2121from ietf .submit .utils import check_idnits , found_idnits , validate_submission , create_submission_event
2222from ietf .submit .utils import post_submission , cancel_submission , rename_submission_files
2323from ietf .submit .mail import send_full_url , send_approval_request_to_group , send_submission_confirmation , submission_confirmation_email_list , send_manual_post_request
24- from ietf .utils .uniquekey import generate_unique_key
24+ from ietf .utils .accesstoken import generate_random_key , generate_access_token
2525
2626def upload_submission (request ):
2727 if request .method == 'POST' :
@@ -89,7 +89,7 @@ def upload_submission(request):
8989
9090 create_submission_event (request , submission , desc = "Uploaded submission" )
9191
92- return redirect ("submit_submission_status_by_hash" , submission_id = submission .pk , access_key = submission .access_key )
92+ return redirect ("submit_submission_status_by_hash" , submission_id = submission .pk , access_token = submission .access_token () )
9393 except IOError as e :
9494 if "read error" in str (e ): # The server got an IOError when trying to read POST data
9595 form = UploadForm (request = request )
@@ -128,23 +128,26 @@ def search_submission(request):
128128 'name' : name },
129129 context_instance = RequestContext (request ))
130130
131- def can_edit_submission (request , submission , access_key ):
132- key_matched = access_key and submission .access_key == access_key
131+ def can_edit_submission (request , submission , access_token ):
132+ key_matched = access_token and submission .access_token () == access_token
133+ if not key_matched : key_matched = submission .access_key == access_token # backwards-compat
133134 return key_matched or has_role (request .user , "Secretariat" )
134135
135- def submission_status (request , submission_id , access_key = None , message = None ):
136+ def submission_status (request , submission_id , access_token = None ):
136137 submission = get_object_or_404 (Submission , pk = submission_id )
137- if access_key and submission .access_key != access_key :
138+
139+ key_matched = access_token and submission .access_token () == access_token
140+ if not key_matched : key_matched = submission .access_key == access_token # backwards-compat
141+ if access_token and not key_matched :
138142 raise Http404
139143
140144 errors = validate_submission (submission )
141145 passes_idnits = found_idnits (submission .idnits_message )
142146
143- key_matched = access_key and submission .access_key == access_key
144147 is_secretariat = has_role (request .user , "Secretariat" )
145148 is_chair = submission .group and submission .group .has_role (request .user , "chair" )
146149
147- can_edit = can_edit_submission (request , submission , access_key ) and submission .state_id == "uploaded"
150+ can_edit = can_edit_submission (request , submission , access_token ) and submission .state_id == "uploaded"
148151 can_cancel = (key_matched or is_secretariat ) and submission .state .next_states .filter (slug = "cancel" )
149152 can_group_approve = (is_secretariat or is_chair ) and submission .state_id == "grp-appr"
150153 can_force_post = is_secretariat and submission .state .next_states .filter (slug = "posted" )
@@ -161,8 +164,10 @@ def submission_status(request, submission_id, access_key=None, message=None):
161164
162165 requires_prev_authors_approval = Document .objects .filter (name = submission .name )
163166
167+ message = None
168+
164169 if submission .state_id == "cancel" :
165- message = ('error' , 'This submission has been cancelled , modification is no longer possible.' )
170+ message = ('error' , 'This submission has been canceled , modification is no longer possible.' )
166171 elif submission .state_id == "auth" :
167172 message = ('success' , u'The submission is pending email authentication. An email has been sent to: %s' % "," .join (confirmation_list ))
168173 elif submission .state_id == "grp-appr" :
@@ -192,7 +197,7 @@ def submission_status(request, submission_id, access_key=None, message=None):
192197 desc = "sent approval email to group chairs: %s" % u", " .join (sent_to )
193198
194199 else :
195- submission .auth_key = generate_unique_key ()
200+ submission .auth_key = generate_random_key ()
196201 if requires_prev_authors_approval :
197202 submission .state = DraftSubmissionStateName .objects .get (slug = "aut-appr" )
198203 else :
@@ -208,11 +213,11 @@ def submission_status(request, submission_id, access_key=None, message=None):
208213
209214 create_submission_event (request , submission , u"Set submitter to \" %s\" and %s" % (submission .submitter , desc ))
210215
211- return redirect ("submit_submission_status_by_hash" , submission_id = submission .pk , access_key = access_key )
216+ return redirect ("submit_submission_status_by_hash" , submission_id = submission .pk , access_token = access_token )
212217
213218 elif action == "edit" and submission .state_id == "uploaded" :
214- if access_key :
215- return redirect ("submit_edit_submission_by_hash" , submission_id = submission .pk , access_key = access_key )
219+ if access_token :
220+ return redirect ("submit_edit_submission_by_hash" , submission_id = submission .pk , access_token = access_token )
216221 else :
217222 return redirect ("submit_edit_submission" , submission_id = submission .pk )
218223
@@ -229,7 +234,7 @@ def submission_status(request, submission_id, access_key=None, message=None):
229234
230235 cancel_submission (submission )
231236
232- create_submission_event (request , submission , "Cancelled submission" )
237+ create_submission_event (request , submission , "Canceled submission" )
233238
234239 return redirect ("submit_submission_status" , submission_id = submission_id )
235240
@@ -284,10 +289,10 @@ def submission_status(request, submission_id, access_key=None, message=None):
284289 context_instance = RequestContext (request ))
285290
286291
287- def edit_submission (request , submission_id , access_key = None ):
292+ def edit_submission (request , submission_id , access_token = None ):
288293 submission = get_object_or_404 (Submission , pk = submission_id , state = "uploaded" )
289294
290- if not can_edit_submission (request .user , submission , access_key ):
295+ if not can_edit_submission (request .user , submission , access_token ):
291296 return HttpResponseForbidden ('You do not have permission to access this page' )
292297
293298 errors = validate_submission (submission )
@@ -360,10 +365,13 @@ def edit_submission(request, submission_id, access_key=None):
360365 context_instance = RequestContext (request ))
361366
362367
363- def confirm_submission (request , submission_id , auth_key ):
368+ def confirm_submission (request , submission_id , auth_token ):
364369 submission = get_object_or_404 (Submission , pk = submission_id )
365370
366- if request .method == 'POST' and submission .state_id in ("auth" , "aut-appr" ) and auth_key == submission .auth_key :
371+ key_matched = submission .auth_key and auth_token == generate_access_token (submission .auth_key )
372+ if not key_matched : key_matched = auth_token == submission .auth_key # backwards-compat
373+
374+ if request .method == 'POST' and submission .state_id in ("auth" , "aut-appr" ) and key_matched :
367375 post_submission (request , submission )
368376
369377 create_submission_event (request , submission , "Confirmed and posted submission" )
@@ -372,7 +380,7 @@ def confirm_submission(request, submission_id, auth_key):
372380
373381 return render_to_response ('submit/confirm_submission.html' , {
374382 'submission' : submission ,
375- 'auth_key ' : auth_key ,
383+ 'key_matched ' : key_matched ,
376384 }, context_instance = RequestContext (request ))
377385
378386
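Review bot: The backwards-compat fallback in can_edit_submission (`if not key_matched : key_matched = submission.access_key == access_token`) drops the `access_token and` guard that the removed line had, so a request with no token reaches `submission.access_key == None`. If any stored access_key can be null or empty (not visible in this diff), that comparison succeeds and grants edit rights without a credential. The same two lines are repeated in submission_status, where key_matched also gates can_cancel, and the fallback in confirm_submission likewise loses its `submission.auth_key and` guard. I would put both comparisons under one guard, e.g. `key_matched = bool(access_token) and access_token in (submission.access_token(), submission.access_key)`, have submission_status call a shared helper instead of duplicating it, and consider `django.utils.crypto.constant_time_compare` for the token checks. While the legacy path stays, the stored access_key remains a valid credential, so a comment stating when it can be removed would help.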