func deleteClass(w http.ResponseWriter, r *http.Request) *webapp.Error { idString := r.FormValue("class") if idString == "" { return missingFields(w) } id, err := strconv.ParseInt(idString, 10, 64) if err != nil { return invalidData(w, fmt.Sprintf("Invalid class ID")) } c := appengine.NewContext(r) class, err := classes.ClassWithID(c, id) switch err { case nil: break case classes.ErrClassNotFound: return invalidData(w, "No such class.") default: return webapp.InternalError(fmt.Errorf("failed to look up class %d: %s", id, err)) } staffAccount, ok := staffContext(r) if !ok { return webapp.UnauthorizedError(fmt.Errorf("only staff may delete classes")) } if r.Method == "POST" { c.Infof("updating class %d", class.ID) token, err := auth.TokenForRequest(c, staffAccount.ID, r.URL.Path) if err != nil { return webapp.UnauthorizedError(fmt.Errorf("didn't find an auth token")) } if !token.IsValid(r.FormValue(auth.TokenFieldName), time.Now()) { return webapp.UnauthorizedError(fmt.Errorf("invalid auth token")) } if err := class.Delete(c); err != nil { return webapp.InternalError(fmt.Errorf("failed to delete class %d: %s", class.ID, err)) } token.Delete(c) http.Redirect(w, r, "/staff", http.StatusSeeOther) return nil } token, err := auth.NewToken(staffAccount.ID, r.URL.Path, time.Now()) if err != nil { return webapp.InternalError(err) } if err := token.Store(c); err != nil { return webapp.InternalError(err) } data := map[string]interface{}{ "Token": token.Encode(), "Class": class, "Teacher": class.TeacherEntity(c), } if err := deleteClassPage.Execute(w, data); err != nil { return webapp.InternalError(err) } return nil }
func checkToken(c appengine.Context, userID, path, encoded string) (*auth.Token, bool) { token, err := auth.TokenForRequest(c, userID, path) if err != nil { return nil, false } if token.IsValid(encoded, time.Now()) { return token, true } return nil, false }
func deleteYinYogassage(w http.ResponseWriter, r *http.Request) *webapp.Error { fields, err := webapp.ParseRequiredValues(r, "id") if err != nil { return webapp.InternalError(err) } id, err := strconv.ParseInt(fields["id"], 10, 64) if err != nil { return invalidData(w, fmt.Sprintf("Invalid yogassage ID")) } c := appengine.NewContext(r) yin, err := yogassage.WithID(c, id) if err != nil { return webapp.InternalError(fmt.Errorf("failed to find yogassage %d: %s", id, err)) } staffAccount, ok := staffContext(r) if !ok { return webapp.UnauthorizedError(fmt.Errorf("only staff may delete yogassage classes")) } if r.Method == "POST" { token, err := auth.TokenForRequest(c, staffAccount.ID, r.URL.Path) if err != nil { return webapp.UnauthorizedError(fmt.Errorf("didn't find an auth token")) } if !token.IsValid(r.FormValue(auth.TokenFieldName), time.Now()) { return webapp.UnauthorizedError(fmt.Errorf("invalid auth token")) } if err := yin.Delete(c); err != nil { return webapp.InternalError(fmt.Errorf("failed to delete yogassage %d: %s", yin.ID, err)) } token.Delete(c) http.Redirect(w, r, "/staff", http.StatusSeeOther) return nil } token, err := auth.NewToken(staffAccount.ID, r.URL.Path, time.Now()) if err != nil { return webapp.InternalError(err) } if err := token.Store(c); err != nil { return webapp.InternalError(err) } data := map[string]interface{}{ "Token": token.Encode(), "Class": yin, } if err := deleteYinYogassagePage.Execute(w, data); err != nil { return webapp.InternalError(err) } return nil }
func addSession(w http.ResponseWriter, r *http.Request) *webapp.Error { c := appengine.NewContext(r) staffAccount, ok := staffContext(r) if !ok { return webapp.UnauthorizedError(fmt.Errorf("only staff may add sessions")) } if r.Method == "POST" { token, err := auth.TokenForRequest(c, staffAccount.ID, r.URL.Path) if err != nil { return webapp.UnauthorizedError(fmt.Errorf("didn't find an auth token")) } if !token.IsValid(r.FormValue(auth.TokenFieldName), time.Now()) { return webapp.UnauthorizedError(fmt.Errorf("invalid auth token")) } fields, err := webapp.ParseRequiredValues(r, "name", "startdate", "enddate") if err != nil { return missingFields(w) } start, err := parseLocalDate(fields["startdate"]) if err != nil { return invalidData(w, "Invalid start date; please use mm/dd/yyyy format.") } end, err := parseLocalDate(fields["enddate"]) if err != nil { return invalidData(w, "Invalid end date; please use mm/dd/yyyy format.") } session := classes.NewSession(fields["name"], start, end) if err := session.Insert(c); err != nil { return webapp.InternalError(fmt.Errorf("failed to put session: %s", err)) } token.Delete(c) http.Redirect(w, r, "/staff", http.StatusSeeOther) return nil } token, err := auth.NewToken(staffAccount.ID, r.URL.Path, time.Now()) if err != nil { return webapp.InternalError(err) } if err := token.Store(c); err != nil { return webapp.InternalError(err) } data := map[string]interface{}{ "Token": token.Encode(), } if err := addSessionPage.Execute(w, data); err != nil { return webapp.InternalError(err) } return nil }
func deleteAnnouncement(w http.ResponseWriter, r *http.Request) *webapp.Error { fields, err := webapp.ParseRequiredValues(r, "id") if err != nil { return webapp.InternalError(err) } id, err := strconv.ParseInt(fields["id"], 10, 64) if err != nil { return webapp.InternalError(fmt.Errorf("failed to parse %q as announcement ID: %s", fields["id"], err)) } c := appengine.NewContext(r) announce, err := staff.AnnouncementWithID(c, id) if err != nil { return missingFields(w) } staffAccount, ok := staffContext(r) if !ok { return webapp.UnauthorizedError(fmt.Errorf("only staff may delete announcements")) } if r.Method == "POST" { token, err := auth.TokenForRequest(c, staffAccount.ID, r.URL.Path) if err != nil { return webapp.UnauthorizedError(fmt.Errorf("didn't find an auth token")) } if !token.IsValid(r.FormValue(auth.TokenFieldName), time.Now()) { return webapp.UnauthorizedError(fmt.Errorf("invalid auth token")) } if err := announce.Delete(c); err != nil { return webapp.InternalError(fmt.Errorf("failed to delete announcement %d: %s", announce.ID, err)) } token.Delete(c) http.Redirect(w, r, "/staff", http.StatusSeeOther) return nil } token, err := auth.NewToken(staffAccount.ID, r.URL.Path, time.Now()) if err != nil { return webapp.InternalError(err) } if err := token.Store(c); err != nil { return webapp.InternalError(err) } data := map[string]interface{}{ "Token": token.Encode(), "Announcement": announce, } if err := deleteAnnouncementPage.Execute(w, data); err != nil { return webapp.InternalError(err) } return nil }
func addTeacher(w http.ResponseWriter, r *http.Request) *webapp.Error { c := appengine.NewContext(r) vals, err := webapp.ParseRequiredValues(r, "email") if err != nil { return webapp.InternalError(err) } staffAccount, ok := staffContext(r) if !ok { return webapp.UnauthorizedError(fmt.Errorf("only staff may add teachers")) } account, err := account.WithEmail(c, vals["email"]) if err != nil { return webapp.InternalError(fmt.Errorf("Couldn't find account for '%s'", vals["email"])) } if r.Method == "POST" { token, err := auth.TokenForRequest(c, staffAccount.ID, r.URL.Path) if err != nil { return webapp.UnauthorizedError(fmt.Errorf("didn't find an auth token")) } if !token.IsValid(r.FormValue(auth.TokenFieldName), time.Now()) { return webapp.UnauthorizedError(fmt.Errorf("invalid auth token")) } teacher := classes.NewTeacher(account) if err := teacher.Put(c); err != nil { return webapp.InternalError(fmt.Errorf("Couldn't store teacher for %q: %s", account.Email, err)) } token.Delete(c) http.Redirect(w, r, "/staff", http.StatusSeeOther) return nil } token, err := auth.NewToken(staffAccount.ID, r.URL.Path, time.Now()) if err != nil { return webapp.InternalError(err) } if err := token.Store(c); err != nil { return webapp.InternalError(err) } data := map[string]interface{}{ "Token": token.Encode(), "User": account, } if err := addTeacherPage.Execute(w, data); err != nil { return webapp.InternalError(err) } return nil }
func addAnnouncement(w http.ResponseWriter, r *http.Request) *webapp.Error { c := appengine.NewContext(r) staffAccount, ok := staffContext(r) if !ok { return webapp.UnauthorizedError(fmt.Errorf("only staff may add announcements")) } if r.Method == "POST" { token, err := auth.TokenForRequest(c, staffAccount.ID, r.URL.Path) if err != nil { return webapp.UnauthorizedError(fmt.Errorf("didn't find an auth token")) } if !token.IsValid(r.FormValue(auth.TokenFieldName), time.Now()) { return webapp.UnauthorizedError(fmt.Errorf("invalid auth token")) } fields, err := webapp.ParseRequiredValues(r, "text", "expiration") if err != nil { return missingFields(w) } expiration, err := parseLocalDate(fields["expiration"]) if err != nil { return invalidData(w, "Invalid date entry; please use mm/dd/yyyy format.") } c.Infof("expiration: %s", expiration) announce := staff.NewAnnouncement(fields["text"], expiration) if err := staffAccount.AddAnnouncement(c, announce); err != nil { return webapp.InternalError(fmt.Errorf("staff: failed to add announcement: %s", err)) } token.Delete(c) http.Redirect(w, r, "/staff", http.StatusSeeOther) return nil } token, err := auth.NewToken(staffAccount.ID, r.URL.Path, time.Now()) if err != nil { return webapp.InternalError(err) } if err := token.Store(c); err != nil { return webapp.InternalError(err) } data := map[string]interface{}{ "Token": token.Encode(), } if err := addAnnouncementPage.Execute(w, data); err != nil { return webapp.InternalError(err) } return nil }
func addStaff(w http.ResponseWriter, r *http.Request) *webapp.Error { c := appengine.NewContext(r) adminAccount, ok := userContext(r) if !ok { return webapp.InternalError(fmt.Errorf("user not logged in")) } account, err := account.WithEmail(c, r.FormValue("email")) if err != nil { return webapp.InternalError(fmt.Errorf("Couldn't find user for email %s", r.FormValue("email"))) } if r.Method == "POST" { token, err := auth.TokenForRequest(c, adminAccount.ID, r.URL.Path) if err != nil { return webapp.UnauthorizedError(fmt.Errorf("didn't find an auth token")) } if !token.IsValid(r.FormValue("xsrf_token"), time.Now()) { return webapp.UnauthorizedError(fmt.Errorf("Invalid XSRF token provided")) } staff := staff.New(account) if err := staff.Store(c); err != nil { return webapp.InternalError(fmt.Errorf("Couldn't add %s as staff", account.Email)) } http.Redirect(w, r, "/admin", http.StatusSeeOther) return nil } token, err := auth.NewToken(adminAccount.ID, r.URL.Path, time.Now()) if err != nil { return webapp.InternalError(err) } if err := token.Store(c); err != nil { return webapp.InternalError(err) } data := map[string]interface{}{ "Token": token.Encode(), "User": account, } if err := addStaffPage.Execute(w, data); err != nil { return webapp.InternalError(err) } return nil }
func editClass(w http.ResponseWriter, r *http.Request) *webapp.Error { idString := r.FormValue("class") if idString == "" { return missingFields(w) } id, err := strconv.ParseInt(idString, 10, 64) if err != nil { return invalidData(w, fmt.Sprintf("Invalid class ID")) } c := appengine.NewContext(r) class, err := classes.ClassWithID(c, id) switch err { case nil: break case classes.ErrClassNotFound: return invalidData(w, "No such class.") default: return webapp.InternalError(fmt.Errorf("failed to look up class %d: %s", id, err)) } staffAccount, ok := staffContext(r) if !ok { return webapp.UnauthorizedError(fmt.Errorf("only staff may edit classes")) } if r.Method == "POST" { c.Infof("updating class %d", class.ID) token, err := auth.TokenForRequest(c, staffAccount.ID, r.URL.Path) if err != nil { return webapp.UnauthorizedError(fmt.Errorf("didn't find an auth token")) } if !token.IsValid(r.FormValue(auth.TokenFieldName), time.Now()) { return webapp.UnauthorizedError(fmt.Errorf("invalid auth token")) } fields, err := webapp.ParseRequiredValues(r, "name", "description", "maxstudents", "dayofweek", "starttime", "length", "dropinonly") if err != nil { return missingFields(w) } class.Title = fields["name"] class.LongDescription = []byte(fields["description"]) class.DropInOnly = fields["dropinonly"] == "yes" weekday, err := parseWeekday(fields["dayofweek"]) if err != nil { return invalidData(w, "Invalid weekday") } class.Weekday = weekday maxStudents, err := strconv.ParseInt(fields["maxstudents"], 10, 32) if err != nil || maxStudents <= 0 { return invalidData(w, "Invalid student capacity") } class.Capacity = int32(maxStudents) length, err := parseMinutes(fields["length"]) if err != nil { return invalidData(w, "Invalid length") } class.Length = length start, err := parseLocalTime(fields["starttime"]) if err != nil { return invalidData(w, "Invalid start time; please use HH:MMpm format (e.g., 3:04pm)") } class.StartTime = start if email := r.FormValue("teacher"); email == "" { class.Teacher = nil } else { teacher, err := classes.TeacherWithEmail(c, email) if err != nil { return invalidData(w, "Invalid teacher selected") } class.Teacher = teacher.Key(c) } if err := class.Update(c); err != nil { return webapp.InternalError(fmt.Errorf("failed to update class %d: %s", class.ID, err)) } token.Delete(c) http.Redirect(w, r, "/staff", http.StatusSeeOther) return nil } token, err := auth.NewToken(staffAccount.ID, r.URL.Path, time.Now()) if err != nil { return webapp.InternalError(err) } if err := token.Store(c); err != nil { return webapp.InternalError(err) } data := map[string]interface{}{ "Token": token.Encode(), "Class": class, "Teacher": class.TeacherEntity(c), "Teachers": classes.Teachers(c), "DaysInOrder": daysInOrder, } if err := editClassPage.Execute(w, data); err != nil { return webapp.InternalError(err) } return nil }
func newAccount(w http.ResponseWriter, r *http.Request) *webapp.Error { target := continueTarget(r) c := appengine.NewContext(r) u := user.Current(c) if u == nil { webapp.RedirectToLogin(w, r, "/") return nil } if _, err := account.ForUser(c, u); err != account.ErrUserNotFound { if err != nil { return webapp.InternalError(fmt.Errorf("failed to account for current user: %s", err)) } http.Redirect(w, r, "/", http.StatusFound) return nil } id, err := account.ID(u) if err != nil { return webapp.InternalError(err) } if r.Method == "POST" { token, err := auth.TokenForRequest(c, id, r.URL.Path) if err != nil { return webapp.UnauthorizedError(fmt.Errorf("no stored token for request")) } if !token.IsValid(r.FormValue(auth.TokenFieldName), time.Now()) { return webapp.UnauthorizedError(fmt.Errorf("invalid XSRF token")) } fields, err := webapp.ParseRequiredValues(r, "email", "firstname", "lastname") if err != nil { // TODO(rwsims): Clean up this error reporting. w.WriteHeader(http.StatusBadRequest) fmt.Fprintf(w, "Please go back and enter all required data.") return nil } claim := account.NewClaimedEmail(c, id, fields["email"]) switch err := claim.Claim(c); { case err == nil: break case err == account.ErrEmailAlreadyClaimed: // TODO(rwsims): Clean up this error reporting. w.WriteHeader(http.StatusBadRequest) fmt.Fprintf(w, "That email is already in use; please use a different email") return nil default: return webapp.InternalError(fmt.Errorf("failed to claim email %q: %s", claim.Email, err)) } info := account.Info{ FirstName: fields["firstname"], LastName: fields["lastname"], Email: fields["email"], } if phone := r.FormValue("phone"); phone != "" { info.Phone = phone } acct, err := account.New(u, info) if err != nil { return webapp.InternalError(fmt.Errorf("failed to create user account: %s", err)) } if err := acct.Put(c); err != nil { return webapp.InternalError(fmt.Errorf("failed to write new user account: %s", err)) } if err := acct.SendConfirmation(c); err != nil { c.Errorf("Failed to send confirmation email to %q: %s", acct.Email, err) } http.Redirect(w, r, target, http.StatusSeeOther) token.Delete(c) return nil } token, err := auth.NewToken(id, r.URL.Path, time.Now()) if err != nil { return webapp.InternalError(fmt.Errorf("failed to create auth token: %s", err)) } if err := token.Store(c); err != nil { return webapp.InternalError(fmt.Errorf("failed to store token: %s", err)) } data := map[string]interface{}{ "Target": target, "Token": token.Encode(), } if err := newAccountPage.Execute(w, data); err != nil { return webapp.InternalError(err) } return nil }