Compare commits


No commits in common. "master" and "v1.13.0" have entirely different histories.

434 changed files with 16939 additions and 91736 deletions

View File

.gitignore vendored
View File

@ -1,17 +1,14 @@
/config.cfg config.cfg
/*.env *.env
*.sqlite *.sqlite
custom.css custom.css
tmp tmp
log.txt log.txt
*.rdb *.rdb
app/public/uploads uploads
app/public/thumbnails thumbnails
celerybeat-schedule celerybeat-schedule
/data /data
# Created by,macos,python,windows # Created by,macos,python,windows
@ -106,6 +103,10 @@ coverage.xml
*.cover *.cover
.hypothesis/ .hypothesis/
# Translations
# Flask stuff: # Flask stuff:
instance/ instance/
.webassets-cache .webassets-cache

View File

@ -1,24 +1,17 @@
FROM python:3.10 FROM python:3.6
RUN groupadd -g 5123 cdb && \
useradd -r -u 5123 -g cdb cdb
WORKDIR /home/cdb WORKDIR /home/cdb
RUN mkdir /var/cdb COPY requirements.txt requirements.txt
RUN chown -R cdb:cdb /var/cdb RUN pip install -r ./requirements.txt
COPY requirements.lock.txt requirements.lock.txt
RUN pip install -r requirements.lock.txt
RUN pip install gunicorn RUN pip install gunicorn
RUN pip install psycopg2
COPY utils utils COPY ./
COPY config.cfg config.cfg COPY ./
COPY migrations migrations RUN chmod +x
COPY app app COPY app app
COPY translations translations COPY migrations migrations
COPY config.cfg ./config.cfg
RUN pybabel compile -d translations
RUN chown -R cdb:cdb /home/cdb
USER cdb

View File

LICENSE.txt Normal file
View File

@ -0,0 +1,674 @@
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
16. Limitation of Liability.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read

View File

@ -1,94 +1,27 @@
# Content Database # Content Database
![Build Status](
Content database for Minetest mods, games, and more.\ Content database for Minetest mods, games, and more.
Developed by rubenwardy, license AGPLv3.0+.
See [Getting Started](docs/ for setting up a development/prodiction environment. Developed by rubenwardy, license GPLv3.0+.
See [Developer Intro](docs/ for an overview of the code organisation.
## How-tos ## How-tos
```sh Note: you should first read one of the guides on the [Github repo wiki](
# Hot/live reload (only works with FLASK_DEBUG=1)
# Cold update a running version of CDB with minimal downtime (production) ```sh
./utils/ # Run celery worker
FLASK_CONFIG=../config.cfg celery -A app.tasks.celery worker
# if sqlite
python -t
rm db.sqlite && python -t && FLASK_CONFIG=../config.cfg FLASK_APP=app/ flask db stamp head
# Create migration
FLASK_CONFIG=../config.cfg FLASK_APP=app/ flask db migrate
# Run migration
FLASK_CONFIG=../config.cfg FLASK_APP=app/ flask db upgrade
# Enter docker # Enter docker
./utils/ docker exec -it contentdb_app_1 bash
# Run migrations
# Create new migration
### VSCode: Setting up Linting
* (optional) Install the [Docker extension](
* Install the [Python extension](
* Click no to installing pylint (we don't want it to be installed outside of a virtual env)
* Set up a virtual env
* Replace `psycopg2` with `psycopg2_binary` in requirements.txt (because postgresql won't be installed on the system)
* `python3 -m venv env`
* Click yes to prompt to select virtual env for workspace
* Click yes to any prompts about installing pylint
* `source env/bin/activate`
* `pip install -r requirements`
* `pip install pylint` (if a prompt didn't appear)
* Undo changes to requirements.txt
### VSCode: Material Icon Folder Designations
"material-icon-theme.folders.associations": {
"packages": "",
"tasks": "",
"api": "",
"meta": "",
"blueprints": "routes",
"scss": "sass",
"flatpages": "markdown",
"data": "temp",
"migrations": "archive",
"textures": "images",
"sounds": "audio"
## Database
User "1" --> "*" Package
User --> UserEmailVerification
User "1" --> "*" Notification
Package "1" --> "*" Release
Package "1" --> "*" Dependency
Package "1" --> "*" Tag
Package "1" --> "*" MetaPackage : provides
Release --> MinetestVersion
Package --> License
Dependency --> Package
Dependency --> MetaPackage
MetaPackage "1" --> "*" Package
Package "1" --> "*" Screenshot
Package "1" --> "*" Thread
Thread "1" --> "*" Reply
Thread "1" --> "*" User : watchers
User "1" --> "*" Thread
User "1" --> "*" Reply
User "1" --> "*" ForumTopic
User --> "0..1" EmailPreferences
User "1" --> "*" APIToken
APIToken --> Package
``` ```

View File

@ -1,172 +1,54 @@
# ContentDB # Content DB
# Copyright (C) 2018-21 rubenwardy # Copyright (C) 2018 rubenwardy
# #
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by # it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or # the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version. # (at your option) any later version.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU Affero General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <>. # along with this program. If not, see <>.
import datetime
from flask import * from flask import *
from flask_user import *
from flask_gravatar import Gravatar from flask_gravatar import Gravatar
import flask_menu as menu
from flask_mail import Mail from flask_mail import Mail
from flaskext.markdown import Markdown
from flask_github import GitHub from flask_github import GitHub
from flask_wtf.csrf import CSRFProtect from flask_wtf.csrf import CsrfProtect
from flask_flatpages import FlatPages from flask_flatpages import FlatPages
from flask_babel import Babel, gettext import os
from flask_login import logout_user, current_user, LoginManager
import os, redis
from app.markdown import init_markdown, MARKDOWN_EXTENSIONS, MARKDOWN_EXTENSION_CONFIG
app = Flask(__name__, static_folder="public/static") app = Flask(__name__, static_folder="public/static")
app.config["FLATPAGES_ROOT"] = "flatpages" app.config["FLATPAGES_ROOT"] = "flatpages"
app.config["FLATPAGES_EXTENSION"] = ".md" app.config["FLATPAGES_EXTENSION"] = ".md"
app.config["BABEL_TRANSLATION_DIRECTORIES"] = "../translations"
app.config["LANGUAGES"] = {
"en": "English",
"de": "Deutsch",
"fr": "Français",
"id": "Bahasa Indonesia",
"ms": "Bahasa Melayu",
"ru": "русский язык",
app.config.from_pyfile(os.environ["FLASK_CONFIG"]) app.config.from_pyfile(os.environ["FLASK_CONFIG"])
r = redis.Redis.from_url(app.config["REDIS_URL"]) menu.Menu(app=app)
markdown = Markdown(app, extensions=["fenced_code"], safe_mode=True, output_format="html5")
github = GitHub(app) github = GitHub(app)
csrf = CSRFProtect(app) csrf = CsrfProtect(app)
mail = Mail(app) mail = Mail(app)
pages = FlatPages(app) pages = FlatPages(app)
babel = Babel(app)
gravatar = Gravatar(app, gravatar = Gravatar(app,
size=64, size=58,
rating="g", rating='g',
default="retro", default='mp',
force_default=False, force_default=False,
force_lower=False, force_lower=False,
use_ssl=True, use_ssl=True,
base_url=None) base_url=None)
login_manager = LoginManager() if not app.debug:
login_manager.init_app(app) from .maillogger import register_mail_error_handler
login_manager.login_view = "users.login" register_mail_error_handler(app, mail)
from . import models, tasks
from .sass import init_app as sass from .views import *
if not app.debug and app.config["MAIL_UTILS_ERROR_SEND_TO"]:
from .maillogger import build_handler
from . import models, template_filters
def load_user(user_id):
return models.User.query.filter_by(username=user_id).first()
from .blueprints import create_blueprints
def send_upload(path):
return send_from_directory(app.config["UPLOAD_DIR"], path)
def flatpage(path):
page = pages.get_or_404(path)
template = page.meta.get("template", "flatpage.html")
return render_template(template, page=page)
def check_for_ban():
if current_user.is_authenticated:
if current_user.rank == models.UserRank.BANNED:
flash(gettext("You have been banned."), "danger")
return redirect(url_for("users.login"))
elif current_user.rank == models.UserRank.NOT_JOINED:
current_user.rank = models.UserRank.MEMBER
from .utils import clearNotifications, is_safe_url
def check_for_notifications():
if current_user.is_authenticated:
def page_not_found(e):
return render_template("404.html"), 404
def get_locale():
if not request:
return None
locales = app.config["LANGUAGES"].keys()
if current_user.is_authenticated and current_user.locale in locales:
return current_user.locale
locale = request.cookies.get("locale")
if locale not in locales:
locale = request.accept_languages.best_match(locales)
if locale and current_user.is_authenticated:
new_session = models.db.create_session({})()
new_session.query(models.User) \
.filter(models.User.username == current_user.username) \
.update({ "locale": locale })
return locale
@app.route("/set-locale/", methods=["POST"])
def set_locale():
locale = request.form.get("locale")
if locale not in app.config["LANGUAGES"].keys():
flash("Unknown locale {}".format(locale), "danger")
locale = None
next_url = request.form.get("r")
if next_url and is_safe_url(next_url):
resp = make_response(redirect(next_url))
resp = make_response(redirect(url_for("homepage.home")))
if locale:
expire_date =
expire_date = expire_date + datetime.timedelta(days=5*365)
resp.set_cookie("locale", locale, expires=expire_date)
if current_user.is_authenticated:
current_user.locale = locale
return resp

View File

@ -1,10 +0,0 @@
import os, importlib
def create_blueprints(app):
dir = os.path.dirname(os.path.realpath(__file__))
modules = next(os.walk(dir))[1]
for modname in modules:
if all(c.islower() for c in modname):
module = importlib.import_module("." + modname, __name__)

View File

@ -1,338 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
import os
import sys
from typing import List
import requests
from celery import group
from flask import redirect, url_for, flash, current_app, jsonify
from sqlalchemy import or_, and_
from app.logic.game_support import GameSupportResolver
from app.models import PackageRelease, db, Package, PackageState, PackageScreenshot, MetaPackage, User, \
NotificationType, PackageUpdateConfig, License, UserRank, PackageType, PackageGameSupport
from app.tasks.emails import send_pending_digests
from app.tasks.forumtasks import importTopicList, checkAllForumAccounts
from app.tasks.importtasks import importRepoScreenshot, checkZipRelease, check_for_updates
from app.utils import addNotification, get_system_user
from app.utils.image import get_image_size
actions = {}
def action(title: str):
def func(f):
name = f.__name__
actions[name] = {
"title": title,
"func": f,
return f
return func
@action("Delete stuck releases")
def del_stuck_releases():
return redirect(url_for("admin.admin_page"))
@action("Check ZIP releases")
def check_releases():
releases = PackageRelease.query.filter("/uploads/%")).all()
tasks = []
for release in releases:
tasks.append(checkZipRelease.s(, release.file_path))
result = group(tasks).apply_async()
while not result.ready():
import time
return redirect(url_for("todo.view_editor"))
@action("Check the first release of all packages")
def reimport_packages():
tasks = []
for package in Package.query.filter(Package.state != PackageState.DELETED).all():
release = package.releases.first()
if release:
tasks.append(checkZipRelease.s(, release.file_path))
result = group(tasks).apply_async()
while not result.ready():
import time
return redirect(url_for("todo.view_editor"))
@action("Import forum topic list")
def import_topic_list():
task = importTopicList.delay()
return redirect(url_for("tasks.check",, r=url_for("todo.topics")))
@action("Check all forum accounts")
def check_all_forum_accounts():
task = checkAllForumAccounts.delay()
return redirect(url_for("tasks.check",, r=url_for("admin.admin_page")))
@action("Import screenshots")
def import_screenshots():
packages = Package.query \
.filter(Package.state != PackageState.DELETED) \
.outerjoin(PackageScreenshot, == PackageScreenshot.package_id) \
.filter( \
for package in packages:
return redirect(url_for("admin.admin_page"))
@action("Remove unused uploads")
def clean_uploads():
upload_dir = current_app.config['UPLOAD_DIR']
(_, _, filenames) = next(os.walk(upload_dir))
existing_uploads = set(filenames)
if len(existing_uploads) != 0:
def get_filenames_from_column(column):
results = db.session.query(column).filter(column.isnot(None), column != "").all()
return set([os.path.basename(x[0]) for x in results])
release_urls = get_filenames_from_column(PackageRelease.url)
screenshot_urls = get_filenames_from_column(PackageScreenshot.url)
db_urls = release_urls.union(screenshot_urls)
unreachable = existing_uploads.difference(db_urls)
import sys
print("On Disk: ", existing_uploads, file=sys.stderr)
print("In DB: ", db_urls, file=sys.stderr)
print("Unreachable: ", unreachable, file=sys.stderr)
for filename in unreachable:
os.remove(os.path.join(upload_dir, filename))
flash("Deleted " + str(len(unreachable)) + " unreachable uploads", "success")
flash("No downloads to create", "danger")
return redirect(url_for("admin.admin_page"))
@action("Delete unused metapackages")
def del_meta_packages():
query = MetaPackage.query.filter(~MetaPackage.dependencies.any(), ~MetaPackage.packages.any())
count = query.count()
flash("Deleted " + str(count) + " unused meta packages", "success")
return redirect(url_for("admin.admin_page"))
@action("Delete removed packages")
def del_removed_packages():
query = Package.query.filter_by(state=PackageState.DELETED)
count = query.count()
for pkg in query.all():
pkg.review_thread = None
flash("Deleted {} soft deleted packages packages".format(count), "success")
return redirect(url_for("admin.admin_page"))
@action("Run update configs")
def run_update_config():
flash("Started update configs", "success")
return redirect(url_for("admin.admin_page"))
def _package_list(packages: List[str]):
# Who needs translations?
if len(packages) >= 3:
packages[len(packages) - 1] = "and " + packages[len(packages) - 1]
packages_list = ", ".join(packages)
packages_list = " and ".join(packages)
return packages_list
@action("Send WIP package notification")
def remind_wip():
users = User.query.filter(User.packages.any(or_(Package.state == PackageState.WIP, Package.state == PackageState.CHANGES_NEEDED)))
system_user = get_system_user()
for user in users:
packages = db.session.query(Package.title).filter(
Package.author_id ==,
or_(Package.state == PackageState.WIP, Package.state==PackageState.CHANGES_NEEDED)) \
packages = [pkg[0] for pkg in packages]
packages_list = _package_list(packages)
havent = "haven't" if len(packages) > 1 else "hasn't"
if len(packages_list) + 54 > 100:
packages_list = packages_list[0:(100-54-1)] + ""
addNotification(user, system_user, NotificationType.PACKAGE_APPROVAL,
f"Did you forget? {packages_list} {havent} been submitted for review yet",
url_for('todo.view_user', username=user.username))
@action("Send outdated package notification")
def remind_outdated():
users = User.query.filter(User.maintained_packages.any(
system_user = get_system_user()
for user in users:
packages = db.session.query(Package.title).filter(
Package.update_config.has(PackageUpdateConfig.outdated_at.isnot(None))) \
packages = [pkg[0] for pkg in packages]
packages_list = _package_list(packages)
addNotification(user, system_user, NotificationType.PACKAGE_APPROVAL,
f"The following packages may be outdated: {packages_list}",
url_for('todo.view_user', username=user.username))
@action("Import licenses from SPDX")
def import_licenses():
renames = {
"GPLv2": "GPL-2.0-only",
"GPLv3": "GPL-3.0-only",
"AGPLv2": "AGPL-2.0-only",
"AGPLv3": "AGPL-3.0-only",
"LGPLv2.1": "LGPL-2.1-only",
"LGPLv3": "LGPL-3.0-only",
"Apache 2.0": "Apache-2.0",
"BSD 2-Clause / FreeBSD": "BSD-2-Clause-FreeBSD",
"BSD 3-Clause": "BSD-3-Clause",
"CC0": "CC0-1.0",
"CC BY 3.0": "CC-BY-3.0",
"CC BY 4.0": "CC-BY-4.0",
"CC BY-NC-SA 3.0": "CC-BY-NC-SA-3.0",
"CC BY-SA 3.0": "CC-BY-SA-3.0",
"CC BY-SA 4.0": "CC-BY-SA-4.0",
"NPOSLv3": "NPOSL-3.0",
"MPL 2.0": "MPL-2.0",
"EUPLv1.2": "EUPL-1.2",
"SIL Open Font License v1.1": "OFL-1.1",
for old_name, new_name in renames.items():
License.query.filter_by(name=old_name).update({ "name": new_name })
r = requests.get(
licenses = r.json()["licenses"]
existing_licenses = {}
for license in License.query.all():
assert not in renames.keys()
existing_licenses[] = license
for license in licenses:
obj = existing_licenses.get(license["licenseId"].lower())
if obj:
obj.url = license["reference"]
elif license.get("isOsiApproved") and license.get("isFsfLibre") and \
not license["isDeprecatedLicenseId"]:
obj = License(license["licenseId"], True, license["reference"])
@action("Delete inactive users")
def delete_inactive_users():
users = User.query.filter(User.is_active == False, User.packages.is_(None), User.forum_topics.is_(None),
User.rank == UserRank.NOT_JOINED).all()
for user in users:
@action("Send Video URL notification")
def remind_video_url():
users = User.query.filter(User.maintained_packages.any(
and_(Package.video_url.is_(None), Package.type==PackageType.GAME, Package.state==PackageState.APPROVED)))
system_user = get_system_user()
for user in users:
packages = db.session.query(Package.title).filter(
or_(, Package.maintainers.any(,
Package.type == PackageType.GAME,
Package.state == PackageState.APPROVED) \
packages = [pkg[0] for pkg in packages]
packages_list = _package_list(packages)
addNotification(user, system_user, NotificationType.PACKAGE_APPROVAL,
f"You should add a video to {packages_list}",
url_for('users.profile', username=user.username))
@action("Update screenshot sizes")
def update_screenshot_sizes():
import sys
for screenshot in PackageScreenshot.query.all():
width, height = get_image_size(screenshot.file_path)
print(f"{screenshot.url}: {width}, {height}", file=sys.stderr)
screenshot.width = width
screenshot.height = height
@action("Detect game support")
def detect_game_support():
resolver = GameSupportResolver()
@action("Send pending notif digests")
def do_send_pending_digests():

View File

@ -1,130 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
from flask import redirect, render_template, url_for, request, flash
from flask_login import current_user, login_user
from flask_wtf import FlaskForm
from wtforms import StringField, SubmitField
from wtforms.validators import InputRequired, Length
from app.utils import rank_required, addAuditLog, addNotification, get_system_user
from . import bp
from .actions import actions
from ...models import UserRank, Package, db, PackageState, User, AuditSeverity, NotificationType
@bp.route("/admin/", methods=["GET", "POST"])
def admin_page():
if request.method == "POST":
action = request.form["action"]
if action == "restore":
package = Package.query.get(request.form["package"])
if package is None:
flash("Unknown package", "danger")
package.state = PackageState.READY_FOR_REVIEW
return redirect(url_for("admin.admin_page"))
elif action in actions:
ret = actions[action]["func"]()
if ret:
return ret
flash("Unknown action: " + action, "danger")
deleted_packages = Package.query.filter(Package.state == PackageState.DELETED).all()
return render_template("admin/list.html", deleted_packages=deleted_packages, actions=actions)
class SwitchUserForm(FlaskForm):
username = StringField("Username")
submit = SubmitField("Switch")
@bp.route("/admin/switchuser/", methods=["GET", "POST"])
def switch_user():
form = SwitchUserForm(formdata=request.form)
if form.validate_on_submit():
user = User.query.filter_by(username=form["username"].data).first()
if user is None:
flash("Unable to find user", "danger")
elif login_user(user):
return redirect(url_for("users.profile", username=current_user.username))
flash("Unable to login as user", "danger")
# Process GET or invalid POST
return render_template("admin/switch_user.html", form=form)
class SendNotificationForm(FlaskForm):
title = StringField("Title", [InputRequired(), Length(1, 300)])
url = StringField("URL", [InputRequired(), Length(1, 100)], default="/")
submit = SubmitField("Send")
@bp.route("/admin/send-notification/", methods=["GET", "POST"])
def send_bulk_notification():
form = SendNotificationForm(request.form)
if form.validate_on_submit():
addAuditLog(AuditSeverity.MODERATION, current_user,
"Sent bulk notification", url_for("admin.admin_page"), None,
users = User.query.filter(User.rank >= UserRank.NEW_MEMBER).all()
addNotification(users, get_system_user(), NotificationType.OTHER,,, None)
return redirect(url_for("admin.admin_page"))
return render_template("admin/send_bulk_notification.html", form=form)
@bp.route("/admin/restore/", methods=["GET", "POST"])
def restore():
if request.method == "POST":
target = request.form["submit"]
if "Review" in target:
target = PackageState.READY_FOR_REVIEW
elif "Changes" in target:
target = PackageState.CHANGES_NEEDED
target = PackageState.WIP
package = Package.query.get(request.form["package"])
if package is None:
flash("Unknown package", "danger")
package.state = target
addAuditLog(AuditSeverity.EDITOR, current_user, f"Restored package to state {target.value}",
package.getURL("packages.view"), package)
return redirect(package.getURL("packages.view"))
deleted_packages = Package.query \
.filter(Package.state == PackageState.DELETED) \
.join( \
.order_by(db.asc(User.username), db.asc( \
return render_template("admin/restore.html", deleted_packages=deleted_packages)

View File

@ -1,46 +0,0 @@
# ContentDB
# Copyright (C) 2020 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
from flask import render_template, request, abort
from app.models import db, AuditLogEntry, UserRank, User
from app.utils import rank_required, get_int_or_abort
from . import bp
def audit():
page = get_int_or_abort(request.args.get("page"), 1)
num = min(40, get_int_or_abort(request.args.get("n"), 100))
query = AuditLogEntry.query.order_by(db.desc(AuditLogEntry.created_at))
if "username" in request.args:
user = User.query.filter_by(username=request.args.get("username")).first()
if not user:
query = query.filter_by(causer=user)
pagination = query.paginate(page, num, True)
return render_template("admin/audit.html", log=pagination.items, pagination=pagination)
def audit_view(id_):
entry = AuditLogEntry.query.get(id_)
return render_template("admin/audit_view.html", entry=entry)

View File

@ -1,78 +0,0 @@
# ContentDB
# Copyright (C) 2020 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
from flask import request, abort, url_for, redirect, render_template, flash
from flask_login import current_user
from flask_wtf import FlaskForm
from wtforms import TextAreaField, SubmitField, StringField
from wtforms.validators import InputRequired, Length
from app.markdown import render_markdown
from app.tasks.emails import send_user_email
from app.utils import rank_required, addAuditLog
from . import bp
from ...models import UserRank, User, AuditSeverity
class SendEmailForm(FlaskForm):
subject = StringField("Subject", [InputRequired(), Length(1, 300)])
text = TextAreaField("Message", [InputRequired()])
submit = SubmitField("Send")
@bp.route("/admin/send-email/", methods=["GET", "POST"])
def send_single_email():
username = request.args["username"]
user = User.query.filter_by(username=username).first()
if user is None:
next_url = url_for("users.profile", username=user.username)
if is None:
flash("User has no email address!", "danger")
return redirect(next_url)
form = SendEmailForm(request.form)
if form.validate_on_submit():
addAuditLog(AuditSeverity.MODERATION, current_user,
"Sent email to {}".format(user.display_name), url_for("users.profile", username=username))
text =
html = render_markdown(text)
task = send_user_email.delay(, user.locale or "en",, text, html)
return redirect(url_for("tasks.check",, r=next_url))
return render_template("admin/send_email.html", form=form, user=user)
@bp.route("/admin/send-bulk-email/", methods=["GET", "POST"])
def send_bulk_email():
form = SendEmailForm(request.form)
if form.validate_on_submit():
addAuditLog(AuditSeverity.MODERATION, current_user,
"Sent bulk email", url_for("admin.admin_page"), None,
text =
html = render_markdown(text)
for user in User.query.filter(
send_user_email.delay(, user.locale or "en",, text, html)
return redirect(url_for("admin.admin_page"))
return render_template("admin/send_bulk_email.html", form=form)

View File

@ -1,82 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
from flask import redirect, render_template, abort, url_for, request
from flask_login import current_user, login_required
from flask_wtf import FlaskForm
from wtforms import StringField, TextAreaField, BooleanField, SubmitField
from wtforms.validators import InputRequired, Length, Optional, Regexp
from . import bp
from ...models import Permission, Tag, db
def tag_list():
if not Permission.EDIT_TAGS.check(current_user):
query = Tag.query
if request.args.get("sort") == "views":
query = query.order_by(db.desc(Tag.views))
query = query.order_by(db.asc(Tag.title))
return render_template("admin/tags/list.html", tags=query.all())
class TagForm(FlaskForm):
title = StringField("Title", [InputRequired(), Length(3, 100)])
description = TextAreaField("Description", [Optional(), Length(0, 500)])
name = StringField("Name", [Optional(), Length(1, 20), Regexp("^[a-z0-9_]", 0, "Lower case letters (a-z), digits (0-9), and underscores (_) only")])
is_protected = BooleanField("Is Protected")
submit = SubmitField("Save")
@bp.route("/tags/new/", methods=["GET", "POST"])
@bp.route("/tags/<name>/edit/", methods=["GET", "POST"])
def create_edit_tag(name=None):
tag = None
if name is not None:
tag = Tag.query.filter_by(name=name).first()
if tag is None:
if not Permission.checkPerm(current_user, Permission.EDIT_TAGS if tag else Permission.CREATE_TAG):
form = TagForm( obj=tag)
if form.validate_on_submit():
if tag is None:
tag = Tag(
tag.description =
tag.is_protected =
if Permission.EDIT_TAGS.check(current_user):
return redirect(url_for("admin.create_edit_tag",
return redirect(url_for("homepage.home"))
return render_template("admin/tags/edit.html", tag=tag, form=form)

View File

@ -1,63 +0,0 @@
# ContentDB
# Copyright (C) 2020 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
from flask import redirect, render_template, abort, url_for, request, flash
from flask_wtf import FlaskForm
from wtforms import StringField, TextAreaField, SubmitField
from wtforms.validators import InputRequired, Length, Optional, Regexp
from app.utils import rank_required
from . import bp
from ...models import UserRank, ContentWarning, db
def warning_list():
return render_template("admin/warnings/list.html", warnings=ContentWarning.query.order_by(db.asc(ContentWarning.title)).all())
class WarningForm(FlaskForm):
title = StringField("Title", [InputRequired(), Length(3, 100)])
description = TextAreaField("Description", [Optional(), Length(0, 500)])
name = StringField("Name", [Optional(), Length(1, 20),
Regexp("^[a-z0-9_]", 0, "Lower case letters (a-z), digits (0-9), and underscores (_) only")])
submit = SubmitField("Save")
@bp.route("/admin/warnings/new/", methods=["GET", "POST"])
@bp.route("/admin/warnings/<name>/edit/", methods=["GET", "POST"])
def create_edit_warning(name=None):
warning = None
if name is not None:
warning = ContentWarning.query.filter_by(name=name).first()
if warning is None:
form = WarningForm(formdata=request.form, obj=warning)
if form.validate_on_submit():
if warning is None:
warning = ContentWarning(,
return redirect(url_for("admin.warning_list"))
return render_template("admin/warnings/edit.html", warning=warning, form=form)

View File

@ -1,46 +0,0 @@
# ContentDB
# Copyright (C) 2019 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
from functools import wraps
from flask import request, abort
from app.models import APIToken
from .support import error
def is_api_authd(f):
def decorated_function(*args, **kwargs):
token = None
value = request.headers.get("authorization")
if value is None:
elif value[0:7].lower() == "bearer ":
access_token = value[7:]
if len(access_token) < 10:
error(400, "API token is too short")
token = APIToken.query.filter_by(access_token=access_token).first()
if token is None:
error(403, "Unknown API token")
abort(403, "Unsupported authentication method")
return f(token=token, *args, **kwargs)
return decorated_function

View File

@ -1,569 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
import math
from typing import List
import flask_sqlalchemy
from flask import request, jsonify, current_app
from flask_login import current_user, login_required
from sqlalchemy.orm import joinedload
from sqlalchemy.sql.expression import func
from app import csrf
from app.markdown import render_markdown
from app.models import Tag, PackageState, PackageType, Package, db, PackageRelease, Permission, ForumTopic, \
MinetestRelease, APIToken, PackageScreenshot, License, ContentWarning, User, PackageReview, Thread
from app.querybuilder import QueryBuilder
from app.utils import is_package_page, get_int_or_abort, url_set_query, abs_url, isYes
from . import bp
from .auth import is_api_authd
from .support import error, api_create_vcs_release, api_create_zip_release, api_create_screenshot, \
api_order_screenshots, api_edit_package, api_set_cover_image
from functools import wraps
def cors_allowed(f):
def inner(*args, **kwargs):
res = f(*args, **kwargs)
res.headers["Access-Control-Allow-Origin"] = "*"
res.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
res.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
return res
return inner
def packages():
qb = QueryBuilder(request.args)
query = qb.buildPackageQuery()
if request.args.get("fmt") == "keys":
return jsonify([package.getAsDictionaryKey() for package in query.all()])
pkgs = qb.convertToDictionary(query.all())
if "engine_version" in request.args or "protocol_version" in request.args:
pkgs = [package for package in pkgs if package.get("release")]
return jsonify(pkgs)
def package(package):
return jsonify(package.getAsDictionary(current_app.config["BASE_URL"]))
@bp.route("/api/packages/<author>/<name>/", methods=["PUT"])
def edit_package(token, package):
if not token:
error(401, "Authentication needed")
return api_edit_package(token, package, request.json)
def resolve_package_deps(out, package, only_hard, depth=1):
id = package.getId()
if id in out:
ret = []
out[id] = ret
if package.type != PackageType.MOD:
for dep in package.dependencies:
if only_hard and dep.optional:
if dep.package:
name =
fulfilled_by = [ dep.package.getId() ]
resolve_package_deps(out, dep.package, only_hard, depth)
elif dep.meta_package:
name =
fulfilled_by = [ pkg.getId() for pkg in dep.meta_package.packages]
if depth == 1 and not dep.optional:
most_likely = next((pkg for pkg in dep.meta_package.packages if pkg.type == PackageType.MOD), None)
if most_likely:
resolve_package_deps(out, most_likely, only_hard, depth + 1)
raise Exception("Malformed dependency")
"name": name,
"is_optional": dep.optional,
"packages": fulfilled_by
def package_dependencies(package):
only_hard = request.args.get("only_hard")
out = {}
resolve_package_deps(out, package, only_hard)
return jsonify(out)
def topics():
qb = QueryBuilder(request.args)
query = qb.buildTopicQuery(show_added=True)
return jsonify([t.getAsDictionary() for t in query.all()])
@bp.route("/api/topic_discard/", methods=["POST"])
def topic_set_discard():
tid = request.args.get("tid")
discard = request.args.get("discard")
if tid is None or discard is None:
error(400, "Missing topic ID or discard bool")
topic = ForumTopic.query.get(tid)
if not topic.checkPerm(current_user, Permission.TOPIC_DISCARD):
error(403, "Permission denied, need: TOPIC_DISCARD")
topic.discarded = discard == "true"
return jsonify(topic.getAsDictionary())
def whoami(token):
if token is None:
return jsonify({ "is_authenticated": False, "username": None })
return jsonify({ "is_authenticated": True, "username": token.owner.username })
@bp.route("/api/markdown/", methods=["POST"])
def markdown():
return render_markdown("utf-8"))
def list_all_releases():
query = PackageRelease.query.filter_by(approved=True) \
.filter(PackageRelease.package.has(state=PackageState.APPROVED)) \
if "author" in request.args:
author = User.query.filter_by(username=request.args["author"]).first()
if author is None:
error(404, "Author not found")
query = query.filter(PackageRelease.package.has(author=author))
if "maintainer" in request.args:
maintainer = User.query.filter_by(username=request.args["maintainer"]).first()
if maintainer is None:
error(404, "Maintainer not found")
query = query.join(Package)
query = query.filter(Package.maintainers.any(
return jsonify([ rel.getLongAsDictionary() for rel in query.limit(30).all() ])
def list_releases(package):
return jsonify([ rel.getAsDictionary() for rel in package.releases.all() ])
@bp.route("/api/packages/<author>/<name>/releases/new/", methods=["POST"])
def create_release(token, package):
if not token:
error(401, "Authentication needed")
if not package.checkPerm(token.owner, Permission.APPROVE_RELEASE):
error(403, "You do not have the permission to approve releases")
data = request.json or request.form
if "title" not in data:
error(400, "Title is required in the POST data")
if data.get("method") == "git":
for option in ["method", "ref"]:
if option not in data:
error(400, option + " is required in the POST data")
return api_create_vcs_release(token, package, data["title"], data["ref"])
elif request.files:
file = request.files.get("file")
if file is None:
error(400, "Missing 'file' in multipart body")
commit_hash = data.get("commit")
return api_create_zip_release(token, package, data["title"], file, None, None, "API", commit_hash)
error(400, "Unknown release-creation method. Specify the method or provide a file.")
def release(package: Package, id: int):
release = PackageRelease.query.get(id)
if release is None or release.package != package:
error(404, "Release not found")
return jsonify(release.getAsDictionary())
@bp.route("/api/packages/<author>/<name>/releases/<int:id>/", methods=["DELETE"])
def delete_release(token: APIToken, package: Package, id: int):
release = PackageRelease.query.get(id)
if release is None or release.package != package:
error(404, "Release not found")
if not token:
error(401, "Authentication needed")
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
if not release.checkPerm(token.owner, Permission.DELETE_RELEASE):
error(403, "Unable to delete the release, make sure there's a newer release available")
return jsonify({"success": True})
def list_screenshots(package):
screenshots = package.screenshots.all()
return jsonify([ss.getAsDictionary(current_app.config["BASE_URL"]) for ss in screenshots])
@bp.route("/api/packages/<author>/<name>/screenshots/new/", methods=["POST"])
def create_screenshot(token: APIToken, package: Package):
if not token:
error(401, "Authentication needed")
if not package.checkPerm(token.owner, Permission.ADD_SCREENSHOTS):
error(403, "You do not have the permission to create screenshots")
data = request.form
if "title" not in data:
error(400, "Title is required in the POST data")
file = request.files.get("file")
if file is None:
error(400, "Missing 'file' in multipart body")
return api_create_screenshot(token, package, data["title"], file, isYes(data.get("is_cover_image")))
def screenshot(package, id):
ss = PackageScreenshot.query.get(id)
if ss is None or ss.package != package:
error(404, "Screenshot not found")
return jsonify(ss.getAsDictionary(current_app.config["BASE_URL"]))
@bp.route("/api/packages/<author>/<name>/screenshots/<int:id>/", methods=["DELETE"])
def delete_screenshot(token: APIToken, package: Package, id: int):
ss = PackageScreenshot.query.get(id)
if ss is None or ss.package != package:
error(404, "Screenshot not found")
if not token:
error(401, "Authentication needed")
if not package.checkPerm(token.owner, Permission.ADD_SCREENSHOTS):
error(403, "You do not have the permission to delete screenshots")
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
if package.cover_image == ss:
package.cover_image = None
return jsonify({ "success": True })
@bp.route("/api/packages/<author>/<name>/screenshots/order/", methods=["POST"])
def order_screenshots(token: APIToken, package: Package):
if not token:
error(401, "Authentication needed")
if not package.checkPerm(token.owner, Permission.ADD_SCREENSHOTS):
error(403, "You do not have the permission to change screenshots")
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
json = request.json
if json is None or not isinstance(json, list):
error(400, "Expected order body to be array")
return api_order_screenshots(token, package, request.json)
@bp.route("/api/packages/<author>/<name>/screenshots/cover-image/", methods=["POST"])
def set_cover_image(token: APIToken, package: Package):
if not token:
error(401, "Authentication needed")
if not package.checkPerm(token.owner, Permission.ADD_SCREENSHOTS):
error(403, "You do not have the permission to change screenshots")
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
json = request.json
if json is None or not isinstance(json, dict) or "cover_image" not in json:
error(400, "Expected body to be an object with cover_image as a key")
return api_set_cover_image(token, package, request.json["cover_image"])
def list_reviews(package):
reviews =
return jsonify([review.getAsDictionary() for review in reviews])
def list_all_reviews():
page = get_int_or_abort(request.args.get("page"), 1)
num = min(get_int_or_abort(request.args.get("n"), 100), 100)
query = PackageReview.query
query = query.options(joinedload(, joinedload(PackageReview.package))
if request.args.get("author"):
query = query.filter( == request.args.get("author")))
if request.args.get("is_positive"):
query = query.filter(PackageReview.recommends == isYes(request.args.get("is_positive")))
q = request.args.get("q")
if q:
query = query.filter(PackageReview.thread.has(Thread.title.ilike(f"%{q}%")))
pagination: flask_sqlalchemy.Pagination = query.paginate(page, num, True)
return jsonify({
"per_page": pagination.per_page,
"page_count": math.ceil( / pagination.per_page),
"urls": {
"previous": abs_url(url_set_query(page=page - 1)) if pagination.has_prev else None,
"next": abs_url(url_set_query(page=page + 1)) if pagination.has_next else None,
"items": [review.getAsDictionary(True) for review in pagination.items],
def package_scores():
qb = QueryBuilder(request.args)
query = qb.buildPackageQuery()
pkgs = [package.getScoreDict() for package in query.all()]
return jsonify(pkgs)
def tags():
return jsonify([tag.getAsDictionary() for tag in Tag.query.all() ])
def content_warnings():
return jsonify([warning.getAsDictionary() for warning in ContentWarning.query.all() ])
def licenses():
return jsonify([ { "name":, "is_foss": license.is_foss } \
for license in License.query.order_by(db.asc( ])
def homepage():
query = Package.query.filter_by(state=PackageState.APPROVED)
count = query.count()
featured = query.filter(Package.tags.any(name="featured")).order_by(
new = query.order_by(db.desc(Package.approved_at)).limit(4).all()
pop_mod = query.filter_by(type=PackageType.MOD).order_by(db.desc(Package.score)).limit(8).all()
pop_gam = query.filter_by(type=PackageType.GAME).order_by(db.desc(Package.score)).limit(8).all()
pop_txp = query.filter_by(type=PackageType.TXP).order_by(db.desc(Package.score)).limit(8).all()
high_reviewed = query.order_by(db.desc(Package.score - Package.score_downloads)) \
updated = db.session.query(Package).select_from(PackageRelease).join(Package) \
.filter_by(state=PackageState.APPROVED) \
.order_by(db.desc(PackageRelease.releaseDate)) \
updated = updated[:4]
downloads_result = db.session.query(func.sum(Package.downloads)).one_or_none()
downloads = 0 if not downloads_result or not downloads_result[0] else downloads_result[0]
def mapPackages(packages: List[Package]):
return [pkg.getAsDictionaryShort(current_app.config["BASE_URL"]) for pkg in packages]
return jsonify({
"count": count,
"downloads": downloads,
"featured": mapPackages(featured),
"new": mapPackages(new),
"updated": mapPackages(updated),
"pop_mod": mapPackages(pop_mod),
"pop_txp": mapPackages(pop_txp),
"pop_game": mapPackages(pop_gam),
"high_reviewed": mapPackages(high_reviewed)
def welcome_v1():
featured = Package.query \
.filter(Package.type == PackageType.GAME, Package.state == PackageState.APPROVED,
Package.tags.any(name="featured")) \
.order_by(func.random()) \
mtg = Package.query.filter("Minetest"), == "minetest_game").one()
featured.insert(2, mtg)
def map_packages(packages: List[Package]):
return [pkg.getAsDictionaryShort(current_app.config["BASE_URL"]) for pkg in packages]
return jsonify({
"featured": map_packages(featured),
def versions():
protocol_version = request.args.get("protocol_version")
engine_version = request.args.get("engine_version")
if protocol_version or engine_version:
rel = MinetestRelease.get(engine_version, get_int_or_abort(protocol_version))
if rel is None:
error(404, "No releases found")
return jsonify(rel.getAsDictionary())
return jsonify([rel.getAsDictionary() \
for rel in MinetestRelease.query.all() if rel.getActual() is not None])
def all_deps():
qb = QueryBuilder(request.args)
query = qb.buildPackageQuery()
def format_pkg(pkg: Package):
return {
"type": pkg.type.toName(),
"provides": [ for x in pkg.provides],
"depends": [str(x) for x in pkg.dependencies if not x.optional],
"optional_depends": [str(x) for x in pkg.dependencies if x.optional],
page = get_int_or_abort(request.args.get("page"), 1)
num = min(get_int_or_abort(request.args.get("n"), 100), 300)
pagination: flask_sqlalchemy.Pagination = query.paginate(page, num, True)
return jsonify({
"per_page": pagination.per_page,
"page_count": math.ceil( / pagination.per_page),
"urls": {
"previous": abs_url(url_set_query(page=page - 1)) if pagination.has_prev else None,
"next": abs_url(url_set_query(page=page + 1)) if pagination.has_next else None,
"items": [format_pkg(pkg) for pkg in pagination.items],

View File

@ -1,119 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
from flask import jsonify, abort, make_response, url_for, current_app
from app.logic.packages import do_edit_package
from app.logic.releases import LogicError, do_create_vcs_release, do_create_zip_release
from app.logic.screenshots import do_create_screenshot, do_order_screenshots, do_set_cover_image
from app.models import APIToken, Package, MinetestRelease, PackageScreenshot
def error(code: int, msg: str):
abort(make_response(jsonify({ "success": False, "error": msg }), code))
# Catches LogicErrors and aborts with JSON error
def guard(f):
def ret(*args, **kwargs):
return f(*args, **kwargs)
except LogicError as e:
error(e.code, e.message)
return ret
def api_create_vcs_release(token: APIToken, package: Package, title: str, ref: str,
min_v: MinetestRelease = None, max_v: MinetestRelease = None, reason="API"):
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
reason += ", token=" +
rel = guard(do_create_vcs_release)(token.owner, package, title, ref, min_v, max_v, reason)
return jsonify({
"success": True,
"task": url_for("tasks.check", id=rel.task_id),
"release": rel.getAsDictionary()
def api_create_zip_release(token: APIToken, package: Package, title: str, file,
min_v: MinetestRelease = None, max_v: MinetestRelease = None, reason="API", commit_hash:str=None):
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
reason += ", token=" +
rel = guard(do_create_zip_release)(token.owner, package, title, file, min_v, max_v, reason, commit_hash)
return jsonify({
"success": True,
"task": url_for("tasks.check", id=rel.task_id),
"release": rel.getAsDictionary()
def api_create_screenshot(token: APIToken, package: Package, title: str, file, is_cover_image: bool, reason="API"):
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
reason += ", token=" +
ss : PackageScreenshot = guard(do_create_screenshot)(token.owner, package, title, file, is_cover_image, reason)
return jsonify({
"success": True,
"screenshot": ss.getAsDictionary()
def api_order_screenshots(token: APIToken, package: Package, order: [any]):
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
guard(do_order_screenshots)(token.owner, package, order)
return jsonify({
"success": True
def api_set_cover_image(token: APIToken, package: Package, cover_image):
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
guard(do_set_cover_image)(token.owner, package, cover_image)
return jsonify({
"success": True
def api_edit_package(token: APIToken, package: Package, data: dict, reason: str = "API"):
if not token.canOperateOnPackage(package):
error(403, "API token does not have access to the package")
reason += ", token=" +
package = guard(do_edit_package)(token.owner, package, False, False, data, reason)
return jsonify({
"success": True,
"package": package.getAsDictionary(current_app.config["BASE_URL"])

View File

@ -1,151 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
from flask import render_template, redirect, request, session, url_for, abort
from flask_babel import lazy_gettext
from flask_login import login_required, current_user
from flask_wtf import FlaskForm
from wtforms import *
from wtforms_sqlalchemy.fields import QuerySelectField
from wtforms.validators import *
from app.models import db, User, APIToken, Package, Permission
from app.utils import randomString
from . import bp
from ..users.settings import get_setting_tabs
class CreateAPIToken(FlaskForm):
name = StringField(lazy_gettext("Name"), [InputRequired(), Length(1, 30)])
package = QuerySelectField(lazy_gettext("Limit to package"), allow_blank=True,
get_pk=lambda a:, get_label=lambda a: a.title)
submit = SubmitField(lazy_gettext("Save"))
def list_tokens_redirect():
return redirect(url_for("api.list_tokens", username=current_user.username))
def list_tokens(username):
user = User.query.filter_by(username=username).first()
if user is None:
if not user.checkPerm(current_user, Permission.CREATE_TOKEN):
return render_template("api/list_tokens.html", user=user, tabs=get_setting_tabs(user), current_tab="api_tokens")
@bp.route("/users/<username>/tokens/new/", methods=["GET", "POST"])
@bp.route("/users/<username>/tokens/<int:id>/edit/", methods=["GET", "POST"])
def create_edit_token(username, id=None):
user = User.query.filter_by(username=username).first()
if user is None:
if not user.checkPerm(current_user, Permission.CREATE_TOKEN):
is_new = id is None
token = None
access_token = None
if not is_new:
token = APIToken.query.get(id)
if token is None:
elif token.owner != user:
access_token = session.pop("token_" + str(, None)
form = CreateAPIToken(formdata=request.form, obj=token)
form.package.query_factory = lambda: user.maintained_packages.all()
if form.validate_on_submit():
if is_new:
token = APIToken()
token.owner = user
token.access_token = randomString(32)
db.session.commit() # save
if is_new:
# Store token so it can be shown in the edit page
session["token_" + str(] = token.access_token
return redirect(url_for("api.create_edit_token", username=username,
return render_template("api/create_edit_token.html", user=user, form=form, token=token, access_token=access_token)
@bp.route("/users/<username>/tokens/<int:id>/reset/", methods=["POST"])
def reset_token(username, id):
user = User.query.filter_by(username=username).first()
if user is None:
if not user.checkPerm(current_user, Permission.CREATE_TOKEN):
token = APIToken.query.get(id)
if token is None:
elif token.owner != user:
token.access_token = randomString(32)
db.session.commit() # save
# Store token so it can be shown in the edit page
session["token_" + str(] = token.access_token
return redirect(url_for("api.create_edit_token", username=username,
@bp.route("/users/<username>/tokens/<int:id>/delete/", methods=["POST"])
def delete_token(username, id):
user = User.query.filter_by(username=username).first()
if user is None:
if not user.checkPerm(current_user, Permission.CREATE_TOKEN):
is_new = id is None
token = APIToken.query.get(id)
if token is None:
elif token.owner != user:
return redirect(url_for("api.list_tokens", username=username))

from flask import Blueprint
from flask_babel import gettext
bp = Blueprint("github", __name__)
from flask import redirect, url_for, request, flash, jsonify, current_app
from flask_login import current_user
from sqlalchemy import func, or_, and_
from app import github, csrf
from app.models import db, User, APIToken, Package, Permission, AuditSeverity
from app.utils import abs_url_for, addAuditLog, login_user_set_active
from import error, api_create_vcs_release
import hmac, requests
def start():
return github.authorize("", redirect_uri=abs_url_for("github.callback"))
def view_permissions():
url = "" + \
return redirect(url)
def callback(oauth_token):
next_url = request.args.get("next")
if oauth_token is None:
flash(gettext("Authorization failed [err=gh-oauth-login-failed]"), "danger")
return redirect(url_for("users.login"))
# Get Github username
url = ""
r = requests.get(url, headers={"Authorization": "token " + oauth_token})
username = r.json()["login"]
# Get user by github username
userByGithub = User.query.filter(func.lower(User.github_username) == func.lower(username)).first()
# If logged in, connect
if current_user and current_user.is_authenticated:
if userByGithub is None:
current_user.github_username = username
flash(gettext("Linked GitHub to account"), "success")
return redirect(url_for("homepage.home"))
flash(gettext("GitHub account is already associated with another user"), "danger")
return redirect(url_for("homepage.home"))
# If not logged in, log in
if userByGithub is None:
flash(gettext("Unable to find an account for that GitHub user"), "danger")
return redirect(url_for("users.claim_forums"))
ret = login_user_set_active(userByGithub, remember=True)
if ret is None:
flash(gettext("Authorization failed [err=gh-login-failed]"), "danger")
return redirect(url_for("users.login"))
addAuditLog(AuditSeverity.USER, userByGithub, "Logged in using GitHub OAuth",
url_for("users.profile", username=userByGithub.username))
return ret
@bp.route("/github/webhook/", methods=["POST"])
def webhook():
json = request.json
# Get package
github_url = "" + json["repository"]["full_name"]
package = Package.query.filter(Package.repo.ilike("%{}%".format(github_url))).first()
if package is None:
return error(400, "Could not find package, did you set the VCS repo in CDB correctly? Expected {}".format(github_url))
# Get all tokens for package
tokens_query = APIToken.query.filter(or_(APIToken.package==package,
possible_tokens = tokens_query.all()
actual_token = None
# Check signature
header_signature = request.headers.get('X-Hub-Signature')
if header_signature is None:
return error(403, "Expected payload signature")
sha_name, signature = header_signature.split('=')
if sha_name != 'sha1':
return error(403, "Expected SHA1 payload signature")
for token in possible_tokens:
mac ="utf-8"),, digestmod='sha1')
if hmac.compare_digest(str(mac.hexdigest()), signature):
actual_token = token
if actual_token is None:
return error(403, "Invalid authentication, couldn't validate API token")
if not package.checkPerm(actual_token.owner, Permission.APPROVE_RELEASE):
return error(403, "You do not have the permission to approve releases")
# Check event
event = request.headers.get("X-GitHub-Event")
if event == "push":
ref = json["after"]
title = json["head_commit"]["message"].partition("\n")[0]
branch = json["ref"].replace("refs/heads/", "")
if branch not in [ "master", "main" ]:
return jsonify({ "success": False, "message": "Webhook ignored, as it's not on the master/main branch" })
elif event == "create":
ref_type = json.get("ref_type")
if ref_type != "tag":
return jsonify({
"success": False,
"message": "Webhook ignored, as it's a non-tag create event. ref_type='{}'.".format(ref_type)
ref = json["ref"]
title = ref
elif event == "ping":
return jsonify({ "success": True, "message": "Ping successful" })
return error(400, "Unsupported event: '{}'. Only 'push', 'create:tag', and 'ping' are supported."
.format(event or "null"))
# Perform release
if package.releases.filter_by(commit_hash=ref).count() > 0:
return api_create_vcs_release(actual_token, package, title, ref, reason="Webhook")

from flask import Blueprint, request, jsonify
bp = Blueprint("gitlab", __name__)
from app import csrf
from app.models import Package, APIToken, Permission
from import error, api_create_vcs_release
def webhook_impl():
json = request.json
# Get package
gitlab_url = json["project"]["web_url"].replace("https://", "").replace("http://", "")
package = Package.query.filter(Package.repo.ilike("%{}%".format(gitlab_url))).first()
if package is None:
return error(400,
"Could not find package, did you set the VCS repo in CDB correctly? Expected {}".format(gitlab_url))
# Get all tokens for package
secret = request.headers.get("X-Gitlab-Token")
if secret is None:
return error(403, "Token required")
token = APIToken.query.filter_by(access_token=secret).first()
if token is None:
return error(403, "Invalid authentication")
if not package.checkPerm(token.owner, Permission.APPROVE_RELEASE):
return error(403, "You do not have the permission to approve releases")
# Check event
event = json["event_name"]
if event == "push":
ref = json["after"]
title = ref[:5]
branch = json["ref"].replace("refs/heads/", "")
if branch not in ["master", "main"]:
return jsonify({"success": False,
"message": "Webhook ignored, as it's not on the master/main branch"})
elif event == "tag_push":
ref = json["ref"]
title = ref.replace("refs/tags/", "")
return error(400, "Unsupported event: '{}'. Only 'push', 'create:tag', and 'ping' are supported."
.format(event or "null"))
# Perform release
if package.releases.filter_by(commit_hash=ref).count() > 0:
return api_create_vcs_release(token, package, title, ref, reason="Webhook")
@bp.route("/gitlab/webhook/", methods=["POST"])
def webhook():
return webhook_impl()
except KeyError as err:
return error(400, "Missing field: {}".format(err.args[0]))

bp = Blueprint("homepage", __name__)
from app.models import *
from sqlalchemy.orm import joinedload
from sqlalchemy.sql.expression import func
def home():
def join(query):
return query.options(
query = Package.query.filter_by(state=PackageState.APPROVED)
count = query.count()
featured = query.filter(Package.tags.any(name="featured")).order_by(func.random()).limit(6).all()
new = join(query.order_by(db.desc(Package.approved_at))).limit(4).all()
pop_mod = join(query.filter_by(type=PackageType.MOD).order_by(db.desc(Package.score))).limit(8).all()
pop_gam = join(query.filter_by(type=PackageType.GAME).order_by(db.desc(Package.score))).limit(8).all()
pop_txp = join(query.filter_by(type=PackageType.TXP).order_by(db.desc(Package.score))).limit(8).all()
high_reviewed = join(query.order_by(db.desc(Package.score - Package.score_downloads))) \
updated = db.session.query(Package).select_from(PackageRelease).join(Package) \
.filter_by(state=PackageState.APPROVED) \
.order_by(db.desc(PackageRelease.releaseDate)) \
updated = updated[:4]
reviews = PackageReview.query.filter_by(recommends=True).order_by(db.desc(PackageReview.created_at)).limit(5).all()
downloads_result = db.session.query(func.sum(Package.downloads)).one_or_none()
downloads = 0 if not downloads_result or not downloads_result[0] else downloads_result[0]
tags = db.session.query(func.count(Tags.c.tag_id), Tag) \
return render_template("index.html", count=count, downloads=downloads, tags=tags, featured=featured,
new=new, updated=updated, pop_mod=pop_mod, pop_txp=pop_txp, pop_gam=pop_gam, high_reviewed=high_reviewed, reviews=reviews)

from flask import *
from sqlalchemy import func
from app.models import MetaPackage, Package, db, Dependency, PackageState, ForumTopic
bp = Blueprint("metapackages", __name__)
def list_all():
mpackages = db.session.query(MetaPackage, func.count( \
.select_from(MetaPackage).outerjoin(MetaPackage.packages) \
.order_by(db.asc( \
return render_template("metapackages/list.html", mpackages=mpackages)
def view(name):
mpackage = MetaPackage.query.filter_by(name=name).first()
if mpackage is None:
dependers = db.session.query(Package) \
.select_from(MetaPackage) \
.filter( \
.join(MetaPackage.dependencies) \
.join(Dependency.depender) \
.filter(Dependency.optional==False, Package.state==PackageState.APPROVED) \
optional_dependers = db.session.query(Package) \
.select_from(MetaPackage) \
.filter( \
.join(MetaPackage.dependencies) \
.join(Dependency.depender) \
.filter(Dependency.optional==True, Package.state==PackageState.APPROVED) \
similar_topics = ForumTopic.query \
.filter_by(name=name) \
.filter(~ db.exists().where(Package.forums == ForumTopic.topic_id)) \
.order_by(db.asc(, db.asc(ForumTopic.title)) \
return render_template("metapackages/view.html", mpackage=mpackage,
dependers=dependers, optional_dependers=optional_dependers,

from flask import Blueprint, make_response
from sqlalchemy.sql.expression import func
from app.models import Package, db, User, UserRank, PackageState
bp = Blueprint("metrics", __name__)
def generate_metrics(full=False):
def write_single_stat(name, help, type, value):
fmt = "# HELP {name} {help}\n# TYPE {name} {type}\n{name} {value}\n\n"
return fmt.format(name=name, help=help, type=type, value=value)
def gen_labels(labels):
pieces = [key + "=" + str(val) for key, val in labels.items()]
return ",".join(pieces)
def write_array_stat(name, help, type, data):
ret = "# HELP {name} {help}\n# TYPE {name} {type}\n" \
.format(name=name, help=help, type=type)
for entry in data:
assert(len(entry) == 2)
ret += "{name}{{{labels}}} {value}\n" \
.format(name=name, labels=gen_labels(entry[0]), value=entry[1])
return ret + "\n"
downloads_result = db.session.query(func.sum(Package.downloads)).one_or_none()
downloads = 0 if not downloads_result or not downloads_result[0] else downloads_result[0]
packages = Package.query.filter_by(state=PackageState.APPROVED).count()
users = User.query.filter(User.rank != UserRank.NOT_JOINED).count()
ret = ""
ret += write_single_stat("contentdb_packages", "Total packages", "gauge", packages)
ret += write_single_stat("contentdb_users", "Number of registered users", "gauge", users)
ret += write_single_stat("contentdb_downloads", "Total downloads", "gauge", downloads)
if full:
scores = Package.query.join(User).with_entities(User.username,, Package.score) \
ret += write_array_stat("contentdb_package_score", "Package score", "gauge",
[({ "author": score[0], "name": score[1] }, score[2]) for score in scores])
score_result = db.session.query(func.sum(Package.score)).one_or_none()
score = 0 if not score_result or not score_result[0] else score_result[0]
ret += write_single_stat("contentdb_score", "Total package score", "gauge", score)
return ret
def metrics():
response = make_response(generate_metrics(), 200)
response.mimetype = "text/plain"
return response

from flask import Blueprint, render_template, redirect, url_for
from flask_login import current_user, login_required
from sqlalchemy import or_, desc
from app.models import db, Notification, NotificationType
bp = Blueprint("notifications", __name__)
def list_all():
notifications = Notification.query.filter(Notification.user == current_user,
Notification.type != NotificationType.EDITOR_ALERT, Notification.type != NotificationType.EDITOR_MISC) \
.order_by(desc(Notification.created_at)) \
editor_notifications = Notification.query.filter(Notification.user == current_user,
or_(Notification.type == NotificationType.EDITOR_ALERT, Notification.type == NotificationType.EDITOR_MISC)) \
.order_by(desc(Notification.created_at)) \
return render_template("notifications/list.html",
notifications=notifications, editor_notifications=editor_notifications)
@bp.route("/notifications/clear/", methods=["POST"])
def clear():
return redirect(url_for("notifications.list_all"))

from flask import Blueprint
from flask_babel import gettext
from app.models import User, Package, Permission
bp = Blueprint("packages", __name__)
def get_package_tabs(user: User, package: Package):
if package is None or not package.checkPerm(user, Permission.EDIT_PACKAGE):
return []
return [
"id": "edit",
"title": gettext("Edit Details"),
"url": package.getURL("packages.create_edit")
"id": "releases",
"title": gettext("Releases"),
"url": package.getURL("packages.list_releases")
"id": "screenshots",
"title": gettext("Screenshots"),
"url": package.getURL("packages.screenshots")
"id": "maintainers",
"title": gettext("Maintainers"),
"url": package.getURL("packages.edit_maintainers")
"id": "audit",
"title": gettext("Audit Log"),
"url": package.getURL("packages.audit")
"id": "share",
"title": gettext("Share and Badges"),
"url": package.getURL("packages.share")
"id": "remove",
"title": gettext("Remove"),
"url": package.getURL("packages.remove")
# along with this program. If not, see <>.
from flask import render_template, abort
from sqlalchemy.orm import joinedload
from . import bp
from app.utils import is_package_page
from ...models import Package, PackageType, PackageState, db, PackageRelease
def game_hub(package: Package):
if package.type != PackageType.GAME:
def join(query):
return query.options(
query = Package.query.filter(Package.supported_games.any(game=package), Package.state==PackageState.APPROVED)
count = query.count()
new = join(query.order_by(db.desc(Package.approved_at))).limit(4).all()
pop_mod = join(query.filter_by(type=PackageType.MOD).order_by(db.desc(Package.score))).limit(8).all()
pop_gam = join(query.filter_by(type=PackageType.GAME).order_by(db.desc(Package.score))).limit(8).all()
pop_txp = join(query.filter_by(type=PackageType.TXP).order_by(db.desc(Package.score))).limit(8).all()
high_reviewed = join(query.order_by(db.desc(Package.score - Package.score_downloads))) \
updated = db.session.query(Package).select_from(PackageRelease).join(Package) \
.filter(Package.supported_games.any(game=package), Package.state==PackageState.APPROVED) \
.order_by(db.desc(PackageRelease.releaseDate)) \
updated = updated[:4]
return render_template("packages/game_hub.html", package=package, count=count,
new=new, updated=updated, pop_mod=pop_mod, pop_txp=pop_txp, pop_gam=pop_gam,

from urllib.parse import quote as urlescape
from flask import render_template
from flask_babel import lazy_gettext, gettext
from flask_wtf import FlaskForm
from flask_login import login_required
from sqlalchemy import or_, func
from sqlalchemy.orm import joinedload, subqueryload
from wtforms import *
from wtforms_sqlalchemy.fields import QuerySelectField, QuerySelectMultipleField
from wtforms.validators import *
from app.querybuilder import QueryBuilder
from app.rediscache import has_key, set_key
from app.tasks.importtasks import importRepoScreenshot
from app.utils import *
from . import bp, get_package_tabs
from app.logic.LogicError import LogicError
from app.logic.packages import do_edit_package
from app.models.packages import PackageProvides
from app.tasks.webhooktasks import post_discord_webhook
def list_all():
qb = QueryBuilder(request.args)
query = qb.buildPackageQuery()
title = qb.title
query = query.options(
ip = request.headers.get("X-Forwarded-For") or request.remote_addr
if ip is not None and not is_user_bot():
edited = False
for tag in qb.tags:
edited = True
key = "tag/{}/{}".format(ip,
if not has_key(key):
set_key(key, "true")
"views": Tag.views + 1
if edited:
if qb.lucky:
package = query.first()
if package:
return redirect(package.getURL("packages.view"))
topic = qb.buildTopicQuery().first()
if and topic:
return redirect("" + str(topic.topic_id))
page = get_int_or_abort(request.args.get("page"), 1)
num = min(40, get_int_or_abort(request.args.get("n"), 100))
query = query.paginate(page, num, True)
search = request.args.get("q")
type_name = request.args.get("type")
authors = []
if search:
authors = User.query \
.filter(or_(*[func.lower(User.username) == name.lower().strip() for name in search.split(" ")])) \
authors = [(author.username, search.lower().replace(author.username.lower(), "")) for author in authors]
topics = None
if and not query.has_next:
qb.show_discarded = True
topics = qb.buildTopicQuery().all()
tags_query = db.session.query(func.count(Tags.c.tag_id), Tag) \
tags = qb.filterPackageQuery(tags_query).all()
selected_tags = set(qb.tags)
return render_template("packages/list.html",
query_hint=title, packages=query.items, pagination=query,
query=search, tags=tags, selected_tags=selected_tags, type=type_name,
authors=authors,, topics=topics)
def getReleases(package):
if package.checkPerm(current_user, Permission.MAKE_RELEASE):
return package.releases.limit(5)
return package.releases.filter_by(approved=True).limit(5)
def view(package):
show_similar = not package.approved and (
current_user in package.maintainers or
package.checkPerm(current_user, Permission.APPROVE_NEW))
conflicting_modnames = None
if show_similar and package.type != PackageType.TXP:
conflicting_modnames = db.session.query( \
.filter([ for mp in package.provides ])) \
.filter(MetaPackage.packages.any( != \
conflicting_modnames += db.session.query( \
.filter([ for mp in package.provides ])) \
.filter(ForumTopic.topic_id != package.forums) \
.filter(~ db.exists().where(Package.forums==ForumTopic.topic_id)) \
.order_by(db.asc(, db.asc(ForumTopic.title)) \
conflicting_modnames = set([x[0] for x in conflicting_modnames])
packages_uses = None
if package.type == PackageType.MOD:
packages_uses = Package.query.filter(
Package.type == PackageType.MOD, !=,
Package.state == PackageState.APPROVED,
Dependency.meta_package_id.in_([ for p in package.provides]))) \
releases = getReleases(package)
review_thread = package.review_thread
if review_thread is not None and not review_thread.checkPerm(current_user, Permission.SEE_THREAD):
review_thread = None
topic_error = None
topic_error_lvl = "warning"
if package.state != PackageState.APPROVED and package.forums is not None:
errors = []
if Package.query.filter(Package.forums==package.forums, Package.state!=PackageState.DELETED).count() > 1:
errors.append("<b>" + gettext("Error: Another package already uses this forum topic!") + "</b>")
topic_error_lvl = "danger"
topic = ForumTopic.query.get(package.forums)
if topic is not None:
if !=
errors.append("<b>" + gettext("Error: Forum topic author doesn't match package author.") + "</b>")
topic_error_lvl = "danger"
elif package.type != PackageType.TXP:
errors.append(gettext("Warning: Forum topic not found. This may happen if the topic has only just been created."))
topic_error = "<br />".join(errors)
threads = Thread.query.filter_by(, review_id=None)
if not current_user.is_authenticated:
threads = threads.filter_by(private=False)
elif not current_user.rank.atLeast(UserRank.APPROVER) and not current_user ==
threads = threads.filter(or_(Thread.private == False, == current_user))
has_review = current_user.is_authenticated and PackageReview.query.filter_by(package=package, author=current_user).count() > 0
return render_template("packages/view.html",
package=package, releases=releases, packages_uses=packages_uses,
review_thread=review_thread, topic_error=topic_error, topic_error_lvl=topic_error_lvl,
threads=threads.all(), has_review=has_review)
def shield(package, type):
if type == "title":
url = "{}&color={}" \
.format(urlescape(package.title), urlescape("#375a7f"))
elif type == "downloads":
#api_url = abs_url_for("api.package",,
api_url = "" + url_for("api.package",,
url = "{}&label=ContentDB&query=downloads&suffix=+downloads&url={}" \
.format(urlescape("#375a7f"), urlescape(api_url))
return redirect(url)
def download(package):
release = package.getDownloadRelease()
if release is None:
if "application/zip" in request.accept_mimetypes and \
not "text/html" in request.accept_mimetypes:
return "", 204
flash(gettext("No download available."), "danger")
return redirect(package.getURL("packages.view"))
return redirect(release.getDownloadURL())
def makeLabel(obj):
if obj.description:
return "{}: {}".format(obj.title, obj.description)
return obj.title
class PackageForm(FlaskForm):
type = SelectField(lazy_gettext("Type"), [InputRequired()], choices=PackageType.choices(), coerce=PackageType.coerce, default=PackageType.MOD)
title = StringField(lazy_gettext("Title (Human-readable)"), [InputRequired(), Length(1, 100)])
name = StringField(lazy_gettext("Name (Technical)"), [InputRequired(), Length(1, 100), Regexp("^[a-z0-9_]+$", 0, lazy_gettext("Lower case letters (a-z), digits (0-9), and underscores (_) only"))])
short_desc = StringField(lazy_gettext("Short Description (Plaintext)"), [InputRequired(), Length(1,200)])
dev_state = SelectField(lazy_gettext("Maintenance State"), [InputRequired()], choices=PackageDevState.choices(with_none=True), coerce=PackageDevState.coerce)
tags = QuerySelectMultipleField(lazy_gettext('Tags'), query_factory=lambda: Tag.query.order_by(db.asc(, get_pk=lambda a:, get_label=makeLabel)
content_warnings = QuerySelectMultipleField(lazy_gettext('Content Warnings'), query_factory=lambda: ContentWarning.query.order_by(db.asc(, get_pk=lambda a:, get_label=makeLabel)
license = QuerySelectField(lazy_gettext("License"), [DataRequired()], allow_blank=True, query_factory=lambda: License.query.order_by(db.asc(, get_pk=lambda a:, get_label=lambda a:
media_license = QuerySelectField(lazy_gettext("Media License"), [DataRequired()], allow_blank=True, query_factory=lambda: License.query.order_by(db.asc(, get_pk=lambda a:, get_label=lambda a:
desc = TextAreaField(lazy_gettext("Long Description (Markdown)"), [Optional(), Length(0,10000)])
repo = StringField(lazy_gettext("VCS Repository URL"), [Optional(), URL()], filters = [lambda x: x or None])
website = StringField(lazy_gettext("Website URL"), [Optional(), URL()], filters = [lambda x: x or None])
issueTracker = StringField(lazy_gettext("Issue Tracker URL"), [Optional(), URL()], filters = [lambda x: x or None])
forums = IntegerField(lazy_gettext("Forum Topic ID"), [Optional(), NumberRange(0,999999)])
video_url = StringField(lazy_gettext("Video URL"), [Optional(), URL()], filters = [lambda x: x or None])
submit = SubmitField(lazy_gettext("Save"))
@bp.route("/packages/new/", methods=["GET", "POST"])
@bp.route("/packages/<author>/<name>/edit/", methods=["GET", "POST"])
def create_edit(author=None, name=None):
package = None
if author is None:
form = PackageForm(formdata=request.form)
author = request.args.get("author")
if author is None or author == current_user.username:
author = current_user
author = User.query.filter_by(username=author).first()
if author is None:
flash(gettext("Unable to find that user"), "danger")
return redirect(url_for("packages.create_edit"))
if not author.checkPerm(current_user, Permission.CHANGE_AUTHOR):
flash(gettext("Permission denied"), "danger")
return redirect(url_for("packages.create_edit"))
package = getPackageByInfo(author, name)
if package is None:
if not package.checkPerm(current_user, Permission.EDIT_PACKAGE):
return redirect(package.getURL("packages.view"))
author =
form = PackageForm(formdata=request.form, obj=package)
# Initial form class from post data and default data
if request.method == "GET":
if package is None: = request.args.get("bname") = request.args.get("title") = request.args.get("repo") = request.args.get("forums") = None = None
else: = package.tags = package.content_warnings
if request.method == "POST" and == PackageType.TXP: =
if form.validate_on_submit():
wasNew = False
if not package:
package = Package.query.filter_by(name=form["name"].data,
if package is not None:
if package.state == PackageState.READY_FOR_REVIEW:
flash(gettext("Package already exists!"), "danger")
return redirect(url_for("packages.create_edit"))
package = Package() = author
wasNew = True
do_edit_package(current_user, package, wasNew, True, {
"tags": form.tags.raw_data,
"content_warnings": form.content_warnings.raw_data,
if wasNew and package.repo is not None:
next_url = package.getURL("packages.view")
if wasNew and ("WTFPL" in or "WTFPL" in
next_url = url_for("flatpage", path="help/wtfpl", r=next_url)
elif wasNew:
next_url = package.getURL("packages.setup_releases")
return redirect(next_url)
except LogicError as e:
flash(e.message, "danger")
package_query = Package.query.filter_by(state=PackageState.APPROVED)
if package is not None:
package_query = package_query.filter( !=
enableWizard = name is None and request.method != "POST"
return render_template("packages/create_edit.html", package=package,
form=form, author=author, enable_wizard=enableWizard,
tabs=get_package_tabs(current_user, package), current_tab="edit")
@bp.route("/packages/<author>/<name>/state/", methods=["POST"])
def move_to_state(package):
state = PackageState.get(request.args.get("state"))
if state is None:
if not package.canMoveToState(current_user, state):
flash(gettext("You don't have permission to do that"), "danger")
return redirect(package.getURL("packages.view"))
package.state = state
msg = "Marked {} as {}".format(package.title, state.value)
if state == PackageState.APPROVED:
if not package.approved_at:
"New package {}".format(package.getURL("packages.view", absolute=True)), False)
package.approved_at =
screenshots = PackageScreenshot.query.filter_by(package=package, approved=False).all()
for s in screenshots:
s.approved = True
msg = "Approved {}".format(package.title)
elif state == PackageState.READY_FOR_REVIEW:
"Ready for Review: {}".format(package.getURL("packages.view", absolute=True)), True)
addNotification(package.maintainers, current_user, NotificationType.PACKAGE_APPROVAL, msg, package.getURL("packages.view"), package)
severity = AuditSeverity.NORMAL if current_user in package.maintainers else AuditSeverity.EDITOR
addAuditLog(severity, current_user, msg, package.getURL("packages.view"), package)
if package.state == PackageState.CHANGES_NEEDED:
flash(gettext("Please comment what changes are needed in the approval thread"), "warning")
if package.review_thread:
return redirect(package.review_thread.getViewURL())
return redirect(url_for('',, title='Package approval comments'))
return redirect(package.getURL("packages.view"))
@bp.route("/packages/<author>/<name>/remove/", methods=["GET", "POST"])
def remove(package):
if request.method == "GET":
return render_template("packages/remove.html", package=package,
tabs=get_package_tabs(current_user, package), current_tab="remove")
reason = request.form.get("reason") or "?"
if "delete" in request.form:
if not package.checkPerm(current_user, Permission.DELETE_PACKAGE):
flash(gettext("You don't have permission to do that."), "danger")
return redirect(package.getURL("packages.view"))
package.state = PackageState.DELETED
url = url_for("users.profile",
msg = "Deleted {}, reason={}".format(package.title, reason)
addNotification(package.maintainers, current_user, NotificationType.PACKAGE_EDIT, msg, url, package)
addAuditLog(AuditSeverity.EDITOR, current_user, msg, url)
flash(gettext("Deleted package"), "success")
return redirect(url)
elif "unapprove" in request.form:
if not package.checkPerm(current_user, Permission.UNAPPROVE_PACKAGE):
flash(gettext("You don't have permission to do that."), "danger")
return redirect(package.getURL("packages.view"))
package.state = PackageState.WIP
msg = "Unapproved {}, reason={}".format(package.title, reason)
addNotification(package.maintainers, current_user, NotificationType.PACKAGE_APPROVAL, msg, package.getURL("packages.view"), package)
addAuditLog(AuditSeverity.EDITOR, current_user, msg, package.getURL("packages.view"), package)
flash(gettext("Unapproved package"), "success")
return redirect(package.getURL("packages.view"))
class PackageMaintainersForm(FlaskForm):
maintainers_str = StringField(lazy_gettext("Maintainers (Comma-separated)"), [Optional()])
submit = SubmitField(lazy_gettext("Save"))
@bp.route("/packages/<author>/<name>/edit-maintainers/", methods=["GET", "POST"])
def edit_maintainers(package):
if not package.checkPerm(current_user, Permission.EDIT_MAINTAINERS):
flash(gettext("You do not have permission to edit maintainers"), "danger")
return redirect(package.getURL("packages.view"))
form = PackageMaintainersForm(formdata=request.form)
if request.method == "GET": = ", ".join([ x.username for x in package.maintainers if x != ])
if form.validate_on_submit():
usernames = [x.strip().lower() for x in",")]
users = User.query.filter(func.lower(User.username).in_(usernames)).all()
thread = package.threads.filter_by(author=get_system_user()).first()
for user in users:
if not user in package.maintainers:
if thread:
addNotification(user, current_user, NotificationType.MAINTAINER,
"Added you as a maintainer of {}".format(package.title), package.getURL("packages.view"), package)
for user in package.maintainers:
if user != and not user in users:
addNotification(user, current_user, NotificationType.MAINTAINER,
"Removed you as a maintainer of {}".format(package.title), package.getURL("packages.view"), package)
if not in package.maintainers:
msg = "Edited {} maintainers".format(package.title)
addNotification(, current_user, NotificationType.MAINTAINER, msg, package.getURL("packages.view"), package)
severity = AuditSeverity.NORMAL if current_user == else AuditSeverity.MODERATION
addAuditLog(severity, current_user, msg, package.getURL("packages.view"), package)
return redirect(package.getURL("packages.view"))
users = User.query.filter(User.rank >= UserRank.NEW_MEMBER).order_by(db.asc(User.username)).all()
return render_template("packages/edit_maintainers.html", package=package, form=form,
users=users, tabs=get_package_tabs(current_user, package), current_tab="maintainers")
@bp.route("/packages/<author>/<name>/remove-self-maintainer/", methods=["POST"])
def remove_self_maintainers(package):
if not current_user in package.maintainers:
flash(gettext("You are not a maintainer"), "danger")
elif current_user ==
flash(gettext("Package owners cannot remove themselves as maintainers"), "danger")
addNotification(, current_user, NotificationType.MAINTAINER,
"Removed themself as a maintainer of {}".format(package.title), package.getURL("packages.view"), package)
return redirect(package.getURL("packages.view"))
def audit(package):
if not (package.checkPerm(current_user, Permission.EDIT_PACKAGE) or
package.checkPerm(current_user, Permission.APPROVE_NEW)):
page = get_int_or_abort(request.args.get("page"), 1)
num = min(40, get_int_or_abort(request.args.get("n"), 100))
query = package.audit_log_entries.order_by(db.desc(AuditLogEntry.created_at))
pagination = query.paginate(page, num, True)
return render_template("packages/audit.html", log=pagination.items, pagination=pagination,
package=package, tabs=get_package_tabs(current_user, package), current_tab="audit")
class PackageAliasForm(FlaskForm):
author = StringField(lazy_gettext("Author Name"), [InputRequired(), Length(1, 50)])
name = StringField(lazy_gettext("Name (Technical)"), [InputRequired(), Length(1, 100),
Regexp("^[a-z0-9_]+$", 0, lazy_gettext("Lower case letters (a-z), digits (0-9), and underscores (_) only"))])
submit = SubmitField(lazy_gettext("Save"))
def alias_list(package: Package):
return render_template("packages/alias_list.html", package=package)
@bp.route("/packages/<author>/<name>/aliases/new/", methods=["GET", "POST"])
@bp.route("/packages/<author>/<name>/aliases/<int:alias_id>/", methods=["GET", "POST"])
def alias_create_edit(package: Package, alias_id: int = None):
alias = None
if alias_id:
alias = PackageAlias.query.get(alias_id)
if alias is None or alias.package != package:
form = PackageAliasForm(request.form, obj=alias)
if form.validate_on_submit():
if alias is None:
alias = PackageAlias()
alias.package = package
return redirect(package.getURL("packages.alias_list"))
return render_template("packages/alias_create_edit.html", package=package, form=form)
def share(package):
return render_template("packages/share.html", package=package,
tabs=get_package_tabs(current_user, package), current_tab="share")
def similar(package):
packages_modnames = {}
for metapackage in package.provides:
packages_modnames[metapackage] = Package.query.filter( !=,
Package.state != PackageState.DELETED) \
.filter(Package.provides.any(PackageProvides.c.metapackage_id == \
.order_by(db.desc(Package.score)) \
similar_topics = ForumTopic.query \
.filter_by( \
.filter(ForumTopic.topic_id != package.forums) \
.filter(~ db.exists().where(Package.forums == ForumTopic.topic_id)) \
.order_by(db.asc(, db.asc(ForumTopic.title)) \
return render_template("packages/similar.html", package=package,
packages_modnames=packages_modnames, similar_topics=similar_topics)

from flask import *
from flask_babel import gettext, lazy_gettext
from flask_login import login_required
from flask_wtf import FlaskForm
from wtforms import *
from wtforms_sqlalchemy.fields import QuerySelectField
from wtforms.validators import *
from app.logic.releases import do_create_vcs_release, LogicError, do_create_zip_release
from app.rediscache import has_key, set_key, make_download_key
from app.tasks.importtasks import check_update_config
from app.utils import *
from . import bp, get_package_tabs
@bp.route("/packages/<author>/<name>/releases/", methods=["GET", "POST"])
def list_releases(package):
return render_template("packages/releases_list.html",
tabs=get_package_tabs(current_user, package), current_tab="releases")
def get_mt_releases(is_max):
query = MinetestRelease.query.order_by(db.asc(
if is_max:
query = query.limit(query.count() - 1)
query = query.filter( != "0.4.17")
return query
class CreatePackageReleaseForm(FlaskForm):
title = StringField(lazy_gettext("Title"), [InputRequired(), Length(1, 30)])
uploadOpt = RadioField(lazy_gettext("Method"), choices=[("upload", lazy_gettext("File Upload"))], default="upload")
vcsLabel = StringField(lazy_gettext("Git reference (ie: commit hash, branch, or tag)"), default=None)
fileUpload = FileField(lazy_gettext("File Upload"))
min_rel = QuerySelectField(lazy_gettext("Minimum Minetest Version"), [InputRequired()],
query_factory=lambda: get_mt_releases(False), get_pk=lambda a:, get_label=lambda a:
max_rel = QuerySelectField(lazy_gettext("Maximum Minetest Version"), [InputRequired()],
query_factory=lambda: get_mt_releases(True), get_pk=lambda a:, get_label=lambda a:
submit = SubmitField(lazy_gettext("Save"))
class EditPackageReleaseForm(FlaskForm):
title = StringField(lazy_gettext("Title"), [InputRequired(), Length(1, 30)])
url = StringField(lazy_gettext("URL"), [Optional()])
task_id = StringField(lazy_gettext("Task ID"), filters = [lambda x: x or None])
approved = BooleanField(lazy_gettext("Is Approved"))
min_rel = QuerySelectField(lazy_gettext("Minimum Minetest Version"), [InputRequired()],
query_factory=lambda: get_mt_releases(False), get_pk=lambda a:, get_label=lambda a:
max_rel = QuerySelectField(lazy_gettext("Maximum Minetest Version"), [InputRequired()],
query_factory=lambda: get_mt_releases(True), get_pk=lambda a:, get_label=lambda a:
submit = SubmitField(lazy_gettext("Save"))
@bp.route("/packages/<author>/<name>/releases/new/", methods=["GET", "POST"])
def create_release(package):
if not package.checkPerm(current_user, Permission.MAKE_RELEASE):
return redirect(package.getURL("packages.view"))
# Initial form class from post data and default data
form = CreatePackageReleaseForm()
if package.repo is not None:
form["uploadOpt"].choices = [("vcs", gettext("Import from Git")), ("upload", gettext("Upload .zip file"))]
if request.method == "GET":
form["uploadOpt"].data = "vcs" = request.args.get("ref")
if request.method == "GET": = request.args.get("title")
if form.validate_on_submit():
if form["uploadOpt"].data == "vcs":
rel = do_create_vcs_release(current_user, package,,,,
rel = do_create_zip_release(current_user, package,,,,
return redirect(url_for("tasks.check", id=rel.task_id, r=rel.getEditURL()))
except LogicError as e:
flash(e.message, "danger")
return render_template("packages/release_new.html", package=package, form=form)
def download_release(package, id):
release = PackageRelease.query.get(id)
if release is None or release.package != package:
ip = request.headers.get("X-Forwarded-For") or request.remote_addr
if ip is not None and not is_user_bot():
key = make_download_key(ip, release.package)
if not has_key(key):
set_key(key, "true")
bonus = 1
"downloads": PackageRelease.downloads + 1
"downloads": Package.downloads + 1,
"score_downloads": Package.score_downloads + bonus,
"score": Package.score + bonus
return redirect(release.url)
@bp.route("/packages/<author>/<name>/releases/<id>/", methods=["GET", "POST"])
def edit_release(package, id):
release : PackageRelease = PackageRelease.query.get(id)
if release is None or release.package != package:
canEdit = package.checkPerm(current_user, Permission.MAKE_RELEASE)
canApprove = release.checkPerm(current_user, Permission.APPROVE_RELEASE)
if not (canEdit or canApprove):
return redirect(package.getURL("packages.view"))
# Initial form class from post data and default data
form = EditPackageReleaseForm(formdata=request.form, obj=release)
if request.method == "GET":
# HACK: fix bug in wtforms = release.approved
if form.validate_on_submit():
if canEdit:
release.title = form["title"].data
release.min_rel = form["min_rel"].data.getActual()
release.max_rel = form["max_rel"].data.getActual()
if package.checkPerm(current_user, Permission.CHANGE_RELEASE_URL):
release.url = form["url"].data
release.task_id = form["task_id"].data
if release.task_id is not None:
release.task_id = None
elif canApprove:
release.approved = False
return redirect(package.getURL("packages.list_releases"))
return render_template("packages/release_edit.html", package=package, release=release, form=form)
class BulkReleaseForm(FlaskForm):
set_min = BooleanField(lazy_gettext("Set Min"))
min_rel = QuerySelectField(lazy_gettext("Minimum Minetest Version"), [InputRequired()],
query_factory=lambda: get_mt_releases(False), get_pk=lambda a:, get_label=lambda a:
set_max = BooleanField(lazy_gettext("Set Max"))
max_rel = QuerySelectField(lazy_gettext("Maximum Minetest Version"), [InputRequired()],
query_factory=lambda: get_mt_releases(True), get_pk=lambda a:, get_label=lambda a:
only_change_none = BooleanField(lazy_gettext("Only change values previously set as none"))
submit = SubmitField(lazy_gettext("Update"))
@bp.route("/packages/<author>/<name>/releases/bulk_change/", methods=["GET", "POST"])
def bulk_change_release(package):
if not package.checkPerm(current_user, Permission.MAKE_RELEASE):
return redirect(package.getURL("packages.view"))
# Initial form class from post data and default data
form = BulkReleaseForm()
if request.method == "GET": = True
elif form.validate_on_submit():
only_change_none =
for release in package.releases.all():
if form["set_min"].data and (not only_change_none or release.min_rel is None):
release.min_rel = form["min_rel"].data.getActual()
if form["set_max"].data and (not only_change_none or release.max_rel is None):
release.max_rel = form["max_rel"].data.getActual()
return redirect(package.getURL("packages.list_releases"))
return render_template("packages/release_bulk_change.html", package=package, form=form)
@bp.route("/packages/<author>/<name>/releases/<id>/delete/", methods=["POST"])
def delete_release(package, id):
release = PackageRelease.query.get(id)
if release is None or release.package != package:
if not release.checkPerm(current_user, Permission.DELETE_RELEASE):
return redirect(package.getURL("packages.list_releases"))
return redirect(package.getURL("packages.view"))
class PackageUpdateConfigFrom(FlaskForm):
trigger = RadioField(lazy_gettext("Trigger"), [InputRequired()],
choices=[(PackageUpdateTrigger.COMMIT, lazy_gettext("New Commit")),
(PackageUpdateTrigger.TAG, lazy_gettext("New Tag"))],
coerce=PackageUpdateTrigger.coerce, default=PackageUpdateTrigger.TAG)
ref = StringField(lazy_gettext("Branch name"), [Optional()], default=None)
action = RadioField(lazy_gettext("Action"), [InputRequired()],
choices=[("notification", lazy_gettext("Send notification and mark as outdated")), ("make_release", lazy_gettext("Create release"))],
submit = SubmitField(lazy_gettext("Save Settings"))
disable = SubmitField(lazy_gettext("Disable Automation"))
def set_update_config(package, form):
if package.update_config is None:
package.update_config = PackageUpdateConfig()
package.update_config.ref = nonEmptyOrNone(
package.update_config.make_release = == "make_release"
if package.update_config.trigger == PackageUpdateTrigger.COMMIT:
if package.update_config.last_commit is None:
last_release = package.releases.first()
if last_release and last_release.commit_hash:
package.update_config.last_commit = last_release.commit_hash
elif package.update_config.trigger == PackageUpdateTrigger.TAG:
# Only create releases for tags created after this
package.update_config.last_commit = None
package.update_config.last_tag = None
package.update_config.outdated_at = None
package.update_config.auto_created = False
if package.update_config.last_commit is None:
@bp.route("/packages/<author>/<name>/update-config/", methods=["GET", "POST"])
def update_config(package):
if not package.checkPerm(current_user, Permission.MAKE_RELEASE):
if not package.repo:
flash(gettext("Please add a Git repository URL in order to set up automatic releases"), "danger")
return redirect(package.getURL("packages.create_edit"))
form = PackageUpdateConfigFrom(obj=package.update_config)
if request.method == "GET":
if package.update_config: = "make_release" if package.update_config.make_release else "notification"
elif request.args.get("action") == "notification": = PackageUpdateTrigger.COMMIT = "notification"
if "trigger" in request.args: = PackageUpdateTrigger.get(request.args["trigger"])
if form.validate_on_submit():
flash(gettext("Deleted update configuration"), "success")
if package.update_config:
set_update_config(package, form)
if not and package.releases.count() == 0:
flash(gettext("Now, please create an initial release"), "success")
return redirect(package.getURL("packages.create_release"))
return redirect(package.getURL("packages.list_releases"))
return render_template("packages/update_config.html", package=package, form=form)
def setup_releases(package):
if not package.checkPerm(current_user, Permission.MAKE_RELEASE):
if package.update_config:
return redirect(package.getURL("packages.update_config"))
return render_template("packages/release_wizard.html", package=package)
@bp.route("/users/<username>/update-configs/", methods=["GET", "POST"])
def bulk_update_config(username=None):
if username is None:
return redirect(url_for("packages.bulk_update_config", username=current_user.username))
user: User = User.query.filter_by(username=username).first()
if not user:
if current_user != user and not current_user.rank.atLeast(UserRank.EDITOR):
form = PackageUpdateConfigFrom()
if form.validate_on_submit():
for package in user.packages.filter(Package.state != PackageState.DELETED, Package.repo.isnot(None)).all():
set_update_config(package, form)
return redirect(url_for("packages.bulk_update_config", username=username))
confs = user.packages \
.filter(Package.state != PackageState.DELETED,
Package.update_config.has()) \
return render_template("packages/bulk_update_conf.html", user=user, confs=confs, form=form)

from collections import namedtuple
from flask_babel import gettext, lazy_gettext
from . import bp
from flask import *
from flask_login import current_user, login_required
from flask_wtf import FlaskForm
from wtforms import *
from wtforms.validators import *
from app.models import db, PackageReview, Thread, ThreadReply, NotificationType, PackageReviewVote, Package, UserRank, \
Permission, AuditSeverity
from app.utils import is_package_page, addNotification, get_int_or_abort, isYes, is_safe_url, rank_required, addAuditLog
from app.tasks.webhooktasks import post_discord_webhook
def list_reviews():
page = get_int_or_abort(request.args.get("page"), 1)
num = min(40, get_int_or_abort(request.args.get("n"), 100))
pagination = PackageReview.query.order_by(db.desc(PackageReview.created_at)).paginate(page, num, True)
return render_template("packages/reviews_list.html", pagination=pagination, reviews=pagination.items)
class ReviewForm(FlaskForm):
title = StringField(lazy_gettext("Title"), [InputRequired(), Length(3,100)])
comment = TextAreaField(lazy_gettext("Comment"), [InputRequired(), Length(10, 2000)])
recommends = RadioField(lazy_gettext("Private"), [InputRequired()],
choices=[("yes", lazy_gettext("Yes")), ("no", lazy_gettext("No"))])
submit = SubmitField(lazy_gettext("Save"))
@bp.route("/packages/<author>/<name>/review/", methods=["GET", "POST"])
def review(package):
if current_user in package.maintainers:
flash(gettext("You can't review your own package!"), "danger")
return redirect(package.getURL("packages.view"))
review = PackageReview.query.filter_by(package=package, author=current_user).first()
form = ReviewForm(formdata=request.form, obj=review)
# Set default values
if request.method == "GET" and review: = review.thread.title = "yes" if review.recommends else "no" = review.thread.replies[0].comment
# Validate and submit
elif form.validate_on_submit():
was_new = False
if not review:
was_new = True
review = PackageReview()
review.package = package = current_user
review.recommends = == "yes"
thread = review.thread
if not thread:
thread = Thread() = current_user
thread.private = False
thread.package = package = review
reply = ThreadReply()
reply.thread = thread = current_user
reply.comment =
reply = thread.replies[0]
reply.comment =
thread.title =
if was_new:
notif_msg = "New review '{}'".format(
type = NotificationType.NEW_REVIEW
notif_msg = "Updated review '{}'".format(
type = NotificationType.OTHER
addNotification(package.maintainers, current_user, type, notif_msg,
url_for("threads.view",, package)
if was_new:
"Reviewed {}: {}".format(package.title, thread.getViewURL(absolute=True)), False)
return redirect(package.getURL("packages.view"))
return render_template("packages/review_create_edit.html",
form=form, package=package, review=review)
@bp.route("/packages/<author>/<name>/reviews/<reviewer>/delete/", methods=["POST"])
def delete_review(package, reviewer):
review = PackageReview.query \
.filter(PackageReview.package == package, \
if review is None or review.package != package:
if not review.checkPerm(current_user, Permission.DELETE_REVIEW):
thread = review.thread
reply = ThreadReply()
reply.thread = thread = current_user
reply.comment = "_converted review into a thread_"
db.session.add(reply) = None
msg = "Converted review by {} to thread".format(
addAuditLog(AuditSeverity.MODERATION if current_user.username != reviewer else AuditSeverity.NORMAL,
current_user, msg, thread.getViewURL(), thread.package)
notif_msg = "Deleted review '{}', comments were kept as a thread".format(thread.title)
addNotification(package.maintainers, current_user, NotificationType.OTHER, notif_msg, url_for("threads.view",, package)
return redirect(thread.getViewURL())
def handle_review_vote(package: Package, review_id: int):
if current_user in package.maintainers:
flash(gettext("You can't vote on the reviews on your own package!"), "danger")
review: PackageReview = PackageReview.query.get(review_id)
if review is None or review.package != package:
if == current_user:
flash(gettext("You can't vote on your own reviews!"), "danger")
is_positive = isYes(request.form["is_positive"])
vote = PackageReviewVote.query.filter_by(review=review, user=current_user).first()
if vote is None:
vote = PackageReviewVote() = review
vote.user = current_user
vote.is_positive = is_positive
elif vote.is_positive == is_positive:
vote.is_positive = is_positive
@bp.route("/packages/<author>/<name>/review/<int:review_id>/", methods=["POST"])
def review_vote(package, review_id):
handle_review_vote(package, review_id)
next_url = request.args.get("r")
if next_url and is_safe_url(next_url):
return redirect(next_url)
return redirect(review.thread.getViewURL())
def review_votes(package):
user_biases = {}
for review in
review_sign = 1 if review.recommends else -1
for vote in review.votes:
user_biases[vote.user.username] = user_biases.get(vote.user.username, [0, 0])
vote_sign = 1 if vote.is_positive else -1
vote_bias = review_sign * vote_sign
if vote_bias == 1:
user_biases[vote.user.username][0] += 1
user_biases[vote.user.username][1] += 1
BiasInfo = namedtuple("BiasInfo", "username balance with_ against no_vote perc_with")
user_biases_info = []
for username, bias in user_biases.items():
total_votes = bias[0] + bias[1]
balance = bias[0] - bias[1]
perc_with = round((100 * bias[0]) / total_votes)
user_biases_info.append(BiasInfo(username, balance, bias[0], bias[1], len( - total_votes, perc_with))
user_biases_info.sort(key=lambda x: -abs(x.balance))
return render_template("packages/review_votes.html", form=form, package=package,,

from flask import *
from flask_babel import gettext, lazy_gettext
from flask_wtf import FlaskForm
from flask_login import login_required
from wtforms import *
from wtforms_sqlalchemy.fields import QuerySelectField
from wtforms.validators import *
from app.utils import *
from . import bp, get_package_tabs
from app.logic.LogicError import LogicError
from app.logic.screenshots import do_create_screenshot, do_order_screenshots
class CreateScreenshotForm(FlaskForm):
title = StringField(lazy_gettext("Title/Caption"), [Optional(), Length(-1, 100)])
fileUpload = FileField(lazy_gettext("File Upload"), [InputRequired()])
submit = SubmitField(lazy_gettext("Save"))
class EditScreenshotForm(FlaskForm):
title = StringField(lazy_gettext("Title/Caption"), [Optional(), Length(-1, 100)])
approved = BooleanField(lazy_gettext("Is Approved"))
submit = SubmitField(lazy_gettext("Save"))
class EditPackageScreenshotsForm(FlaskForm):
cover_image = QuerySelectField(lazy_gettext("Cover Image"), [DataRequired()], allow_blank=True, get_pk=lambda a:, get_label=lambda a: a.title)
submit = SubmitField(lazy_gettext("Save"))
@bp.route("/packages/<author>/<name>/screenshots/", methods=["GET", "POST"])
def screenshots(package):
if not package.checkPerm(current_user, Permission.ADD_SCREENSHOTS):
return redirect(package.getURL("packages.view"))
if package.screenshots.count() == 0:
return redirect(package.getURL("packages.create_screenshot"))
form = EditPackageScreenshotsForm(obj=package)
form.cover_image.query = package.screenshots
if request.method == "POST":
order = request.form.get("order")
if order:
do_order_screenshots(current_user, package, order.split(","))
return redirect(package.getURL("packages.view"))
except LogicError as e:
flash(e.message, "danger")
if form.validate_on_submit():
return render_template("packages/screenshots.html", package=package, form=form,
tabs=get_package_tabs(current_user, package), current_tab="screenshots")
@bp.route("/packages/<author>/<name>/screenshots/new/", methods=["GET", "POST"])
def create_screenshot(package):
if not package.checkPerm(current_user, Permission.ADD_SCREENSHOTS):
return redirect(package.getURL("packages.view"))
# Initial form class from post data and default data
form = CreateScreenshotForm()
if form.validate_on_submit():
do_create_screenshot(current_user, package,,, False)
return redirect(package.getURL("packages.screenshots"))
except LogicError as e:
flash(e.message, "danger")
return render_template("packages/screenshot_new.html", package=package, form=form)
@bp.route("/packages/<author>/<name>/screenshots/<id>/edit/", methods=["GET", "POST"])
def edit_screenshot(package, id):
screenshot = PackageScreenshot.query.get(id)
if screenshot is None or screenshot.package != package:
canEdit = package.checkPerm(current_user, Permission.ADD_SCREENSHOTS)
canApprove = package.checkPerm(current_user, Permission.APPROVE_SCREENSHOT)
if not (canEdit or canApprove):
return redirect(package.getURL("packages.screenshots"))
# Initial form class from post data and default data
form = EditScreenshotForm(obj=screenshot)
if form.validate_on_submit():
wasApproved = screenshot.approved
if canEdit:
screenshot.title = form["title"].data or "Untitled"
if canApprove:
screenshot.approved = form["approved"].data
screenshot.approved = wasApproved
return redirect(package.getURL("packages.screenshots"))
return render_template("packages/screenshot_edit.html", package=package, screenshot=screenshot, form=form)
@bp.route("/packages/<author>/<name>/screenshots/<id>/delete/", methods=["POST"])
def delete_screenshot(package, id):
screenshot = PackageScreenshot.query.get(id)
if screenshot is None or screenshot.package != package:
if not package.checkPerm(current_user, Permission.ADD_SCREENSHOTS):
flash(gettext("Permission denied"), "danger")
return redirect(url_for("homepage.home"))
if package.cover_image == screenshot:
package.cover_image = None
return redirect(package.getURL("packages.screenshots"))

from flask import Blueprint, request, render_template, url_for
from flask_babel import lazy_gettext
from flask_login import current_user
from flask_wtf import FlaskForm
from werkzeug.utils import redirect
from wtforms import TextAreaField, SubmitField
from wtforms.validators import InputRequired, Length
from app.models import User, UserRank
from app.tasks.emails import send_user_email
from app.tasks.webhooktasks import post_discord_webhook
from app.utils import isNo, abs_url_samesite
bp = Blueprint("report", __name__)
class ReportForm(FlaskForm):
message = TextAreaField(lazy_gettext("Message"), [InputRequired(), Length(10, 10000)])
submit = SubmitField(lazy_gettext("Report"))
@bp.route("/report/", methods=["GET", "POST"])
def report():
is_anon = not current_user.is_authenticated or not isNo(request.args.get("anon"))
url = request.args.get("url")
if url:
url = abs_url_samesite(url)
form = ReportForm(formdata=request.form)
if form.validate_on_submit():
if current_user.is_authenticated:
user_info = f"{current_user.username}"
user_info = request.headers.get("X-Forwarded-For") or request.remote_addr
text = f"{url}\n\n{}"
task = None
for admin in User.query.filter_by(rank=UserRank.ADMIN).all():
task = send_user_email.delay(, admin.locale or "en",
f"User report from {user_info}", text)
post_discord_webhook.delay(None if is_anon else current_user.username, f"**New Report**\n{url}\n\n{}", True)
return redirect(url_for("tasks.check",, r=url_for("homepage.home")))
return render_template("report/index.html", form=form, url=url, is_anon=is_anon)

from flask import *
from flask_babel import gettext, lazy_gettext
from app.markdown import get_user_mentions, render_markdown
from app.tasks.webhooktasks import post_discord_webhook
bp = Blueprint("threads", __name__)
from flask_login import current_user, login_required
from app.models import *
from app.utils import addNotification, isYes, addAuditLog, get_system_user
from flask_wtf import FlaskForm
from wtforms import *
from wtforms.validators import *
from app.utils import get_int_or_abort
def list_all():
query = Thread.query
if not Permission.SEE_THREAD.check(current_user):
query = query.filter_by(private=False)
pid = request.args.get("pid")
if pid:
pid = get_int_or_abort(pid)
query = query.filter_by(package_id=pid)
query = query.filter_by(review_id=None)
query = query.order_by(db.desc(Thread.created_at))
page = get_int_or_abort(request.args.get("page"), 1)
num = min(40, get_int_or_abort(request.args.get("n"), 100))
pagination = query.paginate(page, num, True)
return render_template("threads/list.html", pagination=pagination, threads=pagination.items)
@bp.route("/threads/<int:id>/subscribe/", methods=["POST"])
def subscribe(id):
thread = Thread.query.get(id)
if thread is None or not thread.checkPerm(current_user, Permission.SEE_THREAD):
if current_user in thread.watchers:
flash(gettext("Already subscribed!"), "success")
flash(gettext("Subscribed to thread"), "success")
return redirect(thread.getViewURL())
@bp.route("/threads/<int:id>/unsubscribe/", methods=["POST"])
def unsubscribe(id):
thread = Thread.query.get(id)
if thread is None or not thread.checkPerm(current_user, Permission.SEE_THREAD):
if current_user in thread.watchers:
flash(gettext("Unsubscribed!"), "success")
flash(gettext("Already not subscribed!"), "success")
return redirect(thread.getViewURL())
@bp.route("/threads/<int:id>/set-lock/", methods=["POST"])
def set_lock(id):
thread = Thread.query.get(id)
if thread is None or not thread.checkPerm(current_user, Permission.LOCK_THREAD):
thread.locked = isYes(request.args.get("lock"))
if thread.locked is None:
msg = None
if thread.locked:
msg = "Locked thread '{}'".format(thread.title)
flash(gettext("Locked thread"), "success")
msg = "Unlocked thread '{}'".format(thread.title)
flash(gettext("Unlocked thread"), "success")
addNotification(thread.watchers, current_user, NotificationType.OTHER, msg, thread.getViewURL(), thread.package)
addAuditLog(AuditSeverity.MODERATION, current_user, msg, thread.getViewURL(), thread.package)
return redirect(thread.getViewURL())
@bp.route("/threads/<int:id>/delete/", methods=["GET", "POST"])
def delete_thread(id):
thread = Thread.query.get(id)
if thread is None or not thread.checkPerm(current_user, Permission.DELETE_THREAD):
if request.method == "GET":
return render_template("threads/delete_thread.html", thread=thread)
summary = "\n\n".join([("<{}> {}".format(, reply.comment)) for reply in thread.replies])
msg = "Deleted thread {} by {}".format(thread.title,
addAuditLog(AuditSeverity.MODERATION, current_user, msg, None, thread.package, summary)
return redirect(url_for("homepage.home"))
@bp.route("/threads/<int:id>/delete-reply/", methods=["GET", "POST"])
def delete_reply(id):
thread = Thread.query.get(id)
if thread is None:
reply_id = request.args.get("reply")
if reply_id is None:
reply = ThreadReply.query.get(reply_id)
if reply is None or reply.thread != thread:
if thread.replies[0] == reply:
flash(gettext("Cannot delete thread opening post!"), "danger")
return redirect(thread.getViewURL())
if not reply.checkPerm(current_user, Permission.DELETE_REPLY):
if request.method == "GET":
return render_template("threads/delete_reply.html", thread=thread, reply=reply)
msg = "Deleted reply by {}".format(
addAuditLog(AuditSeverity.MODERATION, current_user, msg, thread.getViewURL(), thread.package, reply.comment)
return redirect(thread.getViewURL())
class CommentForm(FlaskForm):
comment = TextAreaField(lazy_gettext("Comment"), [InputRequired(), Length(10, 2000)])
submit = SubmitField(lazy_gettext("Comment"))
@bp.route("/threads/<int:id>/edit/", methods=["GET", "POST"])
def edit_reply(id):
thread = Thread.query.get(id)
if thread is None:
reply_id = request.args.get("reply")
if reply_id is None:
reply = ThreadReply.query.get(reply_id)
if reply is None or reply.thread != thread:
if not reply.checkPerm(current_user, Permission.EDIT_REPLY):
form = CommentForm(formdata=request.form, obj=reply)
if form.validate_on_submit():
comment =
msg = "Edited reply by {}".format(
severity = AuditSeverity.NORMAL if current_user == else AuditSeverity.MODERATION
addNotification(, current_user, NotificationType.OTHER, msg, thread.getViewURL(), thread.package)
addAuditLog(severity, current_user, msg, thread.getViewURL(), thread.package, reply.comment)
reply.comment = comment
return redirect(thread.getViewURL())
return render_template("threads/edit_reply.html", thread=thread, reply=reply, form=form)
@bp.route("/threads/<int:id>/", methods=["GET", "POST"])
def view(id):
thread: Thread = Thread.query.get(id)
if thread is None or not thread.checkPerm(current_user, Permission.SEE_THREAD):
if current_user.is_authenticated and request.method == "POST":
comment = request.form["comment"]
if not thread.checkPerm(current_user, Permission.COMMENT_THREAD):
flash(gettext("You cannot comment on this thread"), "danger")
return redirect(thread.getViewURL())
if not current_user.canCommentRL():
flash(gettext("Please wait before commenting again"), "danger")
return redirect(thread.getViewURL())
if 2000 >= len(comment) > 3:
reply = ThreadReply() = current_user
reply.comment = comment
if not current_user in thread.watchers:
for mentioned_username in get_user_mentions(render_markdown(comment)):
mentioned = User.query.filter_by(username=mentioned_username)
if mentioned is None:
msg = "Mentioned by {} in '{}'".format(current_user.display_name, thread.title)
addNotification(mentioned, current_user, NotificationType.THREAD_REPLY,
msg, thread.getViewURL(), thread.package)
msg = "New comment on '{}'".format(thread.title)
addNotification(thread.watchers, current_user, NotificationType.THREAD_REPLY, msg, thread.getViewURL(), thread.package)
if == get_system_user():
approvers = User.query.filter(User.rank >= UserRank.APPROVER).all()
addNotification(approvers, current_user, NotificationType.EDITOR_MISC, msg,
thread.getViewURL(), thread.package)
"Replied to bot messages: {}".format(thread.getViewURL(absolute=True)), True)
return redirect(thread.getViewURL())
flash(gettext("Comment needs to be between 3 and 2000 characters."), "danger")
return render_template("threads/view.html", thread=thread)
class ThreadForm(FlaskForm):
title = StringField(lazy_gettext("Title"), [InputRequired(), Length(3,100)])
comment = TextAreaField(lazy_gettext("Comment"), [InputRequired(), Length(10, 2000)])
private = BooleanField(lazy_gettext("Private"))
submit = SubmitField(lazy_gettext("Open Thread"))
@bp.route("/threads/new/", methods=["GET", "POST"])
def new():
form = ThreadForm(formdata=request.form)
package = None
if "pid" in request.args:
package = Package.query.get(int(request.args.get("pid")))
if package is None:
flash(gettext("Unable to find that package!"), "danger")
# Don't allow making orphan threads on approved packages for now
if package is None:
def_is_private = request.args.get("private") or False
if package is None:
def_is_private = True
allow_change = package and package.approved
is_review_thread = package and not package.approved
# Check that user can make the thread
if not package.checkPerm(current_user, Permission.CREATE_THREAD):
flash(gettext("Unable to create thread!"), "danger")
return redirect(url_for("homepage.home"))
# Only allow creating one thread when not approved
elif is_review_thread and package.review_thread is not None:
flash(gettext("An approval thread already exists!"), "danger")
return redirect(package.review_thread.getViewURL())
elif not current_user.canOpenThreadRL():
flash(gettext("Please wait before opening another thread"), "danger")
if package:
return redirect(package.getURL("packages.view"))
return redirect(url_for("homepage.home"))
# Set default values
elif request.method == "GET": = def_is_private = request.args.get("title") or ""
# Validate and submit
elif form.validate_on_submit():
thread = Thread() = current_user
thread.title =
thread.private = if allow_change else def_is_private
thread.package = package
if package is not None and != current_user:
reply = ThreadReply()
reply.thread = thread = current_user
reply.comment =
if is_review_thread:
package.review_thread = thread
for mentioned_username in get_user_mentions(render_markdown(
mentioned = User.query.filter_by(username=mentioned_username)
if mentioned is None:
msg = "Mentioned by {} in new thread '{}'".format(current_user.display_name, thread.title)
addNotification(mentioned, current_user, NotificationType.NEW_THREAD,
msg, thread.getViewURL(), thread.package)
notif_msg = "New thread '{}'".format(thread.title)
if package is not None:
addNotification(package.maintainers, current_user, NotificationType.NEW_THREAD, notif_msg, thread.getViewURL(), package)
approvers = User.query.filter(User.rank >= UserRank.APPROVER).all()
addNotification(approvers, current_user, NotificationType.EDITOR_MISC, notif_msg, thread.getViewURL(), package)
if is_review_thread:
"Opened approval thread: {}".format(thread.getViewURL(absolute=True)), True)
return redirect(thread.getViewURL())
return render_template("threads/new.html", form=form, allow_private_change=allow_change, package=package)
def user_comments(username):
user = User.query.filter_by(username=username).first()
if user is None:
return render_template("threads/user_comments.html", user=user, replies=user.replies)

from celery import uuid
from flask import *
from flask_login import current_user, login_required
from sqlalchemy import or_, and_
from app.models import *
from app.querybuilder import QueryBuilder
from app.utils import get_int_or_abort, addNotification, addAuditLog, isYes
from app.tasks.importtasks import makeVCSRelease
bp = Blueprint("todo", __name__)
@bp.route("/todo/", methods=["GET", "POST"])
def view_editor():
canApproveNew = Permission.APPROVE_NEW.check(current_user)
canApproveRel = Permission.APPROVE_RELEASE.check(current_user)
canApproveScn = Permission.APPROVE_SCREENSHOT.check(current_user)
packages = None
wip_packages = None
if canApproveNew:
packages = Package.query.filter_by(state=PackageState.READY_FOR_REVIEW) \
wip_packages = Package.query.filter(or_(Package.state==PackageState.WIP, Package.state==PackageState.CHANGES_NEEDED)) \
releases = None
if canApproveRel:
releases = PackageRelease.query.filter_by(approved=False).all()
screenshots = None
if canApproveScn:
screenshots = PackageScreenshot.query.filter_by(approved=False).all()
if not canApproveNew and not canApproveRel and not canApproveScn:
if request.method == "POST":
if request.form["action"] == "screenshots_approve_all":
if not canApproveScn:
PackageScreenshot.query.update({ "approved": True })
return redirect(url_for("todo.view_editor"))
license_needed = Package.query \
.filter(Package.state.in_([PackageState.READY_FOR_REVIEW, PackageState.APPROVED])) \
.filter(or_(Package.license.has("Other %")),
Package.media_license.has("Other %")))) \
total_packages = Package.query.filter_by(state=PackageState.APPROVED).count()
total_to_tag = Package.query.filter_by(state=PackageState.APPROVED, tags=None).count()
unfulfilled_meta_packages = MetaPackage.query \
.filter(~ MetaPackage.packages.any(state=PackageState.APPROVED)) \
.filter(MetaPackage.dependencies.any(Package.state == PackageState.APPROVED, optional=False)) \
return render_template("todo/editor.html", current_tab="editor",
packages=packages, wip_packages=wip_packages, releases=releases, screenshots=screenshots,
canApproveNew=canApproveNew, canApproveRel=canApproveRel, canApproveScn=canApproveScn,
license_needed=license_needed, total_packages=total_packages, total_to_tag=total_to_tag,
def topics():
qb = QueryBuilder(request.args)
query = qb.buildTopicQuery()
tmp_q = ForumTopic.query
if not qb.show_discarded:
tmp_q = tmp_q.filter_by(discarded=False)
total = tmp_q.count()
topic_count = query.count()
page = get_int_or_abort(request.args.get("page"), 1)
num = get_int_or_abort(request.args.get("n"), 100)
if num > 100 and not current_user.rank.atLeast(UserRank.APPROVER):
num = 100
query = query.paginate(page, num, True)
next_url = url_for("todo.topics", page=query.next_num,,
show_discarded=qb.show_discarded, n=num, sort=qb.order_by) \
if query.has_next else None
prev_url = url_for("todo.topics", page=query.prev_num,,
show_discarded=qb.show_discarded, n=num, sort=qb.order_by) \
if query.has_prev else None
return render_template("todo/topics.html", current_tab="topics", topics=query.items, total=total,
topic_count=topic_count,, show_discarded=qb.show_discarded,
next_url=next_url, prev_url=prev_url, page=page, page_max=query.pages,
n=num, sort_by=qb.order_by)
def tags():
qb = QueryBuilder(request.args)
qb.setSortIfNone("score", "desc")
query = qb.buildPackageQuery()
only_no_tags = isYes(request.args.get("no_tags"))
if only_no_tags:
query = query.filter(Package.tags==None)
tags = Tag.query.order_by(db.asc(Tag.title)).all()
return render_template("todo/tags.html", current_tab="tags", packages=query.all(), \
tags=tags, only_no_tags=only_no_tags)
def tags_user():
return redirect(url_for('todo.tags', author=current_user.username))
def metapackages():
mpackages = MetaPackage.query \
.filter(~ MetaPackage.packages.any(state=PackageState.APPROVED)) \
.filter(MetaPackage.dependencies.any(optional=False)) \
return render_template("todo/metapackages.html", mpackages=mpackages)
def view_user(username=None):
if username is None:
return redirect(url_for("todo.view_user", username=current_user.username))
user : User = User.query.filter_by(username=username).first()
if not user:
if current_user != user and not current_user.rank.atLeast(UserRank.APPROVER):
unapproved_packages = user.packages \
.filter(or_(Package.state == PackageState.WIP,
Package.state == PackageState.CHANGES_NEEDED)) \
packages_with_small_screenshots = user.maintained_packages \
.filter(Package.screenshots.any(and_(PackageScreenshot.width < PackageScreenshot.SOFT_MIN_SIZE[0],
PackageScreenshot.height < PackageScreenshot.SOFT_MIN_SIZE[1]))) \
outdated_packages = user.maintained_packages \
.filter(Package.state != PackageState.DELETED,
Package.update_config.has(PackageUpdateConfig.outdated_at.isnot(None))) \
topics_to_add = ForumTopic.query \
.filter_by( \
.filter(~ db.exists().where(Package.forums == ForumTopic.topic_id)) \
.order_by(db.asc(, db.asc(ForumTopic.title)) \
needs_tags = user.maintained_packages \
.filter(Package.state != PackageState.DELETED, Package.tags==None) \
return render_template("todo/user.html", current_tab="user", user=user,
unapproved_packages=unapproved_packages, outdated_packages=outdated_packages,
needs_tags=needs_tags, topics_to_add=topics_to_add,
screenshot_min_size=PackageScreenshot.HARD_MIN_SIZE, screenshot_rec_size=PackageScreenshot.SOFT_MIN_SIZE)
@bp.route("/users/<username>/update-configs/apply-all/", methods=["POST"])
def apply_all_updates(username):
user: User = User.query.filter_by(username=username).first()
if not user:
if current_user != user and not current_user.rank.atLeast(UserRank.EDITOR):
outdated_packages = user.maintained_packages \
.filter(Package.state != PackageState.DELETED,
Package.update_config.has(PackageUpdateConfig.outdated_at.isnot(None))) \
for package in outdated_packages:
if not package.checkPerm(current_user, Permission.MAKE_RELEASE):
if package.releases.filter(or_(PackageRelease.task_id.isnot(None),
PackageRelease.commit_hash==package.update_config.last_commit)).count() > 0:
title = package.update_config.get_title()
ref = package.update_config.get_ref()
rel = PackageRelease()
rel.package = package
rel.title = title
rel.url = ""
rel.task_id = uuid()
makeVCSRelease.apply_async((, ref),
msg = "Created release {} (Applied all Git Update Detection)".format(rel.title)
addNotification(package.maintainers, current_user, NotificationType.PACKAGE_EDIT, msg,
rel.getURL("packages.create_edit"), package)
addAuditLog(AuditSeverity.NORMAL, current_user, msg, package.getURL("packages.view"), package)
return redirect(url_for("todo.view_user", username=username))
def outdated():
is_mtm_only = isYes(request.args.get("mtm"))
query = db.session.query(Package).select_from(PackageUpdateConfig) \
.filter(PackageUpdateConfig.outdated_at.isnot(None)) \
.join(PackageUpdateConfig.package) \
.filter(Package.state == PackageState.APPROVED)
if is_mtm_only:
query = query.filter(Package.repo.ilike(""))
sort_by = request.args.get("sort")
if sort_by == "date":
query = query.order_by(db.desc(PackageUpdateConfig.outdated_at))
sort_by = "score"
query = query.order_by(db.desc(Package.score))
return render_template("todo/outdated.html", current_tab="outdated",
outdated_packages=query.all(), sort_by=sort_by, is_mtm_only=is_mtm_only)

from flask import Blueprint
bp = Blueprint("users", __name__)
from . import profile, claim, account, settings

from flask import *
from flask_babel import gettext, lazy_gettext, get_locale
from flask_login import current_user, login_required, logout_user, login_user
from flask_wtf import FlaskForm
from sqlalchemy import or_
from wtforms import *
from wtforms.validators import *
from app.models import *
from app.tasks.emails import send_verify_email, send_anon_email, send_unsubscribe_verify, send_user_email
from app.utils import randomString, make_flask_login_password, is_safe_url, check_password_hash, addAuditLog, \
nonEmptyOrNone, post_login, is_username_valid
from passlib.pwd import genphrase
from . import bp
class LoginForm(FlaskForm):
username = StringField(lazy_gettext("Username or email"), [InputRequired()])
password = PasswordField(lazy_gettext("Password"), [InputRequired(), Length(6, 100)])
remember_me = BooleanField(lazy_gettext("Remember me"), default=True)
submit = SubmitField(lazy_gettext("Sign in"))
def handle_login(form):
def show_safe_err(err):
if "@" in username:
flash(gettext("Incorrect email or password"), "danger")
flash(err, "danger")
username =
user = User.query.filter(or_(User.username == username, == username)).first()
if user is None:
return show_safe_err(gettext(u"User %(username)s does not exist", username=username))
if not check_password_hash(user.password,
return show_safe_err(gettext(u"Incorrect password. Did you set one?"))
if not user.is_active:
flash(gettext("You need to confirm the registration email"), "danger")
addAuditLog(AuditSeverity.USER, user, "Logged in using password",
url_for("users.profile", username=user.username))
if not login_user(user,
flash(gettext("Login failed"), "danger")
return post_login(user, request.args.get("next"))
@bp.route("/user/login/", methods=["GET", "POST"])
def login():
if current_user.is_authenticated:
next = request.args.get("next")
if next and not is_safe_url(next):
return redirect(next or url_for("homepage.home"))
form = LoginForm(request.form)
if form.validate_on_submit():
ret = handle_login(form)
if ret:
return ret
if request.method == "GET": = True
return render_template("users/login.html", form=form)
@bp.route("/user/logout/", methods=["GET", "POST"])
def logout():
return redirect(url_for("homepage.home"))
class RegisterForm(FlaskForm):
display_name = StringField(lazy_gettext("Display Name"), [Optional(), Length(1, 20)], filters=[nonEmptyOrNone])
username = StringField(lazy_gettext("Username"), [InputRequired(),
Regexp("^[a-zA-Z0-9._-]+$", message=lazy_gettext("Only a-zA-Z0-9._ allowed"))])
email = StringField(lazy_gettext("Email"), [InputRequired(), Email()])
password = PasswordField(lazy_gettext("Password"), [InputRequired(), Length(6, 100)])
question = StringField(lazy_gettext("What is the result of the above calculation?"), [InputRequired()])
agree = BooleanField(lazy_gettext("I agree"), [DataRequired()])
submit = SubmitField(lazy_gettext("Register"))
def handle_register(form):
if != "19":
flash(gettext("Incorrect captcha answer"), "danger")
if not is_username_valid(
flash(gettext("Username is invalid"))
user_by_name = User.query.filter(or_(
User.username ==,
User.username ==,
User.display_name ==,
User.forums_username ==,
User.github_username ==
if user_by_name:
if user_by_name.rank == UserRank.NOT_JOINED and user_by_name.forums_username:
flash(gettext("An account already exists for that username but hasn't been claimed yet."), "danger")
return redirect(url_for("users.claim_forums", username=user_by_name.forums_username))
flash(gettext("That username/display name is already in use, please choose another."), "danger")
alias_by_name = PackageAlias.query.filter(or_(,
if alias_by_name:
flash(gettext("That username/display name is already in use, please choose another."), "danger")
user_by_email = User.query.filter_by(
if user_by_email:
send_anon_email.delay(, get_locale().language, gettext("Email already in use"),
gettext("We were unable to create the account as the email is already in use by %(display_name)s. Try a different email address.",
return redirect(url_for("users.email_sent"))
elif EmailSubscription.query.filter_by(, blacklisted=True).count() > 0:
flash(gettext("That email address has been unsubscribed/blacklisted, and cannot be used"), "danger")
user = User(, False,, make_flask_login_password(
user.notification_preferences = UserNotificationPreferences(user)
user.display_name =
addAuditLog(AuditSeverity.USER, user, "Registered with email, display name=" + user.display_name,
url_for("users.profile", username=user.username))
token = randomString(32)
ver = UserEmailVerification()
ver.user = user
ver.token = token =
send_verify_email.delay(, token, get_locale().language)
return redirect(url_for("users.email_sent"))
@bp.route("/user/register/", methods=["GET", "POST"])
def register():
form = RegisterForm(request.form)
if form.validate_on_submit():
ret = handle_register(form)
if ret:
return ret
return render_template("users/register.html", form=form,
suggested_password=genphrase(entropy=52, wordset="bip39"))
class ForgotPasswordForm(FlaskForm):
email = StringField(lazy_gettext("Email"), [InputRequired(), Email()])
submit = SubmitField(lazy_gettext("Reset Password"))
@bp.route("/user/forgot-password/", methods=["GET", "POST"])
def forgot_password():
form = ForgotPasswordForm(request.form)
if form.validate_on_submit():
email =
user = User.query.filter_by(email=email).first()
if user:
token = randomString(32)
addAuditLog(AuditSeverity.USER, user, "(Anonymous) requested a password reset",
url_for("users.profile", username=user.username), None)
ver = UserEmailVerification()
ver.user = user
ver.token = token = email
ver.is_password_reset = True
send_verify_email.delay(, token, get_locale().language)
html = render_template("emails/unable_to_find_account.html")
send_anon_email.delay(email, get_locale().language, gettext("Unable to find account"),
html, html)
return redirect(url_for("users.email_sent"))
return render_template("users/forgot_password.html", form=form)
class SetPasswordForm(FlaskForm):
email = StringField(lazy_gettext("Email"), [Optional(), Email()])
password = PasswordField(lazy_gettext("New password"), [InputRequired(), Length(8, 100)])
password2 = PasswordField(lazy_gettext("Verify password"), [InputRequired(), Length(8, 100),
validators.EqualTo('password', message=lazy_gettext('Passwords must match'))])
submit = SubmitField(lazy_gettext("Save"))
class ChangePasswordForm(FlaskForm):
old_password = PasswordField(lazy_gettext("Old password"), [InputRequired(), Length(8, 100)])
password = PasswordField(lazy_gettext("New password"), [InputRequired(), Length(8, 100)])
password2 = PasswordField(lazy_gettext("Verify password"), [InputRequired(), Length(8, 100),
validators.EqualTo('password', message=lazy_gettext('Passwords must match'))])
submit = SubmitField(lazy_gettext("Save"))
def handle_set_password(form):
one =
two =
if one != two:
flash(gettext("Passwords do not match"), "danger")
addAuditLog(AuditSeverity.USER, current_user, "Changed their password", url_for("users.profile", username=current_user.username))
current_user.password = make_flask_login_password(
if hasattr(form, "email"):
newEmail = nonEmptyOrNone(
if newEmail and newEmail !=
if EmailSubscription.query.filter_by(, blacklisted=True).count() > 0:
flash(gettext(u"That email address has been unsubscribed/blacklisted, and cannot be used"), "danger")
user_by_email = User.query.filter_by(
if user_by_email:
send_anon_email.delay(, get_locale().language, gettext("Email already in use"),
gettext(u"We were unable to create the account as the email is already in use by %(display_name)s. Try a different email address.",
token = randomString(32)
ver = UserEmailVerification()
ver.user = current_user
ver.token = token = newEmail
send_verify_email.delay(, token, get_locale().language)
flash(gettext("Your password has been changed successfully."), "success")
return redirect(url_for("users.email_sent"))
flash(gettext("Your password has been changed successfully."), "success")
return redirect(url_for("homepage.home"))
@bp.route("/user/change-password/", methods=["GET", "POST"])
def change_password():
form = ChangePasswordForm(request.form)
if form.validate_on_submit():
if check_password_hash(current_user.password,
ret = handle_set_password(form)
if ret:
return ret
flash(gettext("Old password is incorrect"), "danger")
return render_template("users/change_set_password.html", form=form,
suggested_password=genphrase(entropy=52, wordset="bip39"))
@bp.route("/user/set-password/", methods=["GET", "POST"])
def set_password():
if current_user.password:
return redirect(url_for("users.change_password"))
form = SetPasswordForm(request.form)
if is None: = [InputRequired(), Email()]
if form.validate_on_submit():
ret = handle_set_password(form)
if ret:
return ret
return render_template("users/change_set_password.html", form=form, optional=request.args.get("optional"),
suggested_password=genphrase(entropy=52, wordset="bip39"))
def verify_email():
token = request.args.get("token")
ver: UserEmailVerification = UserEmailVerification.query.filter_by(token=token).first()
if ver is None:
flash(gettext("Unknown verification token!"), "danger")
return redirect(url_for("homepage.home"))
delta = ( - ver.created_at)
delta: datetime.timedelta
if delta.total_seconds() > 12*60*60:
flash(gettext("Token has expired"), "danger")
return redirect(url_for("homepage.home"))
user = ver.user
addAuditLog(AuditSeverity.USER, user, "Confirmed their email",
url_for("users.profile", username=user.username))
was_activating = not user.is_active
if and !=
if User.query.filter_by( > 0:
flash(gettext("Another user is already using that email"), "danger")
return redirect(url_for("homepage.home"))
flash(gettext("Confirmed email change"), "success")
user.locale or "en",
gettext("Email address changed"),
gettext("Your email address has changed. If you didn't request this, please contact an administrator."))
user.is_active = True =
if ver.is_password_reset:
user.password = None
return redirect(url_for("users.set_password"))
if current_user.is_authenticated:
return redirect(url_for("users.profile", username=current_user.username))
elif was_activating:
flash(gettext("You may now log in"), "success")
return redirect(url_for("users.login"))
return redirect(url_for("homepage.home"))
class UnsubscribeForm(FlaskForm):
email = StringField(lazy_gettext("Email"), [InputRequired(), Email()])
submit = SubmitField(lazy_gettext("Send"))
def unsubscribe_verify():
form = UnsubscribeForm(request.form)
if form.validate_on_submit():
email =
sub = EmailSubscription.query.filter_by(email=email).first()
if not sub:
sub = EmailSubscription(email)
sub.token = randomString(32)
send_unsubscribe_verify.delay(, get_locale().language)
return redirect(url_for("users.email_sent"))
return render_template("users/unsubscribe.html", form=form)
def unsubscribe_manage(sub: EmailSubscription):
user = User.query.filter_by(
if request.method == "POST":
if user: = None
sub.blacklisted = True
flash(gettext("That email is now blacklisted. Please contact an admin if you wish to undo this."), "success")
return redirect(url_for("homepage.home"))
return render_template("users/unsubscribe.html", user=user)
@bp.route("/unsubscribe/", methods=["GET", "POST"])
def unsubscribe():
token = request.args.get("token")
if token:
sub = EmailSubscription.query.filter_by(token=token).first()
if sub:
return unsubscribe_manage(sub)
return unsubscribe_verify()
def email_sent():
return render_template("users/email_sent.html")

from flask_babel import gettext
from . import bp
from flask import redirect, render_template, session, request, flash, url_for
from app.models import db, User, UserRank
from app.utils import randomString, login_user_set_active, is_username_valid
from app.tasks.forumtasks import checkForumAccount
from app.utils.phpbbparser import getProfile
@bp.route("/user/claim/", methods=["GET", "POST"])
def claim():
return render_template("users/claim.html")
@bp.route("/user/claim-forums/", methods=["GET", "POST"])
def claim_forums():
username = request.args.get("username")
if username is None:
username = ""
method = request.args.get("method")
if not is_username_valid(username):
flash(gettext("Invalid username - must only contain A-Za-z0-9._. Consider contacting an admin"), "danger")
return redirect(url_for("users.claim_forums"))
user = User.query.filter_by(forums_username=username).first()
if user and user.rank.atLeast(UserRank.NEW_MEMBER):
flash(gettext("User has already been claimed"), "danger")
return redirect(url_for("users.claim_forums"))
elif method == "github":
if user is None or user.github_username is None:
flash(gettext("Unable to get GitHub username for user"), "danger")
return redirect(url_for("users.claim_forums", username=username))
return redirect(url_for("github.start"))
if "forum_token" in session:
token = session["forum_token"]
token = randomString(12)
session["forum_token"] = token
if request.method == "POST":
ctype = request.form.get("claim_type")
username = request.form.get("username")
if not is_username_valid(username):
flash(gettext("Invalid username - must only contain A-Za-z0-9._. Consider contacting an admin"), "danger")
elif ctype == "github":
task = checkForumAccount.delay(username)
return redirect(url_for("tasks.check",, r=url_for("users.claim_forums", username=username, method="github")))
elif ctype == "forum":
user = User.query.filter_by(forums_username=username).first()
if user is not None and user.rank.atLeast(UserRank.NEW_MEMBER):
flash(gettext("That user has already been claimed!"), "danger")
return redirect(url_for("users.claim_forums"))
# Get signature
sig = None
profile = getProfile("", username)
sig = profile.signature if profile else None
except IOError as e:
if hasattr(e, 'message'):
message = e.message
message = str(e)
flash(gettext(u"Error whilst attempting to access forums: %(message)s", message=message), "danger")
return redirect(url_for("users.claim_forums", username=username))
if profile is None:
flash(gettext("Unable to get forum signature - does the user exist?"), "danger")
return redirect(url_for("users.claim_forums", username=username))
# Look for key
if sig and token in sig:
# Try getting again to fix crash
user = User.query.filter_by(forums_username=username).first()
if user is None:
user = User(username)
user.forums_username = username
ret = login_user_set_active(user, remember=True)
if ret is None:
flash(gettext("Unable to login as user"), "danger")
return redirect(url_for("users.claim_forums", username=username))
return ret
flash(gettext("Could not find the key in your signature!"), "danger")
return redirect(url_for("users.claim_forums", username=username))
flash(gettext("Unknown claim type"), "danger")
return render_template("users/claim_forums.html", username=username, key="cdb_" + token)

import math
from typing import Optional
from flask import *
from flask_babel import gettext
from flask_login import current_user, login_required
from sqlalchemy import func
from app.models import *
from app.tasks.forumtasks import checkForumAccount
from . import bp
@bp.route("/users/", methods=["GET"])
def list_all():
users = db.session.query(User, func.count( \
.select_from(User).outerjoin(Package) \
.order_by(db.desc(User.rank), db.asc(User.display_name)) \
return render_template("users/list.html", users=users)
def by_forums_username(username):
user = User.query.filter_by(forums_username=username).first()
if user:
return redirect(url_for("users.profile", username=user.username))
return render_template("users/forums_no_such_user.html", username=username)
class Medal:
description: str
color: Optional[str]
icon: str
title: Optional[str]
progress: Optional[Tuple[int, int]]
def __init__(self, description: str, **kwargs):
self.description = description
self.color = kwargs.get("color", "white")
self.icon = kwargs.get("icon", None)
self.title = kwargs.get("title", None)
self.progress = kwargs.get("progress", None)
def make_unlocked(cls, color: str, icon: str, title: str, description: str):
return Medal(description=description, color=color, icon=icon, title=title)
def make_locked(cls, description: str, progress: Tuple[int, int]):
return Medal(description=description, progress=progress)
def place_to_color(place: int) -> str:
if place == 1:
return "gold"
elif place == 2:
return "#888"
elif place == 3:
return "#cd7f32"
return "white"
def get_user_medals(user: User) -> Tuple[List[Medal], List[Medal]]:
unlocked = []
locked = []
users_by_reviews = db.session.query(User.username, func.sum(PackageReview.score).label("karma")) \
.select_from(User).join(PackageReview) \
.group_by(User.username).order_by(text("karma DESC")).all()
review_boundary = users_by_reviews[math.floor(len(users_by_reviews) * 0.25)][1] + 1
except IndexError:
review_boundary = None
usernames_by_reviews = [username for username, _ in users_by_reviews]
review_idx = None
review_percent = None
review_karma = 0
review_idx = usernames_by_reviews.index(user.username)
review_percent = round(100 * review_idx / len(users_by_reviews), 1)
review_karma = max(users_by_reviews[review_idx][1], 0)
except ValueError:
if review_percent is not None and review_percent < 25:
if review_idx == 0:
title = gettext(u"Top reviewer")
description = gettext(
u"%(display_name)s has written the most helpful reviews on ContentDB.",
elif review_idx <= 2:
if review_idx == 1:
title = gettext(u"2nd most helpful reviewer")
title = gettext(u"3rd most helpful reviewer")
description = gettext(
u"This puts %(display_name)s in the top %(perc)s%%",
display_name=user.display_name, perc=review_percent)
title = gettext(u"Top %(perc)s%% reviewer", perc=review_percent)
description = gettext(u"Only %(place)d users have written more helpful reviews.", place=review_idx)
place_to_color(review_idx + 1), "fa-star-half-alt", title, description))
description = gettext(u"Consider writing more helpful reviews to get a medal.")
if review_idx:
description += " " + gettext(u"You are in place %(place)s.", place=review_idx + 1)
description, (review_karma, review_boundary)))
all_package_ranks = db.session.query(
partition_by=Package.type) \
.label("rank")).order_by(db.asc(text("rank"))) \
user_package_ranks = db.session.query(all_package_ranks) \
.filter_by( \
.filter(text("rank <= 30")) \
user_package_ranks = next(
(x for x in user_package_ranks if x[0] == PackageType.MOD or x[2] <= 10),
if user_package_ranks:
top_rank = user_package_ranks[2]
top_type = PackageType.coerce(user_package_ranks[0])
if top_rank == 1:
title = gettext(u"Top %(type)s", type=top_type.text.lower())
title = gettext(u"Top %(group)d %(type)s", group=top_rank, type=top_type.text.lower())
if top_type == PackageType.MOD:
icon = "fa-box"
elif top_type == PackageType.GAME:
icon = "fa-gamepad"
icon = "fa-paint-brush"
description = gettext(u"%(display_name)s has a %(type)s placed at #%(place)d.",
display_name=user.display_name, type=top_type.text.lower(), place=top_rank)
Medal.make_unlocked(place_to_color(top_rank), icon, title, description))
total_downloads = db.session.query(func.sum(Package.downloads)) \
.select_from(User) \
.join(User.packages) \
.filter( ==,
Package.state == PackageState.APPROVED).scalar()
if total_downloads is None:
elif total_downloads < 50000:
description = gettext(u"Your packages have %(downloads)d downloads in total.", downloads=total_downloads)
description += " " + gettext(u"First medal is at 50k.")
locked.append(Medal.make_locked(description, (total_downloads, 50000)))
if total_downloads >= 300000:
place = 1
title = gettext(u">300k downloads")
elif total_downloads >= 100000:
place = 2
title = gettext(u">100k downloads")
elif total_downloads >= 75000:
place = 3
title = gettext(u">75k downloads")
place = 10
title = gettext(u">50k downloads")
description = gettext(u"Has received %(downloads)d downloads across all packages.",
display_name=user.display_name, downloads=total_downloads)
unlocked.append(Medal.make_unlocked(place_to_color(place), "fa-users", title, description))
return unlocked, locked
def profile(username):
user = User.query.filter_by(username=username).first()
if not user:
if not current_user.is_authenticated or (user != current_user and not current_user.canAccessTodoList()):
packages = user.packages.filter_by(state=PackageState.APPROVED)
maintained_packages = user.maintained_packages.filter_by(state=PackageState.APPROVED)
packages = user.packages.filter(Package.state != PackageState.DELETED)
maintained_packages = user.maintained_packages.filter(Package.state != PackageState.DELETED)
packages = packages.order_by(db.asc(Package.title)).all()
maintained_packages = maintained_packages \
.filter( != user) \
unlocked, locked = get_user_medals(user)
# Process GET or invalid POST
return render_template("users/profile.html", user=user,
packages=packages, maintained_packages=maintained_packages,
medals_unlocked=unlocked, medals_locked=locked)
@bp.route("/users/<username>/check/", methods=["POST"])
def user_check(username):
user = User.query.filter_by(username=username).first()
if user is None:
if current_user != user and not current_user.rank.atLeast(UserRank.MODERATOR):
if user.forums_username is None:
task = checkForumAccount.delay(user.forums_username)
next_url = url_for("users.profile", username=username)
return redirect(url_for("tasks.check",, r=next_url))

from flask import *
from flask_babel import gettext, lazy_gettext, get_locale
from flask_login import current_user, login_required, logout_user
from flask_wtf import FlaskForm
from sqlalchemy import or_
from wtforms import *
from wtforms.validators import *
from app.models import *
from app.utils import nonEmptyOrNone, addAuditLog, randomString, rank_required
from app.tasks.emails import send_verify_email
from . import bp
def get_setting_tabs(user):
ret = [
"id": "edit_profile",
"title": gettext("Edit Profile"),
"url": url_for("users.profile_edit", username=user.username)
"id": "account",
"title": gettext("Account and Security"),
"url": url_for("users.account", username=user.username)
"id": "notifications",
"title": gettext("Email and Notifications"),
"url": url_for("users.email_notifications", username=user.username)
"id": "api_tokens",
"title": gettext("API Tokens"),
"url": url_for("api.list_tokens", username=user.username)
if current_user.rank.atLeast(UserRank.MODERATOR):
"id": "modtools",
"title": gettext("Moderator Tools"),
"url": url_for("users.modtools", username=user.username)
return ret
class UserProfileForm(FlaskForm):
display_name = StringField(lazy_gettext("Display Name"), [Optional(), Length(1, 20)], filters=[lambda x: nonEmptyOrNone(x)])
website_url = StringField(lazy_gettext("Website URL"), [Optional(), URL()], filters = [lambda x: x or None])
donate_url = StringField(lazy_gettext("Donation URL"), [Optional(), URL()], filters = [lambda x: x or None])
submit = SubmitField(lazy_gettext("Save"))
def handle_profile_edit(form, user, username):
severity = AuditSeverity.NORMAL if current_user == user else AuditSeverity.MODERATION
addAuditLog(severity, current_user, "Edited {}'s profile".format(user.display_name),
url_for("users.profile", username=username))
if user.checkPerm(current_user, Permission.CHANGE_DISPLAY_NAME) and \
user.display_name !=
if User.query.filter( !=,
or_(User.username ==,
User.display_name.ilike( > 0:
flash(gettext("A user already has that name"), "danger")
return None
alias_by_name = PackageAlias.query.filter(or_( ==
if alias_by_name:
flash(gettext("A user already has that name"), "danger")
user.display_name =
severity = AuditSeverity.USER if current_user == user else AuditSeverity.MODERATION
addAuditLog(severity, current_user, "Changed display name of {} to {}"
.format(user.username, user.display_name),
url_for("users.profile", username=username))
if user.checkPerm(current_user, Permission.CHANGE_PROFILE_URLS):
user.website_url = form["website_url"].data
user.donate_url = form["donate_url"].data
return redirect(url_for("users.profile", username=username))
@bp.route("/users/<username>/settings/profile/", methods=["GET", "POST"])
def profile_edit(username):
user : User = User.query.filter_by(username=username).first()
if not user:
if not user.can_see_edit_profile(current_user):
flash(gettext("Permission denied"), "danger")
return redirect(url_for("users.profile", username=username))
form = UserProfileForm(obj=user)
if form.validate_on_submit():
ret = handle_profile_edit(form, user, username)
if ret:
return ret
# Process GET or invalid POST
return render_template("users/profile_edit.html", user=user, form=form, tabs=get_setting_tabs(user), current_tab="edit_profile")
def make_settings_form():
attrs = {
"email": StringField(lazy_gettext("Email"), [Optional(), Email()]),
"submit": SubmitField(lazy_gettext("Save"))
for notificationType in NotificationType:
key = "pref_" + notificationType.toName()
attrs[key] = BooleanField("")
attrs[key + "_digest"] = BooleanField("")
return type("SettingsForm", (FlaskForm,), attrs)
SettingsForm = make_settings_form()
def handle_email_notifications(user, prefs: UserNotificationPreferences, is_new, form):
for notificationType in NotificationType:
field_email = getattr(form, "pref_" + notificationType.toName()).data
field_digest = getattr(form, "pref_" + notificationType.toName() + "_digest").data or field_email
prefs.set_can_email(notificationType, field_email)
prefs.set_can_digest(notificationType, field_digest)
if is_new:
if user.checkPerm(current_user, Permission.CHANGE_EMAIL):
newEmail =
if newEmail and newEmail != and newEmail.strip() != "":
if EmailSubscription.query.filter_by(, blacklisted=True).count() > 0:
flash(gettext("That email address has been unsubscribed/blacklisted, and cannot be used"), "danger")
token = randomString(32)
severity = AuditSeverity.NORMAL if current_user == user else AuditSeverity.MODERATION
msg = "Changed email of {}".format(user.display_name)
addAuditLog(severity, current_user, msg, url_for("users.profile", username=user.username))
ver = UserEmailVerification()
ver.user = user
ver.token = token = newEmail
send_verify_email.delay(newEmail, token, get_locale().language)
return redirect(url_for("users.email_sent"))
return redirect(url_for("users.email_notifications", username=user.username))
@bp.route("/users/<username>/settings/email/", methods=["GET", "POST"])
def email_notifications(username=None):
if username is None:
return redirect(url_for("users.email_notifications", username=current_user.username))
user: User = User.query.filter_by(username=username).first()
if not user:
if not user.checkPerm(current_user, Permission.CHANGE_EMAIL):
is_new = False
prefs = user.notification_preferences
if prefs is None:
is_new = True
prefs = UserNotificationPreferences(user)
data = {}
types = []
for notificationType in NotificationType:
data["pref_" + notificationType.toName()] = prefs.get_can_email(notificationType)
data["pref_" + notificationType.toName() + "_digest"] = prefs.get_can_digest(notificationType)
data["email"] =
form = SettingsForm(data=data)
if form.validate_on_submit():
ret = handle_email_notifications(user, prefs, is_new, form)
if ret:
return ret
return render_template("users/settings_email.html",
form=form, user=user, types=types, is_new=is_new,
tabs=get_setting_tabs(user), current_tab="notifications")
def account(username):
user : User = User.query.filter_by(username=username).first()
if not user:
return render_template("users/account.html", user=user, tabs=get_setting_tabs(user), current_tab="account")
@bp.route("/users/<username>/delete/", methods=["GET", "POST"])
def delete(username):
user: User = User.query.filter_by(username=username).first()
if not user:
if user.rank.atLeast(UserRank.MODERATOR):
flash(gettext("Users with moderator rank or above cannot be deleted"), "danger")
return redirect(url_for("users.account", username=username))
if request.method == "GET":
return render_template("users/delete.html", user=user, can_delete=user.can_delete())
if "delete" in request.form and (user.can_delete() or current_user.rank.atLeast(UserRank.ADMIN)):
msg = "Deleted user {}".format(user.username)
flash(msg, "success")
addAuditLog(AuditSeverity.MODERATION, current_user, msg, None)
if current_user.rank.atLeast(UserRank.ADMIN):
for pkg in user.packages.all():
pkg.review_thread = None
elif "deactivate" in request.form:
for thread in user.threads.all():
db.session.delete(thread) = None
user.rank = UserRank.NOT_JOINED
msg = "Deactivated user {}".format(user.username)
flash(msg, "success")
addAuditLog(AuditSeverity.MODERATION, current_user, msg, None)
assert False
if user == current_user:
return redirect(url_for("homepage.home"))
class ModToolsForm(FlaskForm):
username = StringField(lazy_gettext("Username"), [Optional(), Length(1, 50)])
display_name = StringField(lazy_gettext("Display name"), [Optional(), Length(2, 100)])
forums_username = StringField(lazy_gettext("Forums Username"), [Optional(), Length(2, 50)])
github_username = StringField(lazy_gettext("GitHub Username"), [Optional(), Length(2, 50)])
rank = SelectField(lazy_gettext("Rank"), [Optional()], choices=UserRank.choices(), coerce=UserRank.coerce,
submit = SubmitField(lazy_gettext("Save"))
@bp.route("/users/<username>/modtools/", methods=["GET", "POST"])
def modtools(username):
user: User = User.query.filter_by(username=username).first()
if not user:
if not user.checkPerm(current_user, Permission.CHANGE_EMAIL):
form = ModToolsForm(obj=user)
if form.validate_on_submit():
severity = AuditSeverity.NORMAL if current_user == user else AuditSeverity.MODERATION
addAuditLog(severity, current_user, "Edited {}'s account".format(user.display_name),
url_for("users.profile", username=username))
# Copy form fields to user_profile fields
if user.checkPerm(current_user, Permission.CHANGE_USERNAMES):
if user.username !=
for package in user.packages:
alias = PackageAlias(user.username,
user.username =
user.display_name =
user.forums_username = nonEmptyOrNone(
user.github_username = nonEmptyOrNone(
if user.checkPerm(current_user, Permission.CHANGE_RANK):
newRank = form["rank"].data
if current_user.rank.atLeast(newRank):
if newRank != user.rank:
user.rank = form["rank"].data
msg = "Set rank of {} to {}".format(user.display_name, user.rank.getTitle())
addAuditLog(AuditSeverity.MODERATION, current_user, msg,
url_for("users.profile", username=username))
flash(gettext("Can't promote a user to a rank higher than yourself!"), "danger")
return redirect(url_for("users.modtools", username=username))
return render_template("users/modtools.html", user=user, form=form, tabs=get_setting_tabs(user), current_tab="modtools")
@bp.route("/users/<username>/modtools/set-email/", methods=["POST"])
def modtools_set_email(username):
user: User = User.query.filter_by(username=username).first()
if not user:
if not user.checkPerm(current_user, Permission.CHANGE_EMAIL):
abort(403) = request.form["email"]
user.is_active = False
token = randomString(32)
addAuditLog(AuditSeverity.MODERATION, current_user, f"Set email and sent a password reset on {user.username}",
url_for("users.profile", username=user.username), None)
ver = UserEmailVerification()
ver.user = user
ver.token = token =
ver.is_password_reset = True
send_verify_email.delay(, token, user.locale or "en")
flash(f"Set email and sent a password reset on {user.username}", "success")
return redirect(url_for("users.modtools", username=username))
@bp.route("/users/<username>/modtools/ban/", methods=["POST"])
def modtools_ban(username):
user: User = User.query.filter_by(username=username).first()
if not user:
if not user.checkPerm(current_user, Permission.CHANGE_RANK):
user.rank = UserRank.BANNED
addAuditLog(AuditSeverity.MODERATION, current_user, f"Banned {user.username}",
url_for("users.profile", username=user.username), None)
flash(f"Banned {user.username}", "success")
return redirect(url_for("users.modtools", username=username))

title: Help title: Help
toc: False
* [Package Tags](package_tags)
## General Help
* [Frequently Asked Questions](faq)
* [Content Ratings and Flags](content_flags)
* [Non-free Licenses](non_free)
* [Why WTFPL is a terrible license](wtfpl)
* [Ranks and Permissions](ranks_permissions) * [Ranks and Permissions](ranks_permissions)
* [Contact Us](contact_us) * [Content Ratings and Flags](content_flags)
* [Top Packages Algorithm](top_packages) * [Reporting Content](reporting)
* [Featured Packages](featured)
## Help for Package Authors
* [Package Inclusion Policy and Guidance](/policy_and_guidance/)
* [Git Update Detection](update_config)
* [Creating Releases using Webhooks](release_webhooks)
* [Package Configuration and Releases Guide](package_config)
## Help for Specific User Ranks
* [Editors](editors)
## APIs
* [API](api)
* [Prometheus Metrics](metrics)

title: API
## Resources
* [How the Minetest client uses the API](
## Responses and Error Handling
If there is an error, the response will be JSON similar to the following with a non-200 status code:
"success": false,
"error": "The error message"
Successful GET requests will return the resource's information directly as a JSON response.
Other successful results will return a dictionary with `success` equaling true, and
often other keys with information. For example:
"success": true,
"release": {
/* same as returned by a GET */
### Paginated Results
Some API endpoints returns results in pages. The page number is specified using the `page` query argument, and
the number of items is specified using `num`
The response will be a dictionary with the following keys:
* `page`: page number, integer from 1 to max
* `per_page`: number of items per page, same as `n`
* `page_count`: number of pages
* `total`: total number of results
* `urls`: dictionary containing
* `next`: url to next page
* `previous`: url to previous page
* `items`: array of items
## Authentication
Not all endpoints require authentication, but it is done using Bearer tokens:
curl \
-H "Authorization: Bearer YOURTOKEN"
Tokens can be attained by visiting [Settings > API Tokens](/user/tokens/).
* GET `/api/whoami/`: JSON dictionary with the following keys:
* `is_authenticated`: True on successful API authentication
* `username`: Username of the user authenticated as, null otherwise.
* 4xx status codes will be thrown on unsupported authentication type, invalid access token, or other errors.
## Packages
* GET `/api/packages/` (List)
* See [Package Queries](#package-queries)
* GET `/api/packages/<username>/<name>/` (Read)
* PUT `/api/packages/<author>/<name>/` (Update)
* Requires authentication.
* JSON dictionary with any of these keys (all are optional, null to delete Nullables):
* `type`: One of `GAME`, `MOD`, `TXP`.
* `title`: Human-readable title.
* `name`: Technical name (needs permission if already approved).
* `short_description`
* `tags`: List of [tag](#tags) names.
* `content_warnings`: List of [content warning](#content-warnings) names.
* `license`: A [license](#licenses) name.
* `media_license`: A [license](#licenses) name.
* `long_description`: Long markdown description.
* `repo`: Git repo URL.
* `website`: Website URL.
* `issue_tracker`: Issue tracker URL.
* `forums`: forum topic ID.
* `video_url`: URL to a video.
* `game_support`: Array of game support information objects. Not currently documented, as subject to change.
* GET `/api/packages/<username>/<name>/dependencies/`
* Returns dependencies, with suggested candidates
* If query argument `only_hard` is present, only hard deps will be returned.
* GET `/api/dependencies/`
* Returns `provides` and raw dependencies for all packages.
* Supports [Package Queries](#package-queries)
* [Paginated result](#paginated-results), max 300 results per page
* Each item in `items` will be a dictionary with the following keys:
* `type`: One of `GAME`, `MOD`, `TXP`.
* `author`: Username of the package author.
* `name`: Package name.
* `provides`: List of technical mod names inside the package.
* `depends`: List of hard dependencies.
* Each dep will either be a metapackage dependency (`name`), or a
package dependency (`author/name`).
* `optional_depends`: list of optional dependencies
* Same as above.
You can download a package by building one of the two URLs:
# Edit package
curl -X PUT \
-H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
-d '{ "title": "Foo bar", "tags": ["pvp", "survival"], "license": "MIT" }'
# Remove website URL
curl -X PUT \
-H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
-d '{ "website": null }'
### Package Queries
Supported query parameters:
* `type`: Package types (`mod`, `game`, `txp`).
* `q`: Query string.
* `author`: Filter by author.
* `tag`: Filter by tags.
* `random`: When present, enable random ordering and ignore `sort`.
* `limit`: Return at most `limit` packages.
* `hide`: Hide content based on [Content Flags](/help/content_flags/).
* `sort`: Sort by (`name`, `title`, `score`, `reviews`, `downloads`, `created_at`, `approved_at`, `last_release`).
* `order`: Sort ascending (`asc`) or descending (`desc`).
* `protocol_version`: Only show packages supported by this Minetest protocol version.
* `engine_version`: Only show packages supported by this Minetest engine version, eg: `5.3.0`.
* `fmt`: How the response is formated.
* `keys`: author/name only.
* `short`: stuff needed for the Minetest client.
## Releases
* GET `/api/releases/` (List)
* Limited to 30 most recent releases.
* Optional arguments:
* `author`: Filter by author
* `maintainer`: Filter by maintainer
* Returns array of release dictionaries with keys:
* `id`: release ID
* `title`: human-readable title
* `release_date`: Date released
* `url`: download URL
* `commit`: commit hash or null
* `downloads`: number of downloads
* `min_minetest_version`: dict or null, minimum supported minetest version (inclusive).
* `max_minetest_version`: dict or null, minimum supported minetest version (inclusive).
* `package`
* `author`: author username
* `name`: technical name
* `type`: `mod`, `game`, or `txp`
* GET `/api/packages/<username>/<name>/releases/` (List)
* Returns array of release dictionaries, see above, but without package info.
* GET `/api/packages/<username>/<name>/releases/<id>/` (Read)
* POST `/api/packages/<username>/<name>/releases/new/` (Create)
* Requires authentication.
* Body can be JSON or multipart form data. Zip uploads must be multipart form data.
* `title`: human-readable name of the release.
* For Git release creation:
* `method`: must be `git`.
* `ref`: (Optional) git reference, eg: `master`.
* For zip upload release creation:
* `file`: multipart file to upload, like `<input type="file" name="file">`.
* `commit`: (Optional) Source Git commit hash, for informational purposes.
* You can set min and max Minetest Versions [using the content's .conf file](/help/package_config/).
* DELETE `/api/packages/<username>/<name>/releases/<id>/` (Delete)
* Requires authentication.
* Deletes release.
# Create release from Git
curl -X POST \
-H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
-d '{ "method": "git", "title": "My Release", "ref": "master" }'
# Create release from zip upload
curl -X POST \
-H "Authorization: Bearer YOURTOKEN" \
-F title="My Release" -F file=@path/to/
# Create release from zip upload with commit hash
curl -X POST \
-H "Authorization: Bearer YOURTOKEN" \
-F title="My Release" -F commit="8ef74deec170a8ce789f6055a59d43876d16a7ea" -F file=@path/to/
# Delete release
curl -X DELETE \
-H "Authorization: Bearer YOURTOKEN"
## Screenshots
* GET `/api/packages/<username>/<name>/screenshots/` (List)
* Returns array of screenshot dictionaries with keys:
* `id`: screenshot ID
* `approved`: true if approved and visible.
* `title`: human-readable name for the screenshot, shown as a caption and alt text.
* `url`: absolute URL to screenshot.
* `created_at`: ISO time.
* `order`: Number used in ordering.
* `is_cover_image`: true for cover image.
* GET `/api/packages/<username>/<name>/screenshots/<id>/` (Read)
* Returns screenshot dictionary like above.
* POST `/api/packages/<username>/<name>/screenshots/new/` (Create)
* Requires authentication.
* Body is multipart form data.
* `title`: human-readable name for the screenshot, shown as a caption and alt text.
* `file`: multipart file to upload, like `<input type=file>`.
* `is_cover_image`: set cover image to this.
* DELETE `/api/packages/<username>/<name>/screenshots/<id>/` (Delete)
* Requires authentication.
* Deletes screenshot.
* POST `/api/packages/<username>/<name>/screenshots/order/`
* Requires authentication.
* Body is a JSON array containing the screenshot IDs in their order.
* POST `/api/packages/<username>/<name>/screenshots/cover-image/`
* Requires authentication.
* Body is a JSON dictionary with "cover_image" containing the screenshot ID.
Currently, to get a different size of thumbnail you can replace the number in `/thumbnails/1/` with any number from 1-3.
The resolutions returned may change in the future, and we may move to a more capable thumbnail generation.
# Create screenshot
curl -X POST \
-H "Authorization: Bearer YOURTOKEN" \
-F title="My Release" -F file=@path/to/screnshot.png
# Create screenshot and set it as the cover image
curl -X POST \
-H "Authorization: Bearer YOURTOKEN" \
-F title="My Release" -F file=@path/to/screnshot.png -F is_cover_image="true"
# Delete screenshot
curl -X DELETE \
-H "Authorization: Bearer YOURTOKEN"
# Reorder screenshots
curl -X POST \
-H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
-d "[13, 2, 5, 7]"
# Set cover image
curl -X POST \
-H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
-d "{ 'cover_image': 123 }"
## Reviews
* GET `/api/packages/<username>/<name>/reviews/` (List)
* Returns array of review dictionaries with keys:
* `user`: dictionary with `display_name` and `username`.
* `title`: review title
* `comment`: the text
* `is_positive`: boolean
* `created_at`: iso timestamp
* `votes`: dictionary with `helpful` and `unhelpful`,
* GET `/api/reviews/` (List)
* Returns a paginated response. This is a dictionary with `page`, `url`, and `items`.
* [Paginated result](#paginated-results)
* `items`: array of review dictionaries, like above
* Each review also has a `package` dictionary with `type`, `author` and `name`
* Query arguments:
* `page`: page number, integer from 1 to max
* `n`: number of results per page, max 100
* `author`: filter by review author username
* `is_positive`: true or false. Default: null
* `q`: filter by title (case insensitive, no fulltext search)
"comment": "This is a really good mod!",
"created_at": "2021-11-24T16:18:33.764084",
"is_positive": true,
"title": "Really good",
"user": {
"display_name": "rubenwardy",
"username": "rubenwardy"
"votes": {
"helpful": 0,
"unhelpful": 0
## Topics
* GET `/api/topics/` ([View](/api/topics/))
* See [Topic Queries](#topic-queries)
### Topic Queries
Supported query parameters:
* `q`: Query string.
* `type`: Package types (`mod`, `game`, `txp`).
* `sort`: Sort by (`name`, `views`, `created_at`).
* `show_added`: Show topics that have an existing package.
* `show_discarded`: Show topics marked as discarded.
* `limit`: Return at most `limit` topics.
## Types
### Tags
* GET `/api/tags/` ([View](/api/tags/)): List of:
* `name`: technical name.
* `title`: human-readable title.
* `description`: tag description or null.
* `is_protected`: boolean, whether the tag is protected (can only be set by Editors in the web interface).
* `views`: number of views of this tag.
### Content Warnings
* GET `/api/content_warnings/` ([View](/api/content_warnings/)): List of:
* `name`: technical name
* `title`: human-readable title
* `description`: tag description or null
### Licenses
* GET `/api/licenses/` ([View](/api/licenses/)): List of:
* `name`
* `is_foss`: whether the license is foss
### Minetest Versions
* GET `/api/minetest_versions/` ([View](/api/minetest_versions/))
* `name`: Version name.
* `is_dev`: boolean, is dev version.
* `protocol_version`: protocol version umber.
## Misc
* GET `/api/scores/` ([View](/api/scores/))
* See [Top Packages Algorithm](/help/top_packages/).
* Supports [Package Queries](#package-queries).
* Returns list of:
* `author`: package author name.
* `name`: package technical name.
* `downloads`: number of downloads.
* `score`: total package score.
* `score_reviews`: score from reviews.
* `score_downloads`: score from downloads.
* GET `/api/homepage/` ([View](/api/homepage/)) - get contents of homepage.
* `count`: number of packages
* `downloads`: get number of downloads
* `new`: new packages
* `updated`: recently updated packages
* `pop_mod`: popular mods
* `pop_txp`: popular textures
* `pop_game`: popular games
* `high_reviewed`: highest reviewed
* GET `/api/welcome/v1/` ([View](/api/welcome/v1/)) - in-menu welcome dialog. Experimental (may change without warning)
@ -1,14 +0,0 @@
title: Contact Us
## Reports
Please let us know if anything on the ContentDB violates our rules or any applicable
We take copyright violation and other offenses very seriously.
<a href="/report/" class="btn btn-primary">Report</a>
## Other
<a href="" class="btn btn-primary">Contact the admin</a>

## Flags ## Flags
Minetest allows you to specify a comma-separated list of flags to hide in the * `nonfree` - can be used to hide packages which do not qualify as
contentdb_flag_blacklist = nonfree, bad_language, drugs
A flag can be:
* `nonfree`: can be used to hide packages which do not qualify as
'free software', as defined by the Free Software Foundation. 'free software', as defined by the Free Software Foundation.
* `wip`: packages marked as Work in Progress * A content rating, given below.
* `deprecated`: packages marked as Deprecated
* A content warning, given below.
* `*`: hides all content warnings.
There are also two meta-flags, which are designed so that we can change how different platforms filter the package list
without making a release.
* `android_default`: currently same as `*, deprecated`. Hides all content warnings and deprecated packages ## Ratings
* `desktop_default`: currently same as `deprecated`. Hides deprecated packages
## Content Warnings Content ratings aren't currently supported by ContentDB.
Instead, mature content isn't allowed at all for now.
Packages with mature content will be tagged with a content warning based In the future, more mature content will be allowed but labelled with
on the content type. content ratings which may contain the following:
* `bad_language`: swearing. * android_default - meta-rating which includes gore and drugs.
* `drugs`: drugs or alcohol. * desktop_default - meta-rating which won't include anything for now.
* `gambling` * gore - more than just blood
* `gore`: blood, etc. * drugs
* `horror`: shocking and scary content. * swearing
* `violence`: non-cartoon violence.

title: Editors
## What should editors do?
Editors are users of rank Editor or above.
They are responsible for ensuring that the package listings of ContentDB are useful.
For this purpose, they can/will:
* Review and approve packages.
* Edit any package - including tags, releases, screenshots, and maintainers.
* Create packages on behalf of authors who aren't present.
Editors should make sure they are familiar with the
[Package Inclusion Policy and Guidance](/policy_and_guidance/).
## ContentDB is not a curated platform
It's important to note that ContentDB isn't a curated platform, but it also does have some
requirements on minimum usefulness. See 2.2 in the [Policy and Guidance](/policy_and_guidance/).
## Editor Work Queue
The [Editor Work Queue](/todo/) and related pages contain useful information for editors, such as:
* The package, release, and screenshot approval queues.
* Packages which are outdated or are missing tags.
* A list of forum topics without packages.
Editors can create the packages or "discard" them if they don't think it's worth adding them.
## Editor Notifications
Editors currently receive notifications for any new thread opened on a package, so that they
know when a user is asking for help. These notifications are shown separately in the notifications
interface, and can be configured separately in Emails and Notifications.

title: Frequently Asked Questions
## Users and Logins
### How do I create an account?
How you create an account depends on whether you have a forum account.
If you have a forum account, then you'll need to prove that you are the owner of the account. This can
be done using a GitHub account or a random string in your forum account signature.
If you don't, then you can just sign up using an email address and password.
GitHub can only be used to login, not to register.
<a class="btn btn-primary" href="/user/claim/">Register</a>
### My verification email never arrived
There are a number of reasons this may have happened:
* Incorrect email address entered.
* Temporary problem with ContentDB.
* Email has been unsubscribed.
If the email doesn't arrive after registering by email, then you'll need to try registering again in 12 hours.
Unconfirmed accounts are deleted after 12 hours.
If the email verification was sent using the Email settings tab, then you can just set a new email.
If you have previously unsubscribed this email, then ContentDB is completely prevented from sending emails to that
address. You'll need to use a different email address, or [contact rubenwardy]( to
remove your email from the blacklist.
## Packages
### How can I create releases automatically?
There are a number of methods:
* [Git Update Detection](update_config): ContentDB will check your Git repo daily, and create updates or send you notifications.
* [Webhooks](release_webhooks): you can configure your Git host to send a webhook to ContentDB, and create an update immediately.
* the [API](api): This is especially powerful when combined with CI/CD and other API endpoints.
## How do I get help?
Please [contact rubenwardy](

title: Featured Packages
<p class="alert alert-warning">
<b>Note:</b> This is a draft, and is likely to change
## What are Featured Packages?
Featured Packages are shown at the top of the ContentDB homepage. In the future,
featured packages may be shown inside the Minetest client.
The purpose is to promote content that demonstrates a high quality of what is
possible in Minetest. The selection should be varied, and should vary over time.
The featured content should be content that we are comfortable recommending to
a first time player.
## How are the packages chosen?
Before a package can be considered, it must fulfil the criteria in the below lists.
There are three types of criteria:
* "MUST": These must absolutely be fulfilled, no exceptions!
* "SHOULD": Most of them should be fulfilled, if possible. Some of them can be
left out if there's a reason.
* "CAN": Can be fulfilled for bonus points, they are entirely optional.
For a chance to get featured, a package must fulfil all "MUST" criteria and
ideally as many "SHOULD" criteria as possible. The more, the better. Thankfully,
many criteria are trivial to fulfil. Note that ticking off all the boxes is not
enough: Just because a package completes the checklist does not make it good.
Other aspects of the package should be rated as well. See this list as a
starting point, not as an exhaustive quality control.
Editors are responsible for maintaining the list of featured packages. Authors
can request that their package be considered by opening a thread titled
"Feature Package" on their package. To speed things up, they should justify
why they meet (or don't meet) the below criteria. Editors must abstain from
voting on packages where they have a conflict of interest.
A package being featured does not mean that it will be featured forever. A
package may be unfeatured if it no longer meets the criteria, to make space for
other packages to be featured, or for another reason.
## General Requirements
### General
* MUST: Be 100% free and open source (as marked as Free on ContentDB).
* MUST: Work out-of-the-box (no weird setup or settings required).
* MUST: Be compatible with the latest stable Minetest release.
* SHOULD: Use public source control (such as Git).
* SHOULD: Have at least 3 reviews, and be largely positive.
### Stability
* MUST: Be well maintained (author is present and active).
* MUST: Be reasonably stable, with no game-breaking or major bugs.
* MUST: The author does not consider the package to be in an
experimental/development/alpha state. Beta and "unfinished" packages are fine.
* MUST: No error messages from the engine (e.g. missing textures).
* SHOULD: No major map breakages (including unknown nodes, corruption, loss of inventories).
Map breakages are a sign that the package isn't sufficiently stable.
Note: Any map breakage will be excused if "disaster relief" (i.e. tools to repair the damage)
is available.
### Meta and packaging
* MUST: `screenshot.png` is present and up-to-date, with a correct aspect ratio (3:2, at least 300x200).
* MUST: Have a high resolution cover image on ContentDB (at least 1280x720 pixels).
It may be shown cropped to 16:9 aspect ratio, or shorter.
* MUST: mod.conf/game.conf/texture_pack.conf present with:
* name (if mod or game)
* description
* dependencies (if relevant)
* `min_minetest_version` and `max_minetest_version` (if relevant)
* MUST: Contain a README file and a LICENSE file. These may be `.md` or `.txt`.
* README files typically contain helpful links (download, manual, bugtracker, etc), and other
information that players or (potential) contributors may need.
* SHOULD: All important settings are in settingtypes.txt with description.
## Game-specific Requirements
### Meta and packaging
* MUST: Have a main menu icon and header image.
### Stability
* MUST: If any major setting (like `enable_damage`) is unsupported, the game must disable it
using `disabled_settings` in the `game.conf`, and deal with it appropriately in the code
(e.g. force-disable the setting, as the user may still set the setting in `minetest.conf`)
### Usability
* MUST: Unsupported mapgens are disabled in game.conf.
* SHOULD: Passes the Beginner Test: A newbie to the game (but not Minetest) wouldn't get completely
stuck within the first 5 minutes of playing.
* SHOULD: Have good documentation. This may include one or more of:
* A craftguide, or other in-game learning system
* A manual
* A wiki
* Something else
### Gameplay
* CAN: Passes the Six Hour Test (only applies to sandbox games): The game doesn't run out of new
content before the first 6 hours of playing.
* CAN: Players don't feel that something in the game is "lacking".
### Audiovisuals
* MUST: Audiovisual design should be of good quality.
* MUST: No obvious GUI/HUD breakages.
* MUST: Sounds have no obvious artifacts like clicks or unintentional noise.
* SHOULD: Graphical design is mostly consistent.
* SHOULD: Sounds are used.
* SHOULD: Sounds are normalized (more or less).
### Quality Assurance
* MUST: No flooding the console/log file with warnings.
* MUST: No duplicate crafting recipes.
* MUST: Highly experimental game features are disabled by default.
* MUST: Experimental game features are clearly marked as such.
* SHOULD: No unknown nodes/items/objects appear.
* SHOULD: No dependency on legacy API calls.
* SHOULD: No console warnings.
### Writing
* MUST: All items that can be obtained in normal gameplay have `description` set (whether in the definition or meta).
* MUST: Game is not littered with typos or bad grammar (a few typos are OK but should be fixed, when found).
* SHOULD: All items have unique names (items which disguise themselves as another item are exempt).
* SHOULD: The writing style of all item names is grammatical and consistent.
* SHOULD: Descriptions of things convey useful and meaningful information (if applicable).
* CAN: Text is written in clear and (if possible) simple language.

title: Prometheus Metrics
## What is Prometheus?
[Prometheus]( is an "open-source monitoring system with a
dimensional data model, flexible query language, efficient time series database
and modern alerting approach".
Prometheus Metrics can be accessed at [/metrics](/metrics), or you can view them
on the Grafana instance below.
<a class="btn btn-primary" href="">
View ContentDB on Grafana
## Metrics
* `contentdb_packages` - Total packages (counter).
* `contentdb_users` - Number of registered users (counter).
* `contentdb_downloads` - Total downloads (counter).
* `contentdb_score` - Total package score (gauge).

title: Non-free Licenses
## What are Non-Free, Free, and Open Source licenses?
A non-free license is one that does not meet the
[Free Software Definition](
or the [Open Source Definition](
ContentDB will clearly label any packages with non-free licenses,
and they will be subject to limited promotion.
## How does ContentDB deal with Non-Free Licenses?
**ContentDB does not allow certain non-free licenses, and will limit the promotion
of packages with non-free licenses.**
Minetest is free and open source software, and is only as big as it is now
because of this. It's pretty amazing you can take nearly any published mod and modify it
to how you like - add some features, maybe fix some bugs - and then share those
modifications without the worry of legal issues. The project, itself, relies on open
source contributions to survive - if it were non-free, then it would have died
when celeron55 lost interest.
If you have played nearly any game with a large modding scene, you will find
that most mods are legally ambiguous. A lot of them don't even provide the
source code to allow you to bug fix or extend as you need.
Limiting the promotion of problematic licenses helps Minetest avoid ending up in
such a state. Licenses that prohibit redistribution or modification are
completely banned from ContentDB and the Minetest forums. Other non-free licenses
will be subject to limited promotion - they won't be shown by default in
the client.
Not providing full promotion on ContentDB, or not allowing your package at all,
doesn't mean you can't make such content - it just means we're not going to help
you spread it.
## What's so bad about licenses that forbid commercial use?
Please read [reasons not to use a Creative Commons -NC license](
Here's a quick summary related to Minetest content:
1. They make your work incompatible with a growing body of free content, even if
you do want to allow derivative works or combinations.
This means that it can cause problems when another modder wishes to include your
work in a modpack or game.
2. They may rule out other basic and beneficial uses that you want to allow.
For example, CC -NC will forbid showing your content in a monetised YouTube
3. They are unlikely to increase the potential profit from your work, and a
share-alike license serves the goal to protect your work from unethical
exploitation equally well.
## How can I show non-free packages in the client?
Non-free packages are hidden in the client by default, partly in order to comply
with the rules of various Linux distributions.
Users can opt-in to showing non-free software, if they wish:
1. In the main menu, go to Settings > All settings
2. Search for "ContentDB Flag Blacklist".
3. Edit that setting to remove `nonfree, `.
<figure class="figure my-4">
<img class="figure-img img-fluid rounded" src="/static/contentdb_flag_blacklist.png" alt="Screenshot of the ContentDB Flag Blacklist setting">
<figcaption class="figure-caption">Screenshot of the ContentDB Flag Blacklist setting</figcaption>
In the future, [the `platform_default` flag](/help/content_flags/) will be used to control what content
each platforms shows - Android is significantly stricter about mature content.
You may wish to remove all text from that setting completely, leaving it blank,
if you wish to view all content when this happens. Currently, [mature content is
not permitted on ContentDB](/policy_and_guidance/).

title: Package Configuration and Releases Guide
## Introduction
ContentDB will read configuration files in your package when doing several
tasks, including package and release creation. This page details how you can use
this to your advantage.
## .conf files
### What is a content .conf file?
Every type of content can have a `.conf` file that contains the metadata.
The filename of the `.conf` file depends on the content type:
* `mod.conf` for mods.
* `modpack.conf` for mod packs.
* `game.conf` for games.
* `texture_pack.conf` for texture packs.
The `.conf` uses a key-value format, separated using equals. Here's a simple example:
name = mymod
description = A short description to show in the client.
### Understood values
ContentDB understands the following information:
* `description` - A short description to show in the client.
* `depends` - Comma-separated hard dependencies.
* `optional_depends` - Comma-separated soft dependencies.
* `min_minetest_version` - The minimum Minetest version this runs on, see [Min and Max Minetest Versions](#min_max_versions).
* `max_minetest_version` - The maximum Minetest version this runs on, see [Min and Max Minetest Versions](#min_max_versions).
and for mods only:
* `name` - the mod technical name.
## .cdb.json
You can include a `.cdb.json` file in the root of your content directory (ie: next to a .conf)
to update the package meta.
It should be a JSON dictionary with one or more of the following optional keys:
* `type`: One of `GAME`, `MOD`, `TXP`.
* `title`: Human-readable title.
* `name`: Technical name (needs permission if already approved).
* `short_description`
* `tags`: List of tag names, see [/api/tags/](/api/tags/).
* `content_warnings`: List of content warning names, see [/api/content_warnings/](/api/content_warnings/).
* `license`: A license name, see [/api/licenses/](/api/licenses/).
* `media_license`: A license name.
* `long_description`: Long markdown description.
* `repo`: Git repo URL.
* `website`: Website URL.
* `issue_tracker`: Issue tracker URL.
* `forums`: forum topic ID.
* `video_url`: URL to a video.
Use `null` to unset fields where relevant.
"title": "Foo bar",
"tags": ["pvp", "survival"],
"license": "MIT",
"website": null
## Controlling Release Creation
### Git-based Releases and Submodules
ContentDB can create releases from a Git repository.
It will include submodules in the resulting archive.
Simply set VCS Repository in the package's meta to a Git repository, and then
choose Git as the method when creating a release.
### Automatic Release Creation
See [Git Update Detection](/help/update_config/).
You can also use [GitLab/GitHub webhooks](/help/release_webhooks/) or the [API](/help/api/)
to create releases.
### Min and Max Minetest Versions
<a name="min_max_versions" />
When creating a release, the `.conf` file will be read to determine what Minetest
versions the release supports. If the `.conf` doesn't specify, then it is assumed
that it supports all versions.
This happens when you create a release via the ContentDB web interface, the
[API](/help/api/), or using a [GitLab/GitHub webhook](/help/release_webhooks/).
Here's an example config:
name = mymod
min_minetest_version = 5.0
max_minetest_version = 5.3
Leaving out min or max to have them set as "None".
### Excluding files
When using Git to create releases,
you can exclude files from a release by using [gitattributes](
.* export-ignore
sources export-ignore
*.zip export-ignore
This will prevent any files from being included if they:
* Beginning with `.`
* or are named `sources` or are inside any directory named `sources`.
* or have an extension of "zip".

title: Package Tags
## Overview
Tags should be added to packages to enable easy identification of different types of mods, games and texture packs.
They are only beneficial when applied correctly, so please use the following guidelines.
## Tag Usage
* **Building** - For mods that focus on adding new materials or nodes to build with.
* **Education** - For mods or games created for educational purposes.
* **Environment** - For mods that add environmental effects, including ambient sound and weather effects.
* **Inventory** - For mods that add new inventory systems or new inventory pages.
* **Machines and Electronics** - For mods that include placeable machinery or electronic components which interact to complete tasks.
* **Maintenance** - For mods that assist with world or player maintenance. This includes large-scale map manipulation, area protection and other administrative tools.
* **Mapgen** - For mods that add new biomes, new mapgen decorations, or any other mapgen elements.
* **Mobs and NPCs** - For mods that add mobs or NPCs, or provide tools that assist with mob and NPC creation or manipulation.
* **Plants and Farming** - For mods that add new plants or other farmable resources.
* **Player effects/Food** - For mods that change player effects, for example speed, jump height or gravity, and food.
* **Tools** - For mods that add new tools or new features for existing tools.
* **Transport** - For mods that add transportation methods. This includes teleportation, vehicles and ridable mobs.
* **Survival** - For mods written specifically for survival games. For example, these mods might focus on game-balance or increase the difficulty level. This tag should also be used for games with a heavy survival focus.
* **Creative** - For mods written specifically (and often exclusively) for use in creative mode. For example, these mods may add a large amount of decorative content, or content without crafting recipes. This tag should also be used for games with a heavy creative focus.
* **Multiplayer-focused** - For games that can be played with other players.
* **Singleplayer-focused** - For games that can be played alone.
* **PvP** - For games designed to be played competitively against other players.
* **PvE** - For games designed for one or multiple players which focus on combat against mobs or NPCs.
* **Puzzle** - For mods and games with a focus on puzzle solving instead of combat.
* **16px** - For 16px texture packs.
* **32px** - For 32px texture packs.
* **64px** - For 64px texture packs.
* **128px+** - For 128px or higher texture packs.

## Overview ## Overview
* **New Members** - mostly untrusted, cannot change package meta data or publish releases without approval. * **New Members** - mostly untrusted, cannot change package meta data or publish releases without approval.
* **Members** - Trusted to change the meta data of their own packages', but cannot approve their own packages. * **Members** - Trusted to change the meta data of their own packages', but cannot publish releases.
* **Trusted Members** - Same as above, but can approve their own releases. * **Trusted Members** - Same as above, but can approve their own releases and packages.
* **Approvers** - Responsible for approving new packages, screenshots, and releases. * **Editors** - Trusted to change the meta data of any package, and also make and publish releases.
* **Editors** - Same as above, and can edit any package or release.
* **Moderators** - Same as above, but can manage users. * **Moderators** - Same as above, but can manage users.
* **Admins** - Full access. * **Admins** - Full access.
## Breakdown ## Breakdown
<table class="table table-striped ranks-table"> <table class="fancyTable">
<thead> <thead>
<tr> <tr>
<th>Rank</th> <th>Rank</th>
<th colspan=2 class="NEW_MEMBER">New Member</th> <th colspan=2>New Member</th>
<th colspan=2 class="MEMBER">Member</th> <th colspan=2>Member</th>
<th colspan=2 class="TRUSTED_MEMBER">Trusted</th> <th colspan=2>Trusted Member</th>
<th colspan=2 class="APPROVER">Approver</th> <th colspan=2>Editor</th>
<th colspan=2 class="EDITOR">Editor</th> <th colspan=2>Moderator</th>
<th colspan=2 class="MODERATOR">Moderator</th> <th colspan=2>Admin</th>
<th colspan=2 class="ADMIN">Admin</th>
</tr> </tr>
<tr> <tr>
<th>Owner of thing</th> <th>Owner of thing</th>
@ -38,269 +36,208 @@ title: Ranks and Permissions
<th>N</th> <th>N</th>
<th>Y</th> <th>Y</th>
<th>N</th> <th>N</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td>Create Package</td> <td>Create Package</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <th></th>
<td></td> <!-- moderator --> <th></th> <!-- admin -->
<td></td> <th></th>
<td></td> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>Approve Package</td> <td>Approve Package</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <th></th>
<td></td> <!-- moderator --> <th></th> <!-- admin -->
<td></td> <th></th>
<td></td> <!-- admin -->
<td>Delete Package</td>
<td></td> <!-- new -->
<td></td> <!-- member -->
<td></td> <!-- trusted member -->
<td></td> <!-- approver -->
<td></td> <!-- editor -->
<td></td> <!-- moderator -->
<td></td> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>Edit Package</td> <td>Edit Package</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <th></th>
<td></td> <!-- moderator --> <th></th> <!-- admin -->
<td></td> <th></th>
<td></td> <!-- admin -->
<td>Edit Maintainers</td>
<td></td> <!-- new -->
<td></td> <!-- member -->
<td></td> <!-- trusted member -->
<td></td> <!-- approver -->
<td></td> <!-- editor -->
<td></td> <!-- moderator -->
<td></td> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>Add/Delete Screenshot</td> <td>Add/Delete Screenshot</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <th></th>
<td></td> <!-- moderator --> <th></th> <!-- admin -->
<td></td> <th></th>
<td></td> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>Approve Screenshot</td> <td>Approve Screenshot</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <th></th>
<td></td> <!-- moderator --> <th></th> <!-- admin -->
<td></td> <th></th>
<td></td> <!-- admin --> </tr>
<td></td> <tr>
<td>Approve EditRequest</td>
<th></th> <!-- new -->
<th></th> <!-- member -->
<th></th> <!-- trusted member -->
<th></th> <!-- editor -->
<th></th> <!-- moderator -->
<th></th> <!-- admin -->
<td>Edit EditRequest</td>
<th><sup>1</sup></th> <!-- new -->
<th></th> <!-- member -->
<th></th> <!-- trusted member -->
<th></th> <!-- editor -->
<th></th> <!-- moderator -->
<th></th> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>Make Release</td> <td>Make Release</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <th></th>
<td></td> <!-- moderator --> <th></th> <!-- admin -->
<td></td> <th></th>
<td></td> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>Approve Release</td> <td>Approve Release</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <th></th>
<td></td> <!-- moderator --> <th></th> <!-- admin -->
<td></td> <th></th>
<td></td> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>Change Release URL</td> <td>Change Release URL</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <th></th>
<td></td> <!-- moderator --> <th></th> <!-- admin -->
<td></td> <th></th>
<td></td> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>See Private Thread</td> <td>See Private Thread</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <th></th>
<td></td> <!-- moderator --> <th></th> <!-- admin -->
<td></td> <th></th>
<td></td> <!-- admin -->
<td>Edit Comments</td>
<td></td> <!-- new -->
<td></td> <!-- member -->
<td></td> <!-- trusted member -->
<td></td> <!-- approver -->
<td></td> <!-- editor -->
<td></td> <!-- moderator -->
<td></td> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>Set Email</td> <td>Set Email</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th></th> <!-- moderator -->
<td></td> <!-- moderator -->
<th><sup>2</sup></th> <th><sup>2</sup></th>
<td></td> <!-- admin --> <th></th> <!-- admin -->
<td></td> <th></th>
<td>Create Token</td>
<td></td> <!-- new -->
<td></td> <!-- member -->
<td></td> <!-- trusted member -->
<td></td> <!-- approver -->
<td></td> <!-- editor -->
<td></td> <!-- moderator -->
<td></td> <!-- admin -->
</tr> </tr>
<tr> <tr>
<td>Set Rank</td> <td>Set Rank</td>
<td></td> <!-- new --> <th></th> <!-- new -->
<td></td> <th></th>
<td></td> <!-- member --> <th></th> <!-- member -->
<td></td> <th></th>
<td></td> <!-- trusted member --> <th></th> <!-- trusted member -->
<td></td> <th></th>
<td></td> <!-- approver --> <th></th> <!-- editor -->
<td></td> <th></th>
<td></td> <!-- editor --> <th><sup>3</sup></th> <!-- moderator -->
<td></td> <th><sup>2</sup><sup>3</sup></th>
<th><sup>2</sup></th> <!-- moderator --> <th></th> <!-- admin -->
<th><sup>1</sup><sup>2</sup></th> <th></th>
<td></td> <!-- admin -->
</tr> </tr>
</tbody> </tbody>
</table> </table>
1. Target user cannot be an admin. 1. User must be the author of the EditRequest.
2 Cannot set user to a higher rank than themselves. 2. Target user cannot be an admin.
3. Cannot set user to a higher rank than themselves.

title: Creating Releases using Webhooks
## What does this mean?
A webhook is a notification from one service to another. Put simply, a webhook
is used to notify ContentDB that the git repository has changed.
ContentDB offers the ability to automatically create releases using webhooks
from either Github or Gitlab. If you're not using either of those services,
you can also use the [API](../api) to create releases.
ContentDB also offers the ability to poll a Git repo and check for updates
without any web hooks, this is limited to once a day.
See [Git Update Detection](/help/update_config/).
The process is as follows:
1. The user creates an API Token and a webhook to use it.
2. The user pushes a commit to the git host (Gitlab or Github).
3. The git host posts a webhook notification to ContentDB, using the API token assigned to it.
4. ContentDB checks the API token and issues a new release.
<p class="alert alert-warning">
"New commit" or "push" based webhooks will currently only work on branches named `master` or
## Setting up
### GitHub
1. Create a ContentDB API Token at [Profile > API Tokens: Manage](/user/tokens/).
2. Copy the access token that was generated.
3. Go to the GitLab repository's settings > Webhooks > Add Webhook.
4. Set the payload URL to ``
5. Set the content type to JSON.
6. Set the secret to the access token that you copied.
7. Set the events
* If you want a rolling release, choose "just the push event".
* Or if you want a stable release cycle based on tags,
choose "Let me select" > Branch or tag creation.
8. Create.
### GitLab
1. Create a ContentDB API Token at [Profile > API Tokens: Manage](/user/tokens/).
2. Copy the access token that was generated.
3. Go to the GitLab repository's settings > Webhooks.
4. Set the URL to ``
6. Set the secret token to the ContentDB access token that you copied.
7. Set the events
* If you want a rolling release, choose "Push events".
* Or if you want a stable release cycle based on tags,
choose "Tag push events".
8. Add webhook.
## Configuring Release Creation
See the [Package Configuration and Releases Guide](/help/package_config/) for
documentation on configuring the release creation.
From the Git repository, you can set the min/max Minetest versions, which files are included,
and update the package meta.

title: Reporting Content
Please let us know if anything on the ContentDB violates our rules or any applicable
We take copyright violation and other offenses very seriously.
<a href="" class="btn btn-success">Contact</a>

title: Top Packages Algorithm
## Package Score
Each package is given a `score`, which is used when ordering them in the
"Top Games/Mods/Texture Packs" lists. The intention of this feature is
to make it easier for new users to find good packages.
A package's score is equal to a rolling average of recent downloads,
plus the sum of the score given by reviews.
A review score is 100 if positive, -100 if negative.
reviews_sum = sum(100 * (positive ? 1 : -1));
score = avg_downloads + reviews_sum;
## Pseudo rolling average of downloads
Each package adds 1 to `avg_downloads` for each unique download,
and then loses 5% (=1/20) of the value every day.
This is called a [Frecency]( heuristic,
a measure which combines both frequency and recency.
"Unique download" is counted per IP per package.
Downloading an update won't increase the download count if it's already been
downloaded from that IP.
## Transparency and Feedback
You can see all scores using the [scores REST API](/api/scores/), or by
using the [Prometheus metrics](/help/metrics/) endpoint.
Consider [suggesting improvements](

title: Git Update Detection
## Introduction
When you push a change to your Git repository, ContentDB can create a new release automatically or
send you a reminder. ContentDB will check your Git repository one per day, but you can use
webhooks or the API for faster updates.
Git Update Detection is clever enough to not create a release again if you've already created
it manually or using webhooks/the API.
## Setting up
* Set "VCS Repository URL" in your package.
* Open the "Configure Git Update Detection" page:
* Go to the Create Release page and click "Set up" on the banner.
* If the "How do you want to create releases?" wizard appears, choose "Automatic".
* Choose a trigger:
* **New Commit** - this will trigger for each pushed commit on the default branch, or the branch you specify.
* **New Tag** - this will trigger when a New Tag is created.
* Choose action to occur when the trigger happens:
* **Notification** - All maintainers receive a notification under the Bot category, and the package
will appear under "Outdated Packages" in [your to do list](/user/todo/).
* **Create Release** - A new release is created.
If New Commit, the title will be the iso date (eg: 2021-02-01).
If New Tag, the title will the tag name.
## Marking a package as up-to-date
Git Update Detection shouldn't erroneously mark packages as outdated if it is configured currently,
so the first thing you should do is make sure the Update Settings are set correctly.
There are some situations where the settings are correct, but you want to mark a package as
up-to-date - for example, if you don't want to make a release for a particular tag.
Clicking "Save" on "Update Settings" will mark a package as up-to-date.
## Configuring Release Creation
See the [Package Configuration and Releases Guide](/help/package_config/) for
documentation on configuring the release creation.
From the Git repository, you can set the min/max Minetest versions, which files are included,
and update the package meta.

@ -1,12 +1,12 @@
title: WTFPL is a terrible license title: WTFPL is a terrible license
toc: False no_h1: true
<div id="warning" class="alert alert-warning"> <div id="warning" class="alert alert-warning">
<span class="icon_message"></span> <span class="icon_message"></span>
Please reconsider the choice of WTFPL as a license. Please reconsider the choice of WTFPL as a license.
<script> <script>
// @author rubenwardy // @author rubenwardy
// @license magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&dn=gpl-3.0.txt GPL-v3-or-Later // @license magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&dn=gpl-3.0.txt GPL-v3-or-Later
@ -20,6 +20,8 @@ toc: False
</script> </script>
</div> </div>
# WTFPL is a terrible license
The use of WTFPL as a license is discouraged for multiple reasons. The use of WTFPL as a license is discouraged for multiple reasons.
* **No Warranty disclaimer:** This could open you up to being sued.<sup>[1]</sup> * **No Warranty disclaimer:** This could open you up to being sued.<sup>[1]</sup>

View File

@ -1,54 +1,49 @@
title: Package Inclusion Policy and Guidance title: Package Inclusion Policy and Guidance
ContentDB is for the community, and as such listings should be useful to the ContentDB is for the community, and as such listings should be useful to the
community. To help with this, there are a few rules to improve the quality of community. To help with this, there are a few rules to improve the quality of
the listings and to combat abuse. the listings and to combat abuse.
* **No inappropriate content.** <sup>2.1</sup> * No inappropriate content.
* **Content must be playable/useful, but not necessarily finished.** <sup>2.2</sup> * Content must be playable/useful, but not necessarily finished.
* **Don't use the name of another mod unless your mod is a fork or reimplementation.** <sup>3</sup> * Don't use the name of another mod unless your mod is a fork or reimplementation.
* **Licenses must allow derivatives, redistribution, and must not discriminate.** <sup>4</sup> * Licenses must allow derivatives, redistribution, and must not discriminate.
* **Don't put promotions or advertisements in any package metadata.** <sup>5</sup> * Don't put promotions are advertisements in package listings, except for
* **The ContentDB admin reserves the right to remove packages for any reason**, donation and personal website links which are permitted in the long description.
including ones not covered by this document, and to ban users who abuse
this service. <sup>1</sup>
## 1. General ## 1. General
It is not permitted to submit abusive, obscene, vulgar, slanderous, hateful,
threatening, sexually-orientated or any material that may violate any laws be
it of your country, the country where "Content DB” is hosted or International Law.
The ContentDB admin reserves the right to remove packages for any reason, The ContentDB admin reserves the right to remove packages for any reason,
including ones not covered by this document, and to ban users who abuse this service. including ones not covered by this document, and to ban users who abuse this service.
Also see the [help page on tags](/help/package_tags/).
## 2. Accepted Content
### 2.1. Acceptable Content ## 2. Accepted Content and State of Completion
Sexually-orientated content is not permitted. The submission of malware is strictly prohibited. This includes software which
If in doubt at what this means, [contact us by raising a report](/report/). does not do as it advertises, for example if it posts telemetry without stating
Mature content is permitted providing that it is labelled correctly.
See [Content Flags](/help/content_flags/).
The submission of malware is strictly prohibited. This includes software that
does not do as it advertises, for example, if it posts telemetry without stating
clearly that it does in the package meta. clearly that it does in the package meta.
### 2.2. State of Completion
ContentDB should only currently contain playable content - content which is ContentDB should only currently contain playable content - content which is
sufficiently complete to be useful to end-users. It's fine to add stuff which sufficiently complete to be useful to end users. It's fine to add stuff which
is still a Work in Progress (WIP) as long as it adds sufficient value; is still a work in progress (WIP) as long as it adds sufficient value -
MineClone 2 is a good example of a WIP package which may break between releases Mineclone 2 is a good example of a WIP package which may break between releases
but still has value. Note that this doesn't mean that you should add a thing but still has value. Note that this doesn't mean that you should add a thing
you started working on yesterday, it's worth adding all the basic stuff to you started working on yesterday, it's worth adding all the basic stuff to
make your package useful. make your package useful.
You should make sure to mark Work in Progress stuff as such in the "maintenance status" column,
as this will help advise players.
Adding non-player facing mods, such as libraries and server tools, is perfectly fine Adding non-player facing mods, such as libraries and server tools, is perfectly fine
and encouraged. ContentDB isn't just for player-facing things, and adding and encouraged. ContentDB isn't just for player-facing things, and adding
libraries allows them to be installed when a mod depends on it. libraries allows them to be installed when a mod depends on it.
@ -58,10 +53,8 @@ libraries allows them to be installed when a mod depends on it.
### 3.1 Right to a name ### 3.1 Right to a name
A package uses a name when it has that name or contains a mod that uses that name.
The first package to use a name based on the creation of its forum topic or The first package to use a name based on the creation of its forum topic or
ContentDB submission has the right to the technical name. The use of a package contentdb submission has the right to the technical name. The use of a package
on a server or in private doesn't reserve its name. No other packages of the same on a server or in private doesn't reserve its name. No other packages of the same
type may use the same name, except for the exception given by 3.2. type may use the same name, except for the exception given by 3.2.
@ -74,10 +67,10 @@ to change the name of the package, or your package won't be accepted.
We reserve the right to issue exceptions for this where we feel necessary. We reserve the right to issue exceptions for this where we feel necessary.
### 3.2. Mod Forks and Reimplementations ### 3.2 Mod Forks and Reimplementations
An exception to the above is that mods are allowed to have the same name as a An exception to the above is that mods are allowed to have the same name as a
mod if it's a fork of that mod (or a close reimplementation). In real terms, it mod if its a fork of that mod (or a close reimplementation). In real terms, it
should be possible to use the new mod as a drop-in replacement. should be possible to use the new mod as a drop-in replacement.
We reserve the right to decide whether a mod counts as a fork or We reserve the right to decide whether a mod counts as a fork or
@ -86,14 +79,14 @@ reimplementation of the mod that owns the name.
## 4. Licenses ## 4. Licenses
### 4.1. Allowed Licenses ### 4.1 Allowed Licenses
Please ensure that you correctly credit any resources (code, assets, or otherwise) Please ensure that you correctly credit any resources (code, assets, or otherwise)
that you have used in your package. that you have used in your package.
**The use of licenses that do not allow derivatives or redistribution is not **The use of licenses which do not allow derivatives or redistribution is not
permitted. This includes CC-ND (No-Derivatives) and lots of closed source licenses. permitted. This includes CC-ND (No-Derivatives) and lots of closed source licenses.
The use of licenses that discriminate between groups of people or forbid the use The use of licenses which discriminate between groups of people or forbid the use
of the content on servers or singleplayer is also not permitted.** of the content on servers or singleplayer is also not permitted.**
However, closed sourced licenses are allowed if they allow the above. However, closed sourced licenses are allowed if they allow the above.
@ -104,21 +97,17 @@ get around to adding it.
Please note that the definitions of "free" and "non-free" is the same as that Please note that the definitions of "free" and "non-free" is the same as that
of the [Free Software Foundation]( of the [Free Software Foundation](
### 4.2. Recommended Licenses ### 4.2 Recommended Licenses
It is highly recommended that you use a Free and Open Source software (FOSS) It is highly recommended that you use a free and open source software license.
license. FOSS licenses result in a sharing community and will increase the FOSS licenses result in a sharing community and will increase the number of potential users your package has.
number of potential users your package has. Using a closed source license will Using a closed source license will result in your package being massively penalised in the search results and package lists.
result in your package being massively penalised in the search results and
package lists. See the help page on [non-free licenses](/help/non_free/) for more
It is recommended that you use a proper license for code with a warranty It is recommended that you use a proper license for code with a warranty
disclaimer, such as the (L)GPL or MIT. You should also use a proper media license disclaimer, such as the (L)GPL or MIT. You should also use a proper media license
for media, such as a Creative Commons license. for media, such as a Creative Commons license.
The use of WTFPL is discouraged as it doesn't contain a The use of WTFPL is discouraged as it doesn't contain a [valid warranty disclaimer](,
[valid warranty disclaimer](,
and also includes swearing which prevents settings like schools from using your content. and also includes swearing which prevents settings like schools from using your content.
[Read more](/help/wtfpl/). [Read more](/help/wtfpl/).
@ -127,30 +116,16 @@ Public domain is not a valid license in many countries, please use CC0 or MIT in
## 5. Promotions and Advertisements (inc. asking for donations) ## 5. Promotions and Advertisements (inc. asking for donations)
You may not place any promotions or advertisements in any meta data including Any information other than the long description - including screenshots - must
screenshots. This includes asking for donations, promoting online shops, not contain any promotions or advertisements. This includes asking for donations,
or linking to personal websites and social media. Please instead use the promoting online shops, or linking to personal websites and social media.
fields provided on your user profile page to place links to websites and
donation pages.
ContentDB is for the community. We may remove any promotions if we feel that ContentDB is for the community. We may remove any promotions if we feel that
they're inappropriate. they're inappropriate.
Paid promotions are not allowed at all, anywhere.
## 6. Reviews and Package Score
You may invite players to review your package(s). One way to do this is by sharing the link found in the
"Share and Badges" page of the package's settings.
You must not require anyone to review a package. You must not promise or provide incentives for reviewing a package,
including but not limited to monetary rewards, in-game items, features, and/or privileges.
You may give a cosmetic-only role or badge to those who review your package - this must not be tied to the content or
rating of the review.
You must not attempt to unfairly manipulate your package's ranking, whether by reviews or any other method.
Doing so may result in temporary or permanent suspension from ContentDB.
## 7. Reporting Violations ## 6. Reporting Violations
Please click "Report" on the package page. See the [Reporting Content](/help/reporting/) page.

View File

@ -1,100 +0,0 @@
title: Privacy Policy
Last Updated: 2022-01-23
([View updates](
## What Information is Collected
**All users:**
* HTTP requests are logged, with the following information:
* Time
* IP address
* Page URL
* Response status code
* Preferred language/locale. This defaults to the browser's locale, but can be changed by the user
**With an account:**
* Email address
* Passwords (hashed and salted using BCrypt)
* Profile information, such as website URLs and donation URLs
* Comments, threads, and reviews
* Audit log actions (such as edits and logins) and their time stamps
ContentDB collects usernames of content creators from the forums,
as this is required to index forum topics.
Packages, including releases, screenshots, and any meta information,
are not considered personal information.
Please avoid giving other personal information as we do not want it.
## How this information is used
* Logged HTTP requests may be used for debugging ContentDB.
* Email addresses are used to:
* Provide essential system messages, such as password resets and privacy policy updates.
* Send notifications - the user may configure this to their needs, including opting out.
* The admin may use ContentDB to send emails when they need to contact a user.
* Passwords are used to authenticate the user.
* The audit log is used to record actions that may be harmful.
* Preferred language/locale is used to translate emails and the ContentDB interface.
* Other information is displayed as part of ContentDB's service.
## Who has access
* Only the admin has access to the HTTP requests.
The logs may be shared with others to aid in debugging, but care will be taken to remove any personal information.
* Encrypted backups may be shared with selected Minetest staff members (moderators + core devs).
The keys and the backups themselves are given to different people,
requiring at least two staff members to read a backup.
* Email addresses are visible to moderators and the admin.
They have access to assist users, and they are not permitted to share email addresses.
* Hashing protects passwords from being read whilst stored in the database or in backups.
* Profile information is public, including URLs and linked accounts.
* The visibility of comments depends on the visibility of threads.
They are either public, or visible only to the package author and editors.
* The complete audit log is visible to moderators.
Users may see their own audit log actions on their account settings page.
Owners, maintainers, and editors may be able to see the actions on a package in the future.
* Preferred language can only be viewed by this with access to the database or a backup.
* We may be required to share information with law enforcement.
## Location
The ContentDB production server is currently located in Germany.
Backups are stored in the UK.
Encrypted backups may be stored in other countries, such as the US or EU.
By using this service, you give permission for the data to be moved as needed.
## Period of Retention
The server uses log rotation, meaning that any logged HTTP requests will be
forgotten within a few weeks.
Usernames may be kept indefinitely, but other user information will be deleted if
requested. See below.
## Removal Requests
Please [raise a report]( if you
wish to remove your personal information.
ContentDB keeps a record of each username and forum topic on the forums,
for use in indexing mod/game topics. ContentDB also requires the use of a username
to uniquely identify a package. Therefore, an author cannot be removed completely
from ContentDB if they have any packages or mod/game topics on the forum.
If we are unable to remove your account for one of the above reasons, your user
account will instead be wiped and deactivated, ending up exactly like an author
who has not yet joined ContentDB. All personal information will be removed from the profile,
and any comments or threads will be deleted.
## Future Changes to Privacy Policy
We will alert any future changes to the privacy policy via email and
via notices on the ContentDB website.
By continuing to use this service, you agree to the privacy policy.

@ -1,188 +0,0 @@
# ContentDB
# Copyright (C) 2022 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
import sys
from typing import List, Dict, Optional, Iterator, Iterable
from app.logic.LogicError import LogicError
from app.models import Package, MetaPackage, PackageType, PackageState, PackageGameSupport, db
if package is a game:
return [ package ]
for all hard dependencies:
support = support AND get_meta_package_support(dep)
return support
for package implementing meta package:
support = support OR get_game_support(package)
return support
minetest_game_mods = {
"beds", "boats", "bucket", "carts", "default", "dungeon_loot", "env_sounds", "fire", "flowers",
"give_initial_stuff", "map", "player_api", "sethome", "spawn", "tnt", "walls", "wool",
"binoculars", "bones", "butterflies", "creative", "doors", "dye", "farming", "fireflies", "game_commands",
"keys", "mtg_craftguide", "screwdriver", "sfinv", "stairs", "vessels", "weather", "xpanes",
mtg_mod_blacklist = {
"repixture", "tutorial", "runorfall", "realtest_mt5", "mevo", "xaenvironment",
class PackageSet:
packages: Dict[str, Package]
def __init__(self, packages: Optional[Iterable[Package]] = None):
self.packages = {}
if packages:
def update(self, packages: Iterable[Package]):
for package in packages:
key = package.getId()
if key not in self.packages:
self.packages[key] = package
def intersection_update(self, other):
keys = set(self.packages.keys())
for key in keys:
del self.packages[key]
def __len__(self):
return len(self.packages)
def __iter__(self):
return self.packages.values().__iter__()
class GameSupportResolver:
checked_packages = set()
checked_metapackages = set()
resolved_packages: Dict[str, PackageSet] = {}
resolved_metapackages: Dict[str, PackageSet] = {}
def resolve_for_meta_package(self, meta: MetaPackage, history: List[str]) -> PackageSet:
print(f"Resolving for {}", file=sys.stderr)
key =
if key in self.resolved_metapackages:
return self.resolved_metapackages.get(key)
if key in self.checked_metapackages:
print(f"Error, cycle found: {','.join(history)}", file=sys.stderr)
return PackageSet()
retval = PackageSet()
for package in meta.packages:
if package.state != PackageState.APPROVED:
if in minetest_game_mods and in mtg_mod_blacklist:
ret = self.resolve(package, history)
if len(ret) == 0:
retval = PackageSet()
self.resolved_metapackages[key] = retval
return retval
def resolve(self, package: Package, history: List[str]) -> PackageSet:
key = package.getId()
print(f"Resolving for {key}", file=sys.stderr)
history = history.copy()
if package.type == PackageType.GAME:
return PackageSet([package])
if key in self.resolved_packages:
return self.resolved_packages.get(key)
if key in self.checked_packages:
print(f"Error, cycle found: {','.join(history)}", file=sys.stderr)
return PackageSet()
if package.type != PackageType.MOD:
raise LogicError(500, "Got non-mod")
retval = PackageSet()
for dep in package.dependencies.filter_by(optional=False).all():
ret = self.resolve_for_meta_package(dep.meta_package, history)
if len(ret) == 0:
elif len(retval) == 0:
if len(retval) == 0:
raise LogicError(500, f"Detected game support contradiction, {key} may not be compatible with any games")
self.resolved_packages[key] = retval
return retval
def update_all(self) -> None:
for package in Package.query.filter(Package.type == PackageType.MOD, Package.state != PackageState.DELETED).all():
retval = self.resolve(package, [])
for game in retval:
support = PackageGameSupport(package, game)
def update(self, package: Package) -> None:
previous_supported: Dict[str, PackageGameSupport] = {}
for support in package.supported_games.all():
previous_supported[] = support
retval = self.resolve(package, [])
for game in retval:
assert game
lookup = previous_supported.pop(game.getId(), None)
if lookup is None:
support = PackageGameSupport(package, game)
elif lookup.confidence == 0:
lookup.supports = True
for game, support in previous_supported.items():
if support.confidence == 0:

# ContentDB
# Copyright (C) 2021 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
import re
import validators
from flask_babel import lazy_gettext
from app.logic.LogicError import LogicError
from app.models import User, Package, PackageType, MetaPackage, Tag, ContentWarning, db, Permission, AuditSeverity, \
License, UserRank, PackageDevState
from app.utils import addAuditLog
from app.utils.url import clean_youtube_url
def check(cond: bool, msg: str):
if not cond:
raise LogicError(400, msg)
def get_license(name):
if type(name) == License:
return name
license = License.query.filter(
if license is None:
raise LogicError(400, "Unknown license " + name)
return license
name_re = re.compile("^[a-z0-9_]+$")
AnyType = "?"
"type": AnyType,
"title": str,
"name": str,
"short_description": str,
"short_desc": str,
"dev_state": AnyType,
"tags": list,
"content_warnings": list,
"license": AnyType,
"media_license": AnyType,
"long_description": str,
"desc": str,
"repo": str,
"website": str,
"issue_tracker": str,
"issueTracker": str,
"forums": int,
"video_url": str,
"short_description": "short_desc",
"issue_tracker": "issueTracker",
"long_description": "desc"
def is_int(val):
return True
except ValueError:
return False
def validate(data: dict):
for key, value in data.items():
if value is not None:
typ = ALLOWED_FIELDS.get(key)
check(typ is not None, key + " is not a known field")
if typ != AnyType:
check(isinstance(value, typ), key + " must be a " + typ.__name__)
if "name" in data:
name = data["name"]
check(isinstance(name, str), "Name must be a string")
lazy_gettext("Name can only contain lower case letters (a-z), digits (0-9), and underscores (_)"))
for key in ["repo", "website", "issue_tracker", "issueTracker"]:
value = data.get(key)
if value is not None:
check(value.startswith("http://") or value.startswith("https://"),
key + " must start with http:// or https://")
check(validators.url(value, public=True), key + " must be a valid URL")
def do_edit_package(user: User, package: Package, was_new: bool, was_web: bool, data: dict,
reason: str = None):
if not package.checkPerm(user, Permission.EDIT_PACKAGE):
raise LogicError(403, lazy_gettext("You do not have permission to edit this package"))
if "name" in data and != data["name"] and \
not package.checkPerm(user, Permission.CHANGE_NAME):
raise LogicError(403, lazy_gettext("You do not have permission to change the package name"))
for alias, to in ALIASES.items():
if alias in data:
data[to] = data[alias]
if "type" in data:
data["type"] = PackageType.coerce(data["type"])
if "dev_state" in data:
data["dev_state"] = PackageDevState.coerce(data["dev_state"])
if "license" in data:
data["license"] = get_license(data["license"])
if "media_license" in data:
data["media_license"] = get_license(data["media_license"])
if "video_url" in data and data["video_url"] is not None:
data["video_url"] = clean_youtube_url(data["video_url"]) or data["video_url"]
if "dQw4w9WgXcQ" in data["video_url"]:
raise LogicError(403, "Never gonna give you up / Never gonna let you down / Never gonna run around and desert you")
for key in ["name", "title", "short_desc", "desc", "type", "dev_state", "license", "media_license",
"repo", "website", "issueTracker", "forums", "video_url"]:
if key in data:
setattr(package, key, data[key])
if package.type == PackageType.TXP:
package.license = package.media_license
if was_new and package.type == PackageType.MOD:
m = MetaPackage.GetOrCreate(, {})
if "tags" in data:
old_tags = list(package.tags)
for tag_id in data["tags"]:
if is_int(tag_id):
tag = Tag.query.get(tag_id)
tag = Tag.query.filter_by(name=tag_id).first()
if tag is None:
raise LogicError(400, "Unknown tag: " + tag_id)
if not was_web and tag.is_protected:
if tag.is_protected and tag not in old_tags and not user.rank.atLeast(UserRank.EDITOR):
raise LogicError(400, lazy_gettext("Unable to add protected tag %(title)s to package", title=tag.title))
if not was_web:
for tag in old_tags:
if tag.is_protected:
if "content_warnings" in data:
for warning_id in data["content_warnings"]:
if is_int(warning_id):
warning = ContentWarning.query.filter_by(name=warning_id).first()
if warning is None:
raise LogicError(400, "Unknown warning: " + warning_id)
if not was_new:
if reason is None:
msg = "Edited {}".format(package.title)
msg = "Edited {} ({})".format(package.title, reason)
severity = AuditSeverity.NORMAL if user in package.maintainers else AuditSeverity.EDITOR
addAuditLog(severity, user, msg, package.getURL("packages.view"), package)
return package

@ -1,98 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
import datetime, re
from celery import uuid
from flask_babel import lazy_gettext
from app.logic.LogicError import LogicError
from app.logic.uploads import upload_file
from app.models import PackageRelease, db, Permission, User, Package, MinetestRelease
from app.tasks.importtasks import makeVCSRelease, checkZipRelease
from app.utils import AuditSeverity, addAuditLog, nonEmptyOrNone
def check_can_create_release(user: User, package: Package):
if not package.checkPerm(user, Permission.MAKE_RELEASE):
raise LogicError(403, lazy_gettext("You do not have permission to make releases"))
five_minutes_ago = - datetime.timedelta(minutes=5)
count = package.releases.filter(PackageRelease.releaseDate > five_minutes_ago).count()
if count >= 5:
raise LogicError(429, lazy_gettext("You've created too many releases for this package in the last 5 minutes, please wait before trying again"))
def do_create_vcs_release(user: User, package: Package, title: str, ref: str,
min_v: MinetestRelease = None, max_v: MinetestRelease = None, reason: str = None):
check_can_create_release(user, package)
rel = PackageRelease()
rel.package = package
rel.title = title
rel.url = ""
rel.task_id = uuid()
rel.min_rel = min_v
rel.max_rel = max_v
if reason is None:
msg = "Created release {}".format(rel.title)
msg = "Created release {} ({})".format(rel.title, reason)
addAuditLog(AuditSeverity.NORMAL, user, msg, package.getURL("packages.view"), package)
makeVCSRelease.apply_async((, nonEmptyOrNone(ref)), task_id=rel.task_id)
def do_create_zip_release(user: User, package: Package, title: str, file,
min_v: MinetestRelease = None, max_v: MinetestRelease = None, reason: str = None,
commit_hash: str = None):
check_can_create_release(user, package)
if commit_hash:
commit_hash = commit_hash.lower()
if not (len(commit_hash) == 40 and re.match(r"^[0-9a-f]+$", commit_hash)):
raise LogicError(400, lazy_gettext("Invalid commit hash; it must be a 40 character long base16 string"))
uploaded_url, uploaded_path = upload_file(file, "zip", "a zip file")
rel = PackageRelease()
rel.package = package
rel.title = title
rel.url = uploaded_url
rel.task_id = uuid()
rel.commit_hash = commit_hash
rel.min_rel = min_v
rel.max_rel = max_v
if reason is None:
msg = "Created release {}".format(rel.title)
msg = "Created release {} ({})".format(rel.title, reason)
addAuditLog(AuditSeverity.NORMAL, user, msg, package.getURL("packages.view"), package)
checkZipRelease.apply_async((, uploaded_path), task_id=rel.task_id)
return rel

@ -1,87 +0,0 @@
import datetime, json
from flask_babel import lazy_gettext
from app.logic.LogicError import LogicError
from app.logic.uploads import upload_file
from app.models import User, Package, PackageScreenshot, Permission, NotificationType, db, AuditSeverity
from app.utils import addNotification, addAuditLog
from app.utils.image import get_image_size
def do_create_screenshot(user: User, package: Package, title: str, file, is_cover_image: bool, reason: str = None):
thirty_minutes_ago = - datetime.timedelta(minutes=30)
count = package.screenshots.filter(PackageScreenshot.created_at > thirty_minutes_ago).count()
if count >= 20:
raise LogicError(429, lazy_gettext("Too many requests, please wait before trying again"))
uploaded_url, uploaded_path = upload_file(file, "image", lazy_gettext("a PNG or JPG image file"))
counter = 1
for screenshot in package.screenshots.all():
screenshot.order = counter
counter += 1
ss = PackageScreenshot()
ss.package = package
ss.title = title or "Untitled"
ss.url = uploaded_url
ss.approved = package.checkPerm(user, Permission.APPROVE_SCREENSHOT)
ss.order = counter
ss.width, ss.height = get_image_size(uploaded_path)
if ss.is_too_small():
raise LogicError(429,
lazy_gettext("Screenshot is too small, it should be at least %(width)s by %(height)s pixels",
width=PackageScreenshot.HARD_MIN_SIZE[0], height=PackageScreenshot.HARD_MIN_SIZE[1]))
if reason is None:
msg = "Created screenshot {}".format(ss.title)
msg = "Created screenshot {} ({})".format(ss.title, reason)
addNotification(package.maintainers, user, NotificationType.PACKAGE_EDIT, msg, package.getURL("packages.view"), package)
addAuditLog(AuditSeverity.NORMAL, user, msg, package.getURL("packages.view"), package)
if is_cover_image:
package.cover_image = ss
return ss
def do_order_screenshots(_user: User, package: Package, order: [any]):
lookup = {}
for screenshot in package.screenshots.all():
lookup[] = screenshot
counter = 1
for ss_id in order:
lookup[int(ss_id)].order = counter
counter += 1
except KeyError as e:
raise LogicError(400, "Unable to find screenshot with id={}".format(ss_id))
except (ValueError, TypeError) as e:
raise LogicError(400, "Invalid id, not a number: {}".format(json.dumps(ss_id)))
def do_set_cover_image(_user: User, package: Package, cover_image):
cover_image = int(cover_image)
except (ValueError, TypeError) as e:
raise LogicError(400, "Invalid id, not a number: {}".format(json.dumps(cover_image)))
for screenshot in package.screenshots.all():
if == cover_image:
package.cover_image = screenshot
raise LogicError(400, "Unable to find screenshot")

@ -1,63 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
import imghdr
import os
from flask_babel import lazy_gettext
from app.logic.LogicError import LogicError
from app.models import *
from app.utils import randomString
def get_extension(filename):
return filename.rsplit(".", 1)[1].lower() if "." in filename else None
ALLOWED_IMAGES = {"jpeg", "png"}
def isAllowedImage(data):
return imghdr.what(None, data) in ALLOWED_IMAGES
def upload_file(file, fileType, fileTypeDesc):
if not file or file is None or file.filename == "":
raise LogicError(400, "Expected file")
assert os.path.isdir(app.config["UPLOAD_DIR"]), "UPLOAD_DIR must exist"
isImage = False
if fileType == "image":
allowedExtensions = ["jpg", "jpeg", "png"]
isImage = True
elif fileType == "zip":
allowedExtensions = ["zip"]
raise Exception("Invalid fileType")
ext = get_extension(file.filename)
if ext is None or not ext in allowedExtensions:
raise LogicError(400, lazy_gettext("Please upload %(file_desc)s", file_desc=fileTypeDesc))
if isImage and not isAllowedImage(
raise LogicError(400, lazy_gettext("Uploaded image isn't actually an image"))
filename = randomString(10) + "." + ext
filepath = os.path.join(app.config["UPLOAD_DIR"], filename)
return "/uploads/" + filename, filepath

@ -1,7 +1,6 @@
import logging import logging
from enum import Enum
from app.tasks.emails import send_user_email from app.tasks.emails import sendEmailRaw
def _has_newline(line): def _has_newline(line):
"""Used by has_bad_header to check for \\r or \\n""" """Used by has_bad_header to check for \\r or \\n"""
@ -35,62 +34,76 @@ class FlaskMailSubjectFormatter(logging.Formatter):
class FlaskMailTextFormatter(logging.Formatter): class FlaskMailTextFormatter(logging.Formatter):
pass pass
# TODO: hier nog niet tevreden over (vooral logger.error(..., exc_info, stack_info))
class FlaskMailHTMLFormatter(logging.Formatter): class FlaskMailHTMLFormatter(logging.Formatter):
pre_template = "<h1>%s</h1><pre>%s</pre>"
def formatException(self, exc_info): def formatException(self, exc_info):
formatted_exception = logging.Handler.formatException(self, exc_info) formatted_exception = logging.Handler.formatException(self, exc_info)
return "<pre>%s</pre>" % formatted_exception return FlaskMailHTMLFormatter.pre_template % ("Exception information", formatted_exception)
def formatStack(self, stack_info): def formatStack(self, stack_info):
return "<pre>%s</pre>" % stack_info return FlaskMailHTMLFormatter.pre_template % ("<h1>Stack information</h1><pre>%s</pre>", stack_info)
# see: (class Handler) # see: (class Handler)
class FlaskMailHandler(logging.Handler): class FlaskMailHandler(logging.Handler):
def __init__(self, send_to, subject_template, level=logging.NOTSET): def __init__(self, mailer, subject_template, level=logging.NOTSET):
logging.Handler.__init__(self, level) logging.Handler.__init__(self, level)
self.send_to = send_to self.mailer = mailer
self.send_to =["MAIL_UTILS_ERROR_SEND_TO"]
self.subject_template = subject_template self.subject_template = subject_template
self.html_formatter = None
def setFormatter(self, text_fmt): def setFormatter(self, text_fmt, html_fmt=None):
""" """
Set the formatters for this handler. Provide at least one formatter. Set the formatters for this handler. Provide at least one formatter.
When no text_fmt is provided, no text-part is created for the email body. When no text_fmt is provided, no text-part is created for the email body.
""" """
assert text_fmt != None, "At least one formatter should be provided" assert (text_fmt, html_fmt) != (None, None), "At least one formatter should be provided"
if type(text_fmt)==str: if type(text_fmt)==str:
self.formatter = text_fmt self.formatter = text_fmt
if type(html_fmt)==str:
html_fmt = FlaskMailHTMLFormatter(html_fmt)
self.html_formatter = html_fmt
def getSubject(self, record): def getSubject(self, record):
fmt = FlaskMailSubjectFormatter(self.subject_template) fmt = FlaskMailSubjectFormatter(self.subject_template)
subject = fmt.format(record) subject = fmt.format(record)
# Since templates can cause header problems, and we rather have a incomplete email then an error, we fix this #Since templates can cause header problems, and we rather have a incomplete email then an error, we fix this
if _is_bad_subject(subject): if _is_bad_subject(subject):
subject="FlaskMailHandler log-entry from ContentDB [original subject is replaced, because it would result in a bad header]" subject="FlaskMailHandler log-entry from %s [original subject is replaced, because it would result in a bad header]" %
return subject return subject
def emit(self, record): def emit(self, record):
subject = self.getSubject(record)
text = self.format(record) if self.formatter else None text = self.format(record) if self.formatter else None
html = "<pre>{}</pre>".format(text) html = self.html_formatter.format(record) if self.html_formatter else None
sendEmailRaw.delay(self.send_to, self.getSubject(record), text, html)
if "The recipient has exceeded message rate limit. Try again later" in subject:
for email in self.send_to:
send_user_email.delay(email, "en", subject, text, html)
def build_handler(app): def register_mail_error_handler(app, mailer):
subject_template = "ContentDB %(message)s (%(module)s > %(funcName)s)" subject_template = "ContentDB crashed (%(module)s > %(funcName)s)"
text_template = ("Message type: %(levelname)s\n" text_template = """
"Location: %(pathname)s:%(lineno)d\n" Message type: %(levelname)s
"Module: %(module)s\n" Location: %(pathname)s:%(lineno)d
"Function: %(funcName)s\n" Module: %(module)s
"Time: %(asctime)s\n" Function: %(funcName)s
"Message: %(message)s\n\n") Time: %(asctime)s
html_template = """
<style>th { text-align: right}</style><table>
<tr><th>Message type:</th><td>%(levelname)s</td></tr>
<tr> <th>Location:</th><td>%(pathname)s:%(lineno)d</td></tr>
<tr> <th>Module:</th><td>%(module)s</td></tr>
<tr> <th>Function:</th><td>%(funcName)s</td></tr>
<tr> <th>Time:</th><td>%(asctime)s</td></tr>
mail_handler = FlaskMailHandler(app.config["MAIL_UTILS_ERROR_SEND_TO"], subject_template) import logging
mail_handler = FlaskMailHandler(mailer, subject_template)
mail_handler.setLevel(logging.ERROR) mail_handler.setLevel(logging.ERROR)
mail_handler.setFormatter(text_template) mail_handler.setFormatter(text_template, html_template)
return mail_handler app.logger.addHandler(mail_handler)

@ -1,179 +0,0 @@
from functools import partial
import bleach
from bleach import Cleaner
from bleach.linkifier import LinkifyFilter
from bs4 import BeautifulSoup
from markdown import Markdown
from flask import Markup, url_for
from markdown.extensions import Extension
from markdown.inlinepatterns import SimpleTagInlineProcessor
from markdown.inlinepatterns import Pattern
from xml.etree import ElementTree
# Based on
# License: MIT
"h1", "h2", "h3", "h4", "h5", "h6", "hr",
"ul", "ol", "li",
"table", "thead", "tbody", "tr", "th", "td",
"div", "span", "del", "s",
"highlight", "codehilite",
"hll", "c", "err", "g", "k", "l", "n", "o", "x", "p", "ch", "cm", "cp", "cpf", "c1", "cs",
"gd", "ge", "gr", "gh", "gi", "go", "gp", "gs", "gu", "gt", "kc", "kd", "kn", "kp", "kr",
"kt", "ld", "m", "s", "na", "nb", "nc", "no", "nd", "ni", "ne", "nf", "nl", "nn", "nx",
"py", "nt", "nv", "ow", "w", "mb", "mf", "mh", "mi", "mo", "sa", "sb", "sc", "dl", "sd",
"s2", "se", "sh", "si", "sx", "sr", "s1", "ss", "bp", "fm", "vc", "vg", "vi", "vm", "il",
def allow_class(_tag, name, value):
return name == "class" and value in ALLOWED_CSS
"h1": ["id"],
"h2": ["id"],
"h3": ["id"],
"h4": ["id"],
"a": ["href", "title", "data-username"],
"img": ["src", "title", "alt"],
"code": allow_class,
"div": allow_class,
"span": allow_class,
ALLOWED_PROTOCOLS = ["http", "https", "mailto"]
md = None
def render_markdown(source):
html = md.convert(source)
cleaner = Cleaner(
filters=[partial(LinkifyFilter, callbacks=bleach.linkifier.DEFAULT_CALLBACKS)])
return cleaner.clean(html)
class DelInsExtension(Extension):
def extendMarkdown(self, md):
del_proc = SimpleTagInlineProcessor(r"(\~\~)(.+?)(\~\~)", "del")
md.inlinePatterns.register(del_proc, "del", 200)
ins_proc = SimpleTagInlineProcessor(r"(\+\+)(.+?)(\+\+)", "ins")
md.inlinePatterns.register(ins_proc, "ins", 200)
RE_PARTS = dict(
class MentionPattern(Pattern):
def __init__(self, config, md):
MENTION_RE = r"(@({USER})(?:\/({REPO}))?)".format(**RE_PARTS)
super(MentionPattern, self).__init__(MENTION_RE, md)
self.config = config
def handleMatch(self, m):
from app.models import User
label =
user =
package_name =
if package_name:
el = ElementTree.Element("a")
el.text = label
el.set("href", url_for("packages.view", author=user, name=package_name))
return el
if User.query.filter_by(username=user).count() == 0:
return None
el = ElementTree.Element("a")
el.text = label
el.set("href", url_for("users.profile", username=user))
el.set("data-username", user)
return el
class MentionExtension(Extension):
def __init__(self, *args, **kwargs):
super(MentionExtension, self).__init__(*args, **kwargs)
def extendMarkdown(self, md):
md.inlinePatterns.register(MentionPattern(self.getConfigs(), md), "mention", 20)
MARKDOWN_EXTENSIONS = ["fenced_code", "tables", "codehilite", "toc", DelInsExtension(), MentionExtension()]
"fenced_code": {},
"tables": {},
"codehilite": {
"guess_lang": False,
def init_markdown(app):
global md
md = Markdown(extensions=MARKDOWN_EXTENSIONS,
def markdown(source):
return Markup(render_markdown(source))
def get_headings(html: str):
soup = BeautifulSoup(html, "html.parser")
headings = soup.find_all(["h1", "h2", "h3"])
root = []
stack = []
for heading in headings:
this = {"link": heading.get("id") or "", "text": heading.text, "children": []}
this_level = int([1:]) - 1
while this_level <= len(stack):
if len(stack) > 0:
return root
def get_user_mentions(html: str) -> set:
soup = BeautifulSoup(html, "html.parser")
links ="a[data-username]")
return set([x.get("data-username") for x in links])

import enum, datetime
from app import app, gravatar
from urllib.parse import urlparse
from flask import Flask, url_for
from flask_sqlalchemy import SQLAlchemy, BaseQuery
from flask_migrate import Migrate
from flask_user import login_required, UserManager, UserMixin, SQLAlchemyAdapter
from sqlalchemy.orm import validates
from sqlalchemy_searchable import SearchQueryMixin
from sqlalchemy_utils.types import TSVectorType
from sqlalchemy_searchable import make_searchable
# Initialise database
db = SQLAlchemy(app)
migrate = Migrate(app, db)
class ArticleQuery(BaseQuery, SearchQueryMixin):
class UserRank(enum.Enum):
def atLeast(self, min):
return self.value >= min.value
def getTitle(self):
return"_", " ").title()
def toName(self):
def __str__(self):
def choices(cls):
return [(choice, choice.getTitle()) for choice in cls]
def coerce(cls, item):
return item if type(item) == UserRank else UserRank[item]
class Permission(enum.Enum):
# Only return true if the permission is valid for *all* contexts
# See Package.checkPerm for package-specific contexts
def check(self, user):
if not user.is_authenticated:
return False
if self == Permission.APPROVE_NEW or \
self == Permission.APPROVE_CHANGES or \
self == Permission.APPROVE_RELEASE or \
self == Permission.APPROVE_SCREENSHOT or \
self == Permission.SEE_THREAD:
return user.rank.atLeast(UserRank.EDITOR)
raise Exception("Non-global permission checked globally. Use Package.checkPerm or User.checkPerm instead.")
class User(db.Model, UserMixin):
id = db.Column(db.Integer, primary_key=True)
# User authentication information
username = db.Column(db.String(50, collation="NOCASE"), nullable=False, unique=True, index=True)
password = db.Column(db.String(255), nullable=True)
reset_password_token = db.Column(db.String(100), nullable=False, server_default="")
rank = db.Column(db.Enum(UserRank))
# Account linking
github_username = db.Column(db.String(50, collation="NOCASE"), nullable=True, unique=True)
forums_username = db.Column(db.String(50, collation="NOCASE"), nullable=True, unique=True)
# User email information
email = db.Column(db.String(255), nullable=True, unique=True)
confirmed_at = db.Column(db.DateTime())
# User information
profile_pic = db.Column(db.String(255), nullable=True, server_default=None)
active = db.Column("is_active", db.Boolean, nullable=False, server_default="0")
display_name = db.Column(db.String(100), nullable=False, server_default="")
# Content
notifications = db.relationship("Notification", primaryjoin="")
# causednotifs = db.relationship("Notification", backref="causer", lazy="dynamic")
packages = db.relationship("Package", backref="author", lazy="dynamic")
requests = db.relationship("EditRequest", backref="author", lazy="dynamic")
threads = db.relationship("Thread", backref="author", lazy="dynamic")
replies = db.relationship("ThreadReply", backref="author", lazy="dynamic")
def __init__(self, username, active=False, email=None, password=None):
self.username = username
self.confirmed_at = - datetime.timedelta(days=6000)
self.display_name = username = active = email
self.password = password
self.rank = UserRank.NOT_JOINED
def canAccessTodoList(self):
return Permission.APPROVE_NEW.check(self) or \
Permission.APPROVE_RELEASE.check(self) or \
def isClaimed(self):
return self.rank.atLeast(UserRank.NEW_MEMBER)
def getProfilePicURL(self):
if self.profile_pic:
return self.profile_pic
return gravatar( or "")
def checkPerm(self, user, perm):
if not user.is_authenticated:
return False
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to User.checkPerm()")
# Members can edit their own packages, and editors can edit any packages
if perm == Permission.CHANGE_AUTHOR:
return user.rank.atLeast(UserRank.EDITOR)
elif perm == Permission.CHANGE_RANK or perm == Permission.CHANGE_DNAME:
return user.rank.atLeast(UserRank.MODERATOR)
elif perm == Permission.CHANGE_EMAIL:
return user == self or (user.rank.atLeast(UserRank.MODERATOR) and user.rank.atLeast(self.rank))
raise Exception("Permission {} is not related to users".format(
def canCommentRL(self):
hour_ago = datetime.datetime.utcnow() - datetime.timedelta(hours=1)
return ThreadReply.query.filter_by(author=self) \
.filter(ThreadReply.created_at > hour_ago).count() < 4
def canOpenThreadRL(self):
hour_ago = datetime.datetime.utcnow() - datetime.timedelta(hours=1)
return Thread.query.filter_by(author=self) \
.filter(Thread.created_at > hour_ago).count() < 2
class UserEmailVerification(db.Model):
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer, db.ForeignKey(""))
email = db.Column(db.String(100))
token = db.Column(db.String(32))
user = db.relationship("User", foreign_keys=[user_id])
class Notification(db.Model):
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer, db.ForeignKey(""))
causer_id = db.Column(db.Integer, db.ForeignKey(""))
user = db.relationship("User", foreign_keys=[user_id])
causer = db.relationship("User", foreign_keys=[causer_id])
title = db.Column(db.String(100), nullable=False)
url = db.Column(db.String(200), nullable=True)
def __init__(self, us, cau, titl, ur):
self.user = us
self.causer = cau
self.title = titl
self.url = ur
class License(db.Model):
id = db.Column(db.Integer, primary_key=True)
name = db.Column(db.String(50), nullable=False, unique=True)
is_foss = db.Column(db.Boolean, nullable=False, default=True)
def __init__(self, v, is_foss=True): = v
self.is_foss = is_foss
def __str__(self):
class PackageType(enum.Enum):
MOD = "Mod"
GAME = "Game"
TXP = "Texture Pack"
def toName(self):
def __str__(self):
def get(cls, name):
return PackageType[name.upper()]
except KeyError:
return None
def choices(cls):
return [(choice, choice.value) for choice in cls]
def coerce(cls, item):
return item if type(item) == PackageType else PackageType[item]
class PackagePropertyKey(enum.Enum):
name = "Name"
title = "Title"
short_desc = "Short Description"
desc = "Description"
type = "Type"
license = "License"
media_license = "Media License"
elif self.meta_package is not None:
raise Exception("Meta and package are both none!")
def SpecToList(depender, spec, cache={}):
retval = []
arr = spec.split(",")
import re
pattern1 = re.compile("^([a-z0-9_]+)$")
pattern2 = re.compile("^([A-Za-z0-9_]+)/([a-z0-9_]+)$")
for x in arr:
x = x.strip()
if x == "":
if pattern1.match(x):
meta = MetaPackage.GetOrCreate(x, cache)
retval.append(Dependency(depender, meta=meta))
m = pattern2.match(x)
username =
name =
user = User.query.filter_by(username=username).first()
if user is None:
raise Exception("Unable to find user " + username)
package = Package.query.filter_by(author=user, name=name).first()
if package is None:
raise Exception("Unable to find package " + name + " by " + username)
retval.append(Dependency(depender, package=package))
return retval
class Package(db.Model):
query_class = ArticleQuery
id = db.Column(db.Integer, primary_key=True)
# Basic details
author_id = db.Column(db.Integer, db.ForeignKey(""))
name = db.Column(db.String(100), nullable=False)
title = db.Column(db.Unicode(100), nullable=False)
short_desc = db.Column(db.Unicode(200), nullable=False)
desc = db.Column(db.UnicodeText, nullable=True)
type = db.Column(db.Enum(PackageType))
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
search_vector = db.Column(TSVectorType("title", "short_desc", "desc"))
license_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False, default=1)
license = db.relationship("License", foreign_keys=[license_id])
media_license_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False, default=1)
media_license = db.relationship("License", foreign_keys=[media_license_id])
approved = db.Column(db.Boolean, nullable=False, default=False)
soft_deleted = db.Column(db.Boolean, nullable=False, default=False)
score = db.Column(db.Float, nullable=False, default=0)
review_thread_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True, default=None)
review_thread = db.relationship("Thread", foreign_keys=[review_thread_id])
# Downloads
repo = db.Column(db.String(200), nullable=True)
website = db.Column(db.String(200), nullable=True)
issueTracker = db.Column(db.String(200), nullable=True)
forums = db.Column(db.Integer, nullable=True)
provides = db.relationship("MetaPackage", secondary=provides, lazy="subquery",
backref=db.backref("packages", lazy="dynamic"))
dependencies = db.relationship("Dependency", backref="depender", lazy="dynamic", foreign_keys=[Dependency.depender_id])
tags = db.relationship("Tag", secondary=tags, lazy="subquery",
backref=db.backref("packages", lazy=True))
releases = db.relationship("PackageRelease", backref="package",
lazy="dynamic", order_by=db.desc("package_release_releaseDate"))
screenshots = db.relationship("PackageScreenshot", backref="package",
lazy="dynamic", order_by=db.asc("package_screenshot_id"))
requests = db.relationship("EditRequest", backref="package",
def __init__(self, package=None):
if package is None:
self.author_id = package.author_id
self.created_at = package.created_at
self.approved = package.approved
for e in PackagePropertyKey:
setattr(self,, getattr(package,
def getAsDictionaryShort(self, base_url, protonum=None):
tnurl = self.getThumbnailURL(1)
return {
"title": self.title,
"short_description": self.short_desc,
"type": self.type.toName(),
"release": self.getDownloadRelease(protonum).id if self.getDownloadRelease(protonum) is not None else None,
"thumbnail": (base_url + tnurl) if tnurl is not None else None,
"score": round(self.score * 10) / 10
def getAsDictionary(self, base_url, protonum=None):
tnurl = self.getThumbnailURL(1)
return {
"title": self.title,
"short_description": self.short_desc,
"desc": self.desc,
"type": self.type.toName(),
"created_at": self.created_at,
"repo": self.repo,
"issue_tracker": self.issueTracker,
"forums": self.forums,
"provides": [ for x in self.provides],
"thumbnail": (base_url + tnurl) if tnurl is not None else None,
"screenshots": [base_url + ss.url for ss in self.screenshots],
"url": base_url + self.getDownloadURL(),
"release": self.getDownloadRelease(protonum).id if self.getDownloadRelease(protonum) is not None else None,
"score": round(self.score * 10) / 10
def getThumbnailURL(self, level=2):
screenshot = self.screenshots.filter_by(approved=True).order_by(db.asc(
return screenshot.getThumbnailURL(level) if screenshot is not None else None
def getMainScreenshotURL(self):
screenshot = self.screenshots.filter_by(approved=True).order_by(db.asc(
return screenshot.url if screenshot is not None else None
def getDetailsURL(self):
return url_for("package_page",,
def getEditURL(self):
return url_for("create_edit_package_page",,
def getApproveURL(self):
return url_for("approve_package_page",,
def getRemoveURL(self):
return url_for("remove_package_page",,
def getNewScreenshotURL(self):
return url_for("create_screenshot_page",,
def getCreateReleaseURL(self):
return url_for("create_release_page",,
def getCreateEditRequestURL(self):
return url_for("create_edit_editrequest_page",,
def getBulkReleaseURL(self):
return url_for("bulk_change_release_page",,
def getDownloadURL(self):
return url_for("package_download_page",,
def getDownloadRelease(self, protonum=None):
version = None
if protonum is not None:
version = MinetestRelease.query.filter(MinetestRelease.protocol >= int(protonum)).first()
if version is not None:
version =
version = 10000000
for rel in self.releases:
if rel.approved and (protonum is None or
((rel.min_rel is None or rel.min_rel_id <= version) and \
(rel.max_rel is None or rel.max_rel_id >= version))):
return rel
return None
def getDownloadCount(self):
counter = 0
for release in self.releases:
counter += release.downloads
return counter
def checkPerm(self, user, perm):
if not user.is_authenticated:
return False
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to Package.checkPerm()")
isOwner = user ==
if perm == Permission.CREATE_THREAD:
return user.rank.atLeast(UserRank.MEMBER)
# Members can edit their own packages, and editors can edit any packages
if perm == Permission.MAKE_RELEASE or perm == Permission.ADD_SCREENSHOTS:
return isOwner or user.rank.atLeast(UserRank.EDITOR)
if perm == Permission.EDIT_PACKAGE or perm == Permission.APPROVE_CHANGES:
if isOwner:
return user.rank.atLeast(UserRank.MEMBER if self.approved else UserRank.NEW_MEMBER)
return user.rank.atLeast(UserRank.EDITOR)
# Editors can change authors and approve new packages
elif perm == Permission.APPROVE_NEW or perm == Permission.CHANGE_AUTHOR:
return user.rank.atLeast(UserRank.EDITOR)
elif perm == Permission.APPROVE_RELEASE or perm == Permission.APPROVE_SCREENSHOT:
return user.rank.atLeast(UserRank.TRUSTED_MEMBER if isOwner else UserRank.EDITOR)
# Moderators can delete packages
elif perm == Permission.DELETE_PACKAGE or perm == Permission.UNAPPROVE_PACKAGE \
or perm == Permission.CHANGE_RELEASE_URL:
return user.rank.atLeast(UserRank.MODERATOR)
raise Exception("Permission {} is not related to packages".format(
def recalcScore(self):
self.score = 10
if self.forums is not None:
topic = ForumTopic.query.get(self.forums)
if topic:
days = ( - topic.created_at).days
months = days / 30
years = days / 365
self.score = topic.views / max(years, 0.0416) + 80*min(max(months, 0.5), 6)
if self.getMainScreenshotURL() is None:
self.score *= 0.8
if not self.license.is_foss or not self.media_license.is_foss:
self.score *= 0.1
class MetaPackage(db.Model):
id = db.Column(db.Integer, primary_key=True)
name = db.Column(db.String(100), unique=True, nullable=False)
dependencies = db.relationship("Dependency", backref="meta_package", lazy="dynamic")
def __init__(self, name=None): = name
def __str__(self):
def ListToSpec(list):
return ",".join([str(x) for x in list])
def GetOrCreate(name, cache={}):
mp = cache.get(name)
if mp is None:
mp = MetaPackage.query.filter_by(name=name).first()
if mp is None:
mp = MetaPackage(name)
cache[name] = mp
return mp
def SpecToList(spec, cache={}):
retval = []
arr = spec.split(",")
import re
pattern = re.compile("^([a-z0-9_]+)$")
for x in arr:
x = x.strip()
if x == "":
if not pattern.match(x):
retval.append(MetaPackage.GetOrCreate(x, cache))
return retval
class Tag(db.Model):
id = db.Column(db.Integer, primary_key=True)
name = db.Column(db.String(100), unique=True, nullable=False)
title = db.Column(db.String(100), nullable=False)
backgroundColor = db.Column(db.String(6), nullable=False)
textColor = db.Column(db.String(6), nullable=False)
def __init__(self, title, backgroundColor="000000", textColor="ffffff"):
self.title = title
self.backgroundColor = backgroundColor
self.textColor = textColor
import re
regex = re.compile("[^a-z_]") = regex.sub("", self.title.lower().replace(" ", "_"))
class MinetestRelease(db.Model):
id = db.Column(db.Integer, primary_key=True)
name = db.Column(db.String(100), unique=True, nullable=False)
protocol = db.Column(db.Integer, nullable=False, default=0)
def __init__(self, name=None): = name
def getActual(self):
return None if == "None" else self
class PackageRelease(db.Model):
id = db.Column(db.Integer, primary_key=True)
package_id = db.Column(db.Integer, db.ForeignKey(""))
title = db.Column(db.String(100), nullable=False)
releaseDate = db.Column(db.DateTime, nullable=False)
url = db.Column(db.String(200), nullable=False)
approved = db.Column(db.Boolean, nullable=False, default=False)
task_id = db.Column(db.String(37), nullable=True)
commit_hash = db.Column(db.String(41), nullable=True, default=None)
downloads = db.Column(db.Integer, nullable=False, default=0)
min_rel_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True, server_default=None)
min_rel = db.relationship("MinetestRelease", foreign_keys=[min_rel_id])
max_rel_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True, server_default=None)
max_rel = db.relationship("MinetestRelease", foreign_keys=[max_rel_id])
def getEditURL(self):
return url_for("edit_release_page",,,
def getDownloadURL(self):
return url_for("download_release_page",,,
def __init__(self):
self.releaseDate =
class PackageReview(db.Model):
id = db.Column(db.Integer, primary_key=True)
package_id = db.Column(db.Integer, db.ForeignKey(""))
thread_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
recommend = db.Column(db.Boolean, nullable=False, default=True)
class PackageScreenshot(db.Model):
id = db.Column(db.Integer, primary_key=True)
package_id = db.Column(db.Integer, db.ForeignKey(""))
title = db.Column(db.String(100), nullable=False)
url = db.Column(db.String(100), nullable=False)
approved = db.Column(db.Boolean, nullable=False, default=False)
def getEditURL(self):
return url_for("edit_screenshot_page",,,
def getThumbnailURL(self, level=2):
return self.url.replace("/uploads/", ("/thumbnails/{:d}/").format(level))
class EditRequest(db.Model):
id = db.Column(db.Integer, primary_key=True)
package_id = db.Column(db.Integer, db.ForeignKey(""))
author_id = db.Column(db.Integer, db.ForeignKey(""))
title = db.Column(db.String(100), nullable=False)
desc = db.Column(db.String(1000), nullable=True)
# 0 - open
# 1 - merged
# 2 - rejected
status = db.Column(db.Integer, nullable=False, default=0)
changes = db.relationship("EditRequestChange", backref="request",
def getURL(self):
return url_for("view_editrequest_page",,,
def getApproveURL(self):
return url_for("approve_editrequest_page",,,
def getRejectURL(self):
return url_for("reject_editrequest_page",,,
def getEditURL(self):
return url_for("create_edit_editrequest_page",,,
def applyAll(self, package):
for change in self.changes:
def checkPerm(self, user, perm):
if not user.is_authenticated:
return False
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to EditRequest.checkPerm()")
isOwner = user ==
# Members can edit their own packages, and editors can edit any packages
if perm == Permission.EDIT_EDITREQUEST:
return isOwner or user.rank.atLeast(UserRank.EDITOR)
raise Exception("Permission {} is not related to packages".format(
class EditRequestChange(db.Model):
id = db.Column(db.Integer, primary_key=True)
request_id = db.Column(db.Integer, db.ForeignKey(""))
key = db.Column(db.Enum(PackagePropertyKey), nullable=False)
# TODO: make diff instead
oldValue = db.Column(db.Text, nullable=True)
newValue = db.Column(db.Text, nullable=True)
def apply(self, package):
if self.key == PackagePropertyKey.tags:
for tagTitle in self.newValue.split(","):
tag = Tag.query.filter_by(title=tagTitle.strip()).first()
setattr(package,, self.newValue)
watchers = db.Table("watchers",
db.Column("user_id", db.Integer, db.ForeignKey(""), primary_key=True),
db.Column("thread_id", db.Integer, db.ForeignKey(""), primary_key=True)
class Thread(db.Model):
id = db.Column(db.Integer, primary_key=True)
package_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True)
package = db.relationship("Package", foreign_keys=[package_id])
author_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
title = db.Column(db.String(100), nullable=False)
private = db.Column(db.Boolean, server_default="0")
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
replies = db.relationship("ThreadReply", backref="thread", lazy="dynamic")
watchers = db.relationship("User", secondary=watchers, lazy="subquery", \
backref=db.backref("watching", lazy=True))
def getSubscribeURL(self):
return url_for("thread_subscribe_page",
def getUnsubscribeURL(self):
return url_for("thread_unsubscribe_page",
def checkPerm(self, user, perm):
if not user.is_authenticated:
return not self.private
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to Thread.checkPerm()")
isOwner = user == or (self.package is not None and == user)
if perm == Permission.SEE_THREAD:
return not self.private or isOwner or user.rank.atLeast(UserRank.EDITOR)
raise Exception("Permission {} is not related to threads".format(
class ThreadReply(db.Model):
id = db.Column(db.Integer, primary_key=True)
thread_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
comment = db.Column(db.String(500), nullable=False)
author_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
REPO_BLACKLIST = [".zip", "", "", "", \
"", "", "", \
"", "", "", \
"", ""]
class ForumTopic(db.Model):
topic_id = db.Column(db.Integer, primary_key=True, autoincrement=False)
author_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
author = db.relationship("User")
wip = db.Column(db.Boolean, server_default="0")
discarded = db.Column(db.Boolean, server_default="0")
type = db.Column(db.Enum(PackageType), nullable=False)
title = db.Column(db.String(200), nullable=False)
name = db.Column(db.String(30), nullable=True)
link = db.Column(db.String(200), nullable=True)
posts = db.Column(db.Integer, nullable=False)
views = db.Column(db.Integer, nullable=False)
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
def getRepoURL(self):
if is None:
return None
for item in REPO_BLACKLIST:
if item in
return None
return"", "")
def getAsDictionary(self):
return {
"type": self.type.toName(),
"title": self.title,
"id": self.topic_id,
"posts": self.posts,
"views": self.views,
"is_wip": self.wip,
"discarded": self.discarded,
"created_at": self.created_at.isoformat(),
def checkPerm(self, user, perm):
if not user.is_authenticated:
return False
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to ForumTopic.checkPerm()")
if perm == Permission.TOPIC_DISCARD:
return == user or user.rank.atLeast(UserRank.EDITOR)
raise Exception("Permission {} is not related to topics".format(
# Setup Flask-User
db_adapter = SQLAlchemyAdapter(db, User) # Register the User model
user_manager = UserManager(db_adapter, app) # Initialize Flask-User

View File

@ -1,177 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
from flask_migrate import Migrate
from flask_sqlalchemy import SQLAlchemy
from sqlalchemy_searchable import make_searchable
from app import app
# Initialise database
db = SQLAlchemy(app)
migrate = Migrate(app, db)
from .packages import *
from .users import *
from .threads import *
class APIToken(db.Model):
id = db.Column(db.Integer, primary_key=True)
access_token = db.Column(db.String(34), unique=True, nullable=False)
name = db.Column(db.String(100), nullable=False)
owner_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
owner = db.relationship("User", foreign_keys=[owner_id], back_populates="tokens")
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
package_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True)
package = db.relationship("Package", foreign_keys=[package_id], back_populates="tokens")
def canOperateOnPackage(self, package):
if self.package and self.package != package:
return False
return == self.owner
class AuditSeverity(enum.Enum):
NORMAL = 0 # Normal user changes
USER = 1 # Security user changes
EDITOR = 2 # Editor changes
MODERATION = 3 # Destructive / moderator changes
def __str__(self):
def getTitle(self):
return"_", " ").title()
def choices(cls):
return [(choice, choice.getTitle()) for choice in cls]
def coerce(cls, item):
return item if type(item) == AuditSeverity else AuditSeverity[item.upper()]
class AuditLogEntry(db.Model):
id = db.Column(db.Integer, primary_key=True)
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
causer_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True)
causer = db.relationship("User", foreign_keys=[causer_id], back_populates="audit_log_entries")
severity = db.Column(db.Enum(AuditSeverity), nullable=False)
title = db.Column(db.String(100), nullable=False)
url = db.Column(db.String(200), nullable=True)
package_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True)
package = db.relationship("Package", foreign_keys=[package_id], back_populates="audit_log_entries")
description = db.Column(db.Text, nullable=True, default=None)
def __init__(self, causer, severity, title, url, package=None, description=None):
if len(title) > 100:
title = title[:99] + ""
self.causer = causer
self.severity = severity
self.title = title
self.url = url
self.package = package
self.description = description
REPO_BLACKLIST = [".zip", "", "", "",
"", "", "",
"", "", "",
"", ""]
class ForumTopic(db.Model):
topic_id = db.Column(db.Integer, primary_key=True, autoincrement=False)
author_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
author = db.relationship("User", back_populates="forum_topics")
wip = db.Column(db.Boolean, default=False, nullable=False)
discarded = db.Column(db.Boolean, default=False, nullable=False)
type = db.Column(db.Enum(PackageType), nullable=False)
title = db.Column(db.String(200), nullable=False)
name = db.Column(db.String(30), nullable=True)
link = db.Column(db.String(200), nullable=True)
posts = db.Column(db.Integer, nullable=False)
views = db.Column(db.Integer, nullable=False)
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
def getRepoURL(self):
if is None:
return None
for item in REPO_BLACKLIST:
if item in
return None
return"", "")
def getAsDictionary(self):
return {
"type": self.type.toName(),
"title": self.title,
"id": self.topic_id,
"posts": self.posts,
"views": self.views,
"is_wip": self.wip,
"discarded": self.discarded,
"created_at": self.created_at.isoformat(),
def checkPerm(self, user, perm):
if not user.is_authenticated:
return False
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to ForumTopic.checkPerm()")
if perm == Permission.TOPIC_DISCARD:
return == user or user.rank.atLeast(UserRank.EDITOR)
raise Exception("Permission {} is not related to topics".format(
if app.config.get("LOG_SQL"):
import logging

View File

@ -1,240 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
import datetime
from typing import Tuple, List
from flask import url_for
from . import db
from .users import Permission, UserRank
from .packages import Package
watchers = db.Table("watchers",
db.Column("user_id", db.Integer, db.ForeignKey(""), primary_key=True),
db.Column("thread_id", db.Integer, db.ForeignKey(""), primary_key=True)
class Thread(db.Model):
id = db.Column(db.Integer, primary_key=True)
package_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True)
package = db.relationship("Package", foreign_keys=[package_id], back_populates="threads")
is_review_thread = db.relationship("Package", foreign_keys=[Package.review_thread_id], back_populates="review_thread")
review_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True)
review = db.relationship("PackageReview", foreign_keys=[review_id], cascade="all, delete")
author_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
author = db.relationship("User", back_populates="threads", foreign_keys=[author_id])
title = db.Column(db.String(100), nullable=False)
private = db.Column(db.Boolean, server_default="0", nullable=False)
locked = db.Column(db.Boolean, server_default="0", nullable=False)
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
replies = db.relationship("ThreadReply", back_populates="thread", lazy="dynamic",
order_by=db.asc("thread_reply_id"), cascade="all, delete, delete-orphan")
watchers = db.relationship("User", secondary=watchers, backref="watching")
def get_description(self):
comment = self.replies[0].comment.replace("\r\n", " ").replace("\n", " ").replace(" ", " ")
if len(comment) > 100:
return comment[:97] + "..."
return comment
def getViewURL(self, absolute=False):
if absolute:
from ..utils import abs_url_for
return abs_url_for("threads.view",
return url_for("threads.view",, _external=False)
def getSubscribeURL(self):
return url_for("threads.subscribe",
def getUnsubscribeURL(self):
return url_for("threads.unsubscribe",
def checkPerm(self, user, perm):
if not user.is_authenticated:
return perm == Permission.SEE_THREAD and not self.private
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to Thread.checkPerm()")
isMaintainer = user == or (self.package is not None and == user)
if self.package:
isMaintainer = isMaintainer or user in self.package.maintainers
canSee = not self.private or isMaintainer or user.rank.atLeast(UserRank.APPROVER)
if perm == Permission.SEE_THREAD:
return canSee
elif perm == Permission.COMMENT_THREAD:
return canSee and (not self.locked or user.rank.atLeast(UserRank.MODERATOR))
elif perm == Permission.LOCK_THREAD:
return user.rank.atLeast(UserRank.MODERATOR)
elif perm == Permission.DELETE_THREAD:
from app.utils.models import get_system_user
return ( == get_system_user() and self.package and
user in self.package.maintainers) or user.rank.atLeast(UserRank.MODERATOR)
raise Exception("Permission {} is not related to threads".format(
def get_latest_reply(self):
return ThreadReply.query.filter_by(
class ThreadReply(db.Model):
id = db.Column(db.Integer, primary_key=True)
thread_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
thread = db.relationship("Thread", back_populates="replies", foreign_keys=[thread_id])
comment = db.Column(db.String(2000), nullable=False)
author_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
author = db.relationship("User", back_populates="replies", foreign_keys=[author_id])
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
def get_url(self):
return url_for('threads.view', + "#reply-" + str(
def checkPerm(self, user, perm):
if not user.is_authenticated:
return False
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to ThreadReply.checkPerm()")
if perm == Permission.EDIT_REPLY:
return user.rank.atLeast(UserRank.MEMBER if user == else UserRank.MODERATOR) and not self.thread.locked
elif perm == Permission.DELETE_REPLY:
return user.rank.atLeast(UserRank.MODERATOR) and self.thread.replies[0] != self
raise Exception("Permission {} is not related to threads".format(
class PackageReview(db.Model):
id = db.Column(db.Integer, primary_key=True)
package_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True)
package = db.relationship("Package", foreign_keys=[package_id], back_populates="reviews")
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
author_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
author = db.relationship("User", foreign_keys=[author_id], back_populates="reviews")
recommends = db.Column(db.Boolean, nullable=False)
thread = db.relationship("Thread", uselist=False, back_populates="review")
votes = db.relationship("PackageReviewVote", back_populates="review", cascade="all, delete, delete-orphan")
score = db.Column(db.Integer, nullable=False, default=1)
def get_totals(self, current_user = None) -> Tuple[int,int,bool]:
votes: List[PackageReviewVote] = self.votes
pos = sum([ 1 for vote in votes if vote.is_positive ])
neg = sum([ 1 for vote in votes if not vote.is_positive])
user_vote = next(filter(lambda vote: vote.user == current_user, votes), None)
return pos, neg, user_vote.is_positive if user_vote else None
def getAsDictionary(self, include_package=False):
pos, neg, _user = self.get_totals()
ret = {
"is_positive": self.recommends,
"user": {
"created_at": self.created_at.isoformat(),
"votes": {
"helpful": pos,
"unhelpful": neg,
"title": self.thread.title,
"comment": self.thread.replies[0].comment,
if include_package:
ret["package"] = self.package.getAsDictionaryKey()
return ret
def asSign(self):
return 1 if self.recommends else -1
def getEditURL(self):
return self.package.getURL("")
def getDeleteURL(self):
return url_for("packages.delete_review",,,
def getVoteUrl(self, next_url=None):
return url_for("packages.review_vote",,,,
def update_score(self):
(pos, neg, _) = self.get_totals()
self.score = 3 * (pos - neg) + 1
def checkPerm(self, user, perm):
if not user.is_authenticated:
return False
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to PackageReview.checkPerm()")
if perm == Permission.DELETE_REVIEW:
return user == or user.rank.atLeast(UserRank.MODERATOR)
raise Exception("Permission {} is not related to reviews".format(
class PackageReviewVote(db.Model):
review_id = db.Column(db.Integer, db.ForeignKey(""), primary_key=True)
review = db.relationship("PackageReview", foreign_keys=[review_id], back_populates="votes")
user_id = db.Column(db.Integer, db.ForeignKey(""), primary_key=True)
user = db.relationship("User", foreign_keys=[user_id], back_populates="review_votes")
is_positive = db.Column(db.Boolean, nullable=False)
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)

@ -1,479 +0,0 @@
# ContentDB
# Copyright (C) 2018-21 rubenwardy
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <>.
import datetime
import enum
from flask_login import UserMixin
from sqlalchemy import desc, text
from app import gravatar
from . import db
class UserRank(enum.Enum):
BOT = 7
def atLeast(self, min):
return self.value >= min.value
def getTitle(self):
return"_", " ").title()
def toName(self):
def __str__(self):
def choices(cls):
return [(choice, choice.getTitle()) for choice in cls]
def coerce(cls, item):
return item if type(item) == UserRank else UserRank[item.upper()]
class Permission(enum.Enum):
# Only return true if the permission is valid for *all* contexts
# See Package.checkPerm for package-specific contexts
def check(self, user):
if not user.is_authenticated:
return False
if self == Permission.APPROVE_NEW or \
self == Permission.APPROVE_RELEASE or \
self == Permission.APPROVE_SCREENSHOT or \
self == Permission.SEE_THREAD:
return user.rank.atLeast(UserRank.APPROVER)
elif self == Permission.EDIT_TAGS or self == Permission.CREATE_TAG:
return user.rank.atLeast(UserRank.EDITOR)
raise Exception("Non-global permission checked globally. Use Package.checkPerm or User.checkPerm instead.")
def checkPerm(user, perm):
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to Permission.check")
return perm.check(user)
def display_name_default(context):
return context.get_current_parameters()["username"]
class User(db.Model, UserMixin):
id = db.Column(db.Integer, primary_key=True)
created_at = db.Column(db.DateTime, nullable=True, default=datetime.datetime.utcnow)
# User authentication information
username = db.Column(db.String(50, collation="NOCASE"), nullable=False, unique=True, index=True)
password = db.Column(db.String(255), nullable=True, server_default=None)
reset_password_token = db.Column(db.String(100), nullable=False, server_default="")
def get_id(self):
return self.username
rank = db.Column(db.Enum(UserRank), nullable=False)
# Account linking
github_username = db.Column(db.String(50, collation="NOCASE"), nullable=True, unique=True)
forums_username = db.Column(db.String(50, collation="NOCASE"), nullable=True, unique=True)
# Access token for webhook setup
github_access_token = db.Column(db.String(50), nullable=True, server_default=None)
# User email information
email = db.Column(db.String(255), nullable=True, unique=True)
email_confirmed_at = db.Column(db.DateTime(), nullable=True, server_default=None)
locale = db.Column(db.String(10), nullable=True, default=None)
# User information
profile_pic = db.Column(db.String(255), nullable=True, server_default=None)
is_active = db.Column("is_active", db.Boolean, nullable=False, server_default="0")
display_name = db.Column(db.String(100), nullable=False, default=display_name_default)
# Links
website_url = db.Column(db.String(255), nullable=True, default=None)
donate_url = db.Column(db.String(255), nullable=True, default=None)
# Content
notifications = db.relationship("Notification", foreign_keys="Notification.user_id",
order_by=desc(text("Notification.created_at")), back_populates="user", cascade="all, delete, delete-orphan")
caused_notifications = db.relationship("Notification", foreign_keys="Notification.causer_id",
back_populates="causer", cascade="all, delete, delete-orphan", lazy="dynamic")
notification_preferences = db.relationship("UserNotificationPreferences", uselist=False, back_populates="user",
cascade="all, delete, delete-orphan")
email_verifications = db.relationship("UserEmailVerification", foreign_keys="UserEmailVerification.user_id",
back_populates="user", cascade="all, delete, delete-orphan", lazy="dynamic")
audit_log_entries = db.relationship("AuditLogEntry", foreign_keys="AuditLogEntry.causer_id", back_populates="causer",
order_by=desc("audit_log_entry_created_at"), lazy="dynamic")
maintained_packages = db.relationship("Package", lazy="dynamic", secondary="maintainers", order_by=db.asc("package_title"))
packages = db.relationship("Package", back_populates="author", lazy="dynamic", order_by=db.asc("package_title"))
reviews = db.relationship("PackageReview", back_populates="author", order_by=db.desc("package_review_created_at"), cascade="all, delete, delete-orphan")
review_votes = db.relationship("PackageReviewVote", back_populates="user", cascade="all, delete, delete-orphan")
tokens = db.relationship("APIToken", back_populates="owner", lazy="dynamic", cascade="all, delete, delete-orphan")
threads = db.relationship("Thread", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
replies = db.relationship("ThreadReply", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan", order_by=db.desc("created_at"))
forum_topics = db.relationship("ForumTopic", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
def __init__(self, username=None, active=False, email=None, password=None):
self.username = username
self.display_name = username
self.is_active = active = email
self.password = password
self.rank = UserRank.NOT_JOINED
def canAccessTodoList(self):
return Permission.APPROVE_NEW.check(self) or \
def isClaimed(self):
return self.rank.atLeast(UserRank.NEW_MEMBER)
def getProfilePicURL(self):
if self.profile_pic:
return self.profile_pic
elif self.rank == UserRank.BOT:
return "/static/bot_avatar.png"
return gravatar( or f"{self.username}")
def checkPerm(self, user, perm):
if not user.is_authenticated:
return False
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to User.checkPerm()")
# Members can edit their own packages, and editors can edit any packages
if perm == Permission.CHANGE_AUTHOR:
return user.rank.atLeast(UserRank.EDITOR)
elif perm == Permission.CHANGE_USERNAMES:
return user.rank.atLeast(UserRank.MODERATOR)
elif perm == Permission.CHANGE_RANK:
return user.rank.atLeast(UserRank.MODERATOR) and not self.rank.atLeast(user.rank)
elif perm == Permission.CHANGE_EMAIL or perm == Permission.CHANGE_PROFILE_URLS:
return user == self or (user.rank.atLeast(UserRank.MODERATOR) and not self.rank.atLeast(user.rank))
elif perm == Permission.CHANGE_DISPLAY_NAME:
return user.rank.atLeast(UserRank.MEMBER if user == self else UserRank.MODERATOR)
elif perm == Permission.CREATE_TOKEN:
if user == self:
return user.rank.atLeast(UserRank.MEMBER)
return user.rank.atLeast(UserRank.MODERATOR) and user.rank.atLeast(self.rank)
raise Exception("Permission {} is not related to users".format(
def canCommentRL(self):
from app.models import ThreadReply
factor = 1
if self.rank.atLeast(UserRank.ADMIN):
return True
elif self.rank.atLeast(UserRank.TRUSTED_MEMBER):
factor *= 2
one_min_ago = datetime.datetime.utcnow() - datetime.timedelta(minutes=1)
if ThreadReply.query.filter_by(author=self) \
.filter(ThreadReply.created_at > one_min_ago).count() >= 3 * factor:
return False
hour_ago = datetime.datetime.utcnow() - datetime.timedelta(hours=1)
if ThreadReply.query.filter_by(author=self) \
.filter(ThreadReply.created_at > hour_ago).count() >= 20 * factor:
return False
return True
def canOpenThreadRL(self):
from app.models import Thread
factor = 1
if self.rank.atLeast(UserRank.ADMIN):
return True
elif self.rank.atLeast(UserRank.TRUSTED_MEMBER):
factor *= 5
hour_ago = datetime.datetime.utcnow() - datetime.timedelta(hours=1)
return Thread.query.filter_by(author=self) \
.filter(Thread.created_at > hour_ago).count() < 2 * factor
def __eq__(self, other):
if other is None:
return False
if not self.is_authenticated or not other.is_authenticated:
return False
assert > 0
return ==
def can_see_edit_profile(self, current_user):
return self.checkPerm(current_user, Permission.CHANGE_USERNAMES) or \
self.checkPerm(current_user, Permission.CHANGE_EMAIL) or \
self.checkPerm(current_user, Permission.CHANGE_RANK)
def can_delete(self):
from app.models import ForumTopic
return self.packages.count() == 0 and ForumTopic.query.filter_by(author=self).count() == 0
class UserEmailVerification(db.Model):
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
email = db.Column(db.String(100), nullable=False)
token = db.Column(db.String(32), nullable=True)
user = db.relationship("User", foreign_keys=[user_id], back_populates="email_verifications")
is_password_reset = db.Column(db.Boolean, nullable=False, default=False)
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
class EmailSubscription(db.Model):
id = db.Column(db.Integer, primary_key=True)
email = db.Column(db.String(100), nullable=False, unique=True)
blacklisted = db.Column(db.Boolean, nullable=False, default=False)
token = db.Column(db.String(32), nullable=True, default=None)
def __init__(self, email): = email
self.blacklisted = False
self.token = None
class NotificationType(enum.Enum):
# Package / release / etc
# Approval review actions
# New thread
# New Review
# Posted reply to subscribed thread
# A bot notification
BOT = 6
# Added / removed as maintainer
# Editor misc
# Editor misc
# Any other
def getTitle(self):
return"_", " ").title()
def toName(self):
def get_description(self):
if self == NotificationType.PACKAGE_EDIT:
return "When another user edits your packages, releases, etc."
elif self == NotificationType.PACKAGE_APPROVAL:
return "Notifications from editors related to the package approval process."
elif self == NotificationType.NEW_THREAD:
return "When a thread is created on your package."
elif self == NotificationType.NEW_REVIEW:
return "When a user posts a review on your package."
elif self == NotificationType.THREAD_REPLY:
return "When someone replies to a thread you're watching."
elif self == NotificationType.BOT:
return "From a bot - for example, update notifications."
elif self == NotificationType.MAINTAINER:
return "When your package's maintainers change."
elif self == NotificationType.EDITOR_ALERT:
return "For editors: Important alerts."
elif self == NotificationType.EDITOR_MISC:
return "For editors: Minor notifications, including new threads."
elif self == NotificationType.OTHER:
return "Minor notifications not important enough for a dedicated category."
return ""
def __str__(self):
def __lt__(self, other):
return self.value < other.value
def choices(cls):
return [(choice, choice.getTitle()) for choice in cls]
def coerce(cls, item):
return item if type(item) == NotificationType else NotificationType[item.upper()]
class Notification(db.Model):
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
user = db.relationship("User", foreign_keys=[user_id], back_populates="notifications")
causer_id = db.Column(db.Integer, db.ForeignKey(""), nullable=False)
causer = db.relationship("User", foreign_keys=[causer_id], back_populates="caused_notifications")
type = db.Column(db.Enum(NotificationType), nullable=False, default=NotificationType.OTHER)
emailed = db.Column(db.Boolean(), nullable=False, default=False)
title = db.Column(db.String(100), nullable=False)
url = db.Column(db.String(200), nullable=True)
package_id = db.Column(db.Integer, db.ForeignKey(""), nullable=True)
package = db.relationship("Package", foreign_keys=[package_id], back_populates="notifications")
created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
def __init__(self, user, causer, type, title, url, package=None):
if len(title) > 100:
title = title[:99] + ""
self.user = user
self.causer = causer
self.type = type
self.title = title
self.url = url
self.package = package
def can_send_email(self):
prefs = self.user.notification_preferences
return prefs and and prefs.get_can_email(self.type)
def can_send_digest(self):
prefs = self.user.notification_preferences
return prefs and and prefs.get_can_digest(self.type)
class UserNotificationPreferences(db.Model):
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer, db.ForeignKey(''), nullable=False)
user = db.relationship("User", back_populates="notification_preferences")
# 2 = immediate emails
# 1 = daily digest emails
# 0 = no emails
pref_package_edit = db.Column(db.Integer, nullable=False)
pref_package_approval = db.Column(db.Integer, nullable=False)
pref_new_thread = db.Column(db.Integer, nullable=False)
pref_new_review = db.Column(db.Integer, nullable=False)
pref_thread_reply = db.Column(db.Integer, nullable=False)
pref_bot = db.Column(db.Integer, nullable=False)
pref_maintainer = db.Column(db.Integer, nullable=False)
pref_editor_alert = db.Column(db.Integer, nullable=False)
pref_editor_misc = db.Column(db.Integer, nullable=False)
pref_other = db.Column(db.Integer, nullable=False)
def __init__(self, user):
self.user = user
self.pref_package_edit = 1
self.pref_package_approval = 1
self.pref_new_thread = 1
self.pref_new_review = 1
self.pref_thread_reply = 2
self.pref_bot = 1
self.pref_maintainer = 1
self.pref_editor_alert = 1
self.pref_editor_misc = 0
self.pref_other = 0
def get_can_email(self, notification_type):
return getattr(self, "pref_" + notification_type.toName()) == 2
def set_can_email(self, notification_type, value):
value = 2 if value else 0
setattr(self, "pref_" + notification_type.toName(), value)
def get_can_digest(self, notification_type):
return getattr(self, "pref_" + notification_type.toName()) >= 1
def set_can_digest(self, notification_type, value):
if self.get_can_email(notification_type):
value = 1 if value else 0
setattr(self, "pref_" + notification_type.toName(), value)

View File

@ -1,371 +0,0 @@
* Font Awesome Free 5.12.0 by @fontawesome -
* License - (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License)
svg:not(:root).svg-inline--fa {
overflow: visible; }
.svg-inline--fa {
display: inline-block;
font-size: inherit;
height: 1em;
overflow: visible;
vertical-align: -.125em; }
.svg-inline--fa.fa-lg {
vertical-align: -.225em; }
.svg-inline--fa.fa-w-1 {
width: 0.0625em; }
.svg-inline--fa.fa-w-2 {
width: 0.125em; }
.svg-inline--fa.fa-w-3 {
width: 0.1875em; }
.svg-inline--fa.fa-w-4 {
width: 0.25em; }
.svg-inline--fa.fa-w-5 {
width: 0.3125em; }
.svg-inline--fa.fa-w-6 {
width: 0.375em; }
.svg-inline--fa.fa-w-7 {
width: 0.4375em; }
.svg-inline--fa.fa-w-8 {
width: 0.5em; }
.svg-inline--fa.fa-w-9 {
width: 0.5625em; }
.svg-inline--fa.fa-w-10 {
width: 0.625em; }
.svg-inline--fa.fa-w-11 {
width: 0.6875em; }
.svg-inline--fa.fa-w-12 {
width: 0.75em; }
.svg-inline--fa.fa-w-13 {
width: 0.8125em; }
.svg-inline--fa.fa-w-14 {
width: 0.875em; }
.svg-inline--fa.fa-w-15 {
width: 0.9375em; }
.svg-inline--fa.fa-w-16 {
width: 1em; }
.svg-inline--fa.fa-w-17 {
width: 1.0625em; }
.svg-inline--fa.fa-w-18 {
width: 1.125em; }
.svg-inline--fa.fa-w-19 {
width: 1.1875em; }
.svg-inline--fa.fa-w-20 {
width: 1.25em; }
.svg-inline--fa.fa-pull-left {
margin-right: .3em;
width: auto; }
.svg-inline--fa.fa-pull-right {
margin-left: .3em;
width: auto; }
.svg-inline--fa.fa-border {
height: 1.5em; }
.svg-inline--fa.fa-li {
width: 2em; }
.svg-inline--fa.fa-fw {
width: 1.25em; }
.fa-layers svg.svg-inline--fa {
bottom: 0;
left: 0;
margin: auto;
position: absolute;
right: 0;
top: 0; }
.fa-layers {
display: inline-block;
height: 1em;
position: relative;
text-align: center;
vertical-align: -.125em;
width: 1em; }
.fa-layers svg.svg-inline--fa {
-webkit-transform-origin: center center;
transform-origin: center center; }
.fa-layers-text, .fa-layers-counter {
display: inline-block;
position: absolute;
text-align: center; }
.fa-layers-text {
left: 50%;
top: 50%;
-webkit-transform: translate(-50%, -50%);
transform: translate(-50%, -50%);
-webkit-transform-origin: center center;
transform-origin: center center; }
.fa-layers-counter {
background-color: #ff253a;
border-radius: 1em;
-webkit-box-sizing: border-box;
box-sizing: border-box;
color: #fff;
height: 1.5em;
line-height: 1;
max-width: 5em;
min-width: 1.5em;
overflow: hidden;
padding: .25em;
right: 0;
text-overflow: ellipsis;
top: 0;
-webkit-transform: scale(0.25);
transform: scale(0.25);
-webkit-transform-origin: top right;
transform-origin: top right; }
.fa-layers-bottom-right {
bottom: 0;
right: 0;
top: auto;
-webkit-transform: scale(0.25);
transform: scale(0.25);
-webkit-transform-origin: bottom right;
transform-origin: bottom right; }
.fa-layers-bottom-left {
bottom: 0;
left: 0;
right: auto;
top: auto;
-webkit-transform: scale(0.25);
transform: scale(0.25);
-webkit-transform-origin: bottom left;
transform-origin: bottom left; }
.fa-layers-top-right {
right: 0;
top: 0;
-webkit-transform: scale(0.25);
transform: scale(0.25);
-webkit-transform-origin: top right;
transform-origin: top right; }
.fa-layers-top-left {
left: 0;
right: auto;
top: 0;
-webkit-transform: scale(0.25);
transform: scale(0.25);
-webkit-transform-origin: top left;
transform-origin: top left; }
.fa-lg {
font-size: 1.33333em;
line-height: 0.75em;
vertical-align: -.0667em; }
.fa-xs {
font-size: .75em; }
.fa-sm {
font-size: .875em; }
.fa-1x {
font-size: 1em; }
.fa-2x {
font-size: 2em; }
.fa-3x {
font-size: 3em; }
.fa-4x {
font-size: 4em; }
.fa-5x {
font-size: 5em; }
.fa-6x {
font-size: 6em; }
.fa-7x {
font-size: 7em; }
.fa-8x {
font-size: 8em; }
.fa-9x {
font-size: 9em; }
.fa-10x {
font-size: 10em; }
.fa-fw {
text-align: center;
width: 1.25em; }
.fa-ul {
list-style-type: none;
margin-left: 2.5em;
padding-left: 0; }
.fa-ul > li {
position: relative; }
.fa-li {
left: -2em;
position: absolute;
text-align: center;
width: 2em;
line-height: inherit; }
.fa-border {
border: solid 0.08em #eee;
border-radius: .1em;
padding: .2em .25em .15em; }
.fa-pull-left {
float: left; }
.fa-pull-right {
float: right; }
.fab.fa-pull-left {
margin-right: .3em; }
.fab.fa-pull-right {
margin-left: .3em; }
.fa-spin {
-webkit-animation: fa-spin 2s infinite linear;
animation: fa-spin 2s infinite linear; }
.fa-pulse {
-webkit-animation: fa-spin 1s infinite steps(8);
animation: fa-spin 1s infinite steps(8); }
@-webkit-keyframes fa-spin {
0% {
-webkit-transform: rotate(0deg);
transform: rotate(0deg); }
100% {
-webkit-transform: rotate(360deg);
transform: rotate(360deg); } }
@keyframes fa-spin {
0% {
-webkit-transform: rotate(0deg);
transform: rotate(0deg); }
100% {
-webkit-transform: rotate(360deg);
transform: rotate(360deg); } }
.fa-rotate-90 {
-ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=1)";
-webkit-transform: rotate(90deg);
transform: rotate(90deg); }
.fa-rotate-180 {
-ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=2)";
-webkit-transform: rotate(180deg);
transform: rotate(180deg); }
.fa-rotate-270 {
-ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=3)";
-webkit-transform: rotate(270deg);
transform: rotate(270deg); }
.fa-flip-horizontal {
-ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=0, mirror=1)";
-webkit-transform: scale(-1, 1);
transform: scale(-1, 1); }
.fa-flip-vertical {
-ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=2, mirror=1)";
-webkit-transform: scale(1, -1);
transform: scale(1, -1); }
.fa-flip-both, .fa-flip-horizontal.fa-flip-vertical {
-ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=2, mirror=1)";
-webkit-transform: scale(-1, -1);
transform: scale(-1, -1); }
:root .fa-rotate-90,
:root .fa-rotate-180,
:root .fa-rotate-270,
:root .fa-flip-horizontal,
:root .fa-flip-vertical,
:root .fa-flip-both {
-webkit-filter: none;
filter: none; }
.fa-stack {
display: inline-block;
height: 2em;
position: relative;
width: 2.5em; }
.fa-stack-2x {
bottom: 0;
left: 0;
margin: auto;
position: absolute;
right: 0;
top: 0; }
.svg-inline--fa.fa-stack-1x {
height: 1em;
width: 1.25em; }
.svg-inline--fa.fa-stack-2x {
height: 2em;
width: 2.5em; }
.fa-inverse {
color: #fff; }
.sr-only {
border: 0;
clip: rect(0, 0, 0, 0);
height: 1px;
margin: -1px;
overflow: hidden;
padding: 0;
position: absolute;
width: 1px; }
.sr-only-focusable:active, .sr-only-focusable:focus {
clip: auto;
height: auto;
margin: 0;
overflow: visible;
position: static;
width: auto; }
.svg-inline--fa .fa-primary {
fill: var(--fa-primary-color, currentColor);
opacity: 1;
opacity: var(--fa-primary-opacity, 1); }
.svg-inline--fa .fa-secondary {
fill: var(--fa-secondary-color, currentColor);
opacity: 0.4;
opacity: var(--fa-secondary-opacity, 0.4); }
.svg-inline--fa.fa-swap-opacity .fa-primary {
opacity: 0.4;
opacity: var(--fa-secondary-opacity, 0.4); }
.svg-inline--fa.fa-swap-opacity .fa-secondary {
opacity: 1;
opacity: var(--fa-primary-opacity, 1); }
.svg-inline--fa mask .fa-primary,
.svg-inline--fa mask .fa-secondary {
fill: black; }
.fad.fa-inverse {
color: #fff; }

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

File diff suppressed because one or more lines are too long

Some files were not shown because too many files have changed in this diff Show More