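def register():
    """Create an account from a JSON body of ``username``, ``password`` and ``privilege``.

    ``privilege`` is ``'user'`` (stored as 0) or ``'administrator'`` (stored as 1).
    The password is stored hashed via ``generate_password_hash``.

    Security fix: creating an ``administrator`` now requires the caller to already be
    logged in as one (``session['user_privilege'] == 1``). Previously any anonymous
    client could self-register an admin account. This means the first admin has to be
    created out of band (seed script / CLI) - adjust if this deployment bootstraps
    differently. Non-POST requests return an empty string, as before.
    """
    if request.method != 'POST':
        return ""
    # A non-JSON body makes get_json() return None; treat it like an empty payload so
    # the field checks below answer instead of raising TypeError.
    payload = request.get_json() or {}
    required = (
        ('username', 'Username is required.'),
        ('password', 'Password is required.'),
        ('privilege', 'Privilege is required.'),
    )
    for field, message in required:
        if field not in payload or payload[field] == '':
            return send_error(message)

    requested = payload['privilege']
    if requested == 'administrator':
        privilege = 1
    elif requested == 'user':
        privilege = 0
    else:
        return send_error('Invalid privilege.')
    # Only an authenticated administrator may mint another administrator.
    if privilege == 1 and session.get('user_privilege') != 1:
        return send_error('Unauthorized')

    username = payload['username']
    password = payload['password']
    db = get_db()
    existing = db.execute(
        'SELECT id FROM user WHERE username = ?', (username,)
    ).fetchone()
    if existing is not None:
        return send_error('Username already exists.')
    db.execute(
        'INSERT INTO user (username, password, privilege) VALUES (?, ?, ?)',
        (username, generate_password_hash(password), privilege),
    )
    db.commit()
    return send_success()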
def load_logged_in_user():
    """Populate ``g.user`` with the DB row for the session's ``user_id``.

    ``g.user`` is ``None`` when no ``user_id`` is in the session. The row is re-read
    on every request, so the user table - not a cached copy - is what ``g.user``
    reflects. NOTE(review): the other handlers authorise through
    ``check_user_and_privilege(session, ...)`` rather than ``g.user``; presumably
    that helper reads ``session['user_privilege']``, which is only refreshed at login.
    """
    current_id = session.get('user_id')
    if current_id is None:
        g.user = None
        return
    g.user = get_db().execute(
        'SELECT * FROM user WHERE id = ?', (current_id, )
    ).fetchone()
def check_one(command, args):
    """Run ``command`` with bound ``args`` and fetch a single row.

    Returns ``[row, None]`` on success (``row`` is ``None`` when nothing matched) and
    ``[None, exc]`` when anything raises, including ``get_db()`` itself. The broad
    catch is deliberate - callers report rather than raise - but note that they usually
    hand ``exc`` straight to ``send_error``, so raw database error text reaches the
    client.
    """
    try:
        row = get_db().execute(command, args).fetchone()
    except Exception as exc:
        print(exc)
        return [None, exc]
    return [row, None]
def debug():
    """Dump every poster row as JSON (a debugging aid).

    ``?ignore_image=1`` strips image data from each row; every other value keeps it.
    Rows are rendered with ``buildRowDictNonNull`` at privilege 1 with
    ``force_uploader`` set. NOTE(review): unlike the other handlers, there is no
    ``check_user_and_privilege`` call here - if this is routed in a deployed build it
    exposes every poster regardless of status; confirm it is development-only.
    """
    strip_images = 1 if request.args.get('ignore_image') == '1' else 0
    fetched = get_db().execute('SELECT * FROM poster').fetchall()
    rendered = [buildRowDictNonNull(row, 1, strip_images, 1) for row in fetched]
    if not rendered:
        return 'No posters.'
    return jsonify(rendered)
def get_rows(command, args, privilege=-1, ignore_image=0, force_uploader=0):
    """Run ``command`` with bound ``args`` and render every row.

    Returns ``[rows, None]`` on success, where each row went through
    ``buildRowDictNonNull`` with the viewer's ``privilege``, the ``ignore_image``
    flag and ``force_uploader``. A query with no matches yields ``[[], None]`` - an
    empty list, never ``None``. Any exception (from ``get_db``, the query or the row
    rendering) is printed and returned as ``[None, exc]``; callers that forward
    ``exc`` to ``send_error`` expose the raw database message to the client.
    """
    try:
        fetched = get_db().execute(command, args).fetchall()
        rendered = [
            buildRowDictNonNull(row, privilege, ignore_image, force_uploader)
            for row in fetched
        ]
    except Exception as exc:
        print(exc)
        return [None, exc]
    return [rendered, None]
def debug():
    """Dump ``(username, privilege)`` for every account as JSON.

    NOTE(review): no authentication check precedes the query, so wherever this is
    routed it lists every username and which accounts are administrators - handy in
    development, a user-enumeration endpoint in production; confirm it is not
    registered there. Columns 1 and 3 are assumed to be ``username`` and
    ``privilege`` - TODO confirm against the schema.
    """
    accounts = get_db().execute('SELECT * FROM user').fetchall()
    summary = [{'username': row[1], 'privilege': row[3]} for row in accounts]
    if not summary:
        return 'No users.'
    return jsonify(summary)
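def approveAsNeeded():
    """Move ``approved`` posters whose scheduled time has passed to ``posted``.

    Called lazily from the GET handler before listing. Column 14 is taken to be the
    scheduled posting time - TODO confirm against the schema; the ``>`` comparison
    only works when the driver returns ``datetime`` objects for that column
    (e.g. via ``detect_types``), otherwise comparing ``datetime`` with ``str``
    raises ``TypeError``.

    Fix: the UPDATE is now parameterised instead of built with ``str.format``.
    The id comes from our own table, but SQL is never assembled by interpolation
    in a file that also takes ids from clients. Changes are committed once after
    the loop.
    """
    db = get_db()
    approved = db.execute(
        'SELECT * FROM poster WHERE status = ?', ('approved', )
    ).fetchall()
    if not approved:
        return
    now = datetime.now()
    for row in approved:
        to_post = row[14]
        if to_post is None or now <= to_post:
            continue
        db.execute(
            'UPDATE poster SET status = ? WHERE id = ?', ('posted', row[0])
        )
        print('Posted {}'.format(row[0]))
    db.commit()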
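def cancel():
    """Let the logged-in user delete one of their own posters.

    The poster must exist, belong to the caller, and be in a state that has not
    been displayed yet (``pending``, ``approved``, ``rejected`` or ``expired``);
    a ``posted`` poster cannot be cancelled. The three distinct error messages
    ("no such poster", "not yours", "wrong state") are preserved, but they now come
    from one SELECT instead of three. The DELETE still binds both ``uploader_id``
    and ``id`` so the ownership check is enforced by the database as well.

    Assumes rows support key access (``row['uploader_id']``), as ``login`` already
    relies on for the user table - TODO confirm the row factory applies here too.
    """
    user_id, user_privilege, error = check_user_and_privilege(session, [0, 1])
    if error:
        return send_error(error)
    # A non-JSON body makes get_json() return None; treat it as "no id".
    payload = request.get_json() or {}
    if 'id' not in payload:
        return send_error('id not provided.')
    poster_id = payload['id']

    poster, error = check_one('SELECT * FROM poster WHERE id = ?', (poster_id, ))
    if error:
        return send_error(error)
    if poster is None:
        return send_error('No poster the given id.')
    if poster['uploader_id'] != user_id:
        return send_error('Cannot delete poster not uploaded by the current user.')
    if poster['status'] not in ('pending', 'approved', 'rejected', 'expired'):
        return send_error('Poster not pending / approved.')

    db = get_db()
    db.execute(
        'DELETE FROM poster WHERE uploader_id = ? AND id = ?',
        (user_id, poster_id),
    )
    db.commit()
    return send_success()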
def login():
    """Authenticate a JSON ``username``/``password`` and start a session.

    ``requested_privilege`` (``'user'`` or ``'administrator'``) must not exceed the
    privilege stored for the account, otherwise the login is refused with
    ``Unauthorized``. On success the session is cleared and re-populated with
    ``user_id`` and ``user_privilege`` from the row, and the response echoes the
    stored privilege. Unknown-user and wrong-password failures share one message so
    the text does not reveal which usernames exist (the hash check is skipped for
    unknown users, so response timing still differs). Non-POST requests return an
    empty string.
    """
    if request.method != 'POST':
        return ""
    payload = request.get_json()
    db = get_db()

    if 'username' not in payload or payload['username'] == '':
        return send_error('Username is required.')
    if 'password' not in payload or payload['password'] == '':
        return send_error('Password is required.')
    if 'requested_privilege' not in payload:
        return send_error('Invalid privilege requested.')
    requested = payload['requested_privilege']
    if requested == 'administrator':
        privilege = 1
    elif requested == 'user':
        privilege = 0
    else:
        return send_error('Privilege is required.')

    username = payload['username']
    password = payload['password']
    account = db.execute(
        'SELECT * FROM user WHERE username = ?', (username,)
    ).fetchone()
    if not account or not check_password_hash(account['password'], password):
        return send_error('Invalid username or password.')
    # Never grant more than the account actually holds.
    if privilege > account['privilege']:
        return send_error('Unauthorized')

    session.clear()
    session['user_id'] = account['id']
    session['user_privilege'] = account['privilege']
    return jsonify(status='success', privilege=account['privilege'])
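def _poster_set_clause(fields):
    """Turn ``{column: value}`` into a parameterised ``SET`` fragment.

    Returns ``(fragment, params)``; ``(None, None)`` when ``fields`` is empty or a
    key is not a plain identifier. Column names are validated and double-quoted and
    values are bound as parameters, so neither can inject SQL (the original
    interpolated both straight from the request body). A valid-looking but unknown
    column still fails inside the UPDATE with ``sqlite3.OperationalError``, which the
    callers map to 'Invalid parameter.' exactly as before.
    """
    if not fields:
        return None, None
    assignments = []
    params = []
    for column, value in fields.items():
        if not isinstance(column, str) or not column.isidentifier():
            return None, None
        assignments.append('"{}" = ?'.format(column))
        params.append(value)
    return ', '.join(assignments), params


def _list_posters(user_privilege, ignore_image):
    """GET: all posters, one by ``?id=``, or all with ``?status=`` (admins only).

    Non-admins (privilege < 1) only ever see posters whose status is ``posted``.
    """
    requested_id = request.args.get('id')
    requested_status = request.args.get('status')
    public_only = user_privilege < 1

    if requested_id:
        # Fix: the original appended ' WHERE status="posted"' to a query that already
        # had a WHERE clause, so every non-admin lookup by id was a SQL syntax error.
        if public_only:
            query = 'SELECT * FROM poster WHERE id = ? AND status = ?'
            params = (requested_id, 'posted')
        else:
            query = 'SELECT * FROM poster WHERE id = ?'
            params = (requested_id, )
        rows, error = get_rows(query, params, privilege=user_privilege,
                               ignore_image=ignore_image)
        if error:
            return send_error(error)
        # get_rows returns [] for no match, never None, so test emptiness.
        if not rows:
            return send_error('Requested id not found.')
        return jsonify(rows)

    if requested_status:
        if public_only:
            return send_error('Non-admin cannot request for a status.')
        rows, error = get_rows('SELECT * FROM poster WHERE status = ?',
                               (requested_status, ), privilege=user_privilege,
                               ignore_image=ignore_image)
        if error:
            return send_error(error)
        if not rows:
            return send_error('No posters matching the requested status.')
        return jsonify(rows)

    if public_only:
        query, params = 'SELECT * FROM poster WHERE status = ?', ('posted', )
    else:
        query, params = 'SELECT * FROM poster', []
    rows, error = get_rows(query, params, privilege=user_privilege,
                           ignore_image=ignore_image)
    if error:
        return send_error(error)
    return jsonify(rows)


def _valid_new_date(value):
    """Shape check used on creation: ``'Y-M-D H:M:S'`` (three dash parts, three colon parts)."""
    if not isinstance(value, str) or ' ' not in value:
        return False
    day, clock = value.split(' ')[0], value.split(' ')[1]
    return len(day.split('-')) == 3 and len(clock.split(':')) == 3


def _create_poster(db, user_id, payload):
    """POST without ``id``: insert a ``pending`` poster and apply the other keys as columns.

    ``uploader_id`` is always the session user (a client-supplied value is
    overridden). Falsy values are stored as NULL, as before. Dates are validated
    before the INSERT so a rejected request no longer leaves an uncommitted row.
    NOTE(review): any remaining key - including ``status`` - is written verbatim, so
    a privilege-0 user can create a poster that is already ``posted``; presumably
    unintended, confirm whether a column whitelist is wanted.
    """
    if 'title' not in payload or payload['title'] == "":
        return send_error('Missing title. New posters must have a title.')
    title = payload['title']
    existing, error = check_one('SELECT id FROM poster WHERE title = ?', (title, ))
    if error:
        return send_error(error)
    if existing is not None:
        return send_error('Poster already exists with given title.')

    fields = {key: value for key, value in payload.items() if key != 'title'}
    fields['uploader_id'] = user_id
    for key, value in fields.items():
        if key.startswith('date') and value and not _valid_new_date(value):
            return send_error('Invalid date format')
    fragment, params = _poster_set_clause(
        {key: (value if value else None) for key, value in fields.items()})
    if fragment is None:
        return send_error('Invalid parameter. {}'.format(
            'column names must be identifiers'))

    db.execute('INSERT INTO poster (title, status) VALUES (?, ?)',
               (title, 'pending'))
    try:
        db.execute('UPDATE poster SET ' + fragment + ' WHERE title = ?',
                   params + [title])
    except sqlite3.OperationalError as exc:
        print(exc)
        db.rollback()
        return send_error('Invalid parameter. {}'.format(exc))
    except Exception as exc:
        print(exc)
        db.rollback()
        return send_error('Error in updating the databse. {}'.format(exc))
    db.commit()
    return send_success()


def _edit_poster(db, payload):
    """POST with ``id``: apply every other key of ``payload`` as a column update.

    NOTE(review): there is no ownership check here, unlike ``cancel`` - any
    privilege-0 user can update any poster, including ``status`` and ``uploader_id``;
    presumably unintended, confirm the intended rule before restricting.
    """
    poster_id = payload['id']
    if poster_id == '':
        return send_error('Missing Id in request.')
    existing, error = check_one('SELECT * FROM poster WHERE id = ?', (poster_id, ))
    if error:
        return send_error(error)
    if existing is None:
        return send_error('Requested id not found.')

    fields = {key: value for key, value in payload.items() if key != 'id'}
    for key, value in fields.items():
        # Creation demands 'Y-M-D H:M:S'; editing only insists on a date/time split.
        if key.startswith('date') and value and (
                not isinstance(value, str) or ' ' not in value):
            return send_error('Invalid date format for {}'.format(key))
    fragment, params = _poster_set_clause(fields)
    if fragment is None:
        return send_error('Invalid parameter.')
    try:
        db.execute('UPDATE poster SET ' + fragment + ' WHERE id = ?',
                   params + [poster_id])
    except sqlite3.OperationalError:
        return send_error('Invalid parameter.')
    except Exception:
        return send_error('Error in updating the databse.')
    db.commit()
    return send_success()


def _delete_poster(db):
    """DELETE ``?id=`` (admin only; the caller has already checked privilege)."""
    requested_id = request.args.get('id')
    if requested_id is None:
        return send_error('Id not specified.')
    found = db.execute('SELECT * FROM poster WHERE id = ?',
                       (requested_id, )).fetchone()
    if found is None:
        return send_error('Id not found.')
    db.execute('DELETE FROM poster WHERE id = ?', (requested_id, ))
    db.commit()
    return send_success()


def posters():
    """Poster collection endpoint: GET lists, POST creates/edits, DELETE removes.

    GET is open to anonymous, user and admin callers (``[-1, 0, 1]``) and first runs
    the lazy ``approveAsNeeded`` / ``expireAsNeeded`` transitions. POST requires a
    logged-in user or admin; a body without ``id`` creates, with ``id`` edits.
    DELETE requires an admin. Other methods fall through and return ``None``, as
    before.

    Security fix: both UPDATE statements were built by string concatenation of
    client-supplied column names, values, ``title`` and ``id`` (SQL injection);
    they are now parameterised with validated identifiers. Also fixed: the
    non-admin GET-by-id query was malformed, and a missing id now reports
    'Requested id not found.' instead of returning ``[]``.
    """
    if request.method == 'GET':
        approveAsNeeded()
        expireAsNeeded()
        user_id, user_privilege, error = check_user_and_privilege(
            session, [-1, 0, 1], ignore_id=True)
        if error:
            return send_error(error)
        return _list_posters(user_privilege, check_ignore_image(request))

    if request.method == 'POST':
        user_id, user_privilege, error = check_user_and_privilege(
            session, [0, 1])
        if error:
            return send_error(error)
        payload = request.get_json()
        if not isinstance(payload, dict):
            return send_error('Invalid JSON body.')
        db = get_db()
        if 'id' not in payload:
            return _create_poster(db, user_id, payload)
        return _edit_poster(db, payload)

    if request.method == 'DELETE':
        user_id, user_privilege, error = check_user_and_privilege(session, [1])
        if error:
            return send_error(error)
        return _delete_poster(get_db())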