2008-08-26 06:14:22 +08:00
|
|
|
import time
|
|
|
|
import datetime
|
2008-09-02 11:04:28 +08:00
|
|
|
|
2008-08-26 06:14:22 +08:00
|
|
|
from django import forms
|
|
|
|
from django.forms.util import ErrorDict
|
|
|
|
from django.conf import settings
|
|
|
|
from django.contrib.contenttypes.models import ContentType
|
|
|
|
from models import Comment
|
2008-09-02 01:23:09 +08:00
|
|
|
from django.utils.encoding import force_unicode
|
2008-09-02 11:04:28 +08:00
|
|
|
from django.utils.hashcompat import sha_constructor
|
2008-08-26 06:14:22 +08:00
|
|
|
from django.utils.text import get_text_list
|
2008-10-05 13:05:32 +08:00
|
|
|
from django.utils.translation import ungettext, ugettext_lazy as _
|
2008-08-26 06:14:22 +08:00
|
|
|
|
|
|
|
COMMENT_MAX_LENGTH = getattr(settings,'COMMENT_MAX_LENGTH', 3000)
|
|
|
|
|
|
|
|
class CommentForm(forms.Form):
|
|
|
|
name = forms.CharField(label=_("Name"), max_length=50)
|
|
|
|
email = forms.EmailField(label=_("Email address"))
|
|
|
|
url = forms.URLField(label=_("URL"), required=False)
|
|
|
|
comment = forms.CharField(label=_('Comment'), widget=forms.Textarea,
|
|
|
|
max_length=COMMENT_MAX_LENGTH)
|
|
|
|
honeypot = forms.CharField(required=False,
|
|
|
|
label=_('If you enter anything in this field '\
|
|
|
|
'your comment will be treated as spam'))
|
|
|
|
content_type = forms.CharField(widget=forms.HiddenInput)
|
|
|
|
object_pk = forms.CharField(widget=forms.HiddenInput)
|
|
|
|
timestamp = forms.IntegerField(widget=forms.HiddenInput)
|
|
|
|
security_hash = forms.CharField(min_length=40, max_length=40, widget=forms.HiddenInput)
|
|
|
|
|
|
|
|
def __init__(self, target_object, data=None, initial=None):
|
|
|
|
self.target_object = target_object
|
|
|
|
if initial is None:
|
|
|
|
initial = {}
|
|
|
|
initial.update(self.generate_security_data())
|
|
|
|
super(CommentForm, self).__init__(data=data, initial=initial)
|
|
|
|
|
|
|
|
def get_comment_object(self):
|
|
|
|
"""
|
|
|
|
Return a new (unsaved) comment object based on the information in this
|
|
|
|
form. Assumes that the form is already validated and will throw a
|
|
|
|
ValueError if not.
|
|
|
|
|
|
|
|
Does not set any of the fields that would come from a Request object
|
|
|
|
(i.e. ``user`` or ``ip_address``).
|
|
|
|
"""
|
|
|
|
if not self.is_valid():
|
|
|
|
raise ValueError("get_comment_object may only be called on valid forms")
|
|
|
|
|
|
|
|
new = Comment(
|
|
|
|
content_type = ContentType.objects.get_for_model(self.target_object),
|
2008-09-02 01:23:09 +08:00
|
|
|
object_pk = force_unicode(self.target_object._get_pk_val()),
|
2008-08-26 06:14:22 +08:00
|
|
|
user_name = self.cleaned_data["name"],
|
|
|
|
user_email = self.cleaned_data["email"],
|
|
|
|
user_url = self.cleaned_data["url"],
|
|
|
|
comment = self.cleaned_data["comment"],
|
|
|
|
submit_date = datetime.datetime.now(),
|
|
|
|
site_id = settings.SITE_ID,
|
|
|
|
is_public = True,
|
|
|
|
is_removed = False,
|
|
|
|
)
|
|
|
|
|
|
|
|
# Check that this comment isn't duplicate. (Sometimes people post comments
|
|
|
|
# twice by mistake.) If it is, fail silently by returning the old comment.
|
|
|
|
possible_duplicates = Comment.objects.filter(
|
|
|
|
content_type = new.content_type,
|
|
|
|
object_pk = new.object_pk,
|
|
|
|
user_name = new.user_name,
|
|
|
|
user_email = new.user_email,
|
|
|
|
user_url = new.user_url,
|
|
|
|
)
|
|
|
|
for old in possible_duplicates:
|
|
|
|
if old.submit_date.date() == new.submit_date.date() and old.comment == new.comment:
|
|
|
|
return old
|
|
|
|
|
|
|
|
return new
|
|
|
|
|
|
|
|
def security_errors(self):
|
|
|
|
"""Return just those errors associated with security"""
|
|
|
|
errors = ErrorDict()
|
|
|
|
for f in ["honeypot", "timestamp", "security_hash"]:
|
|
|
|
if f in self.errors:
|
|
|
|
errors[f] = self.errors[f]
|
|
|
|
return errors
|
|
|
|
|
|
|
|
def clean_honeypot(self):
|
|
|
|
"""Check that nothing's been entered into the honeypot."""
|
|
|
|
value = self.cleaned_data["honeypot"]
|
|
|
|
if value:
|
|
|
|
raise forms.ValidationError(self.fields["honeypot"].label)
|
|
|
|
return value
|
|
|
|
|
|
|
|
def clean_security_hash(self):
|
|
|
|
"""Check the security hash."""
|
|
|
|
security_hash_dict = {
|
|
|
|
'content_type' : self.data.get("content_type", ""),
|
|
|
|
'object_pk' : self.data.get("object_pk", ""),
|
|
|
|
'timestamp' : self.data.get("timestamp", ""),
|
|
|
|
}
|
|
|
|
expected_hash = self.generate_security_hash(**security_hash_dict)
|
|
|
|
actual_hash = self.cleaned_data["security_hash"]
|
|
|
|
if expected_hash != actual_hash:
|
|
|
|
raise forms.ValidationError("Security hash check failed.")
|
|
|
|
return actual_hash
|
|
|
|
|
|
|
|
def clean_timestamp(self):
|
|
|
|
"""Make sure the timestamp isn't too far (> 2 hours) in the past."""
|
|
|
|
ts = self.cleaned_data["timestamp"]
|
|
|
|
if time.time() - ts > (2 * 60 * 60):
|
|
|
|
raise forms.ValidationError("Timestamp check failed")
|
|
|
|
return ts
|
|
|
|
|
|
|
|
def clean_comment(self):
|
|
|
|
"""
|
|
|
|
If COMMENTS_ALLOW_PROFANITIES is False, check that the comment doesn't
|
|
|
|
contain anything in PROFANITIES_LIST.
|
|
|
|
"""
|
|
|
|
comment = self.cleaned_data["comment"]
|
|
|
|
if settings.COMMENTS_ALLOW_PROFANITIES == False:
|
|
|
|
bad_words = [w for w in settings.PROFANITIES_LIST if w in comment.lower()]
|
|
|
|
if bad_words:
|
|
|
|
plural = len(bad_words) > 1
|
2008-10-05 13:05:32 +08:00
|
|
|
raise forms.ValidationError(ungettext(
|
2008-08-26 06:14:22 +08:00
|
|
|
"Watch your mouth! The word %s is not allowed here.",
|
|
|
|
"Watch your mouth! The words %s are not allowed here.", plural) % \
|
|
|
|
get_text_list(['"%s%s%s"' % (i[0], '-'*(len(i)-2), i[-1]) for i in bad_words], 'and'))
|
|
|
|
return comment
|
|
|
|
|
|
|
|
def generate_security_data(self):
|
|
|
|
"""Generate a dict of security data for "initial" data."""
|
|
|
|
timestamp = int(time.time())
|
|
|
|
security_dict = {
|
|
|
|
'content_type' : str(self.target_object._meta),
|
|
|
|
'object_pk' : str(self.target_object._get_pk_val()),
|
|
|
|
'timestamp' : str(timestamp),
|
|
|
|
'security_hash' : self.initial_security_hash(timestamp),
|
|
|
|
}
|
|
|
|
return security_dict
|
|
|
|
|
|
|
|
def initial_security_hash(self, timestamp):
|
|
|
|
"""
|
|
|
|
Generate the initial security hash from self.content_object
|
|
|
|
and a (unix) timestamp.
|
|
|
|
"""
|
|
|
|
|
|
|
|
initial_security_dict = {
|
|
|
|
'content_type' : str(self.target_object._meta),
|
|
|
|
'object_pk' : str(self.target_object._get_pk_val()),
|
|
|
|
'timestamp' : str(timestamp),
|
|
|
|
}
|
|
|
|
return self.generate_security_hash(**initial_security_dict)
|
|
|
|
|
|
|
|
def generate_security_hash(self, content_type, object_pk, timestamp):
|
|
|
|
"""Generate a (SHA1) security hash from the provided info."""
|
|
|
|
info = (content_type, object_pk, timestamp, settings.SECRET_KEY)
|
2008-09-02 11:04:28 +08:00
|
|
|
return sha_constructor("".join(info)).hexdigest()
|