Add an export() view, and implement it as text/text for Document.
For every Model except Document, the public() view is displayed for any
attempts to access the export() view.
Currently, the permissions for export() are the same as for public(). This
seems reasonable for Document, since anyone could extract the raw HTML from
the page source anyway. The permissions should probably be different for
other types of exports, such as vCard or iCard exports of profiles, CSV
exports of lists, etc.
Patch by: Todd Larsen
Review by: to-be-reviewed
from os.path import join, normcase, abspath, sep
from django.utils.encoding import force_unicode
def safe_join(base, *paths):
"""
Joins one or more path components to the base path component intelligently.
Returns a normalized, absolute version of the final path.
The final path must be located inside of the base path component (otherwise
a ValueError is raised).
"""
# We need to use normcase to ensure we don't false-negative on case
# insensitive operating systems (like Windows).
base = force_unicode(base)
paths = [force_unicode(p) for p in paths]
final_path = normcase(abspath(join(base, *paths)))
base_path = normcase(abspath(base))
base_path_len = len(base_path)
# Ensure final_path starts with base_path and that the next character after
# the final path is os.sep (or nothing, in which case final_path must be
# equal to base_path).
if not final_path.startswith(base_path) \
or final_path[base_path_len:base_path_len+1] not in ('', sep):
raise ValueError('the joined path is located outside of the base path'
' component')
return final_path