dinislage/web2py
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

increased security in appadmin

Browse Source
This commit is contained in:
mdipierro
2012-07-28 20:19:15 -05:00
parent 58ffa90ef2
commit 0bc6d60fbe
8 changed files with 63 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Makefile
+5 -5
View File
@@ -43,11 +43,11 @@ src:
rm -f applications/admin/uploads/*
rm -f applications/welcome/uploads/*
rm -f applications/examples/uploads/*
### make admin layout and appadmin the default
cp applications/admin/views/appadmin.html applications/welcome/views
cp applications/admin/views/appadmin.html applications/examples/views
cp applications/admin/controllers/appadmin.py applications/welcome/controllers
cp applications/admin/controllers/appadmin.py applications/examples/controllers
### make welcome layout and appadmin the default
cp applications/welcome/views/appadmin.html applications/admin/views
cp applications/welcome/views/appadmin.html applications/examples/views
cp applications/welcome/controllers/appadmin.py applications/admin/controllers
cp applications/welcome/controllers/appadmin.py applications/examples/controllers
### build web2py_src.zip
echo '' > NEWINSTALL
mv web2py_src.zip web2py_src_old.zip | echo 'no old'
VERSION
+1 -1
View File
@@ -1 +1 @@
Version 2.00.0 (2012-07-28 19:28:33) dev
Version 2.00.0 (2012-07-28 20:19:12) dev
applications/admin/controllers/appadmin.py
+18 -9
View File
@@ -199,17 +199,8 @@ def select():
_class='delete', _type='checkbox', value=False), ''),
TR('', '', INPUT(_type='submit', _value=T('submit')))),
_action=URL(r=request,args=request.args))
if request.vars.csvfile != None:
try:
import_csv(db[request.vars.table],
request.vars.csvfile.file)
response.flash = T('data uploaded')
except Exception, e:
response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
if form.accepts(request.vars, formname=None):
# regex = re.compile(request.args[0] + '\.(?P<table>\w+)\.id\>0')
regex = re.compile(request.args[0] + '\.(?P<table>\w+)\..+')
match = regex.match(form.vars.query.strip())
if match:
table = match.group('table')
@@ -230,6 +221,23 @@ def select():
except Exception, e:
(rows, nrows) = ([], 0)
response.flash = DIV(T('Invalid Query'),PRE(str(e)))
# begin handle upload csv
if table:
formcsv = FORM(str(T('or import from csv file'))+" ",
INPUT(_type='file',_name='csvfile'),
INPUT(_type='hidden',_value=table,_name='table'),
INPUT(_type='submit',_value=T('import')))
else:
formcsv = None
if formcsv and formcsv.process().accepted and request.vars.csvfile:
try:
import_csv(db[request.vars.table],
request.vars.csvfile.file)
response.flash = T('data uploaded')
except Exception, e:
response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
# end handle upload csv
return dict(
form=form,
table=table,
@@ -238,6 +246,7 @@ def select():
nrows=nrows,
rows=rows,
query=request.vars.query,
formcsv = formcsv,
)
applications/admin/views/appadmin.html
+1 -4
View File
@@ -62,10 +62,7 @@
{{pass}}
<br/><br/><h3>{{=T("Import/Export")}}</h3><br/>
[ <a href="{{=URL('csv',args=request.args[0],vars=dict(query=query))}}">{{=T("export as csv file")}}</a> ]
{{if table:}}
{{=FORM(str(T('or import from csv file'))+" ",INPUT(_type='file',_name='csvfile'),INPUT(_type='hidden',_value=table,_name='table'),INPUT(_type='submit',_value=T('import')))}}
{{pass}}
{{=formcsv or ''}}
{{elif request.function=='insert':}}
<h2>{{=T("database")}} {{=A(request.args[0],_href=URL('index'))}}
applications/examples/controllers/appadmin.py
+18 -9
View File
@@ -199,17 +199,8 @@ def select():
_class='delete', _type='checkbox', value=False), ''),
TR('', '', INPUT(_type='submit', _value=T('submit')))),
_action=URL(r=request,args=request.args))
if request.vars.csvfile != None:
try:
import_csv(db[request.vars.table],
request.vars.csvfile.file)
response.flash = T('data uploaded')
except Exception, e:
response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
if form.accepts(request.vars, formname=None):
# regex = re.compile(request.args[0] + '\.(?P<table>\w+)\.id\>0')
regex = re.compile(request.args[0] + '\.(?P<table>\w+)\..+')
match = regex.match(form.vars.query.strip())
if match:
table = match.group('table')
@@ -230,6 +221,23 @@ def select():
except Exception, e:
(rows, nrows) = ([], 0)
response.flash = DIV(T('Invalid Query'),PRE(str(e)))
# begin handle upload csv
if table:
formcsv = FORM(str(T('or import from csv file'))+" ",
INPUT(_type='file',_name='csvfile'),
INPUT(_type='hidden',_value=table,_name='table'),
INPUT(_type='submit',_value=T('import')))
else:
formcsv = None
if formcsv and formcsv.process().accepted and request.vars.csvfile:
try:
import_csv(db[request.vars.table],
request.vars.csvfile.file)
response.flash = T('data uploaded')
except Exception, e:
response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
# end handle upload csv
return dict(
form=form,
table=table,
@@ -238,6 +246,7 @@ def select():
nrows=nrows,
rows=rows,
query=request.vars.query,
formcsv = formcsv,
)
applications/examples/views/appadmin.html
+1 -4
View File
@@ -62,10 +62,7 @@
{{pass}}
<br/><br/><h3>{{=T("Import/Export")}}</h3><br/>
[ <a href="{{=URL('csv',args=request.args[0],vars=dict(query=query))}}">{{=T("export as csv file")}}</a> ]
{{if table:}}
{{=FORM(str(T('or import from csv file'))+" ",INPUT(_type='file',_name='csvfile'),INPUT(_type='hidden',_value=table,_name='table'),INPUT(_type='submit',_value=T('import')))}}
{{pass}}
{{=formcsv or ''}}
{{elif request.function=='insert':}}
<h2>{{=T("database")}} {{=A(request.args[0],_href=URL('index'))}}
applications/welcome/controllers/appadmin.py
+18 -9
View File
@@ -199,17 +199,8 @@ def select():
_class='delete', _type='checkbox', value=False), ''),
TR('', '', INPUT(_type='submit', _value=T('submit')))),
_action=URL(r=request,args=request.args))
if request.vars.csvfile != None:
try:
import_csv(db[request.vars.table],
request.vars.csvfile.file)
response.flash = T('data uploaded')
except Exception, e:
response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
if form.accepts(request.vars, formname=None):
# regex = re.compile(request.args[0] + '\.(?P<table>\w+)\.id\>0')
regex = re.compile(request.args[0] + '\.(?P<table>\w+)\..+')
match = regex.match(form.vars.query.strip())
if match:
table = match.group('table')
@@ -230,6 +221,23 @@ def select():
except Exception, e:
(rows, nrows) = ([], 0)
response.flash = DIV(T('Invalid Query'),PRE(str(e)))
# begin handle upload csv
if table:
formcsv = FORM(str(T('or import from csv file'))+" ",
INPUT(_type='file',_name='csvfile'),
INPUT(_type='hidden',_value=table,_name='table'),
INPUT(_type='submit',_value=T('import')))
else:
formcsv = None
if formcsv and formcsv.process().accepted and request.vars.csvfile:
try:
import_csv(db[request.vars.table],
request.vars.csvfile.file)
response.flash = T('data uploaded')
except Exception, e:
response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
# end handle upload csv
return dict(
form=form,
table=table,
@@ -238,6 +246,7 @@ def select():
nrows=nrows,
rows=rows,
query=request.vars.query,
formcsv = formcsv,
)
applications/welcome/views/appadmin.html
+1 -4
View File
@@ -62,10 +62,7 @@
{{pass}}
<br/><br/><h3>{{=T("Import/Export")}}</h3><br/>
[ <a href="{{=URL('csv',args=request.args[0],vars=dict(query=query))}}">{{=T("export as csv file")}}</a> ]
{{if table:}}
{{=FORM(str(T('or import from csv file'))+" ",INPUT(_type='file',_name='csvfile'),INPUT(_type='hidden',_value=table,_name='table'),INPUT(_type='submit',_value=T('import')))}}
{{pass}}
{{=formcsv or ''}}
{{elif request.function=='insert':}}
<h2>{{=T("database")}} {{=A(request.args[0],_href=URL('index'))}}