Diffstat (limited to 'core/views')
-rw-r--r--core/views/caves.py16
-rw-r--r--core/views/expo.py10
-rw-r--r--core/views/logbooks.py14
-rw-r--r--core/views/uploads.py9
4 files changed, 41 insertions, 8 deletions
diff --git a/core/views/caves.py b/core/views/caves.py
index 70a7a84..890782f 100644
--- a/core/views/caves.py
+++ b/core/views/caves.py
@@ -555,6 +555,13 @@ def edit_entrance(request, path="", caveslug=None, entslug=None):
GET RID of all this entranceletter stuff. Far too overcomplexified.
We don't need it. Just the entrance slug is fine, then check uniqueness.
+
+ A whole new form is created just to edit the entranceletter.
+ To Do: put the entranceletter field on the Entrance, and delete the whole
+ CaveandEntrance class and form thing.
+ Don't use the existance of a CaveandEntrance object to see if the letter is valid,
+ just count the entrances instead.
+ We can do this simplification as troggle now assumes only 1 cave per entrance.
"""
def check_new_slugname_ok(slug, letter):
"""In Nov.2023 it is possible to create a 2nd entrance and not set an entrance letter,
@@ -808,9 +815,14 @@ def qm(request, cave_id, qm_id, year, grade=None, blockname=None):
Needs refactoring though! Uses extremely baroque way of getting the QMs instead of querying for QM objects
directly, presumably as a result of a baroque history.
- Many caves have several QMS with the same number, grade, year (2018) and first 8 chars of the survexblock. This crashes things, so the terminal char of the survexblock name was added
+ Many caves have several QMS with the same number, grade, year (2018) and first 8 chars of the survexblock.
+ This crashes things, so the terminal char of the survexblock name was added to disambiguate
"""
-
+
+ if not qm_id:
+ message = f"No qm_id specified {cave_id=} {year=} {blockname=}"
+ return render(request, "errors/generic.html", {"message": message})
+
year = int(year)
if blockname == "" or not blockname:
diff --git a/core/views/expo.py b/core/views/expo.py
index b2ab312..bf9e78d 100644
--- a/core/views/expo.py
+++ b/core/views/expo.py
@@ -71,8 +71,14 @@ def map(request):
def mapfile(request, path):
"""Serves unadorned file: everything in the /map/... folder tree"""
fn = Path(settings.EXPOWEB, "map", path)
- print(f"MAP cuttout. \n{path=}\n{fn=} mime:{getmimetype(fn)}")
- return HttpResponse(content=open(fn, "r"), content_type=getmimetype(fn))
+ if fn.is_file():
+ print(f"MAP cuttout. \n{path=}\n{fn=} mime:{getmimetype(fn)}")
+ return HttpResponse(content=open(fn, "r"), content_type=getmimetype(fn))
+ else:
+ message = f"### File not found ### {fn}"
+ print(message)
+ return render(request, "errors/generic.html", {"message": message})
+
def expofilessingle(request, filepath):
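Review bot: The added `fn.is_file()` check in `mapfile` confirms that the target exists but not that it lies inside the map tree. `path` comes from the URL and is joined straight into `Path(settings.EXPOWEB, "map", path)`, so unless the URL pattern (not visible here) forbids it, `..` segments or an absolute path could resolve to a file elsewhere on the server. Resolve the path and require the map directory among its parents before opening the file, as sketched below. The not-found message also interpolates `fn`, which shows the server's filesystem layout to the client; echoing `path` is enough. Separately, `open(fn, "r")` reads in text mode, which will probably fail on binary map files.

```python
def mapfile(request, path):
    """Serves unadorned file: everything in the /map/... folder tree"""
    map_root = Path(settings.EXPOWEB, "map").resolve()
    fn = (map_root / path).resolve()
    # Refuse anything that resolves outside the map tree, and anything that is not a file
    if map_root not in fn.parents or not fn.is_file():
        message = f"### File not found ### {path}"
        print(message)
        return render(request, "errors/generic.html", {"message": message}, status=404)
    # … unchanged: debug print and HttpResponse serving fn …
```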
diff --git a/core/views/logbooks.py b/core/views/logbooks.py
index 4c88d03..c71bab0 100644
--- a/core/views/logbooks.py
+++ b/core/views/logbooks.py
@@ -3,6 +3,7 @@ import re
from django.db.models import Q
from django.shortcuts import redirect, render
from django.views.generic.list import ListView
+from django.core.exceptions import ValidationError
import troggle.settings as settings
from troggle.core.models.logbooks import QM, LogbookEntry, PersonLogEntry, writelogbook
@@ -307,8 +308,17 @@ def logreport(request, year=1999):
return render(request, "errors/generic.html", {"message": msg})
def logbookentry(request, date, slug):
- # start = time.time()
- trips = LogbookEntry.objects.filter(date=date) # all the trips not just this one
+ """Displays a single logbook entry
+ however, if an author has not used the correct URL in an image or a reference, then a link from
+ inside a logbook entry can arrive with this default address prefix. So we
+ have to handle that error without crashing.
+ """
+ try:
+ trips = LogbookEntry.objects.filter(date=date) # all the trips not just this one
+ except ValidationError:
+ msg = f' Logbook entry invalid date:"{date}" probably because of relative (not absolute) addressing of "src=" or "haref=" in the text'
+ print(msg)
+ return render(request, "errors/generic.html", {"message": msg})
this_logbookentry = trips.filter(date=date, slug=slug)
year = slug[:4]
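Review bot: The message built in the `except ValidationError` branch of `logbookentry` interpolates the URL-derived `date` and hands it to the template, so it is safe only if `errors/generic.html` keeps autoescaping on and does not mark `message` as safe. That template is not visible here and is worth checking, also for the `qm` and `mapfile` messages added in this commit. The user-facing string has a typo: `"haref="` should be `"href="`. The new docstring would read better opening with a complete summary line, e.g. `"""Display a single logbook entry, or an error page when the date in the URL is invalid."""`. The function body continues outside the hunk.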
diff --git a/core/views/uploads.py b/core/views/uploads.py
index 9ef11ac..c7b7e74 100644
--- a/core/views/uploads.py
+++ b/core/views/uploads.py
@@ -157,6 +157,7 @@ class LogbookEditForm(forms.Form): # not a model-form, just a form-form
@login_required_if_public
def edittxtpage(request, path, filepath):
"""Editing a .txt file on expoweb/
+ Yes this is a security hazard as arbitrary text can be uploaded and it is not enclosed in any HTML furniture.
"""
def simple_get(viewtext):
form = ExpotextfileForm()
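Review bot: The new docstring line in `edittxtpage` names the hazard but not the condition that keeps it contained, so a later maintainer cannot tell what must stay true. If the saved files are ever served with a content type a browser treats as HTML, the stored text would run as markup in other users' sessions. I would record the constraint next to the warning, e.g. `Stored text is written back verbatim; it must only ever be served as text/plain (with nosniff), never rendered as HTML.`, after confirming that this is how the .txt files are served. The function body continues outside the hunk.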
@@ -175,9 +176,10 @@ def edittxtpage(request, path, filepath):
message=""
if not filepath.is_file():
+ message = f"File not found '{filepath}\n\nfailure detected in expowebpage() in views.expo.py"
print(f"Not a file: {filepath}")
- errpage = f"<html>" + default_head + f"<h3>File not found '{filepath}'<br><br>failure detected in expowebpage() in views.expo.py</h3> </body>"
- return HttpResponse(errpage)
+ return render(request, "errors/generic.html", {"message": message})
+
try:
with open(filepath, "r") as f:
originaltext = f.read()
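Review bot: The new `message` in `edittxtpage` has an unbalanced quote (`'{filepath}` is never closed) and still names `expowebpage() in views.expo.py`, although this code is `edittxtpage` in `core/views/uploads.py`, which will mislead whoever reads the error. The `\n\n` will likely collapse to a single space once rendered in HTML, and the full `filepath` exposes the server's directory layout to the client. Suggested: `message = f"File not found '{path}' (detected in edittxtpage() in views/uploads.py)"`. The function body continues outside the hunk.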
@@ -207,6 +209,9 @@ def edittxtpage(request, path, filepath):
if "Save" in request.POST:
print("submitted for saving..")
+ # should insert sanitization in here
+ # but user cannot rename the file, and cannot create new files
+ # and this is only used for .txt files
if newtext != originaltext: # Check if content has changed at all
print("text changed.. saving and committing")
try: