-rw-r--r--Mailman/Cgi/admindb.py209
1 files changed, 132 insertions, 77 deletions
diff --git a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py
index 06306430e..afd7a1f74 100644
--- a/Mailman/Cgi/admindb.py
+++ b/Mailman/Cgi/admindb.py
@@ -20,51 +20,105 @@
import sys
import os, cgi, string, types
-from Mailman import Utils, MailList, Errors, htmlformat
+from Mailman import Utils, MailList, Errors
+from Mailman.htmlformat import *
+from Mailman import Cookie
+from Mailman import mm_cfg
+
+# copied from admin.py
+def isAuthenticated(mlist, password=None, SECRET="SECRET"):
+ if password is not None: # explicit login
+ try:
+ mlist.ConfirmAdminPassword(password)
+ except Errors.MMBadPasswordError:
+ AddErrorMessage(doc, 'Error: Incorrect admin password.')
+ return 0
+
+ token = `hash(list_name)`
+ c = Cookie.Cookie()
+ cookie_key = list_name + "-admin"
+ c[cookie_key] = token
+ c[cookie_key]['expires'] = mm_cfg.ADMIN_COOKIE_LIFE
+ print c # Output the cookie
+ return 1
+ if os.environ.has_key('HTTP_COOKIE'):
+ c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
+ if c.has_key(list_name + "-admin"):
+ if c[list_name + "-admin"].value == `hash(list_name)`:
+ return 1
+ else:
+ AddErrorMessage(doc, "error decoding authorization cookie")
+ return 0
+ return 0
+
def main():
# XXX: Yuk, blech, ick
global list
global form
global doc
+ global list_name
- doc = htmlformat.Document()
+ doc = Document()
try:
path = os.environ['PATH_INFO']
except KeyError:
doc.SetTitle("Admindb Error")
- doc.AddItem(htmlformat.Header(2, "You must specify what list you are intenting to visit"))
+ doc.AddItem(
+ Header(2, "You must specify what list you are intenting to visit"))
print doc.Format(bgcolor="#ffffff")
sys.exit(0)
- list_info = Utils.GetPathPieces(path)
+ list_info = Utils.GetPathPieces(path)
if len(list_info) < 1:
doc.SetTitle("Admindb Error")
- doc.AddItem(htmlformat.Header(2, "Invalid options to CGI script."))
+ doc.AddItem(eader(2, "Invalid options to CGI script."))
print doc.Format(bgcolor="#ffffff")
sys.exit(0)
list_name = string.lower(list_info[0])
try:
- list = MailList.MailList(list_name)
+ list = MailList.MailList(list_name)
except:
- msg = "%s: No such list." % list_name
- doc.SetTitle("Admindb Error - %s" % msg)
- doc.AddItem(htmlformat.Header(2, msg))
- print doc.Format(bgcolor="#ffffff")
- sys.exit(0)
+ msg = "%s: No such list." % list_name
+ doc.SetTitle("Admindb Error - %s" % msg)
+ doc.AddItem(Header(2, msg))
+ print doc.Format(bgcolor="#ffffff")
+ sys.exit(0)
if not list._ready:
msg = "%s: No such list." % list_name
doc.SetTitle("Admindb Error - %s" % msg)
- doc.AddItem(htmlformat.Header(2, msg))
+ doc.AddItem(Header(2, msg))
print doc.Format(bgcolor="#ffffff")
sys.exit(0)
try:
form = cgi.FieldStorage()
+
+ # authenticate. all copied from admin.py
+ is_auth = 0
+ if form.has_key('adminpw'):
+ is_auth = isAuthenticated(list, form['adminpw'].value)
+ message = FontAttr('Sorry, wrong password. Try again.',
+ color='ff5060', size='+1').Format()
+ else:
+ is_auth = isAuthenticated(list)
+ message = ''
+ if not is_auth:
+ print 'Content-type: text/html\n\n'
+ text = Utils.maketext(
+ 'admlogin.txt',
+ {'listname': list_name,
+ 'path' : os.environ.get('REQUEST_URI',
+ '/mailman/admin/' + list_name),
+ 'message' : message,
+ })
+ print text
+ return
+
if len(form.keys()):
doc.SetTitle("%s Admindb Results" % list.real_name)
HandleRequests(doc)
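Review bot: The admin cookie set in `isAuthenticated` is not a secret: the token is `hash(list_name)`, computed only from the list name that arrives in PATH_INFO, so the cookie branch accepts a value that anyone who knows the list name can reproduce without the password, and the `SECRET` parameter is never used. Both the `token = ...` line and the comparison on the cookie branch should use a value derived from something only the server holds, e.g. `token = <digest of server-side secret + list_name>`, or a random session id kept server-side. Separately, `doc.AddItem(eader(2, "Invalid options to CGI script."))` in `main` will raise NameError on that error path; it should read `Header(2, ...)`. `main` continues past the end of this hunk.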
@@ -110,25 +164,26 @@ def PrintHeader(str, error=0):
global doc
if error:
- it = htmlformat.FontAttr(str, color="ff5060")
+ it = FontAttr(str, color="ff5060")
else:
it = str
- doc.AddItem(htmlformat.Header(3, htmlformat.Italic(it)))
+ doc.AddItem(Header(3, Italic(it)))
doc.AddItem('<hr>')
+
def HandleRequests(doc):
# XXX: Yuk, blech, ick
global list
global form
- if not form.has_key('adminpw'):
- PrintHeader('You need to supply the admin password '
- 'to answer requests.', error=1)
- return
- try:
- list.ConfirmAdminPassword(form['adminpw'].value)
- except:
- PrintHeader('Incorrect admin password.', error=1)
- return
+## if not form.has_key('adminpw'):
+## PrintHeader('You need to supply the admin password '
+## 'to answer requests.', error=1)
+## return
+## try:
+## list.ConfirmAdminPassword(form['adminpw'].value)
+## except:
+## PrintHeader('Incorrect admin password.', error=1)
+## return
ignore_subscribes = 0
if form.has_key('subscribe_all'):
ignore_subscribes = 1
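Review bot: With the password check in `HandleRequests` commented out, approving or refusing requests is authorised only by the cookie checked in `main`, and nothing visible in this hunk ties a submission to a form the server itself issued, so a cross-site POST from an admin's browser would presumably be acted on. A per-form token emitted with the request form and verified before the `for k in form.keys()` loop would close that; at minimum the function should carry a comment such as `# Caller must already have authenticated the list admin (see main).`. The `##`-commented block should be deleted rather than kept, as should the commented-out `PasswordBox` lines in the PrintRequests hunk, since version control already holds the old code. `HandleRequests` continues outside this hunk.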
@@ -137,14 +192,11 @@ def HandleRequests(doc):
ignore_subscribes = 1
SubscribeNone()
for k in form.keys():
- try:
- # XXX Security?!
- v = eval(form[k].value)
- request_id = eval(k)
- except: # For stuff like adminpw
- continue
- if type(request_id) <> types.IntType:
- continue
+ try:
+ v = int(form[k].value)
+ request_id = int(k)
+ except ValueError:
+ continue
try:
request = list.GetRequest(request_id)
except Errors.MMBadRequestId:
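Review bot: The new `except ValueError` is narrower than the cases this loop can hit: when a client repeats a field name, `cgi.FieldStorage` returns a list for `form[k]`, and `form[k].value` then raises AttributeError, which is no longer caught here. Widening the handler to `except (ValueError, AttributeError):` keeps the old skip-on-bad-input behaviour without bringing back the bare `except`. `v` is also accepted as any integer; whether it is range-checked depends on code after this hunk, so a comment stating the valid values would help. The loop body continues outside the hunk.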
@@ -164,38 +216,35 @@ def HandleRequests(doc):
def PrintAddMemberRequest(val, table):
table.AddRow([
val[3],
- htmlformat.RadioButtonArray(val[0], ("Refuse", "Subscribe")),
- htmlformat.TextBox("comment-%d" % val[0], size=50)
+ RadioButtonArray(val[0], ("Refuse", "Subscribe")),
+ TextBox("comment-%d" % val[0], size=50)
])
def PrintPostRequest(val, form):
- t = htmlformat.Table(cellspacing=10)
+ t = Table(cellspacing=10)
t.AddRow([
- htmlformat.FontSize("+1",
- htmlformat.Bold('Post held because: ')),
- val[3]])
+ FontSize("+1", Bold('Post held because: ')),
+ val[3]
+ ])
t.AddRow([
- htmlformat.FontSize("+1",
- htmlformat.Bold('Action to take on this post:')),
- htmlformat.RadioButtonArray(val[0], ("Approve", "Reject",
- "Discard (eg, spam)")),
- htmlformat.SubmitButton('submit', 'Submit All Data')
- ])
+ FontSize("+1", Bold('Action to take on this post:')),
+ RadioButtonArray(val[0], ("Approve", "Reject", "Discard (eg, spam)")),
+ SubmitButton('submit', 'Submit All Data')
+ ])
t.AddRow([
- htmlformat.FontSize("+1",
- htmlformat.Bold('If you reject this post, '
- 'explain (optional):')),
- htmlformat.TextBox("comment-%d" % val[0], size=50)])
+ FontSize("+1", Bold('If you reject this post, explain (optional):')),
+ TextBox("comment-%d" % val[0], size=50)
+ ])
cur_row = t.GetCurrentRowIndex()
cur_col = t.GetCurrentCellIndex()
t.AddCellInfo(cur_row, cur_col, colspan=3)
t.AddRow([
- htmlformat.FontSize("+1",
- htmlformat.Bold('Contents:'))])
+ FontSize("+1", Bold('Contents:'))
+ ])
form.AddItem(t)
- form.AddItem(htmlformat.Preformatted(val[2][1]))
+ form.AddItem(Preformatted(val[2][1]))
form.AddItem('<p>')
@@ -210,47 +259,49 @@ def PrintRequests(doc):
# ignore (This should never happen unless someone is hacking at
# the code).
- doc.AddItem(htmlformat.Header(2, "Administrative requests for "
- "'%s' mailing list" % list.real_name))
- doc.AddItem(htmlformat.FontSize("+1", htmlformat.Link(
- list.GetRelativeScriptURL('admin'), htmlformat.Italic(
- 'View or edit the list configuration information'))))
- doc.AddItem('<p><hr>')
+ doc.AddItem(Header(2, "Administrative requests for '%s' mailing list"
+ % list.real_name))
+ doc.AddItem(FontSize("+1",
+ Link(list.GetRelativeScriptURL('admin'),
+ Italic(
+ 'View or edit the list configuration information'))))
+ doc.AddItem('<p>')
if not list.NumRequestsPending():
- doc.AddItem(htmlformat.Header(3,'There are no pending requests.'))
+ doc.AddItem(Header(3,'There are no pending requests.'))
doc.AddItem(list.GetMailmanFooter())
return
- form = htmlformat.Form(list.GetRelativeScriptURL('admindb'))
+ form = Form(list.GetRelativeScriptURL('admindb'))
doc.AddItem(form)
- form.AddItem('Admin password: ')
- form.AddItem(htmlformat.PasswordBox('adminpw'))
- form.AddItem('<p>')
+## form.AddItem('Admin password: ')
+## form.AddItem(PasswordBox('adminpw'))
+## form.AddItem('<p>')
if list.requests.has_key('add_member'):
## form.AddItem('<hr>')
-## t = htmlformat.Table(cellspacing=10)
+## t = Table(cellspacing=10)
## t.AddRow([
-## htmlformat.SubmitButton('submit', 'Submit All Data'),
-## htmlformat.SubmitButton('subscribe_all', 'Subscribe Everybody'),
-## htmlformat.SubmitButton('subscribe_none', 'Refuse Everybody')
+## SubmitButton('submit', 'Submit All Data'),
+## SubmitButton('subscribe_all', 'Subscribe Everybody'),
+## SubmitButton('subscribe_none', 'Refuse Everybody')
## ])
## form.AddItem(t)
- form.AddItem('<hr>')
- form.AddItem(htmlformat.Center(
- htmlformat.Header(2, 'Subscription Requests')))
- t = htmlformat.Table(border=2)
+## form.AddItem('<hr>')
+ form.AddItem(Center(
+ Header(2, 'Subscription Requests')))
+ t = Table(border=2)
t.AddRow([
- htmlformat.Bold('Email'),
- htmlformat.Bold('Decision'),
- htmlformat.Bold('Reasoning for subscription refusal (optional)')])
+ Bold('Email'),
+ Bold('Decision'),
+ Bold('Reasoning for subscription refusal (optional)')
+ ])
for request in list.requests['add_member']:
PrintAddMemberRequest(request, t)
form.AddItem(t)
- t = htmlformat.Table(cellspacing=10)
+ t = Table(cellspacing=10)
t.AddRow([
- htmlformat.SubmitButton('submit', 'Submit All Data'),
- htmlformat.SubmitButton('subscribe_all', 'Subscribe Everybody'),
- htmlformat.SubmitButton('subscribe_none', 'Refuse Everybody')
+ SubmitButton('submit', 'Submit All Data'),
+ SubmitButton('subscribe_all', 'Subscribe Everybody'),
+ SubmitButton('subscribe_none', 'Refuse Everybody')
])
form.AddItem(t)
@@ -258,8 +309,12 @@ def PrintRequests(doc):
if list.requests.has_key('post'):
for request in list.requests['post']:
form.AddItem('<hr>')
- form.AddItem(htmlformat.Center(htmlformat.Header(2,
+ form.AddItem(Center(Header(2,
"Held Message")))
PrintPostRequest(request, form)
doc.AddItem(list.GetMailmanFooter())
+
+# copied from admin.py
+def AddErrorMessage(doc, errmsg, *args):
+ doc.AddItem(Header(3, Italic(FontAttr(errmsg % args, color="#ff66cc"))))
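Review bot: `AddErrorMessage` is a second verbatim copy from admin.py (the first is `isAuthenticated` in the first hunk), so any later fix to the admin login path has to be made in two places, and on a login check that is easy to miss. Moving both helpers into one module that admin.py and admindb.py import would avoid the drift. The function also lacks a docstring; something like `"""Add errmsg % args to doc as a highlighted level-3 header."""` would document that `errmsg` is a %-format string, which matters because a literal `%` in a message passed without args would raise.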