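def login():
    """Authenticate a user from the POST form and issue a per-login session key.

    Reads ``user`` and ``passw`` from the form, looks the user up in the
    ``users`` collection and compares the stored hash with
    ``util.sha512(user + passw)``.  On success a fresh random session salt is
    stored on the user document and a session key derived from it is returned
    as JSON together with the user id and the remaining user fields.

    Returns:
        A JSON string with ``session``, ``userID`` and ``details`` on success,
        or the literal string ``"False"`` for a non-POST request or a failed
        login.
    """
    # Function-scope import so the fix does not depend on the unseen module header.
    import hmac

    if request.method != "POST":
        return "False"
    user = request.form['user']
    passw = request.form['passw']

    # get user collection
    users = util.get_collection('users')
    # find the user in the collection
    user_data = users.find_one({"user": user})
    if not user_data:
        return "False"

    # NOTE(review): the stored credential is sha512 over the plain
    # concatenation user + passw - no per-user salt, no slow KDF, and
    # "ab"+"c" hashes the same as "a"+"bc". Changing the scheme means
    # migrating stored hashes, so it is flagged here rather than changed.
    # compare_digest makes the check constant-time; it assumes util.sha512
    # returns the same type (str or bytes) as the stored hash - TODO confirm.
    expected = util.sha512(user + passw)
    if not hmac.compare_digest(user_data['passw'], expected):
        return "False"

    # create a salt so the same session key is only valid once
    session_salt = util.sha512(os.urandom(512))
    # add the salt to the database so we can verify it later
    util.update_user(user_data['_id'], {"session_salt": session_salt})
    # construct a session key from the salt
    session_key = util.sha512(session_salt + user_data['passw'])
    userID = str(user_data['_id'])

    # delete sensitive variables before echoing the document to the client.
    # user_data was read before the salt was written, so 'session_salt' is
    # only present if an earlier login stored one; pop() avoids the KeyError
    # a plain del raises on a document that has no salt yet.
    del user_data['_id']
    del user_data['passw']
    user_data.pop('session_salt', None)

    # User logged in. Gibbe (session) cookies
    return json.dumps({
        "session": session_key,
        "userID": userID,
        "details": user_data
    })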
def edit_profile():
    """Show the profile-edit form on GET, apply the submitted edits otherwise.

    The user is looked up from ``session['user']``; an unknown user yields the
    application's internal-server-error page.  A successful update redirects
    to ``user_index``; a failed one returns the page handed back by
    ``util.update_user``.
    """
    current = (
        g.db_session.query(User)
        .filter(User.id == session['user'])
        .first()
    )
    if not current:
        return internal_server_error(u'未知のエラーです')

    if request.method == 'GET':
        return render_template(
            'update_user.htm',
            path=request.base_url,
            user=current,
            conf=g.config,
        )

    outcome = util.update_user(request, g, current)
    if outcome['status']:
        return redirect(url_for('user_index'))
    return outcome['page']
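def update_user():
    """Merge client-supplied profile details into the authenticated user's record.

    Form fields: ``userID`` and ``session`` (checked via ``util.auth``) and
    ``new_details`` (a JSON object).  The decoded object is merged over the
    user's existing ``details`` and written back with ``util.update_user``.

    Returns:
        ``"success"`` when the write is accepted; ``"error"`` when it is
        rejected or ``new_details`` is not a JSON object; ``"invalid user"``
        when the session does not authenticate (the original fell off the end
        and returned None there; the string matches change_password).
    """
    userID = request.form['userID']
    session = request.form['session']
    new_details = request.form['new_details']

    user = util.auth(userID, session)
    if not user:
        return "invalid user"

    # User is authed, do some stuff
    try:
        incoming = json.loads(new_details)
    except ValueError:
        # malformed JSON from the client is a bad request, not a crash
        return "error"
    if not isinstance(incoming, dict):
        return "error"

    # dict.update() returns None, so the original stored {"details": None}
    # and wiped the profile; merge into a copy and store the merged mapping.
    merged = dict(user.get('details') or {})
    merged.update(incoming)
    # NOTE(review): nothing here filters which keys the client may set in
    # details - confirm util.update_user or the schema constrains them.
    update_query = {"details": merged}

    if util.update_user(user['_id'], update_query):
        return "success"
    return "error"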
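def change_password():
    """Change the authenticated user's password after re-checking the old one.

    Form fields: ``userID``, ``session``, ``passw`` (current) and
    ``new_passw``.  The session is checked with ``util.auth``; the current
    password is re-verified before the new hash is written, so a session key
    alone is not enough to change the password.

    Returns:
        The result of ``util.update_user`` on success; ``"incorrect password"``
        when the old password does not match; ``"invalid user"`` when the
        session does not authenticate; ``"False"`` for a non-POST request
        (the original returned the bool ``False`` there, which a view cannot
        serialize; the string matches login()).
    """
    # Function-scope import so the fix does not depend on the unseen module header.
    import hmac

    if request.method != "POST":
        return "False"
    userID = request.form['userID']
    session = request.form['session']
    passw = request.form['passw']
    new_passw = request.form['new_passw']

    # Make sure the user is legit
    user = util.auth(userID, session)
    if not user:
        return "invalid user"

    # check if the old password matches the current password
    # it should be, but just in case they're cookie stealing
    # (constant-time compare; assumes util.sha512 returns the same type as
    # the stored hash - TODO confirm)
    if not hmac.compare_digest(util.sha512(user['user'] + passw), user['passw']):
        return "incorrect password"

    # Key the write on the authenticated document's own _id rather than the
    # raw form value, matching how login() and update_user() call
    # util.update_user.  login() derives the session key from the stored
    # hash, so a password change presumably invalidates keys issued under the
    # old hash - confirm in util.auth.
    return util.update_user(
        user['_id'],
        {"passw": util.sha512(user['user'] + new_passw)}
    )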
def register():
    """Create a user from the current request and redirect to the user index.

    ``util.update_user(request, g)`` does the work; when it reports a failed
    status its own page is returned instead of the redirect.
    """
    outcome = util.update_user(request, g)
    if outcome['status']:
        return redirect(url_for('user_index'))
    return outcome['page']