import ast
import collections
import contextlib
+import datetime
import errno
import functools
import getpass
import traceback
import urlparse
import warnings
+from zlib import adler32
import babel.core
import psutil
import werkzeug.routing
import werkzeug.wrappers
import werkzeug.wsgi
+from werkzeug.wsgi import wrap_file
import openerp
from openerp import SUPERUSER_ID
from openerp.service import security, model as service_model
from openerp.tools.func import lazy_property
+from openerp.tools import ustr
_logger = logging.getLogger(__name__)
+# 1 week cache for statics as advised by Google Page Speed
+STATIC_CACHE = 60 * 60 * 24 * 7
+
#----------------------------------------------------------
# RequestHandler
#----------------------------------------------------------
args[2] = '*'
return tuple(args)
+# don't trigger debugger for those exceptions, they carry user-facing warnings
+# and indications, they're not necessarily indicative of anything being
+# *broken*
+NO_POSTMORTEM = (openerp.osv.orm.except_orm,
+ openerp.exceptions.AccessError,
+ openerp.exceptions.AccessDenied,
+ openerp.exceptions.Warning,
+ openerp.exceptions.RedirectWarning)
def dispatch_rpc(service_name, method, params):
""" Handle a RPC call.
openerp.netsvc.log(rpc_request, logging.DEBUG, logline, replace_request_password(params), depth=1)
return result
- except (openerp.osv.orm.except_orm, openerp.exceptions.AccessError, \
- openerp.exceptions.AccessDenied, openerp.exceptions.Warning, \
- openerp.exceptions.RedirectWarning):
+ except NO_POSTMORTEM:
raise
except openerp.exceptions.DeferredException, e:
_logger.exception(openerp.tools.exception_to_unicode(e))
return "<html><head><script>window.location = '%s' + location.hash;</script></head></html>" % url
class WebRequest(object):
- """ Parent class for all OpenERP Web request types, mostly deals with
+ """ Parent class for all Odoo Web request types, mostly deals with
initialization and setup of the request object (the dispatching itself has
to be handled by the subclasses)
the original :class:`werkzeug.wrappers.Request` object provided to the
request
- .. attribute:: httpsession
-
- .. deprecated:: 8.0
-
- Use :attr:`session` instead.
-
.. attribute:: params
:class:`~collections.Mapping` of request parameters, not generally
useful as they're provided directly to the handler method as keyword
arguments
-
- .. attribute:: session_id
-
- opaque identifier for the :class:`OpenERPSession` instance of
- the current request
-
- .. attribute:: session
-
- a :class:`OpenERPSession` holding the HTTP session data for the
- current http session
-
- .. attribute:: context
-
- :class:`~collections.Mapping` of context values for the current
- request
-
- .. attribute:: db
-
- ``str``, the name of the database linked to the current request. Can
- be ``None`` if the current request uses the ``none`` authentication
- in ``web`` module's controllers.
-
- .. attribute:: uid
-
- ``int``, the id of the user related to the current request. Can be
- ``None`` if the current request uses the ``none`` authentication.
-
- .. attribute:: env
-
- an :class:`openerp.api.Environment` bound to the current
- request's ``cr``, ``uid`` and ``context``
"""
def __init__(self, httprequest):
self.httprequest = httprequest
self.httpresponse = None
self.httpsession = httprequest.session
- self.session = httprequest.session
- self.session_id = httprequest.session.sid
self.disable_db = False
self.uid = None
self.endpoint = None
self.auth_method = None
- self._cr_cm = None
self._cr = None
# prevents transaction commit, use when you catch an exception during handling
threading.current_thread().dbname = self.db
if self.session.uid:
threading.current_thread().uid = self.session.uid
- self.context = dict(self.session.context)
- self.lang = self.context["lang"]
- @property
- def registry(self):
+ @lazy_property
+ def env(self):
"""
- The registry to the database linked to this request. Can be ``None``
- if the current request uses the ``none`` authentication.
+ The :class:`~openerp.api.Environment` bound to current request.
"""
- return openerp.modules.registry.RegistryManager.get(self.db) if self.db else None
+ return openerp.api.Environment(self.cr, self.uid, self.context)
- @property
- def db(self):
+ @lazy_property
+ def context(self):
"""
- The database linked to this request. Can be ``None``
- if the current request uses the ``none`` authentication.
+ :class:`~collections.Mapping` of context values for the current
+ request
"""
- return self.session.db if not self.disable_db else None
+ return dict(self.session.context)
+
+ @lazy_property
+ def lang(self):
+ return self.context["lang"]
+
+ @lazy_property
+ def session(self):
+ """
+ a :class:`OpenERPSession` holding the HTTP session data for the
+ current http session
+ """
+ return self.httprequest.session
@property
def cr(self):
"""
- The cursor initialized for the current method call. If the current
- request uses the ``none`` authentication trying to access this
- property will raise an exception.
+ :class:`~openerp.sql_db.Cursor` initialized for the current method
+ call.
+
+ Accessing the cursor when the current request uses the ``none``
+ authentication will raise an exception.
"""
- # some magic to lazy create the cr
+ # can not be a lazy_property because manual rollback in _call_function
+ # if already set (?)
if not self._cr:
self._cr = self.registry.cursor()
return self._cr
- @lazy_property
- def env(self):
- """
- The Environment bound to current request.
- """
- return openerp.api.Environment(self.cr, self.uid, self.context)
-
def __enter__(self):
_request_stack.push(self)
return self
to abitrary responses. Anything returned (except None) will
be used as response."""
self._failed = exception # prevent tx commit
+ if not isinstance(exception, NO_POSTMORTEM):
+ openerp.tools.debugger.post_mortem(
+ openerp.tools.config, sys.exc_info())
raise
def _call_function(self, *args, **kwargs):
request = self
if self.endpoint.routing['type'] != self._request_type:
- raise Exception("%s, %s: Function declared as capable of handling request of type '%s' but called with a request of type '%s'" \
- % (self.endpoint.original, self.httprequest.path, self.endpoint.routing['type'], self._request_type))
+ msg = "%s, %s: Function declared as capable of handling request of type '%s' but called with a request of type '%s'"
+ params = (self.endpoint.original, self.httprequest.path, self.endpoint.routing['type'], self._request_type)
+ _logger.error(msg, *params)
+ raise werkzeug.exceptions.BadRequest(msg % params)
kwargs.update(self.endpoint.arguments)
@property
def debug(self):
+ """ Indicates whether the current request is in "debug" mode
+ """
return 'debug' in self.httprequest.args
@contextlib.contextmanager
warnings.warn('please use request.registry and request.cr directly', DeprecationWarning)
yield (self.registry, self.cr)
+ @lazy_property
+ def session_id(self):
+ """
+ opaque identifier for the :class:`OpenERPSession` instance of
+ the current request
+
+ .. deprecated:: 8.0
+
+ Use the ``sid`` attribute on :attr:`.session`
+ """
+ return self.session.sid
+
+ @property
+ def registry(self):
+ """
+ The registry to the database linked to this request. Can be ``None``
+ if the current request uses the ``none`` authentication.
+
+ .. deprecated:: 8.0
+
+ use :attr:`.env`
+ """
+ return openerp.modules.registry.RegistryManager.get(self.db) if self.db else None
+
+ @property
+ def db(self):
+ """
+ The database linked to this request. Can be ``None``
+ if the current request uses the ``none`` authentication.
+ """
+ return self.session.db if not self.disable_db else None
+
+ @lazy_property
+ def httpsession(self):
+ """ HTTP session data
+
+ .. deprecated:: 8.0
+
+ Use :attr:`.session` instead.
+ """
+ return self.session
+
def route(route=None, **kw):
"""
Decorator marking the decorated method as being a handler for
return decorator
class JsonRequest(WebRequest):
- """ JSON-RPC2 over HTTP.
+ """ Request handler for `JSON-RPC 2
+ <http://www.jsonrpc.org/specification>`_ over HTTP
+
+ * ``method`` is ignored
+ * ``params`` must be a JSON object (not an array) and is passed as keyword
+ arguments to the handler method
+ * the handler method's result is returned as JSON-RPC ``result`` and
+ wrapped in the `JSON-RPC Response
+ <http://www.jsonrpc.org/specification#response_object>`_
Sucessful request::
request = self.httprequest.stream.read()
# Read POST content or POST Form Data named "request"
- self.jsonrequest = simplejson.loads(request)
+ try:
+ self.jsonrequest = simplejson.loads(request)
+ except simplejson.JSONDecodeError:
+ msg = 'Invalid JSON data: %r' % (request,)
+ _logger.error('%s: %s', self.httprequest.path, msg)
+ raise werkzeug.exceptions.BadRequest(msg)
+
self.params = dict(self.jsonrequest.get("params", {}))
self.context = self.params.pop('context', dict(self.session.context))
def _handle_exception(self, exception):
"""Called within an except block to allow converting exceptions
- to abitrary responses. Anything returned (except None) will
+ to arbitrary responses. Anything returned (except None) will
be used as response."""
try:
return super(JsonRequest, self)._handle_exception(exception)
except Exception:
- _logger.exception("Exception during JSON request handling.")
+ if not isinstance(exception, (openerp.exceptions.Warning, SessionExpiredException)):
+ _logger.exception("Exception during JSON request handling.")
error = {
'code': 200,
- 'message': "OpenERP Server Error",
+ 'message': "Odoo Server Error",
'data': serialize_exception(exception)
}
if isinstance(exception, AuthenticationError):
error['code'] = 100
- error['message'] = "OpenERP Session Invalid"
+ error['message'] = "Odoo Session Invalid"
+ if isinstance(exception, SessionExpiredException):
+ error['code'] = 100
+ error['message'] = "Odoo Session Expired"
return self._json_response(error=error)
def dispatch(self):
- """ Calls the method asked for by the JSON-RPC2 or JSONP request
- """
if self.jsonp_handler:
return self.jsonp_handler()
try:
tmp = {
"name": type(e).__module__ + "." + type(e).__name__ if type(e).__module__ else type(e).__name__,
"debug": traceback.format_exc(),
- "message": u"%s" % e,
+ "message": ustr(e),
"arguments": to_jsonable(e.args),
}
if isinstance(e, openerp.osv.osv.except_osv):
for k, v in o.items():
tmp[u"%s" % k] = to_jsonable(v)
return tmp
- return u"%s" % o
+ return ustr(o)
def jsonrequest(f):
"""
return route([base, base + "/<path:_ignored_path>"], type="json", auth="user", combine=True)(f)
class HttpRequest(WebRequest):
- """ Regular GET/POST request
+ """ Handler for the ``http`` request type.
+
+ matched routing parameters, query string parameters, form_ parameters
+ and files are passed to the handler method as keyword arguments.
+
+ In case of name conflict, routing parameters have priority.
+
+ The handler method's result can be:
+
+ * a falsy value, in which case the HTTP response will be an
+ `HTTP 204`_ (No Content)
+ * a werkzeug Response object, which is returned as-is
+ * a ``str`` or ``unicode``, will be wrapped in a Response object and
+ interpreted as HTML
+
+ .. _form: http://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.2
+ .. _HTTP 204: http://tools.ietf.org/html/rfc7231#section-6.3.5
"""
_request_type = "http"
be used as response."""
try:
return super(HttpRequest, self)._handle_exception(exception)
+ except SessionExpiredException:
+ if not request.params.get('noredirect'):
+ query = werkzeug.urls.url_encode({
+ 'redirect': request.httprequest.url,
+ })
+ return werkzeug.utils.redirect('/web/login?%s' % query)
except werkzeug.exceptions.HTTPException, e:
return e
return response
def render(self, template, qcontext=None, lazy=True, **kw):
- """ Lazy render of QWeb template.
+ """ Lazy render of a QWeb template.
The actual rendering of the given template will occur at then end of
the dispatching. Meanwhile, the template and/or qcontext can be
:param basestring template: template to render
:param dict qcontext: Rendering context to use
- :param dict lazy: Lazy rendering is processed later in wsgi response layer (default True)
+ :param bool lazy: whether the template rendering should be deferred
+ until the last possible moment
+ :param kw: forwarded to werkzeug's Response object
"""
response = Response(template=template, qcontext=qcontext, **kw)
if not lazy:
return response
def not_found(self, description=None):
- """ Helper for 404 response, return its result from the method
+ """ Shortcut for a `HTTP 404
+ <http://tools.ietf.org/html/rfc7231#section-6.5.4>`_ (Not Found)
+ response
"""
return werkzeug.exceptions.NotFound(description)
or self.session.uid != request.uid:
raise Exception("Trying to use Model with badly configured database or user.")
- mod = request.registry.get(self.model)
if method.startswith('_'):
raise Exception("Access denied")
+ mod = request.registry[self.model]
meth = getattr(mod, method)
cr = request.cr
result = meth(cr, request.uid, *args, **kw)
mimetypes.add_type('application/vnd.ms-fontobject', '.eot')
mimetypes.add_type('application/x-font-ttf', '.ttf')
-class Retry(RuntimeError):
- """ Exception raised during QWeb rendering to signal that the rendering
- should be retried with the provided ``render_updates`` dict merged into
- the previous rendering context
- """
- def __init__(self, name, render_updates=None):
- super(Retry, self).__init__(name)
- self.updates = render_updates or {}
-
class Response(werkzeug.wrappers.Response):
""" Response object passed through controller route chain.
- In addition to the werkzeug.wrappers.Response parameters, this
- classe's constructor can take the following additional parameters
+ In addition to the :class:`werkzeug.wrappers.Response` parameters, this
+ class's constructor can take the following additional parameters
for QWeb Lazy Rendering.
:param basestring template: template to render
:param dict qcontext: Rendering context to use
- :param int uid: User id to use for the ir.ui.view render call
+ :param int uid: User id to use for the ir.ui.view render call,
+ ``None`` to use the request's user (the default)
+
+ these attributes are available as parameters on the Response object and
+ can be altered at any time before rendering
+
+ Also exposes all the attributes and methods of
+ :class:`werkzeug.wrappers.Response`.
"""
default_mimetype = 'text/html'
def __init__(self, *args, **kw):
return self.template is not None
def render(self):
+ """ Renders the Response's template, returns the result
+ """
view_obj = request.registry["ir.ui.view"]
uid = self.uid or request.uid or openerp.SUPERUSER_ID
- while True:
- try:
- return view_obj.render(
- request.cr, uid, self.template, self.qcontext,
- context=request.context)
- except Retry, e:
- self.qcontext.update(e.updates)
+ return view_obj.render(
+ request.cr, uid, self.template, self.qcontext,
+ context=request.context)
def flatten(self):
+ """ Forces the rendering of the response's template, sets the result
+ as response body and unsets :attr:`.template`
+ """
self.response.append(self.render())
self.template = None
if statics:
_logger.info("HTTP Configuring static files")
- app = werkzeug.wsgi.SharedDataMiddleware(self.dispatch, statics)
+ app = werkzeug.wsgi.SharedDataMiddleware(self.dispatch, statics, cache_timeout=STATIC_CACHE)
self.dispatch = DisableCacheMiddleware(app)
def setup_session(self, httprequest):
# deduce type of request
if httprequest.args.get('jsonp'):
return JsonRequest(httprequest)
- if httprequest.mimetype == "application/json":
+ if httprequest.mimetype in ("application/json", "application/json-rpc"):
return JsonRequest(httprequest)
else:
return HttpRequest(httprequest)
return dbs[0]
return None
+def send_file(filepath_or_fp, mimetype=None, as_attachment=False, filename=None, mtime=None,
+ add_etags=True, cache_timeout=STATIC_CACHE, conditional=True):
+ """This is a modified version of Flask's send_file()
+
+ Sends the contents of a file to the client. This will use the
+ most efficient method available and configured. By default it will
+ try to use the WSGI server's file_wrapper support.
+
+ By default it will try to guess the mimetype for you, but you can
+ also explicitly provide one. For extra security you probably want
+ to send certain files as attachment (HTML for instance). The mimetype
+ guessing requires a `filename` or an `attachment_filename` to be
+ provided.
+
+ Please never pass filenames to this function from user sources without
+ checking them first.
+
+ :param filepath_or_fp: the filename of the file to send.
+ Alternatively a file object might be provided
+ in which case `X-Sendfile` might not work and
+ fall back to the traditional method. Make sure
+ that the file pointer is positioned at the start
+ of data to send before calling :func:`send_file`.
+ :param mimetype: the mimetype of the file if provided, otherwise
+ auto detection happens.
+ :param as_attachment: set to `True` if you want to send this file with
+ a ``Content-Disposition: attachment`` header.
+ :param filename: the filename for the attachment if it differs from the file's filename or
+ if using file object without 'name' attribute (eg: E-tags with StringIO).
+ :param mtime: last modification time to use for contitional response.
+ :param add_etags: set to `False` to disable attaching of etags.
+ :param conditional: set to `False` to disable conditional responses.
+
+ :param cache_timeout: the timeout in seconds for the headers.
+ """
+ if isinstance(filepath_or_fp, (str, unicode)):
+ if not filename:
+ filename = os.path.basename(filepath_or_fp)
+ file = open(filepath_or_fp, 'rb')
+ if not mtime:
+ mtime = os.path.getmtime(filepath_or_fp)
+ else:
+ file = filepath_or_fp
+ if not filename:
+ filename = getattr(file, 'name', None)
+
+ file.seek(0, 2)
+ size = file.tell()
+ file.seek(0)
+
+ if mimetype is None and filename:
+ mimetype = mimetypes.guess_type(filename)[0]
+ if mimetype is None:
+ mimetype = 'application/octet-stream'
+
+ headers = werkzeug.datastructures.Headers()
+ if as_attachment:
+ if filename is None:
+ raise TypeError('filename unavailable, required for sending as attachment')
+ headers.add('Content-Disposition', 'attachment', filename=filename)
+ headers['Content-Length'] = size
+
+ data = wrap_file(request.httprequest.environ, file)
+ rv = Response(data, mimetype=mimetype, headers=headers,
+ direct_passthrough=True)
+
+ if isinstance(mtime, str):
+ try:
+ server_format = openerp.tools.misc.DEFAULT_SERVER_DATETIME_FORMAT
+ mtime = datetime.datetime.strptime(mtime.split('.')[0], server_format)
+ except Exception:
+ mtime = None
+ if mtime is not None:
+ rv.last_modified = mtime
+
+ rv.cache_control.public = True
+ if cache_timeout:
+ rv.cache_control.max_age = cache_timeout
+ rv.expires = int(time.time() + cache_timeout)
+
+ if add_etags and filename and mtime:
+ rv.set_etag('odoo-%s-%s-%s' % (
+ mtime,
+ size,
+ adler32(
+ filename.encode('utf-8') if isinstance(filename, unicode)
+ else filename
+ ) & 0xffffffff
+ ))
+ if conditional:
+ rv = rv.make_conditional(request.httprequest)
+ # make sure we don't send x-sendfile for servers that
+ # ignore the 304 status code for x-sendfile.
+ if rv.status_code == 304:
+ rv.headers.pop('x-sendfile', None)
+ return rv
+
#----------------------------------------------------------
# RPC controller
#----------------------------------------------------------