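def login():
    """Authenticate a user from the POSTed ``user`` / ``passw`` form fields.

    On success a fresh ``session_salt`` is written to the user record and a
    JSON document with ``session`` (the derived session key), ``userID`` and
    the remaining non-secret ``details`` is returned.  Every other outcome
    (non-POST request, unknown user, wrong password) returns the string
    ``"False"`` with a 200 status, as the existing clients expect.
    """
    import hmac  # constant-time digest comparison

    if request.method != "POST":
        return "False"
    user = request.form['user']
    passw = request.form['passw']

    users = util.get_collection('users')
    user_data = users.find_one({"user": user})

    # NOTE(review): the stored credential is a single unsalted
    # sha512(user + passw).  A fast hash is not a password KDF; migrating to
    # bcrypt/scrypt/argon2 needs a re-hash-on-login path and is out of scope
    # for this fix.  The digest is computed even for unknown users so the
    # response time does not reveal whether the account exists.
    candidate = util.sha512(user + passw)
    stored = user_data.get('passw') if user_data else None
    if stored is None:
        return "False"
    # compare_digest avoids leaking the stored digest through timing of `==`.
    if not hmac.compare_digest(stored, candidate):
        return "False"

    # Per-login salt: each successful login invalidates the previous key.
    session_salt = util.sha512(os.urandom(512))
    util.update_user(user_data['_id'], {"session_salt": session_salt})
    # The session key binds the fresh salt to the current password hash.
    session_key = util.sha512(session_salt + user_data['passw'])
    userID = str(user_data['_id'])

    # Strip secrets before echoing the record back to the client.  `pop`
    # with a default: a first-time login has no `session_salt` in the
    # document fetched above, and `del` would raise KeyError there.
    del user_data['_id']
    del user_data['passw']
    user_data.pop('session_salt', None)

    return json.dumps({
        "session": session_key,
        "userID": userID,
        "details": user_data
    })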
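def edit_profile():
    """Show (GET) or apply (POST) the profile edit form for the logged-in user.

    The user is resolved from ``session['user']``.  A missing session key or
    an unknown id both return the generic internal-error page instead of
    letting a raw KeyError surface as a 500.  On POST the update is delegated
    to ``util.update_user``; success redirects to ``user_index``, failure
    returns whatever page the helper hands back.
    """
    # session.get(): an anonymous visitor has no 'user' key at all.
    user_id = session.get('user')
    user = None
    if user_id is not None:
        user = g.db_session.query(User).filter(User.id == user_id).first()
    if not user:
        # "Unknown error" -- UI string kept in the app's display language.
        message = u'未知のエラーです'
        return internal_server_error(message)
    if request.method == 'GET':
        return render_template('update_user.htm', path=request.base_url,
                               user=user, conf=g.config)
    # NOTE(review): the POST path mutates the account; assumes CSRF
    # protection lives in util.update_user or the form layer -- confirm.
    result = util.update_user(request, g, user)
    if not result['status']:
        return result['page']
    return redirect(url_for('user_index'))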
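def update_user():
    """Merge the client-supplied ``new_details`` JSON into the user's details.

    Form fields: ``userID`` and ``session`` (validated by ``util.auth``) and
    ``new_details`` (a JSON object).  Returns ``"success"`` when the write
    succeeds, otherwise ``"error"`` -- for an invalid session, malformed or
    non-object JSON, or a failed database update.
    """
    userID = request.form['userID']
    session = request.form['session']
    new_details = request.form['new_details']
    user = util.auth(userID, session)
    if not user:
        # The original fell off the end here and returned None, which Flask
        # rejects as a response.
        return "error"
    try:
        patch = json.loads(new_details)
    except ValueError:
        return "error"
    if not isinstance(patch, dict):
        return "error"
    # dict.update() returns None: the original stored that None under
    # "details" and wiped the document.  Build the merged copy explicitly.
    merged = dict(user.get('details') or {})
    merged.update(patch)
    # NOTE(review): every key the client sends is persisted verbatim (mass
    # assignment).  Restrict to an allow-list if details can hold anything
    # privileged (roles, flags, ...).
    if util.update_user(user['_id'], {"details": merged}):
        return "success"
    return "error"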
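def change_password():
    """Rotate the password of an authenticated user.

    Form fields: ``userID`` and ``session`` (validated by ``util.auth``),
    ``passw`` (current password) and ``new_passw``.  Returns the result of
    ``util.update_user`` on success, ``"incorrect password"`` when the
    current password does not match, ``"invalid user"`` when the session is
    rejected, and ``"False"`` for a non-POST request.
    """
    import hmac  # constant-time digest comparison

    if request.method != "POST":
        # A bare `False` is not a valid Flask response (TypeError -> 500);
        # use the same string sentinel login() returns.
        return "False"
    userID = request.form['userID']
    session = request.form['session']
    passw = request.form['passw']
    new_passw = request.form['new_passw']

    user = util.auth(userID, session)
    if not user:
        return "invalid user"
    # Re-verify the current password even with a valid session, so a stolen
    # session token alone cannot rotate the credential.  compare_digest
    # keeps the check constant-time.
    if not hmac.compare_digest(util.sha512(user['user'] + passw), user['passw']):
        return "incorrect password"
    # NOTE(review): no strength/emptiness policy is applied to new_passw, and
    # whether other sessions are invalidated depends on util.auth -- confirm.
    return util.update_user(
        userID,
        {"passw": util.sha512(user['user'] + new_passw)}
    )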
def register():
    """Create a new account from the submitted form via ``util.update_user``.

    Redirects to ``user_index`` when the helper reports success; otherwise
    returns the page the helper hands back (e.g. the form re-rendered with
    validation errors).
    """
    outcome = util.update_user(request, g)
    if outcome['status']:
        return redirect(url_for('user_index'))
    return outcome['page']