diff --git a/MANIFEST.in b/MANIFEST.in index ff5fdcbad..80b2334ea 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,3 +1,3 @@ include *.rst -recursive-include ihatemoney *.rst *.py *.yaml *.po *.mo *.html *.css *.js *.eot *.svg *.woff *.txt *.png *.webp *.ini *.cfg *.j2 *.jpg *.gif *.ico +recursive-include ihatemoney *.rst *.py *.yaml *.po *.mo *.html *.css *.js *.eot *.svg *.woff *.txt *.png *.webp *.ini *.cfg *.j2 *.jpg *.gif *.ico *.xml include LICENSE CONTRIBUTORS CHANGELOG.rst diff --git a/ihatemoney/models.py b/ihatemoney/models.py index 80732529c..c3d72dc88 100644 --- a/ihatemoney/models.py +++ b/ihatemoney/models.py @@ -453,7 +453,8 @@ def generate_token(self, token_type="auth"): """Generate a timed and serialized JsonWebToken :param token_type: Either "auth" for authentication (invalidated when project code changed), - or "reset" for password reset (invalidated after expiration) + or "reset" for password reset (invalidated after expiration), + or "feed" for project feeds (invalidated when project code changed) """ if token_type == "reset": @@ -476,7 +477,8 @@ def verify_token(token, token_type="auth", project_id=None, max_age=3600): :param token: Serialized TimedJsonWebToken :param token_type: Either "auth" for authentication (invalidated when project code changed), - or "reset" for password reset (invalidated after expiration) + or "reset" for password reset (invalidated after expiration), + or "feed" for project feeds (invalidated when project code changed) :param project_id: Project ID. Used for token_type "auth" to use the password as serializer secret key. :param max_age: Token expiration time (in seconds). Only used with token_type "reset" diff --git a/ihatemoney/templates/edit_project.html b/ihatemoney/templates/edit_project.html index 1834b3755..f4e108034 100644 --- a/ihatemoney/templates/edit_project.html +++ b/ihatemoney/templates/edit_project.html @@ -36,6 +36,10 @@

{{ _("Download project's data") }}

{{ _('Bill items') }} + + {{ static_include("images/globe.svg") | safe }} + RSS + {{ static_include("images/file-alt.svg") | safe }} JSON diff --git a/ihatemoney/templates/layout.html b/ihatemoney/templates/layout.html index c99960eb0..9cfd2ceff 100644 --- a/ihatemoney/templates/layout.html +++ b/ihatemoney/templates/layout.html @@ -103,6 +103,7 @@
{{ _('Languages') }}
{% if g.project %}
  • {{ _("History") }}
  • {{ _("Settings") }}
    • +
  • {{ _("RSS Feed") }}
    • {% endif %} {% if session['projects'] and not ((session['projects'] | length) == 1 and g.project and g.project.id in session['projects']) %} diff --git a/ihatemoney/templates/list_bills.html b/ihatemoney/templates/list_bills.html index 947e97786..78d0b952e 100644 --- a/ihatemoney/templates/list_bills.html +++ b/ihatemoney/templates/list_bills.html @@ -44,6 +44,9 @@ {% endblock %} +{% block head %} + +{% endblock %} {% block sidebar %}
    diff --git a/ihatemoney/templates/project_feed.xml b/ihatemoney/templates/project_feed.xml new file mode 100644 index 000000000..f805a9cb8 --- /dev/null +++ b/ihatemoney/templates/project_feed.xml @@ -0,0 +1,22 @@ + + + + I Hate Money — {{ g.project.name }} + {% trans project_name=g.project.name %}Latest bills from {{ project_name }}{% endtrans %} + + {{ url_for(".list_bills", _external=True) }} + {% for (weights, bill) in bills.items -%} + + {{ bill.what }} - {{ bill.amount|currency(bill.original_currency) }} + {{ bill.id }} + {{ bill.payer }} + {% if bill.external_link %}{{ bill.external_link }}{% endif -%} + {{ bill.date|dateformat("long") }} - {{ bill.owers|join(', ', 'name') }} : {{ (bill.amount/weights)|currency(bill.original_currency) }} + {{ bill.creation_date.strftime("%a, %d %b %Y %T") }} +0000 + + {% endfor -%} + + diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py index 6110fabd3..c89418ec1 100644 --- a/ihatemoney/tests/budget_test.py +++ b/ihatemoney/tests/budget_test.py @@ -5,6 +5,7 @@ from urllib.parse import urlparse, urlunparse from flask import session, url_for +from libfaketime import fake_time import pytest from werkzeug.security import check_password_hash, generate_password_hash @@ -13,6 +14,7 @@ from ihatemoney.tests.common.help_functions import extract_link from ihatemoney.tests.common.ihatemoney_testcase import IhatemoneyTestCase from ihatemoney.versioning import LoggingMode +from ihatemoney.web import build_etag class BudgetTestCase(IhatemoneyTestCase): @@ -150,6 +152,54 @@ def test_multiple_join(self): data = self.client.get("/tartiflette/").data.decode("utf-8") self.assertEqual(data.count('href="/raclette/"'), 1) + def test_invalid_invite_link_with_feed_token(self): + """Test that a 'feed' token is not valid to join a project""" + self.post_project("raclette") + project = self.get_project("raclette") + invite_link = url_for( + ".join_project", project_id="raclette", token=project.generate_token("feed") + ) + response = self.client.get(invite_link, follow_redirects=True) + assert "Provided token is invalid" in response.data.decode() + + def test_invalid_invite_link_with_feed_token_different_project_with_same_password( + self, + ): + """ + Test that a 'feed' token is not valid to join another project_id + with the same password. + """ + self.post_project("raclette", password="password") + self.post_project("reblochon", password="password") + + project = self.get_project("raclette") + invite_link = url_for( + ".join_project", + project_id="reblochon", + token=project.generate_token("feed"), + ) + response = self.client.get(invite_link, follow_redirects=True) + assert "Provided token is invalid" in response.data.decode() + + def test_invalid_invite_link_with_feed_token_different_project_with_different_password( + self, + ): + """ + Test that a 'feed' token is not valid to join another project_id + with a different password. + """ + self.post_project("raclette", password="password") + self.post_project("reblochon", password="another-password") + + project = self.get_project("raclette") + invite_link = url_for( + ".join_project", + project_id="reblochon", + token=project.generate_token("feed"), + ) + response = self.client.get(invite_link, follow_redirects=True) + assert "Provided token is invalid" in response.data.decode() + def test_invite_code_invalidation(self): """Test that invitation link expire after code change""" self.login("raclette") @@ -1685,6 +1735,328 @@ def test_session_projects_migration_to_list(self): self.assertIsInstance(session["projects"], dict) self.assertIn("raclette", session["projects"]) + def test_rss_feed(self): + """ + Tests that the RSS feed output content is expected. + """ + with fake_time("2023-07-25 12:00:00"): + self.post_project("raclette") + self.client.post("/raclette/members/add", data={"name": "george"}) + self.client.post("/raclette/members/add", data={"name": "peter"}) + self.client.post("/raclette/members/add", data={"name": "steven"}) + + self.client.post( + "/raclette/add", + data={ + "date": "2016-12-31", + "what": "fromage à raclette", + "payer": 1, + "payed_for": [1, 2, 3], + "amount": "12", + "original_currency": "EUR", + }, + ) + self.client.post( + "/raclette/add", + data={ + "date": "2016-12-30", + "what": "charcuterie", + "payer": 2, + "payed_for": [1, 2], + "amount": "15", + "original_currency": "EUR", + }, + ) + self.client.post( + "/raclette/add", + data={ + "date": "2016-12-29", + "what": "vin blanc", + "payer": 2, + "payed_for": [1, 2], + "amount": "10", + "original_currency": "EUR", + }, + ) + + project = self.get_project("raclette") + token = project.generate_token("feed") + resp = self.client.get(f"/raclette/feed/{token}.xml") + + expected_rss_content = f""" + + + I Hate Money — raclette + Latest bills from raclette + + http://localhost/raclette/ + + fromage à raclette - €12.00 + 1 + george + December 31, 2016 - george, peter, steven : €4.00 + Tue, 25 Jul 2023 00:00:00 +0000 + + + charcuterie - €15.00 + 2 + peter + December 30, 2016 - george, peter : €7.50 + Tue, 25 Jul 2023 00:00:00 +0000 + + + vin blanc - €10.00 + 3 + peter + December 29, 2016 - george, peter : €5.00 + Tue, 25 Jul 2023 00:00:00 +0000 + + +""" # noqa: E501 + assert resp.data.decode() == expected_rss_content + + def test_rss_feed_history_disabled(self): + """ + Tests that RSS feeds is correctly rendered even if the project + history is disabled. + """ + with fake_time("2023-07-25 12:00:00"): + self.post_project("raclette", project_history=False) + self.client.post("/raclette/members/add", data={"name": "george"}) + self.client.post("/raclette/members/add", data={"name": "peter"}) + self.client.post("/raclette/members/add", data={"name": "steven"}) + + self.client.post( + "/raclette/add", + data={ + "date": "2016-12-31", + "what": "fromage à raclette", + "payer": 1, + "payed_for": [1, 2, 3], + "amount": "12", + "original_currency": "EUR", + }, + ) + self.client.post( + "/raclette/add", + data={ + "date": "2016-12-30", + "what": "charcuterie", + "payer": 2, + "payed_for": [1, 2], + "amount": "15", + "original_currency": "EUR", + }, + ) + self.client.post( + "/raclette/add", + data={ + "date": "2016-12-29", + "what": "vin blanc", + "payer": 2, + "payed_for": [1, 2], + "amount": "10", + "original_currency": "EUR", + }, + ) + + project = self.get_project("raclette") + token = project.generate_token("feed") + resp = self.client.get(f"/raclette/feed/{token}.xml") + + expected_rss_content = f""" + + + I Hate Money — raclette + Latest bills from raclette + + http://localhost/raclette/ + + fromage à raclette - €12.00 + 1 + george + December 31, 2016 - george, peter, steven : €4.00 + Tue, 25 Jul 2023 00:00:00 +0000 + + + charcuterie - €15.00 + 2 + peter + December 30, 2016 - george, peter : €7.50 + Tue, 25 Jul 2023 00:00:00 +0000 + + + vin blanc - €10.00 + 3 + peter + December 29, 2016 - george, peter : €5.00 + Tue, 25 Jul 2023 00:00:00 +0000 + + +""" # noqa: E501 + assert resp.data.decode() == expected_rss_content + + def test_rss_if_modified_since_header(self): + # Project creation + with fake_time("2023-07-26 13:00:00"): + self.post_project("raclette") + self.client.post("/raclette/members/add", data={"name": "george"}) + project = self.get_project("raclette") + token = project.generate_token("feed") + + resp = self.client.get(f"/raclette/feed/{token}.xml") + assert resp.status_code == 200 + assert resp.headers.get("Last-Modified") == "Wed, 26 Jul 2023 13:00:00 UTC" + + resp = self.client.get( + f"/raclette/feed/{token}.xml", + headers={"If-Modified-Since": "Tue, 26 Jul 2023 12:00:00 UTC"}, + ) + assert resp.status_code == 200 + + resp = self.client.get( + f"/raclette/feed/{token}.xml", + headers={"If-Modified-Since": "Tue, 26 Jul 2023 14:00:00 UTC"}, + ) + assert resp.status_code == 304 + + # Add bill + with fake_time("2023-07-27 13:00:00"): + self.login("raclette") + resp = self.client.post( + "/raclette/add", + data={ + "date": "2016-12-31", + "what": "fromage à raclette", + "payer": 1, + "payed_for": [1], + "amount": "12", + "original_currency": "EUR", + }, + follow_redirects=True, + ) + assert resp.status_code == 200 + assert "The bill has been added" in resp.data.decode() + + resp = self.client.get( + f"/raclette/feed/{token}.xml", + headers={"If-Modified-Since": "Tue, 27 Jul 2023 12:00:00 UTC"}, + ) + assert resp.headers.get("Last-Modified") == "Thu, 27 Jul 2023 13:00:00 UTC" + assert resp.status_code == 200 + + resp = self.client.get( + f"/raclette/feed/{token}.xml", + headers={"If-Modified-Since": "Tue, 27 Jul 2023 14:00:00 UTC"}, + ) + assert resp.status_code == 304 + + def test_rss_etag_headers(self): + # Project creation + with fake_time("2023-07-26 13:00:00"): + self.post_project("raclette") + self.client.post("/raclette/members/add", data={"name": "george"}) + project = self.get_project("raclette") + token = project.generate_token("feed") + + resp = self.client.get(f"/raclette/feed/{token}.xml") + assert resp.headers.get("ETag") == build_etag( + project.id, "2023-07-26T13:00:00" + ) + assert resp.status_code == 200 + + resp = self.client.get( + f"/raclette/feed/{token}.xml", + headers={ + "If-None-Match": build_etag(project.id, "2023-07-26T12:00:00"), + }, + ) + assert resp.status_code == 200 + + resp = self.client.get( + f"/raclette/feed/{token}.xml", + headers={ + "If-None-Match": build_etag(project.id, "2023-07-26T13:00:00"), + }, + ) + assert resp.status_code == 304 + + # Add bill + with fake_time("2023-07-27 13:00:00"): + self.login("raclette") + resp = self.client.post( + "/raclette/add", + data={ + "date": "2016-12-31", + "what": "fromage à raclette", + "payer": 1, + "payed_for": [1], + "amount": "12", + "original_currency": "EUR", + }, + follow_redirects=True, + ) + assert resp.status_code == 200 + assert "The bill has been added" in resp.data.decode() + + resp = self.client.get( + f"/raclette/feed/{token}.xml", + headers={ + "If-None-Match": build_etag(project.id, "2023-07-27T12:00:00"), + }, + ) + assert resp.headers.get("ETag") == build_etag(project.id, "2023-07-27T13:00:00") + assert resp.status_code == 200 + + resp = self.client.get( + f"/raclette/feed/{token}.xml", + headers={ + "If-None-Match": build_etag(project.id, "2023-07-27T13:00:00"), + }, + ) + assert resp.status_code == 304 + + def test_rss_feed_bad_token(self): + self.post_project("raclette") + project = self.get_project("raclette") + token = project.generate_token("feed") + + resp = self.client.get(f"/raclette/feed/{token}.xml") + self.assertEqual(resp.status_code, 200) + resp = self.client.get("/raclette/feed/invalid-token.xml") + self.assertEqual(resp.status_code, 404) + + def test_rss_feed_invalidated_token(self): + """ + Tests that a feed URL becames invalid when the project password changes. + """ + self.post_project("raclette") + project = self.get_project("raclette") + token = project.generate_token("feed") + + resp = self.client.get(f"/raclette/feed/{token}.xml") + self.assertEqual(resp.status_code, 200) + + self.client.post( + "/raclette/edit", + data={ + "name": "raclette", + "contact_email": "zorglub@notmyidea.org", + "password": "didoudida", + "default_currency": "XXX", + }, + follow_redirects=True, + ) + + resp = self.client.get(f"/raclette/feed/{token}.xml") + self.assertEqual(resp.status_code, 404) + if __name__ == "__main__": unittest.main() diff --git a/ihatemoney/tests/common/ihatemoney_testcase.py b/ihatemoney/tests/common/ihatemoney_testcase.py index 704753745..73d14ec27 100644 --- a/ihatemoney/tests/common/ihatemoney_testcase.py +++ b/ihatemoney/tests/common/ihatemoney_testcase.py @@ -56,6 +56,7 @@ def post_project( default_currency="XXX", name=None, password=None, + project_history=True, ): """Create a fake project""" name = name or id @@ -69,6 +70,7 @@ def post_project( "password": password, "contact_email": f"{id}@notmyidea.org", "default_currency": default_currency, + "project_history": project_history, }, follow_redirects=follow_redirects, ) diff --git a/ihatemoney/web.py b/ihatemoney/web.py index 19135a0c3..e97b8fc37 100644 --- a/ihatemoney/web.py +++ b/ihatemoney/web.py @@ -9,12 +9,14 @@ and `add_project_id` for a quick overview) """ from functools import wraps +import hashlib import json import os from urllib.parse import urlparse, urlunparse from flask import ( Blueprint, + Response, abort, current_app, flash, @@ -154,7 +156,8 @@ def pull_project(endpoint, values): is_admin = session.get("is_admin") is_invitation = endpoint == "main.join_project" - if session.get(project.id) or is_admin or is_invitation: + is_feed = endpoint == "main.feed" + if session.get(project.id) or is_admin or is_invitation or is_feed: # add project into kwargs and call the original function g.project = project else: @@ -898,6 +901,53 @@ def statistics(): ) +def build_etag(project_id, last_modified): + return hashlib.md5( + (current_app.config["SECRET_KEY"] + project_id + last_modified).encode() + ).hexdigest() + + +@main.route("//feed/.xml") +def feed(token): + verified_project_id = Project.verify_token( + token, token_type="feed", project_id=g.project.id + ) + if verified_project_id != g.project.id: + abort(404) + + weighted_bills = g.project.get_bill_weights_ordered().paginate( + per_page=100, error_out=True + ) + + # This computes the last modification datetime for the project or + # any of the 100 latest bills. This is done by reading the issued_at + # attribute generated by sqlalchemy-continuum. + bills_last_modified = [ + bill.versions[0].transaction.issued_at for _, bill in weighted_bills.items + ] + project_last_modified = g.project.versions[0].transaction.issued_at + last_modified = max(bills_last_modified + [project_last_modified]) + etag = build_etag(g.project.id, last_modified.isoformat()) + + if request.if_none_match and etag in request.if_none_match: + return "", 304 + + if ( + request.if_modified_since + and request.if_modified_since.replace(tzinfo=None) >= last_modified + ): + return "", 304 + + return Response( + render_template("project_feed.xml", bills=weighted_bills), + mimetype="application/rss+xml", + headers={ + "ETag": etag, + "Last-Modified": last_modified.strftime("%a, %d %b %Y %H:%M:%S UTC"), + }, + ) + + @main.route("/dashboard") @requires_admin() def dashboard(): diff --git a/setup.cfg b/setup.cfg index 4be876f26..c581307f4 100644 --- a/setup.cfg +++ b/setup.cfg @@ -61,6 +61,7 @@ dev = vermin==1.5.2 Flask-Testing>=0.8.1 pytest>=6.2.5 + pytest-libfaketime>=0.1.2 tox>=3.14.6 zest.releaser>=6.20.1 diff --git a/tox.ini b/tox.ini index 0b071d34a..cc5570bd5 100644 --- a/tox.ini +++ b/tox.ini @@ -7,7 +7,7 @@ passenv = TESTING_SQLALCHEMY_DATABASE_URI commands = python --version - py.test --pyargs ihatemoney.tests + py.test --pyargs ihatemoney.tests {posargs} deps = -e.[database,dev]