A Python content management system designed for kirsle.net featuring a blog, comments and photo albums. https://rophako.kirsle.net/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

351 lines
10 KiB

# -*- coding: utf-8 -*-
from __future__ import unicode_literals, absolute_import
"""Commenting models."""
from flask import url_for, session
from itsdangerous import URLSafeSerializer
import time
import hashlib
import urllib
import random
import sys
import uuid
from rophako.settings import Config
import rophako.jsondb as JsonDB
import rophako.model.user as User
import rophako.model.emoticons as Emoticons
from rophako.utils import send_email, render_markdown
from rophako.log import logger
def deletion_token():
"""Retrieves the comment deletion token for the current user's session.
Deletion tokens are random strings saved with a comment's data that allows
its original commenter to delete or modify their comment on their own,
within a window of time configurable by the site owner
(in ``comment.edit_period``).
If the current session doesn't have a deletion token yet, this function
will generate and set one. Otherwise it returns the one set last time.
All comments posted by the same session would share the same deletion
if not "comment_token" in session:
session["comment_token"] = str(uuid.uuid4())
return session.get("comment_token")
def add_comment(thread, uid, name, subject, message, url, time, ip,
token=None, image=None):
"""Add a comment to a comment thread.
thread (str): the unique comment thread name.
uid (int): 0 for guest posts, otherwise the UID of the logged-in user.
name (str): the commenter's name (if a guest)
subject (str)
message (str)
url (str): the URL where the comment can be read (i.e. the blog post)
time (int): epoch time of the comment.
ip (str): the user's IP address.
token (str): the user's session's comment deletion token.
image (str): the URL to a Gravatar image, if any.
# Get the comments for this thread.
comments = get_comments(thread)
# Make up a unique ID for the comment.
cid = random_hash()
while cid in comments:
cid = random_hash()
# Add the comment.
comments[cid] = dict(
name=name or "Anonymous",
image=image or "",
time=time or int(time.time()),
write_comments(thread, comments)
# Get info about the commenter.
if uid > 0:
user = User.get_user(uid=uid)
if user:
name = user["name"]
# Send the e-mail to the site admins.
subject="Comment Added: {}".format(subject),
message="""{name} has left a comment on: {subject}
To view this comment, please go to <{url}>
Was this comment spam? [Delete it]({deletion_link}).""".format(
token=make_quick_delete_token(thread, cid),
# Notify any subscribers.
subs = get_subscribers(thread)
for sub in subs.keys():
# Make the unsubscribe link.
unsub = url_for("comment.unsubscribe", thread=thread, who=sub, _external=True)
subject="New Comment: {}".format(subject),
{name} has left a comment on: {subject}
To view this comment, please go to <{url}>""".format(
footer="You received this e-mail because you subscribed to the "
"comment thread that this comment was added to. You may "
"[**unsubscribe**]({unsub}) if you like.".format(
def get_comment(thread, cid):
"""Look up a specific comment."""
comments = get_comments(thread)
return comments.get(cid, None)
def update_comment(thread, cid, data):
"""Update the data for a comment."""
comments = get_comments(thread)
if cid in comments:
write_comments(thread, comments)
def delete_comment(thread, cid):
"""Delete a comment from a thread."""
comments = get_comments(thread)
del comments[cid]
write_comments(thread, comments)
def make_quick_delete_token(thread, cid):
"""Generate a unique tamper-proof token for quickly deleting comments.
This allows for an instant 'delete' link to be included in the notification
e-mail sent to the site admins, to delete obviously spammy comments
It uses ``itsdangerous`` to create a unique token signed by the site's
secret key so that users can't forge their own tokens.
thread (str): comment thread name.
cid (str): unique comment ID.
s = URLSafeSerializer(Config.security.secret_key)
return s.dumps(dict(
def validate_quick_delete_token(token):
"""Validate and decode a quick delete token.
If the token is valid, returns a dict of the thread name and comment ID,
as keys ``t`` and ``c`` respectively.
If not valid, returns ``None``.
s = URLSafeSerializer(Config.security.secret_key)
return s.loads(token)
logger.exception("Failed to validate quick-delete token {}".format(token))
return None
def is_editable(thread, cid, comment=None):
"""Determine if the comment is editable by the end user.
A comment is editable to its own author (even guests) for a window defined
by the site owner. In this event, the user's session has their
'comment deletion token' that matches the comment's saved token, and the
comment was posted recently.
Site admins (any logged-in user) can always edit all comments.
thread (str): the unique comment thread name.
cid (str): the comment ID.
comment (dict): if you already have the comment object, you can provide
it here and save an extra DB lookup.
bool: True if the user is logged in *OR* has a valid deletion token and
the comment is relatively new. Otherwise returns False.
# Logged in users can always do it.
if session["login"]:
return True
# Get the comment, or bail if not found.
if comment is None:
comment = get_comment(thread, cid)
if not comment:
return False
# Make sure the comment's token matches the user's, or bail.
if comment.get("token", "x") != deletion_token():
return False
# And finally, make sure the comment is new enough.
return time.time() - comment["time"] < 60*60*Config.comment.edit_period
def count_comments(thread):
"""Count the comments on a thread."""
comments = get_comments(thread)
return len(comments.keys())
def add_subscriber(thread, email):
"""Add a subscriber to a thread."""
if not "@" in email:
# Sanity check: only subscribe to threads that exist.
if not JsonDB.exists("comments/threads/{}".format(thread)):
logger.info("Subscribe e-mail {} to thread {}".format(email, thread))
subs = get_subscribers(thread)
subs[email] = int(time.time())
write_subscribers(thread, subs)
def unsubscribe(thread, email):
"""Unsubscribe an e-mail address from a thread.
If `thread` is `*`, the e-mail is unsubscribed from all threads."""
# Which threads to unsubscribe from?
threads = []
if thread == "*":
threads = JsonDB.list_docs("comments/subscribers")
threads = [thread]
# Remove them as a subscriber.
for thread in threads:
if JsonDB.exists("comments/subscribers/{}".format(thread)):
logger.info("Unsubscribe e-mail address {} from comment thread {}".format(email, thread))
db = get_subscribers(thread)
del db[email]
write_subscribers(thread, db)
def format_message(message):
"""HTML sanitize the message and format it for display."""
# Comments use Markdown formatting, and HTML tags are escaped by default.
message = render_markdown(message)
# Process emoticons.
message = Emoticons.render(message)
return message
def get_comments(thread):
"""Get the comment thread."""
doc = "comments/threads/{}".format(thread)
if JsonDB.exists(doc):
return JsonDB.get(doc)
return {}
def write_comments(thread, comments):
"""Save the comments DB."""
if len(comments.keys()) == 0:
return JsonDB.delete("comments/threads/{}".format(thread))
return JsonDB.commit("comments/threads/{}".format(thread), comments)
def get_subscribers(thread):
"""Get the subscribers to a comment thread."""
doc = "comments/subscribers/{}".format(thread)
if JsonDB.exists(doc):
return JsonDB.get(doc)
return {}
def write_subscribers(thread, subs):
"""Save the subscribers to the DB."""
if len(subs.keys()) == 0:
return JsonDB.delete("comments/subscribers/{}".format(thread))
return JsonDB.commit("comments/subscribers/{}".format(thread), subs)
def random_hash():
"""Get a short random hash to use as the ID for a comment."""
md5 = hashlib.md5()
md5.update(str(random.randint(0, 1000000)).encode("utf-8"))
return md5.hexdigest()
def gravatar(email):
"""Generate a Gravatar link for an email address."""
if "@" in email:
# Default avatar?
default = Config.comment.default_avatar
# Construct the URL.
params = {
"s": "96", # size
if default:
params["d"] = default
url = "//www.gravatar.com/avatar/" + hashlib.md5(email.lower().encode("utf-8")).hexdigest() + "?"
# URL encode the params, the Python 2 & Python 3 way.
if sys.version_info[0] < 3:
url += urllib.urlencode(params)
url += urllib.parse.urlencode(params)
return url
return ""