def login_view():
    """Render the login form and sign the visitor in on a valid submission.

    An already-authenticated visitor is sent to the account page. After a
    successful login an admin lands on ``/admin``; anyone else is sent to
    the ``next`` query parameter when ``is_safe_url`` accepts it (an
    unsafe value is answered with 404), otherwise to the index view.
    Lookup and password failures are reported as form field errors.
    """
    if current_user.is_authenticated:
        return redirect(url_for("account_view"))

    form = LoginForm()
    if not form.validate_on_submit():
        return render_template("login.html", form=form)

    submitted_email = form.email.data
    submitted_password = form.password.data

    user = User.query.filter_by(email=submitted_email).one_or_none()
    if not user:
        # NOTE(review): separate "unknown user" / "wrong password" messages
        # reveal which e-mails are registered; a single message avoids that.
        form.email.errors.append("Такого пользователя не существует.")
    elif not user.password_valid(submitted_password):
        form.password.errors.append("Неверный пароль.")
    else:
        login_user(user)
        if current_user.is_admin:
            return redirect("/admin")
        # Only follow a caller-supplied target that is_safe_url accepts.
        target = request.args.get("next")
        if target and not is_safe_url(target):
            return abort(404)
        return redirect(target or url_for("index_view"))

    return render_template("login.html", form=form)
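def login():
    """Log a staff account in and redirect to a safe ``next`` target.

    An authenticated visitor is redirected immediately: to ``next`` when it
    is present and passes ``is_safe_url``, otherwise to the account page.
    For a valid form submission the account is looked up by e-mail and the
    password verified; on success the user is logged in (honouring the
    "remember me" flag) and redirected to ``next`` or the index. Any
    ``next`` value rejected by ``is_safe_url`` is answered with 400.

    Returns:
        A redirect response, an ``abort(400)`` response, or the rendered
        login template.
    """
    if current_user.is_authenticated:
        # Note: is_safe_url is also called when ``next`` is absent (None);
        # the helper must tolerate that, as the original code relied on.
        next_url = request.args.get('next')
        if not is_safe_url(next_url):
            return abort(400)
        if next_url:
            return redirect(next_url)
        return redirect(url_for('auth.account'))

    # Query flag passed through to the template unchanged.
    linking_line = request.args.get('linking_line') == 'yes'

    form = LoginForm()
    if form.validate_on_submit():
        # authenticate the user
        user = db.session.query(StaffAccount).filter_by(
            email=form.email.data).first()
        if not user:
            # NOTE(review): this message differs from the wrong-password one,
            # so responses reveal which e-mails have an account.
            flash(u'User does not exists. ไม่พบบัญชีผู้ใช้ในระบบ', 'danger')
            return redirect(url_for('auth.login'))
        if not user.verify_password(form.password.data):
            flash(
                u'Wrong password, try again. รหัสผ่านไม่ถูกต้อง กรุณาลองอีกครั้ง',
                'danger')
            return redirect(url_for('auth.login'))

        login_user(user, form.remember_me.data)
        # Only follow a caller-supplied target that is_safe_url accepts.
        next_url = request.args.get('next')
        if not is_safe_url(next_url):
            return abort(400)
        flash(u'You have just logged in. ลงทะเบียนเข้าใช้งานเรียบร้อย',
              'success')
        return redirect(next_url or url_for('index'))

    return render_template('/auth/login.html',
                           form=form,
                           errors=form.errors,
                           linking_line=linking_line)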
def test_is_safe_url():
    """Check is_safe_url accepts same-host and relative targets and rejects others.

    The request context pins the current host to 127.0.0.1, so same-host
    absolute URLs and relative paths must pass, while a different host and
    ``javascript:`` targets must be rejected.
    """
    app = flask.Flask(__name__)

    accepted = [
        "http://127.0.0.1/admin/car/",
        "https://127.0.0.1/admin/car/",
        "/admin/car/",
        "admin/car/",
    ]
    rejected = [
        "http://127.0.0.2/admin/car/",
        " javascript:alert(document.domain)",
        "javascript:alert(document.domain)",
    ]

    with app.test_request_context("http://127.0.0.1/admin/car/edit/"):
        for target in accepted:
            assert helpers.is_safe_url(target), target
        for target in rejected:
            assert not helpers.is_safe_url(target), target
    def login_view(self):
        """Process the admin login form and redirect once authenticated.

        A valid submission logs the form's user in. When the current user
        is then authenticated, redirect to the ``next`` query parameter if
        ``is_safe_url`` accepts it (400 otherwise) or to the index view;
        an unauthenticated visitor gets the index rendered with the form.
        """
        form = LoginForm(request.form)
        if helpers.validate_form_on_submit(form):
            login.login_user(form.get_user())

        if not login.current_user.is_authenticated:
            self._template_args['form'] = form
            return super(AdminIndexView, self).index()

        # Only follow a caller-supplied target that is_safe_url accepts.
        target = request.args.get("next")
        if target and not is_safe_url(target):
            return abort(400)
        return redirect(target or url_for('.index'))
 def create_redirector(self):
     """Redirect to the create_view endpoint chosen by the form's ``page_type``.

     The form's ``url`` field is used as the post-create return target only
     when ``is_safe_url`` accepts it; otherwise the index view is used. If
     the form does not validate, redirect straight to that target.
     """
     form = self.get_child_page_type_form()
     if is_safe_url(form.url.data):
         target = form.url.data
     else:
         target = url_for(".index_view")

     if not form.validate_on_submit():
         return redirect(target)

     # NOTE(review): page_type.data selects the endpoint name; presumably the
     # form restricts it to known page types — confirm, since url_for raises
     # on an unknown endpoint.
     endpoint = f"{form.page_type.data}.create_view"
     return redirect(
         url_for(endpoint, parent_pk=form.parent_pk.data, url=target)
     )
def home():
    """Home page.

    On POST, a valid login form logs the user in and redirects to the
    ``next`` query parameter (or the members page); a target rejected by
    ``is_safe_url`` is answered with 400. Invalid submissions flash their
    errors. Otherwise the home template is rendered with the form.
    """
    form = LoginForm(request.form)

    # Handle logging in
    if request.method != 'POST':
        return render_template('root/home.html', form=form)
    if not form.validate_on_submit():
        flash_errors(form)
        return render_template('root/home.html', form=form)

    login_user(form.user)
    flash('You are logged in.', 'success')

    # The fallback is checked too, so every redirect target goes through is_safe_url.
    target = request.args.get('next') or url_for('member.members')
    if not is_safe_url(target):
        return abort(400)
    return redirect(target)
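def login():
    """Log a user in by e-mail and password, then redirect to a safe target.

    On a valid POST with matching credentials the user is logged in and
    sent to the ``next`` query parameter when ``is_safe_url`` accepts it
    (400 when it does not), otherwise to the home route. Every other case
    re-renders the login form; bad credentials also add a flash message.

    Returns:
        A redirect response, an ``abort(400)`` response, or the rendered
        login template.
    """
    form = LoginForm()
    # The explicit method check is kept from the original contract.
    if form.validate_on_submit() and request.method == 'POST':
        user = User.query.filter_by(email=form.email.data).first()
        if user and user.verify_password(form.password.data):
            login_user(user)
            flash('Logged in successfully.')

            # Note: is_safe_url is also called when ``next`` is absent (None);
            # the helper must tolerate that, as the original code relied on.
            next_url = request.args.get('next')
            if not is_safe_url(next_url):
                return abort(400)
            return redirect(next_url or url_for('routes.home'))

        # One message for both unknown e-mail and wrong password, so the
        # response does not reveal which e-mails are registered.
        flash('Invalid Email and/or password.')

    return render_template('login.html', form=form)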
def register_view():
    """Render the registration form and create the account on a valid submission.

    An authenticated visitor is sent to the account page. A valid form
    whose e-mail is not yet registered creates and saves the user, logs
    them in and redirects to the ``next`` query parameter when
    ``is_safe_url`` accepts it (404 otherwise), else to the account page.
    A duplicate e-mail is reported as a field error.
    """
    if current_user.is_authenticated:
        return redirect(url_for("account_view"))

    form = RegistrationForm()
    if not form.validate_on_submit():
        return render_template("register.html", form=form)

    name, email, password = form.name.data, form.email.data, form.password.data

    if User.query.filter_by(email=email).one_or_none():
        # NOTE(review): this message confirms that the e-mail is registered.
        form.email.errors.append("Такой пользователь уже существует.")
        return render_template("register.html", form=form)

    user = User(name=name, email=email, password=password)
    user.save()
    login_user(user)
    # Only follow a caller-supplied target that is_safe_url accepts.
    target = request.args.get("next")
    if target and not is_safe_url(target):
        return abort(404)
    return redirect(target or url_for("account_view"))
def test_is_safe_url():
    """Check is_safe_url against same-host, relative and malformed targets.

    The request context pins the current host to 127.0.0.1. Same-host
    absolute URLs and relative paths must pass; a foreign host, scheme
    tricks (``javascript:``, a newline inside the scheme) and backslash or
    extra-slash forms that some parsers read as a host must be rejected.
    """
    app = flask.Flask(__name__)

    accepted = [
        'http://127.0.0.1/admin/car/',
        'https://127.0.0.1/admin/car/',
        '/admin/car/',
        'admin/car/',
        'http////www.google.com',
    ]
    rejected = [
        'http://127.0.0.2/admin/car/',
        ' javascript:alert(document.domain)',
        'javascript:alert(document.domain)',
        'javascrip\nt:alert(document.domain)',
        r'\\www.google.com',
        r'\\/www.google.com',
        '/////www.google.com',
        'http:///www.google.com',
        'https:////www.google.com',
    ]

    with app.test_request_context('http://127.0.0.1/admin/car/edit/'):
        for target in accepted:
            assert helpers.is_safe_url(target), target
        for target in rejected:
            assert not helpers.is_safe_url(target), target