstrap.com) + * Copyright 2011-2016 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,:after,:before{color:#000!important;text-shadow:none!important;background:0 0!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}blockquote,pre{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}img,tr{page-break-inside:avoid}img{max-width:100%!important}h2,h3,p{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table td,.table th{background-color:#fff!important}.table-bordered td,.table-bordered th{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff2) format('woff2'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\002a"}.glyphicon-plus:before{content:"\002b"}.glyphicon-eur:before,.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:b