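def newItem(category_name):
    """Create a new item in *category_name*.

    GET renders the creation form; POST validates the submitted name and
    description, rejects a name that is already in use, and creates the
    item on behalf of the logged-in user.

    The login check runs before the method branch. Previously only the
    GET branch looked for a session user, so an unauthenticated POST fell
    through to ``session['email']`` and raised ``KeyError`` (an HTTP 500)
    instead of being sent to the login page.

    Args:
        category_name: URL segment naming the category the item goes in.

    Returns:
        A redirect (login page, error page, or the new item's page) or the
        rendered ``newItem.html`` template.
    """
    # NOTE(review): nothing here verifies a CSRF token. Unless the form
    # carries one that is checked elsewhere, a cross-site POST can create
    # items for a logged-in user. Flask does not do this by default.
    userEmail = session.get('email')
    if userEmail is None:
        return redirect(url_for('showLogin'))

    if request.method == 'POST':
        # Strip the padding a user may have typed around the name; the
        # name is also the lookup key for the item (see getItemByName).
        name = request.form.get('name', '').strip()
        description = request.form.get('description', '')
        if not (name and description):
            return redirect(
                url_for('error',
                        error='You need to enter both a name and description'))

        db = DBConnect()
        # Item names are globally unique in this app, so refuse reuse.
        if db.itemNameUsed(name)['used']:
            return redirect(
                url_for('error',
                        error='This item name has already been used'))

        category = db.getCategoryByName(category_name)
        if category is None:
            # A bad category segment in the URL must not become an
            # AttributeError on ``category.id`` below.
            return redirect(url_for('error', error='Category not found'))

        userID = db.getUserIDByEmail(userEmail)
        db.addItem(name, description, category.id, userID)
        return redirect(
            url_for('showItem', category_name=category_name, item_name=name))

    # GET: show the creation form.
    return render_template('newItem.html', categoryName=category_name)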
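def editItem(category_name, item_name):
    """Edit an existing item (GET shows the form, POST applies the change).

    Ownership is enforced before the method branch: the session user must
    be the item's owner for either verb. The original only checked
    ownership on GET, so a direct POST could modify any user's item
    (an insecure direct object reference).

    Args:
        category_name: URL segment naming the item's current category.
        item_name: URL segment naming the item to edit (the lookup key).

    Returns:
        A redirect (error page or the updated item's page) or the rendered
        ``editItem.html`` template.
    """
    # NOTE(review): the POST is not protected by a CSRF token here; if the
    # form does not carry one that is checked elsewhere, a cross-site POST
    # can edit the victim's items.
    db = DBConnect()
    item = db.getItemByName(item_name)
    if item is None:
        # Guard the ``item.user.id`` dereference below.
        return redirect(url_for('error', error='Item not found'))

    userEmail = session.get('email')
    userID = db.getUserIDByEmail(userEmail) if userEmail is not None else None
    if userID is None or userID != item.user.id:
        return redirect(
            url_for('error',
                    error='You are not authorized to edit this item'))

    if request.method == 'POST':
        name = request.form.get('name', '').strip()
        description = request.form.get('description', '')
        categoryName = request.form.get('category', '')
        if not (name and description and categoryName):
            # The original returned None here, which Flask reports as a
            # 500; send the user to the error page instead.
            return redirect(
                url_for('error',
                        error='You need to enter both a name and description'))

        # Names are the lookup key for items and newItem() keeps them
        # unique, so a rename must not collide with another item.
        if name != item_name and db.itemNameUsed(name)['used']:
            return redirect(
                url_for('error',
                        error='This item name has already been used'))

        category = db.getCategoryByName(categoryName)
        if category is None:
            return redirect(url_for('error', error='Category not found'))

        db.editItem(item, name, description, category.id)
        return redirect(
            url_for('showItem', category_name=category.name, item_name=name))

    # GET: render the edit form with every category available for
    # reassignment.
    categories = db.getAllCategories()
    return render_template('editItem.html',
                           selectedItem=item, categories=categories)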
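def showItem(category_name, item_name):
    """Display one item, with owner-only controls when the viewer owns it.

    The template choice is the only thing the ownership check decides:
    the owner gets ``showItem.html`` (edit/delete controls), everyone
    else gets ``publicShowItem.html``. Anonymous viewers are allowed.

    Args:
        category_name: URL segment naming the item's category (passed to
            the template as ``categoryName``; not validated against the
            item).
        item_name: URL segment naming the item to display.

    Returns:
        The rendered template, or a redirect to the error page when no
        item with that name exists.
    """
    db = DBConnect()
    selectedItem = db.getItemByName(item_name)
    if selectedItem is None:
        # The original dereferenced ``selectedItem.user`` unguarded, so an
        # unknown name produced an AttributeError (HTTP 500).
        return redirect(url_for('error', error='Item not found'))

    # Only hit the user table when somebody is actually logged in.
    userEmail = session.get('email')
    userID = db.getUserIDByEmail(userEmail) if userEmail is not None else None

    isOwner = userID is not None and userID == selectedItem.user.id
    template = 'showItem.html' if isOwner else 'publicShowItem.html'
    return render_template(template,
                           selectedItem=selectedItem,
                           categoryName=category_name)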
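def deleteItem(category_name, item_name):
    """Delete an item (GET shows the confirmation page, POST deletes).

    Ownership is enforced before the method branch. The original checked
    that the session user owned the item only when serving the GET
    confirmation page; the POST that actually deleted the row had no
    check at all, so any client could delete any item by name.

    Args:
        category_name: URL segment naming the item's category; used for
            the post-delete redirect.
        item_name: URL segment naming the item to delete.

    Returns:
        A redirect (error page, or the category page after deletion) or
        the rendered ``deleteItem.html`` confirmation template.
    """
    # NOTE(review): no CSRF token is checked on the destructive POST; if
    # the confirmation form does not carry one that is validated elsewhere,
    # a cross-site POST can delete a logged-in user's items.
    db = DBConnect()
    item = db.getItemByName(item_name)
    if item is None:
        # Guard the ``item.user.id`` dereference below.
        return redirect(url_for('error', error='Item not found'))

    userEmail = session.get('email')
    userID = db.getUserIDByEmail(userEmail) if userEmail is not None else None
    if userID is None or userID != item.user.id:
        return redirect(
            url_for('error',
                    error='You are not authorized to delete this item'))

    if request.method == 'POST':
        db.deleteItem(item)
        return redirect(url_for('showCategory', category_name=category_name))

    # GET: ask for confirmation.
    return render_template('deleteItem.html',
                           categoryName=category_name, itemName=item_name)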
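def _json_response(payload, status):
    """Return a Flask response carrying *payload* as JSON with *status*."""
    response = make_response(json.dumps(payload), status)
    response.headers['Content-Type'] = 'application/json'
    return response


def gconnect():
    """Complete a Google sign-in: exchange the one-time code, verify the
    resulting token, and populate the login session.

    Steps, in order:
      1. Reject the request unless the ``state`` query parameter matches
         the anti-forgery token stored in the session.
      2. Exchange the authorization code in the request body for
         credentials via the ``postmessage`` flow.
      3. Validate the access token against Google's tokeninfo endpoint and
         check that it was issued for this user and for this app's
         ``CLIENT_ID``.
      4. Store the token and user info in the session and create the user
         row on first login.

    Returns:
        A JSON response with an error message (401/500/502) on failure,
        a JSON "already logged in" message (200) for a repeat login, or an
        HTML welcome snippet on first success.
    """
    import html  # stdlib; used to escape the name echoed back as HTML

    # -- 1. anti-forgery (state) check ---------------------------------
    # Both sides must be present: ``session.get`` alone would make a
    # missing-state request compare ``None != None`` and pass.
    expected_state = session.get('state')
    given_state = request.args.get('state')
    if not expected_state or not given_state or given_state != expected_state:
        return _json_response('Invalid state token', 401)

    # -- 2. exchange the one-time code for credentials -----------------
    code = request.data
    try:
        oauth_flow = flow_from_clientsecrets('secret/client_secrets.json',
                                             scope='')
        # 'postmessage' is the redirect URI used by the JS sign-in widget
        # that sends the server this one-time code.
        oauth_flow.redirect_uri = 'postmessage'
        credentials = oauth_flow.step2_exchange(code)
    except FlowExchangeError:
        return _json_response('Failed to upgrade the authorization code', 401)

    # -- 3. validate the access token with Google ----------------------
    access_token = credentials.access_token
    try:
        # Pass the token as a parameter (URL-encoded) and bound the call;
        # a hung upstream must not pin a worker indefinitely.
        result = requests.get(
            'https://www.googleapis.com/oauth2/v1/tokeninfo',
            params={'access_token': access_token},
            timeout=10).json()
    except (requests.RequestException, ValueError):
        return _json_response('Could not validate token with Google', 502)
    if result.get('error') is not None:
        return _json_response(result['error'], 500)

    # The token must belong to the user named in the id_token ...
    gplus_id = credentials.id_token['sub']
    if result.get('user_id') != gplus_id:
        return _json_response('Token user ID does not match given user ID',
                              401)
    # ... and must have been issued to this application, not another
    # client the user happens to have authorized.
    if result.get('issued_to') != CLIENT_ID:
        print('Token client ID does not match the apps ID')
        return _json_response('Token client ID does not match the apps ID',
                              401)

    # Repeat sign-in by the same user: nothing to change.
    stored_credentials = session.get('credentials')
    stored_gplus_id = session.get('gplus_id')
    if stored_credentials is not None and stored_gplus_id == gplus_id:
        return _json_response('Current user is already logged in', 200)

    # -- 4. populate the session and the user table --------------------
    # NOTE(review): with Flask's default client-side session this access
    # token lives in a signed (not encrypted) cookie in the user's browser.
    # Consider a server-side session store if the token must stay private.
    session['credentials'] = credentials.access_token
    session['gplus_id'] = gplus_id

    try:
        data = requests.get('https://www.googleapis.com/oauth2/v1/userinfo',
                            params={'access_token': credentials.access_token,
                                    'alt': 'json'},
                            timeout=10).json()
    except (requests.RequestException, ValueError):
        return _json_response('Could not fetch user info from Google', 502)
    if not data.get('email'):
        # The email is this app's user key; without it nothing below works.
        return _json_response('Google did not return an email address', 401)

    # The email doubles as the display name elsewhere in the app.
    session['username'] = data['email']
    session['email'] = data['email']
    session['picture'] = data.get('picture')

    db = DBConnect()
    userID = db.getUserIDByEmail(session['email'])
    if userID is None:
        db.createUser(session['username'], session['email'],
                      session['picture'])
        userID = db.getUserIDByEmail(session['email'])
    session['user_id'] = userID

    # The name comes from the identity provider, not from us: escape it
    # before embedding in HTML rather than concatenating it raw.
    return '<h1>Welcome, ' + html.escape(session['username'])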