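def _is_local_url(target):
    """Return True only if *target* is a path on this site.

    Used to validate the ``next`` query parameter before redirecting to it.
    Anything with a scheme or host (``https://evil.example``,
    ``//evil.example``) or a backslash (which browsers may normalise to a
    slash) is rejected, so the login page cannot serve as an open redirect.
    """
    from urllib.parse import urlsplit  # stdlib; kept local to this helper
    if not target or not target.startswith('/') or target.startswith('//'):
        return False
    if '\\' in target:
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def login():
    """Authenticate a user from the login form and start a session.

    GET renders the form. POST looks the submitted username up, verifies
    the password against the stored hash and, on success, clears any
    existing session (so a pre-set session id is not carried over),
    stores ``user_id``, sets the ``pirate`` cookie and redirects to the
    validated ``next`` parameter or the story list. A failed attempt
    re-renders the form with a flashed error and HTTP 401.
    """
    status_code = 200
    # ``next`` is attacker-controllable; only site-local paths are honoured.
    referrer = request.args.get('next')
    if not _is_local_url(referrer):
        referrer = None

    if request.method == 'POST':
        # NOTE(review): the password is HTML-escaped before hashing, so a
        # password containing & < > or quotes is stored in escaped form.
        # register() does the same, so the two agree; dropping the escape
        # here alone would lock those users out.
        username = escape(request.form['username'])
        password = escape(request.form['password'])
        db = get_db()
        error = None
        user = db.execute('SELECT * FROM user WHERE username = ?',
                          (username, )).fetchone()

        # One message for both failure modes so the response does not
        # reveal which usernames exist. (The hash check is still skipped
        # for unknown users, so a timing difference remains.)
        if user is None or not check_password_hash(user['password'], password):
            error = 'Incorrect username or password.'

        # NOTE(review): ``access_approved`` (written by edit()/disallow())
        # is not consulted here; if nothing outside this listing enforces
        # it, disallowed users can still log in — confirm.
        if error is None:
            session.clear()
            session['user_id'] = user['id']
            url = referrer if referrer else url_for('story.story_list')
            response = make_response(redirect(url))
            response.set_cookie('pirate',
                                value='shiver_me_timbers',
                                max_age=60 * 60,  # one hour, as before
                                httponly=True,  # not readable by page scripts
                                # Secure when served over HTTPS; behind a
                                # proxy this needs ProxyFix to be accurate.
                                secure=request.is_secure,
                                samesite='Lax')
            return response

        flash(error)
        status_code = 401

    return render_template('auth/login.html',
                           form_groups=get_user_form('login')), status_code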
def register():
    """Create a new account from the registration form.

    GET renders the form. POST requires a non-empty username and password
    and an unused username; on success the hashed password is stored and
    the request is handed to login() so the new user is signed in at once.
    A validation failure is flashed and the form re-rendered.
    """
    if request.method != 'POST':
        return render_template('auth/register.html',
                               form_groups=get_user_form('register'))

    username = escape(request.form['username'])
    # NOTE(review): the password is HTML-escaped before hashing, matching
    # login(); changing one side without the other breaks existing logins.
    password = escape(request.form['password'])
    db = get_db()

    def username_taken():
        row = db.execute('SELECT id FROM user WHERE username = ?',
                         (username, )).fetchone()
        return row is not None

    if not username:
        problem = 'Username is required.'
    elif not password:
        problem = 'Password is required.'
    elif username_taken():
        problem = f'User {username} is already registered.'
    else:
        problem = None

    if problem is None:
        # NOTE(review): check-then-insert is racy; whether a concurrent
        # duplicate is caught depends on a UNIQUE constraint not visible here.
        db.execute('INSERT INTO user (username, password) VALUES (?, ?)',
                   (username, generate_password_hash(password)))
        db.commit()
        return login()

    flash(problem)
    return render_template('auth/register.html',
                           form_groups=get_user_form('register'))
def update_access_time():
    """Stamp the current user's ``last_access`` with the database clock.

    No-op when nobody is logged in (``g.user`` is None). The commit is
    issued on the shared request connection, so anything else pending on
    that connection is committed with it.
    """
    current = g.user
    if current is None:
        return
    conn = get_db()
    conn.execute(
        'UPDATE user SET last_access = CURRENT_TIMESTAMP WHERE id = ?',
        (current['id'], ))
    conn.commit()
def load_logged_in_user():
    """Resolve the session's ``user_id`` into ``g.user``.

    ``g.user`` becomes the matching ``user`` row, or None when the session
    carries no ``user_id`` or the id no longer matches a row (for example
    after the account was deleted).
    """
    uid = session.get('user_id')
    g.user = None
    if uid is not None:
        row = get_db().execute('SELECT * FROM user WHERE id = ?',
                               (uid, )).fetchone()
        g.user = row
def story_list():
    """Render every story joined to its uploader, with a chapter count.

    The query joins ``story`` to ``user`` on ``uploader_id`` and adds a
    correlated ``chapter_count`` column.
    """
    # NOTE(review): ``SELECT *`` over the join hands every ``user`` column,
    # including the password hash, to the template context, and both tables
    # contribute an ``id`` column. Selecting ``story.*`` plus only the user
    # fields story/list.html needs would be tighter — confirm against the
    # template before narrowing.
    query = ('SELECT *, ('
             '            SELECT COUNT(id) FROM chapter WHERE story_id = story.id'
             '        ) chapter_count FROM story INNER JOIN user ON story.uploader_id=user.id')
    rows = get_db().execute(query).fetchall()
    return render_template('story/list.html', stories=rows)
def delete(story_id):
    """Delete a story and its chapters, then return to the story list.

    Chapters are removed first so no chapter row is left pointing at a
    missing story; both deletes share one commit.
    """
    # NOTE(review): no login or ownership check is visible here. If none is
    # enforced by a decorator outside this listing, any client can delete
    # any story by id — confirm, and keep the route POST-only.
    conn = get_db()
    for statement in (
        'DELETE FROM chapter WHERE story_id = ?',
        'DELETE FROM story WHERE id = ?',
    ):
        conn.execute(statement, (story_id,))
    conn.commit()
    return redirect(url_for('story.story_list'))
def add():
    """Show the "add story" form and, on POST, create the story.

    The POST path uploads the story file, inserts the story row and then
    parses the file into chapter rows. If the upload or the story insert
    fails, the form is re-rendered with the submitted values preserved.
    """
    conn = get_db()
    details = {
        'group_title': 'Details',
        'story_title': gen_form_item('title', placeholder='Title',
                                     required=True),
        'author': gen_form_item('author', placeholder='Author'),
    }
    attributes = {
        'group_title': 'Attributes',
        'container': gen_form_item('container',
                                   placeholder='Container CSS',
                                   autocomplete='on'),
        'heading': gen_form_item('heading',
                                 placeholder='Chapter heading CSS',
                                 autocomplete='on'),
    }
    upload = {
        'group_title': 'Location',
        'file': gen_form_item('file', placeholder='Story file',
                              item_type='file'),
    }
    submit = {
        'button': gen_form_item('btn-submit', item_type='submit',
                                value='Add'),
    }
    # Insertion order matters if the template iterates the groups.
    groups = {
        'details': details,
        'attributes': attributes,
        'upload': upload,
        'submit': submit,
    }

    def retry_with_input():
        return render_template('story/add.html',
                               form_groups=preserve_form_data(groups))

    if request.method == 'POST':
        filepath = upload_file()
        if not filepath:
            return retry_with_input()
        story = add_story_to_db(conn)
        if not story:
            return retry_with_input()
        # The CSS selectors are HTML-escaped before storage; how the chapter
        # template uses them is not visible here.
        add_chapters_to_db(conn, filepath, story['id'],
                           escape(request.form['container']),
                           escape(request.form['heading']))
        # Falls through to the blank form rather than redirecting (no
        # post/redirect/get), exactly as before.

    return render_template('story/add.html', form_groups=groups)
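def display(story_id):
    """Render a story's chapters.

    Looks the story up first and bounces back to the story list with a
    flashed message when the id is unknown or the story has no chapters,
    instead of failing with a 500 on a missing row.
    """
    db = get_db()
    story = db.execute(
        'SELECT title FROM story WHERE id = ?', (story_id,)
    ).fetchone()
    if story is None:
        # Previously an unknown id raised TypeError on ``None['title']``.
        flash('No story found for that id')
        return redirect(url_for('story.story_list'))

    chapter_rows = db.execute(
        'SELECT chapter_title title, chapter_content content FROM chapter '
        'WHERE story_id = ?', (story_id,)
    ).fetchall()
    if not chapter_rows:
        flash('No chapters found for that story')
        return redirect(url_for('story.story_list'))

    # NOTE(review): ``content`` is uploader-supplied; story/display.html must
    # not mark it ``|safe`` unless it is sanitised on ingestion — confirm.
    chapters = [dict(row) for row in chapter_rows]
    return render_template('story/display.html', chapters=chapters,
                           title=story['title'])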
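def edit(uid):
    """Edit a user's username, admin level and access flag.

    GET renders the form. POST is acted on only for a ``read-write``
    admin; any other POST gets a flashed "Write access required". All
    input is validated before any UPDATE is issued, so a rejected request
    leaves nothing half-applied on the shared connection (the original
    ran the UPDATEs first and relied on never committing them).
    """
    user = get_user(uid)
    if user is None:
        # Previously fell through to user['username'] and raised TypeError.
        flash('No such user.')
        return redirect(url_for('users.list'))
    admin_levels = g.privilege_levels

    if request.method == 'POST':
        # An anonymous POST used to raise on g.user['admin']; treat it as
        # lacking write access instead.
        if g.user is None or g.user['admin'] != 'read-write':
            flash('Write access required')
        else:
            username = escape(request.form['username'])
            admin = request.form['admin']
            access = escape(request.form['access'])
            db = get_db()
            problems = []

            username_changed = username != user['username']
            if username_changed:
                taken = db.execute('SELECT id FROM user WHERE username = ?',
                                   (username, )).fetchone() is not None
                if taken:
                    problems.append('Username exists')

            if admin not in admin_levels:
                # ``admin`` is the one raw form field echoed back to the
                # user, so escape it in the message like the other fields.
                levels = ', '.join(admin_levels)
                problems.append(
                    f'{escape(admin)}\nAdmin Status must be one of: {levels}')

            if problems:
                flash('\n'.join(problems))
            else:
                if username_changed:
                    db.execute('UPDATE user SET username = ? WHERE id = ?',
                               (username, uid))
                # ``admin`` is only written once it passed the allow-list.
                db.execute('UPDATE user SET admin = ? WHERE id = ?',
                           (admin, uid))
                db.execute('UPDATE user SET access_approved = ? WHERE id = ?',
                           (access, uid))
                db.commit()
                return redirect(url_for('users.list'))

    groups = generate_form_groups(user)
    return render_template('users/edit.html', form_groups=groups)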
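def change_password(uid):
    """Change a user's password.

    A user may change their own password by supplying the current one; a
    ``read-write`` admin may set any user's password without it (this also
    means an admin changing their own password skips the old-password
    check, as before). The new password must be non-empty and match its
    confirmation. Anyone else, or an unknown *uid*, is sent to the index
    with a flashed error.
    """
    user = get_user(uid)
    db = get_db()

    # Decide who is asking without ever indexing a None g.user; the
    # original tested ``not g.user`` and then read g.user['admin'] anyway,
    # raising TypeError for anonymous requests.
    is_admin = g.user is not None and g.user['admin'] == 'read-write'
    # NOTE(review): this only matches if the route converts uid to the same
    # type as the stored id (e.g. ``<int:uid>``) — confirm.
    is_self = g.user is not None and g.user['id'] == uid
    if user is None or not (is_self or is_admin):
        flash('Could not change password for the specified user.')
        return redirect(url_for('index'))

    if request.method == 'POST':
        error = None
        old_pass = escape(request.form['old_pass'])
        new_pass = escape(request.form['new_pass'])
        confirm_pass = escape(request.form['confirm_pass'])

        if not is_admin and not check_password_hash(user['password'],
                                                    old_pass):
            error = 'Existing password incorrect.'
        elif not new_pass:
            # Mirrors register(): an empty password must not be accepted.
            error = 'Password is required.'
        elif new_pass != confirm_pass:
            error = 'Passwords do not match.'

        if error:
            flash(error)
            return redirect(url_for('users.change_password', uid=uid))

        db.execute('UPDATE user SET password = ? WHERE id = ?',
                   (generate_password_hash(new_pass), uid))
        db.commit()

        flash('Password updated.')
        return redirect(url_for('index'))

    groups = gen_pass_groups(user)
    return render_template('users/edit.html', form_groups=groups)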
def list():
    """Render every user row on the user list page."""
    # NOTE(review): ``SELECT *`` hands password hashes to the template
    # context; the endpoint name shadows the builtin ``list`` in this module
    # but is referenced as url_for('users.list') elsewhere, so both are left
    # as they are.
    rows = get_db().execute('SELECT * FROM user').fetchall()
    return render_template('users/list.html', users=rows)
def get_user(uid):
    """Return the ``user`` row with id *uid*, or None if there is none."""
    conn = get_db()
    return conn.execute('SELECT * FROM user WHERE id = ?', (uid, )).fetchone()
def disallow(uid):
    """Clear ``access_approved`` for user *uid* and return to the user list.

    NOTE(review): login() in this listing does not consult
    ``access_approved``, and no admin check is visible on this view;
    whatever enforces either lives outside these lines — confirm.
    """
    conn = get_db()
    conn.execute('UPDATE user SET access_approved = false WHERE id = ?',
                 (uid, ))
    conn.commit()
    return redirect(url_for('users.list'))
def delete(uid):
    """Delete user *uid* and return to the user list.

    Nothing here checks who is calling or whether the target is the
    caller; stories uploaded by the user are left in place (story_list's
    INNER JOIN will simply hide them). Authorization is assumed to be a
    decorator outside this listing — confirm.
    """
    conn = get_db()
    conn.execute('DELETE FROM user WHERE id = ?', (uid, ))
    conn.commit()
    return redirect(url_for('users.list'))