def post(self, user):
# grab the form
form = PostDeleteForm(self.request.params)
# validate csrf
if not self.validate_csrf(form.csrf_token.data):
form.csrf_token.data = self.generate_csrf()
self.r(form, flashes=flash('Please submit the form again.'))
return
# get the post please
try:
post = Key(urlsafe=form.key.data).get()
except:
post = None
# as usual, this really shouldn't
# be None unless unnatural navigation
if post is None:
self.redirect('/')
return
# the post exists, is it owned by the user?
if post.author != user:
self.redirect('/')
return
# check if the user is the owner or not
if post.author != user:
self.redirect('/')
return
# everything checks out so let's remove the post
# first though, we need to remove the comments
# assoc with the post and the likes
# TODO query these entities to make sure they are removed
comments = Comment.query(ancestor=post.key).fetch()
ks = put_multi(comments)
delete_multi(ks)
likes = Like.query(Like.post == post.key).fetch()
ks = put_multi(likes)
delete_multi(ks)
# got everything else removed, let's
# remove the post
try:
post.key.delete()
self.redirect('/')
return
except Exception as e:
# let them try again
form.csrf_token.data = self.generate_csrf()
self.r(form, post, flashes=flash())
return
def post(self):
user = self.validate_user()
if user is not None:
self.redirect('/')
return
form = RegisterForm(self.request.params)
# validate form
if not form.validate():
self.r(form)
return
# validate csrf
if not self.validate_csrf(form.csrf_token.data):
form.csrf_token.data = self.generate_csrf()
self.r(form, flashes=flash('Please submit the form again'))
return
# check for an existing account
# using the lowercase username as a key
# to ensure users are unique
username = form.username.data
username = re.sub(
r'[\!\@\#\$\%\^\&\*\-_=\+\?<>,\.\"\':;\{\}\[\]|\\~\/`]', '',
username)
try:
user = Key("User", lower(username)).get()
except:
user = None
if user is not None:
self.r(form, flashes=flash('That username is taken'))
return
# create the user
try:
user = User(
username=username,
password=pw.gen_hash(form.password.data),
)
user.key = Key("User", lower(user.username))
user.put()
# create a hash with our secret so we know the cookie is legit later
self.generate_sig(user.username)
self.redirect('/?welcome=%s' % user.username)
return
except: # guess something happened eh?
self.r(form, flashes=flash())
return
def index():
form = SecretForm()
if form.validate_on_submit():
secret = Secret(secret_value=form.secret.data, ttl=form.ttl.data, passphrase=form.passphrase.data)
try:
RedisRegistry(secret).save()
admin = Admin.create_admin(secret)
RedisRegistry(admin).save()
except ConnectionError as e:
current_app.logger.error(e)
return 500
flash('Secret created!')
return redirect(url_for('secret.secret_admin', admin_id=admin.obj_id))
return render_template('secrets/index.html', title=_('Create your secret now!'), form=form)
def post(self, user):
# grab the form
form = PostForm(self.request.params)
# check if the person exists in the db or not
try:
user = Key("User", lower(user)).get()
except:
user = None
# shouldn't be None if we got this far
# but check anyway
if user is None:
self.invalidate_sig()
self.redirect('/user/login')
return
# validate form
if not form.validate():
self.r(form)
return
# validate csrf
if not self.validate_csrf(form.csrf_token.data):
form.csrf_token.data = self.generate_csrf()
self.r(form, flashes=flash('Please submit the form again.'))
return
t = form.title.data
try:
# let's create the post
post = Post(
title=t,
author=user.username,
author_lower=lower(user.username),
subject=form.subject.data,
content=form.content.data
)
post.put()
# maybe they want to create another post?
self.r(PostForm(data={'csrf_token': self.generate_csrf()}),
flashes=flash('Your new post can be viewed <a href="/post/view?key=%s">here</a>.' % post.key.urlsafe(), 'success'))
return
except Exception as e:
# give them another chance
form.csrf_token.data = self.generate_csrf()
self.r(form)
return
def post(self):
user = self.validate_user()
if user is not None:
self.redirect('/')
return
form = RegisterForm(self.request.params)
# validate form
if not form.validate():
self.r(form)
return
# validate csrf
if not self.validate_csrf(form.csrf_token.data):
form.csrf_token.data = self.generate_csrf()
self.r(form, flashes=flash('Please submit the form again'))
return
# check for an existing account
# using the lowercase username as a key
# to ensure users are unique
username = form.username.data
username = re.sub(r'[\!\@\#\$\%\^\&\*\-_=\+\?<>,\.\"\':;\{\}\[\]|\\~\/`]', '', username)
try:
user = Key("User", lower(username)).get()
except:
user = None
if user is not None:
self.r(form, flashes=flash('That username is taken'))
return
# create the user
try:
user = User(
username=username,
password=pw.gen_hash(form.password.data),
)
user.key = Key("User", lower(user.username))
user.put()
# create a hash with our secret so we know the cookie is legit later
self.generate_sig(user.username)
self.redirect('/?welcome=%s' % user.username)
return
except: # guess something happened eh?
self.r(form, flashes=flash())
return
def set_password(token):
if current_user.is_authenticated:
flash(_('Looks like you have already activated your account.'))
return redirect(url_for('secret.index'))
user = User.verify_set_password_token(token)
if not user:
abort(404)
form = SetPasswordForm()
if form.validate_on_submit():
user.set_password(form.password.data)
db.session.commit()
flash(_('Your password has been setup.'))
return redirect(url_for('auth.login'))
return render_template('auth/set_password.html', form=form)
def get(self, user):
# get the title of the post
k = self.request.get('key', None)
if k is None:
self.redirect('/')
return
try:
# get the post please
post = Key(urlsafe=k).get()
except:
# key is invalid
post = None
# unnatural nav
if post is None:
self.r(flashes=flash('Post does not exist'))
return
# check if the user is the owner or not
if post.author != user:
self.redirect('/')
return
# get the form ready
form = PostEditForm(data={
'csrf_token': self.generate_csrf(),
'key': k,
'title': post.title,
'subject': post.subject,
'content': post.content
})
self.r(form, post)
def reset_password_request():
if current_app.config['LOGIN_DISABLED']:
abort(404)
if current_user.is_authenticated:
return redirect(url_for('secret.index'))
form = ResetPasswordRequestForm()
if form.validate_on_submit():
user = User.query.filter_by(email=form.email.data).first()
if user:
send_password_reset_email(user)
flash(
_('Check your email for the instructions to reset your password'))
return redirect(url_for('auth.login'))
return render_template('auth/reset_password_request.html',
title=_('Reset Password'),
form=form)
def register():
if current_app.config['REGISTRATION_DISABLED'] or current_app.config[
'LOGIN_DISABLED']:
abort(404)
if current_user.is_authenticated:
return redirect(url_for('secret.index'))
form = RegistrationForm()
if form.validate_on_submit():
user = User(username=form.username.data, email=form.email.data)
db.session.add(user)
db.session.commit()
send_account_activation_token(user)
flash(
_('Congratulations, you are now a registered user! Check your e-mail to activate account.'
))
return redirect(url_for('auth.login'))
return render_template('auth/register.html',
title=_('Register'),
form=form)
def post(self):
user = self.validate_user()
if user is not None:
self.redirect('/')
return
form = LoginForm(self.request.params)
# validate form
if not form.validate():
self.r(form)
return
# validate csrf
if not self.validate_csrf(form.csrf_token.data):
form.csrf_token.data = self.generate_csrf()
self.r(form, flashes=flash('Please submit the form again'))
return
# check whether user account exists
username = form.username.data
try:
user = Key("User", lower(username)).get()
except:
user = None
if user is None:
self.r(form, flashes=flash('Could not sign in. Verify username and password are correct and try again.'))
return
# check whether passwords are correct or not
if not pw.is_pw(form.password.data, user.password):
self.r(form, flashes=flash('Could not sign in. Verify username and password are correct and try again.'))
return
# create a hash with our secret so we know the cookie is legit later
self.generate_sig(user.username)
self.redirect('/?welcome=%s' % user.username)
return
def secret_admin(admin_id):
admin = RedisRegistry.load(admin_id, Admin)
secret = RedisRegistry.load(admin.secret_id, Secret) if admin else False
if secret:
sms_form = SendPassphrase()
email_form = SendSecretLink()
burn_form = BurnSecretForm()
if sms_form.submit_sms.data and sms_form.validate():
flash('SMS sent!')
if email_form.submit_email.data and email_form.validate():
flash('Email sent!')
send_secret_link_email(recivers=[email_form.email.data], secret=secret)
if burn_form.submit.data and burn_form.validate():
if RedisRegistry(secret).destroy():
current_app.logger.debug(request.form)
flash('Secret destroyed!')
return redirect(url_for('secret.index'))
return render_template('secrets/secret_admin.html',
secret=secret,
secret_id=secret.obj_id,
admin_id=admin_id,
email_form=email_form,
sms_form=sms_form,
burn_form=burn_form
)
abort(404)
def login():
if current_app.config['LOGIN_DISABLED']:
abort(404)
if current_user.is_authenticated:
return redirect(url_for('secret.index'))
form = LoginForm()
if form.validate_on_submit():
user = User.query.filter_by(username=form.username.data).first()
if user is None or not user.check_password(form.password.data):
flash(_('Invalid username or password'), category='danger')
return redirect(url_for('auth.login'))
login_user(user, remember=form.remember_me.data)
next_page = request.args.get('next')
if not next_page or url_parse(next_page).netloc != '':
next_page = url_for('secret.index')
return redirect(next_page)
return render_template(
'auth/login.html',
title=_('Sign In'),
form=form,
not_register=current_app.config['REGISTRATION_DISABLED'])
def get(self):
welcome = self.request.get('welcome', None)
flashes = []
limit = 10
offset = self.request.get_range('offset',
min_value=0,
max_value=100000,
default=0)
# let's get the most recent posts
posts = Post.query().order(-Post.created).fetch(limit, offset=offset)
if len(posts) is 0 and offset > 0:
flashes = flash('No more posts available.')
offset -= limit
posts = Post.query().order(-Post.created).fetch(limit,
offset=offset)
if welcome is not None:
flashes = flash('Welcome, %s!' % welcome, 'success', flashes)
self.r(posts, offset, limit, flashes=flashes)
def post(self, user):
# grab the form
form = PostEditForm(self.request.params)
# validate csrf
if not self.validate_csrf(form.csrf_token.data):
form.csrf_token.data = self.generate_csrf()
self.r(form, flashes=flash('Please submit the form again.'))
return
# validate form
if not form.validate():
self.r(form)
return
# get the post please
post = Key(urlsafe=form.key.data).get()
if post is None:
self.r(flashes=flash('Post does not exist'))
return
# check if the user is the owner or not
if post.author != user:
self.redirect('/')
return
try:
t = form.title.data
post.title = t
post.title_lower = lower(t)
post.subject = form.subject.data
post.content = form.content.data
post.put()
self.redirect('/author/%s' % post.author)
return
except Exception as e:
form.csrf_token.data = self.generate_csrf()
self.r(form)
return
def post(self, user):
# grab the form
form = CommentForm(self.request.params)
if not form.validate():
form.csrf_token.data = self.generate_csrf()
self.r(form)
return
# get the comment
try:
comment = Key(urlsafe=form.key.data).get()
except:
# invalid key
comment = None
if comment is None:
self.redirect('/')
return
if comment.author != user:
self.redirect('/')
return
# better be a post here or else!
post = comment.key.parent().get()
if post is None:
self.redirect('/')
return
# update the comment
try:
comment.content = form.comment.data
comment.put()
self.redirect('/post/view?key=%s' % post.key.urlsafe())
return
except:
# let's give them another chance
form.csrf_token.data = self.generate_csrf()
self.r(form, flashes=flash())
return
def post(self, user):
# grab the form
form = CommentForm(self.request.params)
if not form.validate():
form.csrf_token.data = self.generate_csrf()
self.r(form)
return
# get the comment
try:
comment = Key(urlsafe=form.key.data).get()
except:
# invalid key
comment = None
if comment is None:
self.redirect('/')
return
if comment.author != user:
self.redirect('/')
return
# better be a post here or else!
post = comment.key.parent().get()
if post is None:
self.redirect('/')
return
# update the comment
try:
comment.content = form.comment.data
comment.put()
self.redirect('/post/view?key=%s' % post.key.urlsafe())
return
except:
# let's give them another chance
form.csrf_token.data = self.generate_csrf()
self.r(form, flashes=flash())
return
def get(self):
flashes = []
limit = 10
offset = self.request.get_range('offset',
min_value=0,
max_value=100000,
default=0)
user = self.request.path.split('/')[2]
user = unquote(user)
# let's get the most recent posts
posts = Post.query(
Post.author_lower == lower(user)).order(-Post.created).fetch(
limit, offset=offset)
if len(posts) is 0 and offset > 0:
flashes = flash('No more posts available.')
offset -= limit
posts = Post.query().order(-Post.created).fetch(limit,
offset=offset)
self.r(posts, offset, limit, user, flashes=flashes)
def post(self, user):
# let's get the form
form = CommentDeleteForm(self.request.params)
# validate the form please
if not form.validate():
self.redirect(self.request.referer)
return
try:
# grab the comment
comment = Key(urlsafe=form.key.data).get()
except:
# really this shouldn't be None
# unless unnatural nav
comment = None
# go back home
if comment is None:
self.redirect('/')
return
# this isn't the users comment!
if comment.author != user:
self.redirect('/')
return
# alright let's delete the comment
try:
comment.key.delete()
self.redirect('/')
return
except Exception as e:
# we'll give them another chance
form.csrf_token.data = self.generate_csrf()
self.r(form, comment, flashes=flash())
return