From ec7a04fdb3cb26d8fc8b2de2b10b82e17167f94f Mon Sep 17 00:00:00 2001
From: Ned Batchelder
Date: Fri, 22 Feb 2013 13:31:31 -0500
Subject: [PATCH] A /debug/run_python endpoint for staff to test the sandboxing of Python code.
---
lms/djangoapps/debug/__init__.py | 0
lms/djangoapps/debug/models.py | 3 +++
lms/djangoapps/debug/views.py | 29 ++++++++++++++++++++++++
lms/envs/common.py | 1 +
lms/templates/debug/run_python_form.html | 19 ++++++++++++++++
lms/urls.py | 4 ++++
6 files changed, 56 insertions(+)
create mode 100644 lms/djangoapps/debug/__init__.py
create mode 100644 lms/djangoapps/debug/models.py
create mode 100644 lms/djangoapps/debug/views.py
create mode 100644 lms/templates/debug/run_python_form.html
diff --git a/lms/djangoapps/debug/__init__.py b/lms/djangoapps/debug/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/lms/djangoapps/debug/models.py b/lms/djangoapps/debug/models.py
new file mode 100644
index 0000000000..71a8362390
--- /dev/null
+++ b/lms/djangoapps/debug/models.py
@@ -0,0 +1,3 @@
+from django.db import models
+
+# Create your models here.
diff --git a/lms/djangoapps/debug/views.py b/lms/djangoapps/debug/views.py
new file mode 100644
index 0000000000..5d58436ed6
--- /dev/null
+++ b/lms/djangoapps/debug/views.py
@@ -0,0 +1,29 @@
+"""Views for debugging and diagnostics"""
+
+import pprint
+
+from django.http import Http404
+from django.contrib.auth.decorators import login_required
+from django_future.csrf import ensure_csrf_cookie, csrf_exempt
+from mitxmako.shortcuts import render_to_response
+
+from codejail.safe_exec import safe_exec
+
+@login_required
+@ensure_csrf_cookie
+def run_python(request):
+ if not request.user.is_staff:
+ raise Http404
+ c = {}
+ c['code'] = ''
+ c['results'] = None
+ if request.method == 'POST':
+ py_code = c['code'] = request.POST.get('code')
+ g, l = {}, {}
+ try:
+ safe_exec(py_code, g, l)
+ except Exception as e:
+ c['results'] = str(e)
+ else:
+ c['results'] = pprint.pformat(l)
+ return render_to_response("debug/run_python_form.html", c)
diff --git a/lms/envs/common.py b/lms/envs/common.py
index b99efd60c3..1b492a3c56 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -589,6 +589,7 @@ INSTALLED_APPS = ( # For testing 'django.contrib.admin', # only used in DEBUG mode + 'debug', # Discussion forums 'django_comment_client',
diff --git a/lms/templates/debug/run_python_form.html b/lms/templates/debug/run_python_form.html
new file mode 100644
index 0000000000..daecdf2abd
--- /dev/null
+++ b/lms/templates/debug/run_python_form.html
@@ -0,0 +1,19 @@
+
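Review bot: `run_python` hands staff-submitted code to `safe_exec` with the `is_staff` check as its only gate and leaves no record of who ran what, so the endpoint's safety rests entirely on codejail actually being configured in the deployment, which this hunk cannot show. I would log each execution just before the `try:` with something like `log.info("run_python by %s: %r", request.user, py_code)` (using a module-level logger), and confirm what `safe_exec` does when no sandbox is configured, refusing to run in that case if it would execute in-process. `request.POST.get('code')` returns `None` when the field is absent, so `request.POST.get('code', '')` keeps both the form and the executor on a string. The imported `csrf_exempt` is unused and is better dropped so nobody reaches for it on this view. The function also has no docstring; a line such as `"""Staff-only: run submitted code through codejail's safe_exec and show the resulting locals."""` would state the intent.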
+

Python:

+
+ +
+ +
+ +
+
+%if results: +
+

Results:

+
+${results|h}
+
+
+%endif
diff --git a/lms/urls.py b/lms/urls.py
index 126d68c73e..dc558d6a54 100644
--- a/lms/urls.py
+++ b/lms/urls.py
@@ -358,6 +358,10 @@ urlpatterns += ( url(r'^comm/foldit_ops', 'foldit.views.foldit_ops', name="foldit_ops"), ) +urlpatterns += ( + url(r'^debug/run_python', 'debug.views.run_python'), +) + urlpatterns = patterns(*urlpatterns) if settings.DEBUG:
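Review bot: The `debug/run_python` route is appended to `urlpatterns` unconditionally, above the `if settings.DEBUG:` block, and `'debug'` is likewise added to `INSTALLED_APPS` in `lms/envs/common.py`, so a code-execution diagnostic is routable in every environment that inherits these settings. I would wrap the new `urlpatterns += (...)` in an explicit, default-off setting, e.g. `if getattr(settings, '<RUN_PYTHON_FLAG_PLACEHOLDER>', False):`, so that exposing it is a deliberate per-deployment choice. The pattern is also unanchored at the end; `r'^debug/run_python$'` avoids matching longer paths that merely share the prefix. The rest of `lms/urls.py`, including the body of the `settings.DEBUG` branch, lies outside the hunk.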