Added very basic permission system. #71
[zzz-spline-users.git] / splinext / users / controllers / users.py
1 import logging
2 import unicodedata
3
4 from wtforms import Form, ValidationError, fields, validators, widgets
5
6 from pylons import config, request, response, session, tmpl_context as c, url
7 from pylons.controllers.util import abort, redirect_to
8 from routes import request_config
9 from sqlalchemy.orm.exc import NoResultFound
10
11 from spline.model import meta
12 from spline.lib import helpers as h
13 from spline.lib.base import BaseController, render
14 from splinext.users import model as users_model
15
16 log = logging.getLogger(__name__)
17
18
19 class ProfileEditForm(Form):
20 name = fields.TextField(u'Display name', [validators.Required()])
21
22 def validate_name(form, field):
23 if not 1 < len(field.data) <= 20:
24 raise ValidationError("Name can't be longer than 20 characters")
25
26 any_real_characters = False
27 for char in field.data:
28 cat = unicodedata.category(char)
29
30 # Non-spacing marks and spaces don't count as letters
31 if cat not in ('Mn', 'Zs'):
32 any_real_characters = True
33
34 # Disallow control characters, format characters, non-assigned,
35 # private use, surrogates, spacing-combining marks (for Arabic,
36 # etc), enclosing marks (millions sign), line-spacing,
37 # paragraph-spacing.
38 # This also, thankfully, includes the RTL characters.
39 if cat in ('Cc', 'Cf', 'Cn', 'Co', 'Cs', 'Mc', 'Me', 'Zl', 'Zp'):
40 raise ValidationError("Please don't play stupid Unicode tricks")
41
42 class UsersController(BaseController):
43
44 def list(self):
45 c.users = meta.Session.query(users_model.User) \
46 .order_by(users_model.User.id.asc())
47 return render('/users/list.mako')
48
49 def profile(self, id, name=None):
50 """Main user profile.
51
52 URL is /users/id:name, where 'name' only exists for readability and is
53 entirely optional and ignored.
54 """
55
56 c.page_user = meta.Session.query(users_model.User).get(id)
57 if not c.page_user:
58 abort(404)
59
60 return render('/users/profile.mako')
61
62 def profile_edit(self, id, name=None):
63 """Main user profile editing."""
64 c.page_user = meta.Session.query(users_model.User).get(id)
65 if not c.page_user:
66 abort(404)
67
68 # XXX could use some real permissions
69 if c.page_user != c.user:
70 abort(403)
71
72 c.form = ProfileEditForm(request.params,
73 name=c.page_user.name,
74 )
75
76 if request.method != 'POST' or not c.form.validate():
77 return render('/users/profile_edit.mako')
78
79
80 c.page_user.name = c.form.name.data
81
82 meta.Session.add(c.page_user)
83 meta.Session.commit()
84
85 h.flash('Saved your profile.', icon='tick')
86
87 redirect_to(controller='users', action='profile',
88 id=c.page_user.id, name=c.page_user.name,
89 _code=303)