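 def register_student_csv(self, csv_data_file, lecturer):
     """Bulk-create student members from an uploaded CSV and mail their first-login credentials.

     The file is expected to start with one header row, followed by rows laid
     out as ``name, surname, student_number, email``.  Every data row gets a
     fresh 8-character generated password, an INSERT into ``members`` with
     role id 4, and -- when the INSERT succeeds -- an entry in the batch that
     ``send_mail_first_login`` receives on a background thread.  All student
     numbers seen (including ones whose INSERT hit an IntegrityError) are then
     handed to ``self.register_student``.

     :param csv_data_file: file-like object (or any iterable of CSV lines).
     :param lecturer: passed through unchanged to ``send_mail_first_login``.
     :return: the literal string ``"Done"``.
     :raises ValueError: when the student-number column is not numeric.
     """
     csv_reader = csv.reader(csv_data_file)
     # Drop the header row; ``None`` default keeps an empty upload from raising.
     next(csv_reader, None)
     auth = []  # (full name, mail, plaintext password, username) per newly created member
     reg = []   # every student number processed, whether or not the INSERT succeeded
     pas = Password()
     role = 4   # role id written for every CSV student; presumably "student" -- verify against the roles table
     for row in csv_reader:
         if not row:
             continue  # blank lines in the upload arrive as empty rows; skip them
         name = handle_tr(row[0]).title()
         surname = handle_tr(row[1]).title()
         # Spreadsheet exports often carry numbers as "12345.0"; normalise to the integer text.
         student_number = str(int(float(row[2])))
         mail = row[3]
         username = name.split()[0].lower() + surname.lower()
         password = passwordGenerator(8)
         try:
             # NOTE(review): the statement is assembled with %-formatting from
             # cells of an uploaded file, so a crafted cell can change the SQL.
             # Whether self.execute accepts a separate parameter tuple is not
             # visible here; if the driver supports it, pass the seven values
             # as parameters instead of interpolating them.
             self.execute(
                 "INSERT INTO members(PersonID, Role, Name, Surname, Username, Password, Email) "
                 "values(%s, '%s', '%s', '%s', '%s', '%s', '%s');" %
                 (student_number, role, name, surname, username,
                  pas.hash_password(password), mail))
             auth.append((name + " " + surname, mail, password, username))
         except IntegrityError:
             # The member already exists (duplicate key): no new credentials
             # are mailed, but the number is still registered below.
             pass
         reg.append(student_number)
     threading.Thread(target=send_mail_first_login,
                      args=(auth, lecturer)).start()
     self.register_student(reg)
     return "Done"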
from User import User
from Password import Password
import hashlib
import os
import bcrypt
# Example to trigger a Sonar vulnerability finding
#import socket
#ip = '127.0.0.1'
#sock = socket.socket()
#sock.bind((ip, 9090))
#Hari gajmer developer
#typical bandit findings
#>>> bandit -r <folder>
#deprecated md5 will not be found by sonar...
# Scanner-bait: an environment lookup whose variable name looks like a secret.
# The value is overwritten a few lines further down and never used.
password = os.getenv("123_x&5s")
# bcrypt round-trip with a hard-coded input; ``hash_object`` is not read again.
hash_object = bcrypt.hashpw(b'123_x32&', bcrypt.gensalt())

# Hard-coded credential bytes (redacted in this listing) fed to the Password helper.
password = b"******"

user1 = User()
user1.set_name("Bert")

p = Password()
hashed_password = p.hash_password(password)

# Store the hash on the user, read it back, and check it against the plaintext.
user1.set_password(hashed_password)
hashed_password = user1.get_password()

p.hash_check(password, hashed_password)
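 def test_password(self):
     """A value hashed with Password.hash_password must verify via Password.hash_check.

     Uses ``self.password`` as the plaintext.  The second argument previously
     passed to ``assertTrue`` is its failure *message*, so passing ``True``
     there added nothing; it is omitted.
     """
     # assumes hash_password/hash_check are static or class methods on Password -- confirm
     user_hash_pwd = Password.hash_password(self.password)
     self.assertTrue(Password.hash_check(self.password, user_hash_pwd))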
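 def test_hash_password_hash_check(self):
     """Round-trip ``self.password`` through Password.hash_password and Password.hash_check.

     ``assertTrue``'s optional second argument is a failure message; the
     ``True`` previously passed there was meaningless and is dropped.
     """
     # assumes hash_password/hash_check are static or class methods on Password -- confirm
     hashed_pwd = Password.hash_password(self.password)
     self.assertTrue(Password.hash_check(self.password, hashed_pwd))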
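class User:
    """One member of an organization, loaded from that organization's ``members`` table.

    Construction switches the connection to the organization's database
    (``USE <organization>``) and immediately loads the row for ``username``
    into the instance attributes via :meth:`get_user_info`.

    NOTE(review): every statement in this class is built with %-formatting
    from caller-supplied values (organization, username, e-mail, hashes,
    file paths).  ``db.execute`` is wrapped as ``self.execute`` and its
    signature is not visible here; if it accepts a parameter sequence, the
    values should be passed that way instead of being interpolated.
    """

    def __init__(self, db, organization, username):
        """Bind to ``db``, select the organization's database and load the member row.

        :param db: database handle exposing ``execute``.
        :param organization: database/schema name; interpolated raw into ``USE``.
        :param username: member to load.
        """
        self.db = db
        self.execute = db.execute
        self.execute("USE %s" % organization)
        self.username = username
        self.organization = organization
        self.allowed_extensions = {'png', 'jpg', 'jpeg'}  # profile-picture upload whitelist
        self.pass_word = Password()

        # Populated from the members row by get_user_info().
        self.user_id = None
        self.role = None
        self.name = None
        self.surname = None
        self.hashed_pass = None
        self.email = None
        self.department = None
        self.profile_pic_path = None
        self.role_name = None  # looked up in the roles table from self.role

        # Either the summary list or the "No such a person!" message.
        self.get = self.get_user_info()

    def get_user_info(self):
        """Load this user's ``members`` row and role name into the instance.

        :return: List, [username, name, surname, user_id, role_name, email, department]
                 on success; the string "No such a person!" when no row matches
                 or the driver raises InterfaceError.
        """
        try:
            # '%s' placeholder restored: the listing showed a redacted literal
            # here, which would make the % formatting raise TypeError.
            # SELECT * is unpacked into exactly nine attributes, so any change
            # to the members table layout breaks this assignment.
            self.user_id, self.role, self.name, self.surname, self.username, \
                self.hashed_pass, self.email, self.department, self.profile_pic_path = \
                self.execute("SELECT * FROM members WHERE Username='%s'" % self.username)[0]

            self.role_name = self.execute(
                "SELECT Role FROM roles WHERE roleID = %s" % self.role)[0][0]
            return [
                self.username, self.name, self.surname, self.user_id,
                self.role_name, self.email, self.department
            ]
        except (InterfaceError, IndexError):
            # IndexError: the SELECT returned no row for this username.
            return "No such a person!"

    def change_password_or_email(self, old_password, new_val, email=False):
        """Change the e-mail address or the password after re-checking ``old_password``.

        :param old_password: plaintext to verify against the stored hash.
        :param new_val: new e-mail address when ``email`` is true, else the new plaintext password.
        :param email: selects which column is updated.
        :return: "Mail Changed", "Password Changed" or "Not Authorized".
        """
        if self.pass_word.verify_password_hash(old_password, self.hashed_pass):
            if email:
                self.execute(
                    "UPDATE members SET Email='%s' WHERE Username = '%s'" %
                    (new_val, self.username))
                return "Mail Changed"
            else:
                # The new plaintext password is never written to stdout/logs;
                # only its hash leaves this method.
                password = self.pass_word.hash_password(new_val)
                self.execute(
                    "UPDATE members SET Password='%s' WHERE Username = '%s'" %
                    (password, self.username))
                return "Password Changed"
        else:
            return "Not Authorized"

    def allowed_file(self, filename):  # to check if file type is appropriate.
        """Return True when ``filename`` has an extension (case-insensitive) in ``allowed_extensions``."""
        return '.' in filename and filename.rsplit(
            '.', 1)[1].lower() in self.allowed_extensions

    def upload_profile_pic(self, pic):
        """Store ``pic`` under the organization's profile_pictures directory and record its path.

        The file is saved as ``<user_id>.<ext>``; only the (whitelisted,
        lower-cased) extension comes from the upload's filename.

        :param pic: uploaded file object with ``filename`` and ``read()``.
        :return: "Done" or "Not allowed extension.".
        """
        if pic and self.allowed_file(pic.filename):
            extension = "." + pic.filename.rsplit('.', 1)[1].lower()
            # organization is interpolated into the filesystem path; assumed to
            # be a trusted identifier -- confirm where it originates.
            base_path = "/var/www/SEAS/uploads/%s/profile_pictures/" % self.organization
            path = base_path + str(self.user_id) + extension
            if not os.path.exists(base_path):
                os.makedirs(base_path)
            with open(path, "wb") as f:
                while True:
                    data = pic.read()
                    if not data:  # "" / b"" marks end of stream on either Python version
                        break
                    f.write(data)
            self.execute(
                "update members set ProfilePic = '%s' where PersonID = '%s';" %
                (path, self.user_id))
            return "Done"
        return "Not allowed extension."

    def get_profile_picture(self, ):
        """Return the stored profile-picture path (None until get_user_info ran)."""
        return self.profile_pic_path

    def verify_password(self, password):
        """Return whether ``password`` matches this user's stored hash."""
        return self.pass_word.verify_password_hash(password, self.hashed_pass)

    def reset_password(self):
        """Create a temporary password, schedule its removal and mail it to the user.

        The hash goes into ``temporary_passwords``; a MySQL event deletes the
        row after 30 minutes.  The plaintext is only handed to
        ``send_mail_password_reset`` on a background thread.

        :return: a status message; the IntegrityError branch means a
                 temporary_passwords row already exists for this user.
        """
        password = passwordGenerator(8)
        try:
            password_ = self.pass_word.hash_password(password)
            self.execute("INSERT INTO temporary_passwords (UserID, Password)"
                         "VALUES (%d, '%s');" % (int(self.user_id), password_))
            self.execute(
                "CREATE EVENT user_%d ON SCHEDULE AT date_add(now(), INTERVAL 30 MINUTE) "
                "DO DELETE FROM temporary_passwords WHERE UserID = %d;" %
                (int(self.user_id), int(self.user_id)))
            auth = [
                "%s %s" % (self.name, self.surname), self.email, password,
                self.username
            ]
            threading.Thread(target=send_mail_password_reset,
                             args=(auth, )).start()
            return "Check your mail address for credentials."
        except IntegrityError:
            return "Your account has been reset already."

    def check_and_change_password(self, temp_pass, new_pass):
        """Complete a reset: verify the temporary password, then store ``new_pass``.

        :param temp_pass: plaintext temporary password received by mail.
        :param new_pass: plaintext replacement password (stored hashed).
        :return: the UPDATE's result on success, otherwise a status message.
        """
        try:
            password = self.execute(
                "SELECT Password FROM temporary_passwords WHERE UserID = %d;" %
                (int(self.user_id)))[0][0]
        except IndexError:
            # No temporary_passwords row: nothing was requested, or the
            # 30-minute cleanup event already removed it.
            return "There is not any reset request for the user!"
        if not self.pass_word.verify_password_hash(temp_pass, password):
            return "Wrong Temporary Password!"
        # One-time use: drop the temporary row before storing the new hash.
        self.execute(
            "DELETE FROM temporary_passwords WHERE UserID = %d;" %
            (int(self.user_id)))
        new_pass = self.pass_word.hash_password(new_pass)
        return self.execute(
            "UPDATE members SET members.Password = '%s' WHERE PersonID = %d;"
            % (new_pass, int(self.user_id)))

    def get_last_activity(self, endpoint):
        """Return the user's five most recent activity rows, padded with "" to five entries.

        :param endpoint: "last_login" restricts the rows to the sign_in endpoint;
                         any other value returns the latest five of all endpoints.
        """
        # NOTE(review): the schema name is hard-coded here while the rest of
        # the class relies on the USE issued in __init__ -- confirm this is intended.
        if endpoint == "last_login":
            rtn = self.execute(
                "SELECT Api_Endpoint, Time, IP FROM istanbul_sehir_university.last_activities "
                "where username = '%s' and Api_Endpoint = 'sign_in' order by Time DESC limit 5;"
                % self.username)
        else:
            rtn = self.execute(
                "SELECT Api_Endpoint, Time, IP FROM istanbul_sehir_university.last_activities "
                "where username = '%s' order by Time DESC limit 5;" %
                self.username)
        while len(rtn) < 5:
            rtn.append("")
        return rtn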