| """ |
| Formtools Preview application. |
| """ |
| |
| import cPickle as pickle |
| |
| from django.conf import settings |
| from django.http import Http404 |
| from django.shortcuts import render_to_response |
| from django.template.context import RequestContext |
| from django.utils.hashcompat import md5_constructor |
| |
| AUTO_ID = 'formtools_%s' # Each form here uses this as its auto_id parameter. |
| |
| class FormPreview(object): |
| preview_template = 'formtools/preview.html' |
| form_template = 'formtools/form.html' |
| |
| # METHODS SUBCLASSES SHOULDN'T OVERRIDE ################################### |
| |
| def __init__(self, form): |
| # form should be a Form class, not an instance. |
| self.form, self.state = form, {} |
| |
| def __call__(self, request, *args, **kwargs): |
| stage = {'1': 'preview', '2': 'post'}.get(request.POST.get(self.unused_name('stage')), 'preview') |
| self.parse_params(*args, **kwargs) |
| try: |
| method = getattr(self, stage + '_' + request.method.lower()) |
| except AttributeError: |
| raise Http404 |
| return method(request) |
| |
| def unused_name(self, name): |
| """ |
| Given a first-choice name, adds an underscore to the name until it |
| reaches a name that isn't claimed by any field in the form. |
| |
| This is calculated rather than being hard-coded so that no field names |
| are off-limits for use in the form. |
| """ |
| while 1: |
| try: |
| f = self.form.base_fields[name] |
| except KeyError: |
| break # This field name isn't being used by the form. |
| name += '_' |
| return name |
| |
| def preview_get(self, request): |
| "Displays the form" |
| f = self.form(auto_id=AUTO_ID) |
| return render_to_response(self.form_template, |
| {'form': f, 'stage_field': self.unused_name('stage'), 'state': self.state}, |
| context_instance=RequestContext(request)) |
| |
| def preview_post(self, request): |
| "Validates the POST data. If valid, displays the preview page. Else, redisplays form." |
| f = self.form(request.POST, auto_id=AUTO_ID) |
| context = {'form': f, 'stage_field': self.unused_name('stage'), 'state': self.state} |
| if f.is_valid(): |
| context['hash_field'] = self.unused_name('hash') |
| context['hash_value'] = self.security_hash(request, f) |
| return render_to_response(self.preview_template, context, context_instance=RequestContext(request)) |
| else: |
| return render_to_response(self.form_template, context, context_instance=RequestContext(request)) |
| |
| def post_post(self, request): |
| "Validates the POST data. If valid, calls done(). Else, redisplays form." |
| f = self.form(request.POST, auto_id=AUTO_ID) |
| if f.is_valid(): |
| if self.security_hash(request, f) != request.POST.get(self.unused_name('hash')): |
| return self.failed_hash(request) # Security hash failed. |
| return self.done(request, f.cleaned_data) |
| else: |
| return render_to_response(self.form_template, |
| {'form': f, 'stage_field': self.unused_name('stage'), 'state': self.state}, |
| context_instance=RequestContext(request)) |
| |
| # METHODS SUBCLASSES MIGHT OVERRIDE IF APPROPRIATE ######################## |
| |
| def parse_params(self, *args, **kwargs): |
| """ |
| Given captured args and kwargs from the URLconf, saves something in |
| self.state and/or raises Http404 if necessary. |
| |
| For example, this URLconf captures a user_id variable: |
| |
| (r'^contact/(?P<user_id>\d{1,6})/$', MyFormPreview(MyForm)), |
| |
| In this case, the kwargs variable in parse_params would be |
| {'user_id': 32} for a request to '/contact/32/'. You can use that |
| user_id to make sure it's a valid user and/or save it for later, for |
| use in done(). |
| """ |
| pass |
| |
| def security_hash(self, request, form): |
| """ |
| Calculates the security hash for the given Form instance. |
| |
| This creates a list of the form field names/values in a deterministic |
| order, pickles the result with the SECRET_KEY setting and takes an md5 |
| hash of that. |
| |
| Subclasses may want to take into account request-specific information |
| such as the IP address. |
| """ |
| data = [(bf.name, bf.data or '') for bf in form] + [settings.SECRET_KEY] |
| # Use HIGHEST_PROTOCOL because it's the most efficient. It requires |
| # Python 2.3, but Django requires 2.3 anyway, so that's OK. |
| pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL) |
| return md5_constructor(pickled).hexdigest() |
| |
| def failed_hash(self, request): |
| "Returns an HttpResponse in the case of an invalid security hash." |
| return self.preview_post(request) |
| |
| # METHODS SUBCLASSES MUST OVERRIDE ######################################## |
| |
| def done(self, request, cleaned_data): |
| """ |
| Does something with the cleaned_data and returns an |
| HttpResponseRedirect. |
| """ |
| raise NotImplementedError('You must define a done() method on your %s subclass.' % self.__class__.__name__) |