]> git.llucax.com Git - software/blitiri.git/blobdiff - blitiri.cgi
Honour umask when creating the comments directory
[software/blitiri.git] / blitiri.cgi
index 22532edc1c28ee5b578a9d019561ed10f2c17efd..0ffc81a6ac40851dbc1944aa90794c33f413f1bb 100755 (executable)
@@ -24,6 +24,12 @@ comments_path = "/tmp/blog/comments"
 # default templates. If they're not found, the built-in ones will be used.
 templates_path = "/tmp/blog/templates"
 
+# Path where the cache is stored (must be writeable by the web server);
+# set to None to disable. When enabled, you must take care of cleaning it up
+# every once in a while.
+#cache_path = "/tmp/blog/cache"
+cache_path = None
+
 # URL to the blog, including the name. Can be a full URL or just the path.
 blog_url = "/blog/blitiri.cgi"
 
@@ -40,6 +46,15 @@ author = "Hartmut Kegan"
 # Article encoding
 encoding = "utf8"
 
+# Captcha method to use. At the moment only "title" is supported, but if you
+# are keen with Python you can provide your own captcha implementation, see
+# below for details.
+captcha_method = "title"
+
+# How many articles to show in the index
+index_articles = 10
+
+
 #
 # End of configuration
 # DO *NOT* EDIT ANYTHING PAST HERE
@@ -57,6 +72,7 @@ import zlib
 import urllib
 import cgi
 from docutils.core import publish_parts
+from docutils.utils import SystemMessage
 
 # Before importing the config, add our cwd to the Python path
 sys.path.append(os.getcwd())
@@ -72,6 +88,84 @@ except:
 data_path = os.path.realpath(data_path)
 templates_path = os.path.realpath(templates_path)
 
+
+#
+# Captcha classes
+#
+# They must follow the interface described below.
+#
+# Constructor:
+#      Captcha(article) -> constructor, takes an article[1] as argument
+# Attributes:
+#      puzzle -> a string with the puzzle the user must solve to prove he is
+#                not a bot (can be raw HTML)
+#      help -> a string with extra instructions, shown only when the user
+#              failed to solve the puzzle
+# Methods:
+#      validate(form_data) -> based on the form data[2],  returns True if
+#                             the user has solved the puzzle uccessfully
+#                             (False otherwise).
+#
+# Note you must ensure that the puzzle attribute and validate() method can
+# "communicate" because they are executed in different requests. You can pass a
+# cookie or just calculate the answer based on the article's data, for example.
+#
+# [1] article is an object with all the article's information:
+#      path -> string
+#      created -> datetime
+#      updated -> datetime
+#      uuid -> string (unique ID)
+#      title -> string
+#      author -> string
+#      tags -> list of strings
+#      raw_contents -> string in rst format
+#      comments -> list of Comment objects (not too relevant here)
+# [2] form_data is an object with the form fields (all strings):
+#      author, author_error
+#      link, link_error
+#      catpcha, captcha_error
+#      body, body_error
+#      action, method
+
+class TitleCaptcha (object):
+       "Captcha that uses the article's title for the puzzle"
+       def __init__(self, article):
+               self.article = article
+               words = article.title.split()
+               self.nword = hash(article.title) % len(words) % 5
+               self.answer = words[self.nword]
+               self.help = 'gotcha, damn spam bot!'
+
+       @property
+       def puzzle(self):
+               nword = self.nword + 1
+               if nword == 1:
+                       n = '1st'
+               elif nword == 2:
+                       n = '2nd'
+               elif nword == 3:
+                       n = '3rd'
+               else:
+                       n = str(nword) + 'th'
+               return "enter the %s word of the article's title" % n
+
+       def validate(self, form_data):
+               if form_data.captcha.lower() == self.answer.lower():
+                       return True
+               return False
+
+known_captcha_methods = {
+       'title': TitleCaptcha,
+}
+
+# If the configured captcha method was a known string, replace it by the
+# matching class; otherwise assume it's already a class and leave it
+# alone. This way the user can either use one of our methods, or provide one
+# of his/her own.
+if captcha_method in known_captcha_methods:
+       captcha_method = known_captcha_methods[captcha_method]
+
+
 # Default template
 
 default_main_header = """\
@@ -101,6 +195,7 @@ default_main_footer = """
   years: %(yearlinks)s<br/>
   subscribe: <a href="%(url)s/atom">atom</a><br/>
   views: <a href="%(url)s/">blog</a> <a href="%(url)s/list">list</a><br/>
+  tags: %(taglinks)s<br/>
 </div>
 
 </body>
@@ -140,7 +235,7 @@ default_comment_header = """
 <div class="comment">
 <a name="comment-%(number)d" />
 <h3><a href="#comment-%(number)d">Comment #%(number)d</a></h3>
-<span class="cominfo">by <a href="%(link)s">%(author)s</a>
+<span class="cominfo">by %(linked_author)s
   on %(year)04d-%(month)02d-%(day)02d %(hour)02d:%(minute)02d</span>
 <p/>
 <div class="combody">
@@ -159,24 +254,32 @@ default_comment_form = """
 <div class="comforminner">
 <form method="%(form_method)s" action="%(form_action)s">
 <div class="comformauthor">
-  <label for="comformauthor">Your name</label>
+  <label for="comformauthor">Your name %(form_author_error)s</label>
   <input type="text" class="comformauthor" id="comformauthor"
-         name="comformauthor" />
+         name="comformauthor" value="%(form_author)s" />
 </div>
 <div class="comformlink">
   <label for="comformlink">Your link
-    <span class="comformoptional">(optional, will be published)</span></label>
+    <span class="comformoptional">(optional, will be published)</span>
+      %(form_link_error)s</label>
   <input type="text" class="comformlink" id="comformlink"
-         name="comformlink" />
+         name="comformlink" value="%(form_link)s" />
   <div class="comformhelp">
     like <span class="formurlexample">http://www.example.com/</span>
     or <span class="formurlexample">mailto:you@example.com</span>
   </div>
 </div>
+<div class="comformcaptcha">
+  <label for="comformcaptcha">Your humanity proof %(form_captcha_error)s</label>
+  <input type="text" class="comformcaptcha" id="comformcaptcha"
+         name="comformcaptcha" value="%(form_captcha)s" />
+  <div class="comformhelp">%(captcha_puzzle)s</div>
+</div>
 <div class="comformbody">
-  <label for="comformbody" class="comformbody">The comment</label>
+  <label for="comformbody" class="comformbody">The comment
+    %(form_body_error)s</label>
   <textarea class="comformbody" id="comformbody" name="comformbody" rows="15"
-            cols="80"></textarea>
+            cols="80">%(form_body)s</textarea>
   <div class="comformhelp">
     in
     <a href="http://docutils.sourceforge.net/docs/user/rst/quickref.html">\
@@ -193,6 +296,8 @@ RestructuredText</a> format, please
 </div>
 """
 
+default_comment_error = '<span class="comformerror">(%(error)s)</span>'
+
 
 # Default CSS
 default_css = """
@@ -328,6 +433,12 @@ button.comformsend {
        margin-top: 0.5em;
 }
 
+span.comformerror {
+       color: #900;
+       font-size: xx-small;
+       margin-left: 0.5em;
+}
+
 hr {
        float: left;
        height: 2px;
@@ -359,29 +470,90 @@ div.section h1 {
 
 """
 
+
+# Cache decorator
+# It only works if the function is pure (that is, its return value depends
+# only on its arguments), and if all the arguments are hash()eable.
+def cached(f):
+       # do not decorate if the cache is disabled
+       if cache_path is None:
+               return f
+
+       def decorate(*args, **kwargs):
+               hashes = '-'.join( str(hash(x)) for x in args +
+                               tuple(kwargs.items()) )
+               fname = 'blitiri.%s.%s.cache' % (f.__name__, hashes)
+               cache_file = os.path.join(cache_path, fname)
+               try:
+                       s = open(cache_file).read()
+               except:
+                       s = f(*args, **kwargs)
+                       open(cache_file, 'w').write(s)
+               return s
+
+       return decorate
+
+
 # helper functions
-def rst_to_html(rst):
+@cached
+def rst_to_html(rst, secure = True):
        settings = {
                'input_encoding': encoding,
                'output_encoding': 'utf8',
                'halt_level': 1,
                'traceback':  1,
+               'file_insertion_enabled': secure,
+               'raw_enabled': secure,
        }
        parts = publish_parts(rst, settings_overrides = settings,
                                writer_name = "html")
        return parts['body'].encode('utf8')
 
-def valid_rst(rst):
+def validate_rst(rst, secure = True):
        try:
-               rst_to_html(rst)
-               return True
-       except:
-               return False
+               rst_to_html(rst, secure)
+               return None
+       except SystemMessage, e:
+               desc = e.args[0].encode('utf-8') # the error string
+               desc = desc[9:] # remove "<string>:"
+               line = int(desc[:desc.find(':')] or 0) # get the line number
+               desc = desc[desc.find(')')+2:-1] # remove (LEVEL/N)
+               try:
+                       desc, context = desc.split('\n', 1)
+               except ValueError:
+                       context = ''
+               if desc.endswith('.'):
+                       desc = desc[:-1]
+               return (line, desc, context)
+
+def valid_link(link):
+       import re
+       scheme_re = r'^[a-zA-Z]+:'
+       mail_re = r"^[^ \t\n\r@<>()]+@[a-z0-9][a-z0-9\.\-_]*\.[a-z]+$"
+       url_re = r'^(?:[a-z0-9\-]+|[a-z0-9][a-z0-9\-\.\_]*\.[a-z]+)' \
+                       r'(?::[0-9]+)?(?:/.*)?$'
+
+       if re.match(scheme_re, link, re.I):
+               scheme, rest = link.split(':', 1)
+               # if we have an scheme and a rest, assume the link is valid
+               # and return it as-is; otherwise (having just the scheme) is
+               # invalid
+               if rest:
+                       return link
+               return None
+
+       # at this point, we don't have a scheme; we will try to recognize some
+       # common addresses (mail and http at the moment) and complete them to
+       # form a valid link, if we fail we will just claim it's invalid
+       if re.match(mail_re, link, re.I):
+               return 'mailto:' + link
+       elif re.match(url_re, link, re.I):
+               return 'http://' + link
+
+       return None
 
 def sanitize(obj):
-       if isinstance(obj, basestring):
-               return cgi.escape(obj, True)
-       return obj
+       return cgi.escape(obj, quote = True)
 
 
 # find out our URL, needed for syndication
@@ -415,6 +587,7 @@ class Templates (object):
                        'showyear': showyear,
                        'monthlinks': ' '.join(db.get_month_links(showyear)),
                        'yearlinks': ' '.join(db.get_year_links()),
+                       'taglinks': ' '.join(db.get_tag_links()),
                }
 
        def get_template(self, page_name, default_template, extra_vars = None):
@@ -444,19 +617,65 @@ class Templates (object):
                        'art_footer', default_article_footer, article.to_vars())
 
        def get_comment_header(self, comment):
+               vars = comment.to_vars()
+               if comment.link:
+                       vars['linked_author'] = '<a href="%s">%s</a>' \
+                                       % (vars['link'], vars['author'])
+               else:
+                       vars['linked_author'] = vars['author']
                return self.get_template(
-                       'com_header', default_comment_header, comment.to_vars())
+                       'com_header', default_comment_header, vars)
 
        def get_comment_footer(self, comment):
                return self.get_template(
                        'com_footer', default_comment_footer, comment.to_vars())
 
-       def get_comment_form(self, article, method, action):
+       def get_comment_form(self, article, form_data, captcha_puzzle):
                vars = article.to_vars()
-               vars['form_method'] = method
-               vars['form_action'] = action
+               vars.update(form_data.to_vars(self))
+               vars['captcha_puzzle'] = captcha_puzzle
+               return self.get_template(
+                       'com_form', default_comment_form, vars)
+
+       def get_comment_error(self, error):
                return self.get_template(
-                       'com_footer', default_comment_form, vars)
+                       'com_error', default_comment_error, dict(error=error))
+
+
+class CommentFormData (object):
+       def __init__(self, author = '', link = '', captcha = '', body = ''):
+               self.author = author
+               self.link = link
+               self.captcha = captcha
+               self.body = body
+               self.author_error = ''
+               self.link_error = ''
+               self.captcha_error = ''
+               self.body_error = ''
+               self.action = ''
+               self.method = 'post'
+
+       def to_vars(self, template):
+               render_error = template.get_comment_error
+               a_error = self.author_error and render_error(self.author_error)
+               l_error = self.link_error and render_error(self.link_error)
+               c_error = self.captcha_error \
+                               and render_error(self.captcha_error)
+               b_error = self.body_error and render_error(self.body_error)
+               return {
+                       'form_author': sanitize(self.author),
+                       'form_link': sanitize(self.link),
+                       'form_captcha': sanitize(self.captcha),
+                       'form_body': sanitize(self.body),
+
+                       'form_author_error': a_error,
+                       'form_link_error': l_error,
+                       'form_captcha_error': c_error,
+                       'form_body_error': b_error,
+
+                       'form_action': self.action,
+                       'form_method': self.method,
+               }
 
 
 class Comment (object):
@@ -475,25 +694,23 @@ class Comment (object):
                self._link = ''
                self._raw_content = 'Removed comment'
 
-
-       def get_author(self):
+       @property
+       def author(self):
                if not self.loaded:
                        self.load()
                return self._author
-       author = property(fget = get_author)
 
-       def get_link(self):
+       @property
+       def link(self):
                if not self.loaded:
                        self.load()
                return self._link
-       link = property(fget = get_link)
 
-       def get_raw_content(self):
+       @property
+       def raw_content(self):
                if not self.loaded:
                        self.load()
                return self._raw_content
-       raw_content = property(fget = get_raw_content)
-
 
        def set(self, author, raw_content, link = '', created = None):
                self.loaded = True
@@ -561,6 +778,11 @@ class Comment (object):
 class CommentDB (object):
        def __init__(self, article):
                self.path = os.path.join(comments_path, article.uuid)
+               # if comments were enabled after the article was added, we
+               # will need to create the directory
+               if not os.path.exists(self.path):
+                       os.mkdir(self.path, 0777)
+
                self.comments = []
                self.load(article)
 
@@ -617,37 +839,35 @@ class Article (object):
                self._raw_content = ''
                self._comments = []
 
-
-       def get_title(self):
+       @property
+       def title(self):
                if not self.loaded:
                        self.load()
                return self._title
-       title = property(fget = get_title)
 
-       def get_author(self):
+       @property
+       def author(self):
                if not self.loaded:
                        self.load()
                return self._author
-       author = property(fget = get_author)
 
-       def get_tags(self):
+       @property
+       def tags(self):
                if not self.loaded:
                        self.load()
                return self._tags
-       tags = property(fget = get_tags)
 
-       def get_raw_content(self):
+       @property
+       def raw_content(self):
                if not self.loaded:
                        self.load()
                return self._raw_content
-       raw_content = property(fget = get_raw_content)
 
-       def get_comments(self):
+       @property
+       def comments(self):
                if not self.loaded:
                        self.load()
                return self._comments
-       comments = property(fget = get_comments)
-
 
        def __cmp__(self, other):
                if self.path == other.path:
@@ -752,6 +972,7 @@ class ArticleDB (object):
                self.uuids = {}
                self.actyears = set()
                self.actmonths = set()
+               self.acttags = set()
                self.load()
 
        def get_articles(self, year = 0, month = 0, day = 0, tags = None):
@@ -789,6 +1010,7 @@ class ArticleDB (object):
                                datetime.datetime.fromtimestamp(float(l[1])),
                                datetime.datetime.fromtimestamp(float(l[2])))
                        self.uuids[a.uuid] = a
+                       self.acttags.update(a.tags)
                        self.actyears.add(a.created.year)
                        self.actmonths.add((a.created.year, a.created.month))
                        self.articles.append(a)
@@ -823,14 +1045,33 @@ class ArticleDB (object):
                        ml.append(s)
                return ml
 
+       def get_tag_links(self):
+               tl = list(self.acttags)
+               tl.sort()
+               return [ '<a href="%s/tag/%s">%s</a>' % (blog_url,
+                               sanitize(t), sanitize(t)) for t in tl ]
+
 #
 # Main
 #
 
+def render_comments(article, template, form_data):
+       print '<a name="comments" />'
+       for c in article.comments:
+               if c is None:
+                       continue
+               print template.get_comment_header(c)
+               print c.to_html()
+               print template.get_comment_footer(c)
+       if not form_data:
+               form_data = CommentFormData()
+       form_data.action = blog_url + '/comment/' + article.uuid + '#comment'
+       captcha = captcha_method(article)
+       print template.get_comment_form(article, form_data, captcha.puzzle)
 
 def render_html(articles, db, actyear = None, show_comments = False,
-               redirect =  None):
-       if redirect is not None:
+               redirect =  None, form_data = None):
+       if redirect:
                print 'Status: 303 See Other\r\n',
                print 'Location: %s\r\n' % redirect,
        print 'Content-type: text/html; charset=utf-8\r\n',
@@ -842,15 +1083,7 @@ def render_html(articles, db, actyear = None, show_comments = False,
                print a.to_html()
                print template.get_article_footer(a)
                if show_comments:
-                       print '<a name="comments" />'
-                       for c in a.comments:
-                               if c is None:
-                                       continue
-                               print template.get_comment_header(c)
-                               print c.to_html()
-                               print template.get_comment_footer(c)
-                       print template.get_comment_form(a, 'post',
-                                       blog_url + '/comment/' + a.uuid)
+                       render_comments(a, template, form_data)
        print template.get_main_footer()
 
 def render_artlist(articles, db, actyear = None):
@@ -859,7 +1092,7 @@ def render_artlist(articles, db, actyear = None):
        print template.get_main_header()
        print '<h2>Articles</h2>'
        for a in articles:
-               print '<li><a href="%(url)s/uuid/%(uuid)s">%(title)s</a></li>' \
+               print '<li><a href="%(url)s/post/%(uuid)s">%(title)s</a></li>' \
                        % {     'url': blog_url,
                                'uuid': a.uuid,
                                'title': a.title,
@@ -905,9 +1138,9 @@ def render_atom(articles):
     <published>%(ciso)sZ</published>
     <updated>%(uiso)sZ</updated>
     <content type="xhtml">
-      <div xmlns="http://www.w3.org/1999/xhtml"><p>
+      <div xmlns="http://www.w3.org/1999/xhtml">
 %(contents)s
-      </p></div>
+      </div>
     </content>
   </entry>
                """ % vars
@@ -930,6 +1163,7 @@ def handle_cgi():
        atom = False
        style = False
        post = False
+       post_preview = False
        artlist = False
        comment = False
 
@@ -939,10 +1173,11 @@ def handle_cgi():
                atom = path_info == '/atom'
                tag = path_info.startswith('/tag/')
                post = path_info.startswith('/post/')
+               post_preview = path_info.startswith('/preview/post/')
                artlist = path_info.startswith('/list')
                comment = path_info.startswith('/comment/') and enable_comments
-               if not style and not atom and not post and not tag \
-                               and not comment and not artlist:
+               if not style and not atom and not post and not post_preview \
+                               and not tag and not comment and not artlist:
                        date = path_info.split('/')[1:]
                        try:
                                if len(date) > 1 and date[0]:
@@ -956,6 +1191,15 @@ def handle_cgi():
                elif post:
                        uuid = path_info.replace('/post/', '')
                        uuid = uuid.replace('/', '')
+               elif post_preview:
+                       art_path = path_info.replace('/preview/post/', '')
+                       art_path = urllib.unquote_plus(art_path)
+                       art_path = os.path.join(data_path, art_path)
+                       art_path = os.path.realpath(art_path)
+                       common = os.path.commonprefix([data_path, art_path])
+                       if common != data_path: # something nasty happened
+                               post_preview = False
+                       art_path = art_path[len(data_path)+1:]
                elif tag:
                        t = path_info.replace('/tag/', '')
                        t = t.replace('/', '')
@@ -963,44 +1207,81 @@ def handle_cgi():
                        tags = set((t,))
                elif comment:
                        uuid = path_info.replace('/comment/', '')
+                       uuid = uuid.replace('#comment', '')
                        uuid = uuid.replace('/', '')
                        author = form.getfirst('comformauthor', '')
                        link = form.getfirst('comformlink', '')
+                       captcha = form.getfirst('comformcaptcha', '')
                        body = form.getfirst('comformbody', '')
 
        db = ArticleDB(os.path.join(data_path, 'db'))
        if atom:
                articles = db.get_articles(tags = tags)
                articles.sort(reverse = True)
-               render_atom(articles[:10])
+               render_atom(articles[:index_articles])
        elif style:
                render_style()
        elif post:
                render_html( [db.get_article(uuid)], db, year, enable_comments )
+       elif post_preview:
+               article = Article(art_path, datetime.datetime.now(),
+                                       datetime.datetime.now())
+               render_html( [article], db, year, enable_comments )
        elif artlist:
                articles = db.get_articles()
                articles.sort(cmp = Article.title_cmp)
                render_artlist(articles, db)
-       elif comment:
-               author = author.strip().replace('\n', ' ')
-               link = link.strip().replace('\n', ' ')
-               body = body.strip()
+       elif comment and enable_comments:
+               form_data = CommentFormData(author.strip().replace('\n', ' '),
+                               link.strip().replace('\n', ' '), captcha,
+                               body.replace('\r', ''))
                article = db.get_article(uuid)
-               redirect = blog_url + '/post/' + uuid + '#comment'
-               if author and body and valid_rst(body):
-                       c = article.add_comment(author, body, link)
+               captcha = captcha_method(article)
+               redirect = False
+               valid = True
+               if not form_data.author:
+                       form_data.author_error = 'please, enter your name'
+                       valid = False
+               if form_data.link:
+                       link = valid_link(form_data.link)
+                       if link:
+                               form_data.link = link
+                       else:
+                               form_data.link_error = 'please, enter a ' \
+                                               'valid link'
+                               valid = False
+               if not captcha.validate(form_data):
+                       form_data.captcha_error = captcha.help
+                       valid = False
+               if not form_data.body:
+                       form_data.body_error = 'please, write a comment'
+                       valid = False
+               else:
+                       error = validate_rst(form_data.body, secure=False)
+                       if error is not None:
+                               (line, desc, ctx) = error
+                               at = ''
+                               if line:
+                                       at = ' at line %d' % line
+                               form_data.body_error = 'error%s: %s' \
+                                               % (at, desc)
+                               valid = False
+               if valid:
+                       c = article.add_comment(form_data.author,
+                                       form_data.body, form_data.link)
                        c.save()
                        cdb = CommentDB(article)
                        cdb.comments = article.comments
                        cdb.save()
-                       redirect += '-' + str(c.number)
-               render_html( [article], db, year, enable_comments,
-                               redirect = redirect )
+                       redirect = blog_url + '/post/' + uuid + '#comment-' \
+                                       + str(c.number)
+               render_html( [article], db, year, enable_comments, redirect,
+                               form_data )
        else:
                articles = db.get_articles(year, month, day, tags)
                articles.sort(reverse = True)
                if not year and not month and not day and not tags:
-                       articles = articles[:10]
+                       articles = articles[:index_articles]
                render_html(articles, db, year)
 
 
@@ -1078,7 +1359,10 @@ def handle_cmd():
 
 
 if os.environ.has_key('GATEWAY_INTERFACE'):
+       i = datetime.datetime.now()
        handle_cgi()
+       f = datetime.datetime.now()
+       print '<!-- render time: %s -->' % (f-i)
 else:
        sys.exit(handle_cmd())