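def add():
    """Create a board from the posted form; admin-only and CSRF-protected.

    The board is created only when the caller is the admin (hard-coded
    here as user id 1) and ``token`` (from the query string) is a
    single-use token that was issued to that same user.  The token is
    consumed on success.  Every failure path — not logged in, not admin,
    unknown or foreign token — silently redirects to the index and
    creates nothing.

    Returns:
        A redirect response to the board index.
    """
    form = request.form
    token = request.args.get('token')
    u = current_user()
    # NOTE(review): the token is carried in the URL; query strings tend to
    # end up in access logs and Referer headers, so a form field or a
    # request header is the safer place for it.
    # `u is not None` first: an anonymous caller must not raise on `u.id`.
    if (u is not None and u.id == 1
            and token in csrf_tokens and csrf_tokens[token] == u.id):
        # Token and admin id verified: create the board, then burn the token.
        Board.new(form)
        csrf_tokens.pop(token)
    return redirect(url_for('.index'))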
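def delete(bid, token):
    """Delete board ``bid``; requires an admin user and a single-use token.

    Args:
        bid: id of the board to remove.
        token: single-use CSRF token that must have been issued to the
            current user.

    Returns:
        A redirect response to the board index on success.

    Raises:
        HTTPException: 403 when the caller is anonymous, is not role 1,
            or the token is unknown / belongs to someone else; 404 when
            no board has id ``bid``.
    """
    u = current_user()
    # One guard for authentication, authorisation and CSRF; abort() raises,
    # so everything below runs only when all three hold.
    if u is None or u.role != 1 or csrf_tokens.get(token) != u.id:
        abort(403)
    # Consume the token before doing any work so it cannot be replayed.
    csrf_tokens.pop(token)
    board = Board.find(bid)
    if board is None:
        # Unknown id: answer 404 instead of failing on `None.remove()`.
        abort(404)
    board.remove()
    return redirect(url_for('.index'))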
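def add():
    """Create a topic from the posted form for the current user.

    Requires a logged-in user and a single-use ``token`` (query string)
    issued to that user; the token is consumed after the topic is
    created.  The new topic's ``user_id`` is taken from the session user,
    not from the form.

    Returns:
        A redirect response to the new topic's detail page.

    Raises:
        HTTPException: 403 when the caller is anonymous or the token is
            missing, unknown, or not this user's.
    """
    form = request.form
    u = current_user()
    token = request.args.get('token')
    # Guard clause: an anonymous caller previously raised on `u.id`
    # (HTTP 500) whenever the token happened to be known; fail closed instead.
    if u is None or token not in csrf_tokens or csrf_tokens[token] != u.id:
        abort(403)
    # NOTE(review): `form` is forwarded as-is; confirm Topic.new only reads
    # the fields it expects so extra posted keys cannot set other columns.
    t = Topic.new(form, user_id=u.id)
    csrf_tokens.pop(token)
    return redirect(url_for('topic.detail', id=t.id))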
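def delete():
    """Delete the topic named by ``?id=`` together with all of its replies.

    Allowed for the admin (hard-coded as user id 1) or the topic's author,
    and only with a single-use ``token`` (query string) belonging to the
    current user.  As before, the token is consumed whether or not the
    deletion goes ahead.  Every failure path — bad id, anonymous caller,
    wrong token, unknown topic, not permitted — redirects to the index
    without deleting anything.

    Returns:
        A redirect response to the index page.
    """
    # Parse the id before touching the token: a missing or non-numeric id
    # used to raise TypeError/ValueError (HTTP 500).
    try:
        topic_id = int(request.args.get('id'))
    except (TypeError, ValueError):
        return redirect(url_for('index.index'))
    token = request.args.get('token')
    # Single use: consume the token up front and keep its owner id.  The
    # default stops an unknown token from raising KeyError (HTTP 500), which
    # the unconditional pop at the end of the original did.
    token_owner = csrf_tokens.pop(token, None)
    u = current_user()
    if u is not None and token_owner == u.id:
        topic = Topic.find(topic_id)
        # Admin or the topic's author may delete; a None topic is skipped
        # rather than dereferenced.
        if topic is not None and (u.id == 1 or u.id == topic.user_id):
            Topic.delete(topic_id)
            Reply.delete_all(dict(topic_id=topic_id))
    return redirect(url_for('index.index'))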
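def delete(tid, token):
    """Delete topic ``tid`` on behalf of its author or an admin (role 1).

    Args:
        tid: id of the topic to remove.
        token: single-use CSRF token issued to the current user; it is
            consumed as soon as it is verified, before the permission
            check, so it cannot be replayed.

    Returns:
        A redirect response to the index on success.

    Raises:
        HTTPException: 403 when the caller is anonymous, the token is not
            this user's, or the caller is neither author nor admin; 404
            when no topic has id ``tid``.
    """
    u = current_user()
    # Authentication + CSRF first; abort() raises so no fall-through.
    if u is None or csrf_tokens.get(token) != u.id:
        abort(403)
    csrf_tokens.pop(token)
    topic = Topic.find(tid)
    if topic is None:
        # Previously `topic.uid` on None raised AttributeError (HTTP 500).
        abort(404)
    if u.id != topic.uid and u.role != 1:
        abort(403)
    topic.remove()
    return redirect(url_for('.index'))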
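def update():
    """Update a topic from the posted form; CSRF-protected.

    Expects form fields ``id`` and ``board_id`` (both integers) plus the
    columns to update, and a single-use ``token`` in the query string
    issued to the current user.  ``updated_time`` is set server-side.

    Returns:
        A redirect response to the topic's detail page.

    Raises:
        HTTPException: 403 when the caller is anonymous or the token is
            missing / not this user's; 400 when ``id`` or ``board_id`` is
            missing or not an integer.
    """
    u = current_user()
    token = request.args.get('token')
    # Verify the token before parsing the form so a malformed request can
    # never fail with a 500 ahead of the 403, and so `u.id` is safe to read.
    if u is None or token not in csrf_tokens or csrf_tokens[token] != u.id:
        abort(403)
    # Consume the token as soon as it is verified (single use).
    csrf_tokens.pop(token)
    form = request.form.to_dict()
    try:
        topic_id = int(form.pop('id'))
        form['board_id'] = int(form.get('board_id'))
    except (KeyError, TypeError, ValueError):
        # Missing or non-numeric id / board_id used to raise (HTTP 500).
        abort(400)
    form['updated_time'] = int(time.time())
    # NOTE(review): nothing here checks that the topic belongs to `u`, so
    # any logged-in user holding their own token can edit any topic id; and
    # every posted key is passed through to Topic.update — confirm it only
    # writes the intended columns (mass-assignment risk).
    Topic.update(topic_id, form)
    return redirect(url_for('topic.detail', id=topic_id))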
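def change_pwd():
    """Change the current user's password from the posted form.

    Reads ``old_pass`` and ``new_pass`` from the form and a single-use
    ``token`` from the query string.  The token is consumed once it is
    verified; the actual check of the old password and the update are
    delegated to ``u.validate_change_pwd``.  Both the CSRF failure and a
    rejected password flash "change pwd failed" and return to settings.

    Returns:
        A redirect response to the settings page.
    """
    form = request.form
    old_pwd = form.get('old_pass')
    new_pwd = form.get('new_pass')
    u = current_user()
    token = request.args.get('token')
    # `u is not None` first so an anonymous caller takes the failure path
    # instead of raising on `u.id`.
    if u is not None and token in csrf_tokens and csrf_tokens[token] == u.id:
        csrf_tokens.pop(token)
        if u.validate_change_pwd(old_pwd, new_pwd):
            flash('change pwd succeed')
            return redirect(url_for('.setting'))
    flash('change pwd failed')
    return redirect(url_for('.setting'))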
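def change_name():
    """Change the current user's display name and signature.

    Reads ``name`` and ``signature`` from the form and a single-use
    ``token`` from the query string.  The token is consumed once it is
    verified; validation and the update are delegated to
    ``u.validate_change_name``.  Both a CSRF failure and a rejected
    value flash "change name failed " and return to settings.

    Returns:
        A redirect response to the settings page.
    """
    form = request.form
    name = form.get('name')
    signature = form.get('signature')
    u = current_user()
    token = request.args.get('token')
    # `u is not None` first so an anonymous caller takes the failure path
    # instead of raising on `u.id`.
    if u is not None and token in csrf_tokens and csrf_tokens[token] == u.id:
        csrf_tokens.pop(token)
        if u.validate_change_name(name, signature):
            flash('change name succeed ')
            return redirect(url_for('.setting'))
    flash('change name failed ')
    return redirect(url_for('.setting'))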
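def reset_view():
    """Render the password-reset form for the user a reset token maps to.

    The ``token`` query parameter is looked up in ``csrf_tokens``; the
    stored value is the user id it was issued for.  The token is consumed
    on first use, so reloading the page with the same link fails.

    Returns:
        The rendered ``reset/reset_update.html`` with ``user_id`` set, or
        a 403 response when the token is unknown or already used.
    """
    token = request.args.get('token')
    if token not in csrf_tokens:
        # Previously this fell through and returned None, which Flask turns
        # into a 500; an unknown or spent token is a client error.
        return 'Forbidden', 403
    # pop() yields the stored user id and burns the token in one step.
    uid = csrf_tokens.pop(token)
    # NOTE(review): the page receives user_id from the token here; confirm
    # the handler that accepts the reset form does not simply trust a
    # posted user_id, or this check alone does not bind the update to the
    # token's owner.
    return render_template('reset/reset_update.html', user_id=uid)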