def test_generate_csrf_token_length():
    """Generated CSRF tokens must carry at least 20 characters of Base64.

    That lower bound follows the 2016 guidance at
    http://security.stackexchange.com/questions/6957/length-of-csrf-token
    """
    minimum_length = 20
    produced = security.generate_csrf_token()
    assert len(produced) >= minimum_length
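def item_add_route(category_id):
    """Add a new item to category ``category_id``.

    GET renders the item form; POST creates the item and redirects to the
    category page. Responds 404 when the category does not exist and 403
    when the submitted CSRF token does not match the one issued.
    """
    import hmac  # file-level import block is not in this listing

    target_category = get_category(category_id)
    if target_category is None:
        abort(404)
    # NOTE(review): unlike the edit/delete routes there is no ownership or
    # login check here -- confirm an auth decorator (not visible in this
    # listing) limits who may add items.
    # NOTE(review): if generate_csrf_token() mints a fresh random value on
    # every call (new_csrf_token() caches one in the session for that
    # reason), a POST can never match -- confirm this name resolves to the
    # session-backed variant.
    csrf = generate_csrf_token()
    if request.method == 'POST':
        # A missing field is a failed check (403) rather than a KeyError/400,
        # and the comparison is constant-time so it cannot leak the token.
        submitted = request.form.get('csrf_token', '')
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        add_item(category_id)
        flash('Item added')
        return redirect(
            url_for('category.category_route', category_id=category_id))
    if request.method == 'GET':
        return render_template('item_edit.html',
                               page={'title': 'Add category'},
                               user=user_info(),
                               content={
                                   'is_edit': False,
                                   'csrf_token': csrf,
                                   'category': target_category
                               })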
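def category_delete_route(category_id):
    """Delete category ``category_id`` after owner and CSRF checks.

    GET renders a confirmation page carrying the CSRF token; POST deletes
    the category and redirects to the category list. Responds 404 when the
    category does not exist (checked before touching ``.owner`` so a bad id
    no longer raises AttributeError), 403 on a CSRF mismatch, and redirects
    non-owners away with a flash message.
    """
    import hmac  # file-level import block is not in this listing

    target_category = get_category(category_id)
    if target_category is None:
        abort(404)
    # Ownership check; NOTE(review): assumes user_info() always returns a
    # mapping with an 'id' key -- confirm for anonymous requests.
    if target_category.owner != user_info()['id']:
        flash('Only owner can delete category')
        return redirect(url_for('category.categories_route'))
    # NOTE(review): if generate_csrf_token() mints a fresh random value on
    # every call (new_csrf_token() caches one in the session for that
    # reason), a POST can never match -- confirm this name resolves to the
    # session-backed variant.
    csrf = generate_csrf_token()
    if request.method == 'POST':
        # A missing field is a failed check (403) rather than a KeyError/400,
        # and the comparison is constant-time so it cannot leak the token.
        submitted = request.form.get('csrf_token', '')
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        delete_category(category_id)
        flash('Category deleted')
        return redirect(url_for('category.categories_route'))
    # Ask for confirmation first; the page also carries the CSRF token the
    # POST must echo back.
    if request.method == 'GET':
        return render_template('confirm.html',
                               page={'title': 'Delete category'},
                               user=user_info(),
                               content={
                                   'csrf_token': csrf,
                                   'message': 'Do you really want delete category '
                                   + target_category.name + '?'
                               })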
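def item_delete_route(item_id):
    """Delete item ``item_id`` after owner and CSRF checks.

    GET renders a confirmation page carrying the CSRF token; POST deletes
    the item and redirects to the category list. Responds 404 when the item
    does not exist (checked before touching ``.owner`` so a bad id no longer
    raises AttributeError), 403 on a CSRF mismatch, and redirects non-owners
    back to the item page with a flash message.
    """
    import hmac  # file-level import block is not in this listing

    target_item = get_item(item_id)
    if target_item is None:
        abort(404)
    # Ownership check; NOTE(review): assumes user_info() always returns a
    # mapping with an 'id' key -- confirm for anonymous requests.
    if target_item.owner != user_info()['id']:
        flash('Only owner can delete item')
        return redirect(url_for('item.item_route', item_id=item_id))
    # NOTE(review): if generate_csrf_token() mints a fresh random value on
    # every call (new_csrf_token() caches one in the session for that
    # reason), a POST can never match -- confirm this name resolves to the
    # session-backed variant.
    csrf = generate_csrf_token()
    if request.method == 'POST':
        # A missing field is a failed check (403) rather than a KeyError/400,
        # and the comparison is constant-time so it cannot leak the token.
        submitted = request.form.get('csrf_token', '')
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        delete_item(item_id)
        flash('Item deleted')
        return redirect(url_for('category.categories_route'))
    if request.method == 'GET':
        return render_template('confirm.html',
                               page={'title': 'Delete item'},
                               user=user_info(),
                               content={
                                   'csrf_token': csrf,
                                   'message': 'Do you really want delete item '
                                   + target_item.name + '?'
                               })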
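def item_edit_route(item_id):
    """Edit item ``item_id`` after owner and CSRF checks.

    GET renders the edit form; POST updates the item and redirects to its
    page. Responds 404 when the item does not exist (checked before touching
    ``.owner`` so a bad id no longer raises AttributeError), 403 on a CSRF
    mismatch, and redirects non-owners back to the item page with a flash
    message.
    """
    import hmac  # file-level import block is not in this listing

    target_item = get_item(item_id)
    if target_item is None:
        abort(404)
    # Ownership check; NOTE(review): assumes user_info() always returns a
    # mapping with an 'id' key -- confirm for anonymous requests.
    if target_item.owner != user_info()['id']:
        flash('Only owner can edit item')
        return redirect(url_for('item.item_route', item_id=item_id))
    # NOTE(review): if generate_csrf_token() mints a fresh random value on
    # every call (new_csrf_token() caches one in the session for that
    # reason), a POST can never match -- confirm this name resolves to the
    # session-backed variant.
    csrf = generate_csrf_token()
    if request.method == 'POST':
        # A missing field is a failed check (403) rather than a KeyError/400,
        # and the comparison is constant-time so it cannot leak the token.
        submitted = request.form.get('csrf_token', '')
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        update_item(item_id)
        flash('Item updated')
        return redirect(url_for('item.item_route', item_id=item_id))
    if request.method == 'GET':
        return render_template('item_edit.html',
                               page={'title': 'Edit item'},
                               user=user_info(),
                               content={
                                   'is_edit': True,
                                   'csrf_token': csrf,
                                   'item': target_item
                               })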
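def category_edit_route(category_id):
    """Edit category ``category_id`` after owner and CSRF checks.

    GET renders the category form in edit mode; POST updates the category
    and redirects to the category list. Responds 404 when the category does
    not exist (checked before touching ``.owner`` so a bad id no longer
    raises AttributeError), 403 on a CSRF mismatch, and redirects non-owners
    away with a flash message.
    """
    import hmac  # file-level import block is not in this listing

    target_category = get_category(category_id)
    if target_category is None:
        abort(404)
    # Ownership check; NOTE(review): assumes user_info() always returns a
    # mapping with an 'id' key -- confirm for anonymous requests.
    if target_category.owner != user_info()['id']:
        flash('Only owner can edit category')
        return redirect(url_for('category.categories_route'))
    # NOTE(review): if generate_csrf_token() mints a fresh random value on
    # every call (new_csrf_token() caches one in the session for that
    # reason), a POST can never match -- confirm this name resolves to the
    # session-backed variant.
    csrf = generate_csrf_token()
    if request.method == 'POST':
        # A missing field is a failed check (403) rather than a KeyError/400,
        # and the comparison is constant-time so it cannot leak the token.
        submitted = request.form.get('csrf_token', '')
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        update_category(category_id)
        flash('Category updated')
        return redirect(url_for('category.categories_route'))
    if request.method == 'GET':
        # NOTE(review): the page title still says 'Add category' on the edit
        # form -- left as-is here; probably meant to read 'Edit category'.
        return render_template(
            'category_edit.html',
            page={'title': 'Add category'},
            user=user_info(),
            content={
                'is_edit': True,  # switches the template from add to edit mode
                'csrf_token': csrf,
                'category': target_category
            })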
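def category_add_route():
    """Add a new category.

    GET renders the category form; POST creates the category and redirects
    to the category list. Responds 403 when the submitted CSRF token does
    not match the one issued.
    """
    import hmac  # file-level import block is not in this listing

    # NOTE(review): no login check here -- confirm an auth decorator (not
    # visible in this listing) limits who may create categories.
    # NOTE(review): if generate_csrf_token() mints a fresh random value on
    # every call (new_csrf_token() caches one in the session for that
    # reason), a POST can never match -- confirm this name resolves to the
    # session-backed variant.
    csrf = generate_csrf_token()
    if request.method == 'POST':
        # A missing field is a failed check (403) rather than a KeyError/400,
        # and the comparison is constant-time so it cannot leak the token.
        submitted = request.form.get('csrf_token', '')
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        add_category()
        flash('Category added')
        return redirect(url_for('category.categories_route'))
    if request.method == 'GET':
        return render_template('category_edit.html',
                               page={'title': 'Add category'},
                               user=user_info(),
                               content={
                                   'is_edit': False,
                                   'csrf_token': csrf
                               })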
def test_generate_csrf_token():
    """A freshly generated CSRF token is non-empty (truthy)."""
    produced = security.generate_csrf_token()
    assert bool(produced) is True
def new_csrf_token():
    """Return the session's CSRF token, minting one on first use.

    The token lives under ``_csrf_token`` in the Flask session, so every
    later request in the same session sees the same value.
    """
    key = '_csrf_token'
    if key not in session:
        session[key] = generate_csrf_token()
    return session[key]