From 49ae89eb9b4b1aea64de2eb94fce93bed5b78a8e Mon Sep 17 00:00:00 2001 From: j <0x006A@0x2620.org> Date: Tue, 10 Jan 2012 21:30:41 +0530 Subject: [PATCH] oembed, dont leak private layers --- pandora/annotation/managers.py | 9 +++++ pandora/annotation/models.py | 8 +++++ pandora/app/views.py | 49 +++++++++++++++++++------- pandora/item/views.py | 64 ++++++++++++++++++++++++++++++---- pandora/templates/item.html | 1 + pandora/urls.py | 1 + 6 files changed, 112 insertions(+), 20 deletions(-) diff --git a/pandora/annotation/managers.py b/pandora/annotation/managers.py index d156b803..51acf801 100644 --- a/pandora/annotation/managers.py +++ b/pandora/annotation/managers.py @@ -153,4 +153,13 @@ class AnnotationManager(Manager): user) if conditions: qs = qs.filter(conditions) + + #anonymous can only see public items + public_layers = self.model.public_layers() + + if user.is_anonymous(): + qs = qs.filter(layer__in=public_layers) + #users can see public and own + else: + qs = qs.filter(Q(layer__in=public_layers)|Q(user=user)) return qs diff --git a/pandora/annotation/models.py b/pandora/annotation/models.py index 42629437..53c2de4a 100644 --- a/pandora/annotation/models.py +++ b/pandora/annotation/models.py @@ -57,6 +57,14 @@ class Annotation(models.Model): self.public_id = "%s/%s" % (self.item.itemId, ox.toAZ(public_id)) Annotation.objects.filter(id=self.id).update(public_id=self.public_id) + @classmethod + def public_layers(self): + layers = [] + for layer in settings.CONFIG['layers']: + if not layer.get('private', False): + layers.append(layer['id']) + return layers + def get_layer(self): for layer in settings.CONFIG['layers']: if layer['id'] == self.layer: diff --git a/pandora/app/views.py b/pandora/app/views.py index a26898ae..564e46b2 100644 --- a/pandora/app/views.py +++ b/pandora/app/views.py 
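Review bot: The private-layer filter added at the end of this manager method only protects callers that go through it. `random_annotation` in pandora/item/views.py (context lines of the `@@ -808,6 +809,51 @@` hunk) still picks from `item.annotations.all()[pos]`, so its redirect can presumably still reveal the `public_id` of an annotation on a private layer. Apply the same restriction there, e.g. `item.annotations.filter(layer__in=models.Annotation.public_layers())`, with `pos` drawn from the filtered count. The method body starts outside this hunk, so whether `Q` is already imported in managers.py cannot be confirmed from here.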
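Review bot: `public_layers` treats every layer whose config entry lacks a `private` key as public (`layer.get('private', False)`), so an omitted or misspelled key in `settings.CONFIG['layers']` silently exposes that layer. State that default in a docstring, e.g. `"""Return ids of layers not marked private; layers without a 'private' key count as public."""`. As a classmethod its first parameter should be named `cls`, not `self`. The loop also reads more directly as `return [l['id'] for l in settings.CONFIG['layers'] if not l.get('private', False)]`.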
@@ -1,9 +1,6 @@ # -*- coding: utf-8 -*- # vi:si:et:sw=4:sts=4:ts=4 -try: - import xml.etree.ElementTree as ET -except: - import elementtree.ElementTree as ET +import re import copy @@ -16,7 +13,7 @@ from ox.django.shortcuts import json_response, render_to_json_response from ox.django.decorators import login_required_json import ox -from ox.utils import json +from ox.utils import json, ET import models @@ -43,6 +40,15 @@ def embed(request, id): }) return render_to_response('embed.html', context) +def redirect_url(request, url): + if request.META['QUERY_STRING']: + url += "?" + request.META['QUERY_STRING'] + + if settings.CONFIG.get('sendReferrer', False): + return redirect(url) + else: + return HttpResponse(''%json.dumps(url)) + def opensearch_xml(request): osd = ET.Element('OpenSearchDescription') osd.attrib['xmlns']="http://a9.com/-/spec/opensearch/1.1/" @@ -124,14 +130,6 @@ def editPage(request): return render_to_json_response(response) actions.register(editPage) -def redirect_url(request, url): - if request.META['QUERY_STRING']: - url += "?" + request.META['QUERY_STRING'] - - if settings.CONFIG.get('sendReferrer', False): - return redirect(url) - else: - return HttpResponse(''%json.dumps(url)) def init(request): ''' @@ -146,3 +144,28 @@ def init(request): response['data']['user'] = init_user(request.user, request) return render_to_json_response(response) actions.register(init) + + +def embedURL(request): + ''' + + param data { + url + maxwidth + maxheight + } + return { + status: ... + data: { + html + ... + } + } + return {'status': {'code': int, 'text': string}, + 'data': {user: object}} + ''' + data = json.loads(request.POST['data']) + response = json_response({}) + response['data'] = ox.get_embed_code(data['url'], data.get('maxwidth'), data.get('maxheight')) + return render_to_json_response(response) +actions.register(embedURL) diff --git a/pandora/item/views.py b/pandora/item/views.py index f35eb0a6..5c3c52b5 100644 --- a/pandora/item/views.py 
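Review bot: `embedURL` passes the caller-supplied `data['url']` straight to `ox.get_embed_code`, and the action is registered without `login_required_json`. Any anonymous client can therefore presumably make the server request a URL of its choosing; ox's implementation is not visible here, but resolving embed code normally means fetching the page. Before the call, parse the URL and reject anything that is not `http`/`https` or that resolves to a loopback, private or link-local address, and consider adding `@login_required_json`, which app/views.py already imports. A missing `data` or `url` key currently surfaces as an unhandled KeyError and should become a JSON error status. The docstring's trailing `'data': {user: object}` return line looks copied from `init` and should be removed.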
+++ b/pandora/item/views.py @@ -5,6 +5,7 @@ import os.path from datetime import datetime, timedelta import mimetypes import random +from urlparse import urlparse import Image from django.db.models import Count, Sum, Max @@ -13,7 +14,7 @@ from django.http import HttpResponse, HttpResponseForbidden, Http404 from django.shortcuts import get_object_or_404, redirect, render_to_response from django.conf import settings -from ox.utils import json +from ox.utils import json, ET from ox.django.decorators import login_required_json from ox.django.shortcuts import render_to_json_response, get_object_or_404_json, json_response 
@@ -808,6 +809,51 @@ def random_annotation(request): clip = item.annotations.all()[pos] return redirect('/%s'% clip.public_id) +def oembed(request): + format = request.GET.get('format', 'json') + maxwidth = request.GET.get('maxwidth', 640) + maxheight = request.GET.get('maxheight', 480) + + url = request.GET['url'] + parts = urlparse(url).path.split('/') + itemId = parts[1] + #fixme: embed should reflect actuall url + item = get_object_or_404_json(models.Item, itemId=itemId) + embed_url = request.build_absolute_uri('/%s/embed' % item.itemId) + oembed = {} + oembed['version'] = '1.0' + oembed['type'] = 'video' + oembed['provider_name'] = settings.SITENAME + oembed['provider_url'] = request.build_absolute_uri('/') + oembed['title'] = item.get('title') + #oembed['author_name'] = item.get('director') + #oembed['author_url'] = ?? + height = 96 + width = 128 + if maxheight > height or height > maxheight: + height = maxheight + if maxwidth > width or width > maxwidth: + width = maxwidth + oembed['html'] = '' % (height, width, embed_url) + oembed['width'] = width + oembed['height'] = height + thumbheight = 96 + thumbwidth = int(thumbheight * item.sort.aspectratio) + thumbwidth -= thumbwidth % 2 + oembed['thumbnail_height'] = thumbheight + oembed['thumbnail_width'] = thumbwidth + oembed['thumbnail_url'] = request.build_absolute_uri('/%s/%sp.jpg' % (item.itemId, thumbheight)) + if format == 'xml': + oxml = ET.Element('oembed') + for key in oembed: + e = ET.SubElement(oxml, key) + e.text = unicode(oembed[key]) + return HttpResponse( + '\n' + ET.tostring(oxml), + 'application/xml' + ) + return HttpResponse(json.dumps(oembed, indent=2), 'application/json') + def item(request, id): id = id.split('/')[0] template = 'index.html' @@ -834,13 +880,17 @@ def item(request, id): value = value = u', '.join([unicode(v) for v in value]) data.append({'key': key.capitalize(), 'value': value}) clips = [] - for c in item.clips.all(): - clip = { - 'in': c.start, - 'annotations': '
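Review bot: `maxwidth` and `maxheight` in `oembed` remain strings whenever the client supplies them, and are then formatted unchanged into `oembed['html']` and copied to `width`/`height` (the html template itself is stripped on this page). A site that inserts the returned html would receive caller-chosen text inside the markup. Parse both with `int()` and answer 400 on failure, as in the fence below; the two `if` comparisons then reduce to plain assignment, because `a > b or b > a` is just `a != b`. `request.GET['url']` and `parts[1]` also raise on a missing or path-less `url`, which should be a 400/404 rather than a 500. The item lookup consults no per-item permission, so if items can be restricted the title and thumbnail URL are returned regardless; this is worth confirming against the Item model.

```python
def oembed(request):
    format = request.GET.get('format', 'json')
    try:
        maxwidth = int(request.GET.get('maxwidth', 640))
        maxheight = int(request.GET.get('maxheight', 480))
    except ValueError:
        return HttpResponse('maxwidth and maxheight must be integers', status=400)
    if maxwidth <= 0 or maxheight <= 0:
        return HttpResponse('maxwidth and maxheight must be positive', status=400)
    # … unchanged: url parsing, item lookup, oembed dict …
```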
\n'.join([a.value for a in c.annotations.all()]) - } - clips.append(clip) + clip = {'in': 0, 'annotations': []} + for a in item.annotations.filter( + layer__in=models.Annotation.public_layers()).order_by('start', 'end', 'sortvalue'): + if clip['in'] < a.start: + if clip['annotations']: + clip['annotations'] = '
\n'.join(clip['annotations']) + clips.append(clip) + clip = {'in': a.start, 'annotations': []} + clip['annotations'].append(a.value) ctx = { + 'current_url': request.build_absolute_uri(request.get_full_path()), 'base_url': request.build_absolute_uri('/'), 'url': request.build_absolute_uri('/%s' % id), 'id': id, diff --git a/pandora/templates/item.html b/pandora/templates/item.html index 5548804c..c573f914 100644 --- a/pandora/templates/item.html +++ b/pandora/templates/item.html @@ -8,6 +8,7 @@ +
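Review bot: The rewritten clip loop in `item` only appends a clip when a later annotation with a larger `start` arrives, so the clip being built when the loop ends is never joined or added to `clips`. The last group of annotations is missing from the page, or all of them if they share one start time. Indentation is lost on this page, but `ctx = {` follows the loop directly, so the final flush appears to be absent; repeat the `if clip['annotations']:` join-and-append once after the loop. Restricting the query to `models.Annotation.public_layers()` matches the commit's intent, and a comment such as `# only public layers are rendered into the static page, for every viewer` would record why the viewer's own private annotations are excluded here. The function body starts and ends outside the hunk.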