1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
#! /usr/bin/env python
#
# Copyright (C) 1998 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
"""Produce subscriber roster, using listinfo form data, roster.html template.
Takes listname in PATH_INFO."""
# We don't need to lock in this script, because we're never going to change
# data.
import sys
import os, string
import cgi
import mm_utils, maillist, htmlformat, mm_cfg, mm_err
def main():
doc = htmlformat.HeadlessDocument()
form = cgi.FieldStorage()
list = get_list()
bad = ""
# These nested conditionals constituted a cascading authentication
# check, yielding a
if not list.private_roster:
# No privacy.
bad = ""
else:
auth_req = ("%s subscriber list requires authentication."
% list.real_name)
if not form.has_key("roster-pw"):
bad = auth_req
else:
pw = form['roster-pw'].value
# Just the admin password is sufficient - check it early.
if not list.ValidAdminPassword(pw):
if not form.has_key('roster-email'):
# No admin password and no user id, nogo.
bad = auth_req
else:
id = form['roster-email'].value
if list.private_roster == 1:
# Private list - members visible.
try:
list.ConfirmUserPassword(id, pw)
except (mm_err.MMBadUserError,
mm_err.MMBadPasswordError):
bad = ("%s subscriber authentication failed."
% list.real_name)
else:
# Anonymous list - admin-only visible
# - and we already tried admin password, above.
bad = ("%s admin authentication failed."
% list.real_name)
if bad:
doc = error_page_doc(bad)
doc.AddItem(list.GetMailmanFooter())
print doc.Format()
sys.exit(0)
replacements = list.GetStandardReplacements()
doc.AddItem(list.ParseTags('roster.html', replacements))
print doc.Format()
def get_list():
"Return list or bail out with error page."
list_info = mm_utils.GetPathPieces(os.environ['PATH_INFO'])
if len(list_info) != 1:
error_page("Invalid options to CGI script.")
sys.exit(0)
list_name = string.lower(list_info[0])
try:
list = maillist.MailList(list_name, lock = 0)
except mm_err.MMUnknownListError:
error_page("%s: No such list.", list_name)
sys.exit(0)
if not list._ready:
error_page("%s: No such list.", list_name)
sys.exit(0)
return list
def error_page(errmsg, *args):
print apply(error_page_doc, (errmsg,) + args).Format()
def error_page_doc(errmsg, *args):
"""Produce a simple error-message page on stdout and exit.
Optional arg justreturn means just return the doc, don't print it."""
doc = htmlformat.Document()
doc.SetTitle("Error")
doc.AddItem(htmlformat.Header(2, "Error"))
doc.AddItem(htmlformat.Bold(errmsg % args))
return doc
|
