authorPhilip Sargent <philip.sargent@gmail.com>2024-12-19 22:55:08 +0000
committerPhilip Sargent <philip.sargent@gmail.com>2024-12-19 22:55:08 +0000
commit011e6777c9cf092bdcb8b5d9bfda8a0b86c69236 (patch)
tree474dfe0908531d1cc22f14024cfa375f5c28c072 /core
parent19bbb00dcc9d8fc2600bd782343ffff2a9fb2798 (diff)
bugfixes and more comments
Diffstat (limited to 'core')
-rw-r--r--core/forms.py7
-rw-r--r--core/views/caves.py16
-rw-r--r--core/views/expo.py10
-rw-r--r--core/views/logbooks.py14
-rw-r--r--core/views/uploads.py9
5 files changed, 47 insertions, 9 deletions
diff --git a/core/forms.py b/core/forms.py
index 4229d82..24d0fec 100644
--- a/core/forms.py
+++ b/core/forms.py
@@ -45,6 +45,8 @@ todo = """
class CaveForm(ModelForm):
"""Only those fields for which we want to override defaults are listed here
the other fields of the class Cave are present on the form, but use the default presentation style
+
+ see https://docs.djangoproject.com/en/5.1/topics/forms/modelforms/
"""
unofficial_number= forms.CharField(required=False,
label="Unofficial Number used to construct internal identifiers",
@@ -143,6 +145,8 @@ class CaveForm(ModelForm):
class EntranceForm(ModelForm):
"""Only those fields for which we want to override defaults are listed here
the other fields are present on the form, but use the default presentation style
+
+ see https://docs.djangoproject.com/en/5.1/topics/forms/modelforms/
"""
name = forms.CharField(required=False, widget=forms.TextInput(attrs={"size": "45", "placeholder": "usually leave this blank"}))
@@ -240,7 +244,6 @@ class EntranceForm(ModelForm):
# # This next line is sufficient to create an entire entry for for the cave fields automatically
-# # using django built-in Deep Magic. https://docs.djangoproject.com/en/dev/topics/forms/modelforms/
# # for forms which map directly onto a Django Model
# CaveAndEntranceFormSet = modelformset_factory(CaveAndEntrance, exclude=("cave",))
# # This is used only in templates/editcave.html which is called only to edit caves in core/views/cave.py
@@ -250,6 +253,8 @@ class EntranceLetterForm(ModelForm):
Nb. The relationship between caves and entrances has historically been a many to many relationship.
With entrances gaining new caves and letters when caves are joined.
+
+ see https://docs.djangoproject.com/en/5.1/topics/forms/modelforms/
"""
# This only needs to be required=True for the second and subsequent entrances, not the first. Tricky.
diff --git a/core/views/caves.py b/core/views/caves.py
index 70a7a84..890782f 100644
--- a/core/views/caves.py
+++ b/core/views/caves.py
@@ -555,6 +555,13 @@ def edit_entrance(request, path="", caveslug=None, entslug=None):
GET RID of all this entranceletter stuff. Far too overcomplexified.
We don't need it. Just the entrance slug is fine, then check uniqueness.
+
+ A whole new form is created just to edit the entranceletter.
+ To Do: put the entranceletter field on the Entrance, and delete the whole
+ CaveandEntrance class and form thing.
+ Don't use the existance of a CaveandEntrance object to see if the letter is valid,
+ just count the entrances instead.
+ We can do this simplification as troggle now assumes only 1 cave per entrance.
"""
def check_new_slugname_ok(slug, letter):
"""In Nov.2023 it is possible to create a 2nd entrance and not set an entrance letter,
@@ -808,9 +815,14 @@ def qm(request, cave_id, qm_id, year, grade=None, blockname=None):
Needs refactoring though! Uses extremely baroque way of getting the QMs instead of querying for QM objects
directly, presumably as a result of a baroque history.
- Many caves have several QMS with the same number, grade, year (2018) and first 8 chars of the survexblock. This crashes things, so the terminal char of the survexblock name was added
+ Many caves have several QMS with the same number, grade, year (2018) and first 8 chars of the survexblock.
+ This crashes things, so the terminal char of the survexblock name was added to disambiguate
"""
-
+
+ if not qm_id:
+ message = f"No qm_id specified {cave_id=} {year=} {blockname=}"
+ return render(request, "errors/generic.html", {"message": message})
+
year = int(year)
if blockname == "" or not blockname:
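Review bot: The new `if not qm_id:` branch returns the error template with the default 200 status, so clients, crawlers and log-based monitoring all record a success; pass a status, e.g. `return render(request, "errors/generic.html", {"message": message}, status=404)`. The same applies to the error returns this commit adds in mapfile (core/views/expo.py), logbookentry (core/views/logbooks.py) and edittxtpage (core/views/uploads.py). The `year = int(year)` line directly below is still unguarded and would raise ValueError on a non-numeric year unless the URL pattern already restricts it, which is not visible here. qm's body continues outside the hunk.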
diff --git a/core/views/expo.py b/core/views/expo.py
index b2ab312..bf9e78d 100644
--- a/core/views/expo.py
+++ b/core/views/expo.py
@@ -71,8 +71,14 @@ def map(request):
def mapfile(request, path):
"""Serves unadorned file: everything in the /map/... folder tree"""
fn = Path(settings.EXPOWEB, "map", path)
- print(f"MAP cuttout. \n{path=}\n{fn=} mime:{getmimetype(fn)}")
- return HttpResponse(content=open(fn, "r"), content_type=getmimetype(fn))
+ if fn.is_file():
+ print(f"MAP cuttout. \n{path=}\n{fn=} mime:{getmimetype(fn)}")
+ return HttpResponse(content=open(fn, "r"), content_type=getmimetype(fn))
+ else:
+ message = f"### File not found ### {fn}"
+ print(message)
+ return render(request, "errors/generic.html", {"message": message})
+
def expofilessingle(request, filepath):
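Review bot: `fn = Path(settings.EXPOWEB, "map", path)` is still built from the URL-supplied `path` with no containment check, and the added `fn.is_file()` test only confirms that a file exists, not that it lives under the map folder. Unless the URL pattern already constrains `path` (not visible here), parent-directory segments or an absolute component can make `fn` resolve outside the map tree; resolving both paths and requiring `fn.is_relative_to(base)` closes that. The not-found message also echoes the full server-side path to the client, so a fixed message is safer, with the path kept in the server log only. Separately, `open(fn, "r")` decodes the file as text, which would fail on binary map images if any are served from here.

```python
def mapfile(request, path):
    # … unchanged: docstring …
    base = Path(settings.EXPOWEB, "map").resolve()
    fn = (base / path).resolve()
    # refuse anything that resolves outside the map tree, then check existence
    if not fn.is_relative_to(base) or not fn.is_file():
        print(f"### File not found ### {fn}")  # full path stays server-side
        return render(request, "errors/generic.html", {"message": "### File not found ###"}, status=404)
    # … unchanged: debug print and HttpResponse return …
```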
diff --git a/core/views/logbooks.py b/core/views/logbooks.py
index 4c88d03..c71bab0 100644
--- a/core/views/logbooks.py
+++ b/core/views/logbooks.py
@@ -3,6 +3,7 @@ import re
from django.db.models import Q
from django.shortcuts import redirect, render
from django.views.generic.list import ListView
+from django.core.exceptions import ValidationError
import troggle.settings as settings
from troggle.core.models.logbooks import QM, LogbookEntry, PersonLogEntry, writelogbook
@@ -307,8 +308,17 @@ def logreport(request, year=1999):
return render(request, "errors/generic.html", {"message": msg})
def logbookentry(request, date, slug):
- # start = time.time()
- trips = LogbookEntry.objects.filter(date=date) # all the trips not just this one
+ """Displays a single logbook entry
+ however, if an author has not used the correct URL in an image or a reference, then a link from
+ inside a logbook entry can arrive with this default address prefix. So we
+ have to handle that error without crashing.
+ """
+ try:
+ trips = LogbookEntry.objects.filter(date=date) # all the trips not just this one
+ except ValidationError:
+ msg = f' Logbook entry invalid date:"{date}" probably because of relative (not absolute) addressing of "src=" or "haref=" in the text'
+ print(msg)
+ return render(request, "errors/generic.html", {"message": msg})
this_logbookentry = trips.filter(date=date, slug=slug)
year = slug[:4]
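Review bot: The user-facing message in the new `except ValidationError` branch contains a typo, `"haref="`, which should read `"href="`. The branch also interpolates the raw `date` URL segment into `print(msg)`; depending on what the URL pattern admits (not visible here), that value could carry control characters into the server log, so `print(repr(msg))` or a logger call with `%r` would be safer. The template is presumably autoescaped, which covers the rendered copy. logbookentry's body continues outside the hunk.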
diff --git a/core/views/uploads.py b/core/views/uploads.py
index 9ef11ac..c7b7e74 100644
--- a/core/views/uploads.py
+++ b/core/views/uploads.py
@@ -157,6 +157,7 @@ class LogbookEditForm(forms.Form): # not a model-form, just a form-form
@login_required_if_public
def edittxtpage(request, path, filepath):
"""Editing a .txt file on expoweb/
+ Yes this is a security hazard as arbitrary text can be uploaded and it is not enclosed in any HTML furniture.
"""
def simple_get(viewtext):
form = ExpotextfileForm()
@@ -175,9 +176,10 @@ def edittxtpage(request, path, filepath):
message=""
if not filepath.is_file():
+ message = f"File not found '{filepath}\n\nfailure detected in expowebpage() in views.expo.py"
print(f"Not a file: {filepath}")
- errpage = f"<html>" + default_head + f"<h3>File not found '{filepath}'<br><br>failure detected in expowebpage() in views.expo.py</h3> </body>"
- return HttpResponse(errpage)
+ return render(request, "errors/generic.html", {"message": message})
+
try:
with open(filepath, "r") as f:
originaltext = f.read()
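Review bot: The new `message` string has an unbalanced quote after `{filepath}` and still names `expowebpage() in views.expo.py`, although this branch is in edittxtpage in core/views/uploads.py, so the error will send a maintainer to the wrong function. Something like `message = f"File not found '{filepath}' - failure detected in edittxtpage() in views/uploads.py"` fixes both; the `\n\n` will not show as a line break in an HTML template anyway. Replacing the hand-built `errpage` with the template is a good move, since the old string put `filepath` into HTML unescaped. edittxtpage's body continues outside the hunk.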
@@ -207,6 +209,9 @@ def edittxtpage(request, path, filepath):
if "Save" in request.POST:
print("submitted for saving..")
+ # should insert sanitization in here
+ # but user cannot rename the file, and cannot create new files
+ # and this is only used for .txt files
if newtext != originaltext: # Check if content has changed at all
print("text changed.. saving and committing")
try:
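Review bot: The added comment says sanitization "should" be inserted, but `newtext` is still written and committed unchanged, and the comment does not say what the sanitization must prevent. The docstring added earlier in this file notes that the text is served without any HTML wrapper, so the real control is on the serving side. I would turn this into an actionable marker such as `# TODO: no sanitization yet - .txt files must be served as text/plain with X-Content-Type-Options: nosniff so saved markup is never rendered`, and confirm that the view serving these files does that. The save path continues outside the hunk, so whether any size or content limit is applied later is not visible here.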