Esempio n. 1
0
def view(actor_id):
    logging_prefix = logger_prefix + "view({}) - ".format(actor_id)
    log.info(logging_prefix + "Starting")

    editors = None
    
    try:
        populate_simple_choices()
        form, editors = es_to_form(actor_id)

        search_form = forms.searchForm()
    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error,'danger')
        log.exception(logging_prefix + error)
        form = forms.actorForm()

    #render the template, passing the variables we need
    #   templates live in the templates folder
    return render_template("actor.html",
                        page_title="View Actor",
                        role="VIEW",
                        actor_id=actor_id,
                        form=form,
                        editors=editors,
                        search_form = search_form
            )
Esempio n. 2
0
def view(report_id):
    logging_prefix = logger_prefix + "view({}) - ".format(report_id)
    log.info(logging_prefix + "Starting")

    editors = None

    try:
        form, editors = es_to_form(report_id)
        search_form = forms.searchForm()
    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error, "danger")
        log.exception(logging_prefix + error)
        form = forms.reportForm()

    # render the template, passing the variables we need
    #   templates live in the templates folder
    return render_template(
        "report.html",
        page_title="View Report",
        role="VIEW",
        report_id=report_id,
        form=form,
        editors=editors,
        search_form=search_form,
    )
Esempio n. 3
0
def add(template=None):
    logging_prefix = logger_prefix + "add({}) - ".format(template)
    log.info(logging_prefix + "Starting")

    error = None
    try:
        populate_simple_choices()
        form = forms.actorForm(request.form)
        search_form = forms.searchForm()

        if request.method == 'POST':
            #trick the form validation into working with our dynamic drop downs
            for sub_form in form.actor_class:
                sub_form.a_id.choices = fetch_child_data('tpx_classification',sub_form.a_family.data)

            #convert the field that lists the related_element_choices 
            #choices = []
            #rec = json.loads(form.related_element_choices.data)
            #for k,v in rec.items():
            #    choices.append((v,k))

            if form.validate():
                log.info(logging_prefix + "Add Detected")

                #create an actor id
                actor_id = str(uuid.uuid4())

                #convert the form to ES format
                form_to_es(form, actor_id)
               
                #rebuild the form from ES
                #flash('Not requerying ES, this should change', 'warning')
                form, editors = es_to_form(actor_id)

                flash(Markup('<a href="/actor/view/'+actor_id+'" style="text-decoration:none; color:#3c763d;">New Actor Successfully Added. Click here to view this actor</a>') , "success")

                #return redirect("/add/{}/".format(actor_id), code=302)
            else:
                #if there was an error print the error dictionary to the console
                #   temporary help, these should also appear under the form field
                print(form.errors)
        
        elif template:
            form, editors = es_to_form(template)
        else:
            #populate certain fields with default data
            form.actor_class[0].a_family.data = 'Actors'
            form.actor_class[0].a_id.choices = fetch_child_data('tpx_classification','Actors')

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error,'danger')
        log.exception(logging_prefix + error)

    return render_template("actor.html",
                        page_title="Add New Actor",
                        role="ADD",
                        form=form,
                        search_form = search_form
            )
Esempio n. 4
0
def issues():
    search_form = forms.searchForm()

    return render_template("issues.html",
                        page_title="Trouble Logging In",
                        search_form=search_form
            )
Esempio n. 5
0
def password_reset(user_id=None, expiration_ts=None, password_reset_hash=None):
    logging_prefix = logger_prefix + "password_reset({},{},{}) - ".format(user_id, expiration_ts, password_reset_hash)
    log.info(logging_prefix + "Starting")
    
    try:
        if sha256(SALTS['user'],user_id+expiration_ts) != password_reset_hash:
            flash("There was an error completing your request", 'danger')
            return redirect("/user/password/request_reset/")

        form = forms.passwordPerformResetForm(request.form)
        search_form = forms.searchForm()

        now = int(time.time())

        if now > int(expiration_ts): # passworD1!
            flash("This link has expired", 'danger')
            return redirect("/user/password/request_reset/")

        conn=get_mysql().cursor(DictCursor)
        conn.execute("SELECT COUNT(*) as count FROM password_reset_hashes WHERE hash = %s AND user_id = %s", (password_reset_hash,user_id))
        result = conn.fetchone()
        conn.close()

        if not result:
            flash("This link has expired", 'danger')
            return redirect("/user/password/request_reset/")

        if result['count'] == 0:
            flash("This link has expired", 'danger')
            return redirect("/user/password/request_reset/")

        if request.method == 'POST':
            if form.validate():
                password = form.user_password.data
                salted_password = sha256(SALTS['user'],password)

                conn=get_mysql().cursor()
                conn.execute("UPDATE users SET password = %s WHERE id = %s", (salted_password,user_id))
                conn.execute("DELETE FROM password_reset_hashes WHERE user_id = %s", (user_id,))
                get_mysql().commit()
                conn.close()

                flash("Your password has been updated", "success")
                return redirect("/user/login")
            else:
                print(form.errors)

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error,'danger')
        log.exception(logging_prefix + error)

    log.info(logging_prefix + "Rendering")
    return render_template("password_reset.html",
                        page_title="Reset Your Password",
                        page_type="PERFORM",
                        form=form,
                        search_form=search_form
            )
Esempio n. 6
0
def add(template=None):
    logging_prefix = logger_prefix + "add({}) - ".format(template)
    log.info(logging_prefix + "Starting")

    error = None
    try:
        form = forms.reportForm(request.form)
        search_form = forms.searchForm()

        if request.method == "POST":
            # trick the form validation into working with our dynamic drop downs
            for sub_form in form.report_class:
                sub_form.a_id.choices = fetch_child_data("tpx_classification", sub_form.a_family.data)

            # convert the field that lists the related_element_choices
            # choices = []
            # rec = json.loads(form.related_element_choices.data)
            # for k,v in rec.items():
            # choices.append((v,k))

            if form.validate():
                log.info(logging_prefix + "Add Detected")

                # create a ttp id
                report_id = str(uuid.uuid4())

                # convert the form to ES format
                form_to_es(form, report_id)

                # rebuild the form from ES
                form, editors = es_to_form(report_id)

                flash(
                    Markup(
                        '<a href="/report/view/'
                        + report_id
                        + '" style="text-decoration:none; color:#3c763d;">New Report Successfully Added. Click here to view this Report</a>'
                    ),
                    "success",
                )
            else:
                # if there was an error print the error dictionary to the console
                #   temporary help, these should also appear under the form field
                print(form.errors)

        elif template:
            form, editors = es_to_form(template)
        else:
            # populate certain fields with default data
            form.report_class[0].a_family.data = "Actors"
            form.report_class[0].a_id.choices = fetch_child_data("tpx_classification", "Actors")

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error, "danger")
        log.exception(logging_prefix + error)
        form = forms.reportForm()

    return render_template("report.html", page_title="Add New Report", role="ADD", form=form, search_form=search_form)
Esempio n. 7
0
def edit(ttp_id):
    logging_prefix = logger_prefix + "edit({}) - ".format(ttp_id)
    log.info(logging_prefix + "Starting")

    error = None
    try:
        editors = None
        search_form = forms.searchForm()
        if request.method == 'POST':
            form = forms.ttpForm(request.form)

            #trick the form validation into working with our dynamic drop downs
            for sub_form in form.ttp_class:
                sub_form.a_id.choices = fetch_child_data(
                    'tpx_classification', sub_form.a_family.data)

            #convert the field that lists the related_element_choices
            #choices = []
            #rec = json.loads(form.related_element_choices.data)
            #for k,v in rec.items():
            #choices.append((v,k))

            if form.validate():
                log.info(logging_prefix + "Edit Detected")

                #convert the form to ES format
                form_to_es(form, ttp_id)

                #rebuild the form from ES
                form, editors = es_to_form(ttp_id)

                flash("TTP Update Successful!", "success")
            else:
                #if there was an error print the error dictionary to the console
                #   temporary help, these should also appear under the form field
                print(form.errors)
        else:
            form, editors = es_to_form(ttp_id)

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(
            e)
        flash(error, 'danger')
        log.exception(logging_prefix + error)
        form = forms.ttpForm()

    #render the template, passing the variables we need
    #   templates live in the templates folder
    return render_template("ttp.html",
                           page_title="Edit TTP",
                           role="EDIT",
                           ttp_id=ttp_id,
                           form=form,
                           editors=editors,
                           search_form=search_form)
Esempio n. 8
0
def edit(report_id):
    logging_prefix = logger_prefix + "edit({}) - ".format(report_id)
    log.info(logging_prefix + "Starting")

    error = None
    try:
        search_form = forms.searchForm()
        editors = None
        if request.method == "POST":
            form = forms.reportForm(request.form)

            # trick the form validation into working with our dynamic drop downs
            for sub_form in form.report_class:
                sub_form.a_id.choices = fetch_child_data("tpx_classification", sub_form.a_family.data)

            # convert the field that lists the related_element_choices
            # choices = []
            # rec = json.loads(form.related_element_choices.data)
            # for k,v in rec.items():
            # choices.append((v,k))

            if form.validate():
                log.info(logging_prefix + "Edit Detected")

                # convert the form to ES format
                form_to_es(form, report_id)

                # rebuild the form from ES
                form, editors = es_to_form(report_id)

                flash("Report Update Successful!", "success")
            else:
                # if there was an error print the error dictionary to the console
                #   temporary help, these should also appear under the form field
                print(form.errors)
        else:
            form, editors = es_to_form(report_id)

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error, "danger")
        log.exception(logging_prefix + error)
        form = forms.reportForm()

    # render the template, passing the variables we need
    #   templates live in the templates folder
    return render_template(
        "report.html",
        page_title="Edit Report",
        role="EDIT",
        report_id=report_id,
        form=form,
        editors=editors,
        search_form=search_form,
    )
Esempio n. 9
0
def password_request_reset():
    logging_prefix = logger_prefix + "password_request_reset() - "
    log.info(logging_prefix + "Starting")
    try:
        form = forms.userEmailForm(request.form)
        search_form = forms.searchForm()

        if request.method == 'POST':
            if form.validate():
                email = form.user_email.data

                #make sure the email exists in the system
                conn=get_mysql().cursor(DictCursor)
                conn.execute("SELECT id FROM users WHERE email = %s", (email,))
                user = conn.fetchone()
                conn.close()

                if user:
                    expiration_ts = int(time.time()) + 3600
                    password_reset_hash = sha256(SALTS['user'],str(user['id']) + str(expiration_ts))

                    #set this value in the database, so it can be expired after the password is changed
                    conn=get_mysql().cursor(DictCursor)
                    conn.execute("INSERT INTO password_reset_hashes (user_id,hash) VALUES (%s,%s)", (user['id'],password_reset_hash))
                    get_mysql().commit()
                    conn.close()

                    password_reset_link = "/user/password/reset/{}/{}/{}/".format(user['id'],expiration_ts,password_reset_hash)

                    sendPasswordResetEmail(email, password_reset_link)

                    flash("An email has been sent to '{}' with a link to reset your password. This link expires in 1 hour.".format(email),'success')
                else:
                    flash("The email you entered was not found", "danger")

            else:
                print(form.errors)

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error,'danger')
        log.exception(logging_prefix + error)

    return render_template("password_reset.html",
                        page_title="Reset Your Password",
                        page_type="REQUEST",
                        form=form,
                        search_form=search_form
            )
Esempio n. 10
0
def edit(actor_id):
    logging_prefix = logger_prefix + "edit({}) - ".format(actor_id)
    log.info(logging_prefix + "Starting")
    
    try:
        populate_simple_choices()
        form = forms.actorForm(request.form)
        editors = None
        search_form = forms.searchForm()

        if request.method == 'POST':
            #trick the form validation into working with our dynamic drop downs
            for sub_form in form.actor_class:
                sub_form.a_id.choices = fetch_child_data('tpx_classification',sub_form.a_family.data)

            if form.validate():
                log.info(logging_prefix + "Edit Detected")

                #convert the form to ES format
                form_to_es(form, actor_id)
               
                #rebuild the form from ES
                form, editors = es_to_form(actor_id)

                flash("Actor Update Successful!" , "success")
                #return redirect("/edit/{}/".format(actor_id), code=302)
            else:
                #if there was an error print the error dictionary to the console
                #   temporary help, these should also appear under the form field
                print(form.errors)
        else:
            form, editors = es_to_form(actor_id)

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error,'danger')
        log.exception(logging_prefix + error)

    #render the template, passing the variables we need
    #   templates live in the templates folder
    return render_template("actor.html",
                        page_title="Edit Actor",
                        role="EDIT",
                        actor_id=actor_id,
                        form=form,
                        editors=editors,
                        search_form = search_form
            )
Esempio n. 11
0
def reverify():
    logging_prefix = logger_prefix + "reverify() - "
    log.info(logging_prefix + "Starting")
    try:
        form = forms.userEmailForm(request.form)
        search_form = forms.searchForm()

        if request.method == 'POST':
            if form.validate():
                email = form.user_email.data

                #make sure the email exists in the system
                conn=get_mysql().cursor(DictCursor)
                conn.execute("SELECT verification_hash FROM users WHERE email = %s", (email,))
                user = conn.fetchone()
                conn.close()

                if user:
                    sendAccountVerificationEmail(email, user['verification_hash'])

                    flash("A verification email has been sent to '{}' with a link to verify your account.".format(email),'success')
                else:
                    flash("The email you entered was not found", "danger")

            else:
                print(form.errors)

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error,'danger')
        log.exception(logging_prefix + error)

    return render_template("account_reverify.html",
                        page_title="Verify Account",
                        form=form,
                        search_form=search_form
            )
Esempio n. 12
0
def view_all(t, page=1):
    if t == 'favicon.ico':
        return jsonify({}), 404

    page = int(page)

    logging_prefix = logger_prefix + "view_all() - "
    log.info(logging_prefix +
             "Loading view all page {} for {}".format(page, t))

    form = forms.searchForm(request.form)
    error = None
    page_size = 50
    offset = (page - 1) * page_size
    url = "/{}/{}/".format(t, page)
    search_url = ""
    results_text = ""
    try:

        #this is the default query for actors in ES, i'd imagine this will be recently added/modified actors
        es_query = {
            "query": {
                "match_all": {}
            },
            "size": page_size,
            "from": offset,
            "sort": {
                "last_updated_s": {
                    "order": "desc"
                }
            }
        }

        #pull the query out of the url
        query_string = request.args.get("q")

        #someone is searching for something
        if request.method == 'POST' and not query_string:
            if form.validate():
                print("VALID SEARCH OPERATION DETECTED, redirecting...")

                #get the value
                value = form.query.data

                log.info(value)

                #redirect to this same page, but setting the query value in the url
                return redirect("/{}/1/?q={}".format(t, quote_plus(value)),
                                code=307)

            else:
                #if there was an error print the error dictionary to the console
                #   temporary help, these should also appear under the form field
                print(form.errors)

        elif query_string:
            #now that the query_string is provided as ?q=, perform the search
            print("VALID SEARCH OPERATION DETECTED")

            #do some searching...
            es_query = {
                "query": {
                    "query_string": {
                        "query": query_string
                    }
                },
                "size": page_size,
                "from": offset
            }

            search_url = "?q=" + query_string
            #set the form query value to what the user is searching for
            form.query.data = query_string
        '''
        Fetch the data from ES
        '''

        data = {}
        data['hits'] = {}
        data['hits']['hits'] = []

        if t == 'actor':
            index = ES_PREFIX + 'threat_actors'
            doc_type = 'actor'
            salt = SALTS['actor']
            link_prefix = 'actor'
            data_header = 'Actors'
            field_header = 'Actor Name'
        elif t == 'report':
            index = ES_PREFIX + 'threat_reports'
            doc_type = 'report'
            salt = SALTS['report']
            link_prefix = 'report'
            data_header = 'Reports'
            field_header = 'Report Title'
        elif t == 'ttp':
            index = ES_PREFIX + 'threat_ttps'
            doc_type = 'ttp'
            salt = SALTS['ttp']
            link_prefix = 'ttp'
            data_header = 'TTPs'
            field_header = 'TTP Name'
        else:
            raise Exception("Unknown type {}".format(t))

        try:
            data = get_es().search(index, doc_type, es_query)
            num_hits = len(data['hits']['hits'])

            #set up previous link
            if page == 1:
                prev_url = None
            else:
                prev_url = "/{}/{}/{}".format(t, (page - 1), search_url)

            if ((page - 1) * page_size) + num_hits < data['hits']['total']:
                next_url = "/{}/{}/{}".format(t, (page + 1), search_url)
            else:
                next_url = None

            url += search_url

            for d in data['hits']['hits']:
                s = salt + d['_id']
                hash_object = hashlib.sha256(s.encode('utf-8'))
                hex_dig = hash_object.hexdigest()
                d["_source"]['id_hash'] = hex_dig

            if num_hits == 0:
                results_text = ""
            else:
                f = ((page - 1) * page_size) + 1
                l = f + (num_hits - 1)
                results_text = "Showing {} to {} of {} total results".format(
                    f, l, data['hits']['total'])

        except TransportError as te:

            #if the index was not found, this is most likely becuase theres no data there
            if te.status_code == 404:
                log.warning("Index '{}' was not found".format(index))
            else:
                error = "There was an error fetching {}. Details: {}".format(
                    t, te)
                flash(error, 'danger')
                log.exception(logging_prefix + error)

        except Exception as e:
            error = "The was an error fetching {}. Error: {}".format(t, e)
            log.exception(error)
            flash(error, "danger")

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(
            e)
        log.exception(error)
        flash(error, "danger")
        return redirect("/")

    return render_template("view_all.html",
                           page_title="View All",
                           form=form,
                           data_header=data_header,
                           results_text=results_text,
                           field_header=field_header,
                           data=data,
                           link_prefix=link_prefix,
                           prev_url=prev_url,
                           next_url=next_url,
                           url=quote_plus(url))
Esempio n. 13
0
def contact():
    search_form = forms.searchForm()

    return render_template("contact.html",
                           page_title="Contact",
                           search_form=search_form)
Esempio n. 14
0
def index():
    logging_prefix = logger_prefix + "index() - "
    log.info(logging_prefix + "Loading home page")

    form = forms.searchForm(request.form)
    error = None
    url = "/"
    query_string_url = ""
    try:
        #this is the default query for actors in ES, i'd imagine this will be recently added/modified actors
        es_query = {
            "query": {
                "match_all": {}
            },
            "size": 10,
            "sort": {
                "last_updated_s": {
                    "order": "desc"
                }
            }
        }

        #pull the query out of the url
        query_string = request.args.get("q")

        #someone is searching for something
        if request.method == 'POST' and not query_string:
            if form.validate():

                #get the value
                value = form.query.data

                #redirect to this same page, but setting the query value in the url
                return redirect("/?q={}".format(quote_plus(value)), code=307)

            else:
                #if there was an error print the error dictionary to the console
                #   temporary help, these should also appear under the form field
                print(form.errors)

        elif query_string:
            #now that the query_string is provided as ?q=, perform the search
            print("VALID SEARCH OPERATION DETECTED")

            #do some searching...
            es_query = {
                "query": {
                    "query_string": {
                        "query": query_string
                    }
                },
                "size": 10
            }

            url += "?q=" + query_string
            query_string_url = "?q=" + query_string

            #set the form query value to what the user is searching for
            form.query.data = query_string
        '''
        Fetch the data from ES
        '''

        actors = {}
        actors['hits'] = {}
        actors['hits']['hits'] = []

        reports = dict(actors)

        ttps = dict(actors)

        try:
            actors = get_es().search(ES_PREFIX + 'threat_actors', 'actor',
                                     es_query)
        except TransportError as te:
            #if the index was not found, this is most likely becuase theres no data there
            if te.status_code == 404:
                log.warning("Index 'threat_actors' was not found")
            else:
                error = "There was an error fetching actors. Details: {}".format(
                    te)
                flash(error, 'danger')
                log.exception(logging_prefix + error)
        except Exception as e:
            error = "The was an error fetching Actors. Error: {}".format(e)
            log.exception(error)
            flash(error, "danger")

        try:
            reports = get_es().search(ES_PREFIX + 'threat_reports', 'report',
                                      es_query)
        except TransportError as te:
            #if the index was not found, this is most likely becuase theres no data there
            if te.status_code == 404:
                log.warning("Index 'threat_reports' was not found")
            else:
                error = "There was an error fetching reports. Details: {}".format(
                    te)
                flash(error, 'danger')
                log.exception(logging_prefix + error)
        except Exception as e:
            error = "The was an error fetching Reports. Error: {}".format(e)
            log.exception(error)
            flash(error, "danger")

        try:
            ttps = get_es().search(ES_PREFIX + 'threat_ttps', 'ttp', es_query)
        except TransportError as te:
            #if the index was not found, this is most likely becuase theres no data there
            if te.status_code == 404:
                log.warning("Index 'threat_ttps' was not found")
            else:
                error = "There was an error ttps. Details: {}".format(te)
                flash(error, 'danger')
                log.exception(logging_prefix + error)
        except Exception as e:
            error = "The was an error fetching TTPs. Error: {}".format(e)
            log.exception(error)
            flash(error, "danger")
        '''
        Modify the data as needed
        '''

        for actor in actors['hits']['hits']:
            s = SALTS['actor'] + actor['_id']
            hash_object = hashlib.sha256(s.encode('utf-8'))
            hex_dig = hash_object.hexdigest()
            actor["_source"]['id_hash'] = hex_dig

        for report in reports['hits']['hits']:
            s = SALTS['report'] + report['_id']
            hash_object = hashlib.sha256(s.encode('utf-8'))
            hex_dig = hash_object.hexdigest()
            report["_source"]['id_hash'] = hex_dig

        for ttp in ttps['hits']['hits']:
            s = SALTS['ttp'] + ttp['_id']
            hash_object = hashlib.sha256(s.encode('utf-8'))
            hex_dig = hash_object.hexdigest()
            ttp["_source"]['id_hash'] = hex_dig

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(
            e)
        log.exception(error)
        flash(error, "danger")

    #render the template, passing the variables we need
    #   templates live in the templates folder
    return render_template("index.html",
                           page_title="ActorTrackr",
                           form=form,
                           query_string_url=query_string_url,
                           actors=actors,
                           reports=reports,
                           ttps=ttps,
                           url=quote_plus(url))
Esempio n. 15
0
def register():
    logging_prefix = logger_prefix + "register() - "
    log.info(logging_prefix + "Starting")
    try:

        form = forms.registerForm(request.form)
        search_form = forms.searchForm()

        if request.method == 'POST':

            #verify captcha
            perform_validate = True
            try:
                if RECAPTCHA_ENABLED:
                    captcha_value = request.form['g-recaptcha-response']
                    r = requests.post("https://www.google.com/recaptcha/api/siteverify", data={
                            'secret': RECAPTCHA_PRIVATE_KEY,
                            'response': request.form['g-recaptcha-response']
                        })
                    r_json = json.loads(r.text)

                    if not r_json['success']:
                        flash("Bots are not allowed",'danger')
                        perform_validate = False

            except Exception as s:
                log.exception(logging_prefix + "Error preforming captcha validation")
                raise s

            if perform_validate and form.validate():
                log.info(logging_prefix + "Sign up Detected")

                #get data from form
                name = form.user_name.data
                email = form.user_email.data 
                password = form.user_password.data
                company = form.user_company.data
                reason = form.user_reason.data

                #create the necessary hashes
                salted_password = sha256(SALTS['user'],password)
                verification_hash = sha256(SALTS['email_verification'], email)

                #insert data into mysql
                insert = "INSERT INTO users (email, password, name, company, justification, email_verified, verification_hash) VALUES (%s,%s,%s,%s,%s,%s,%s)"
                values = (email, salted_password, name, company, reason, 0, verification_hash)
                log.info(logging_prefix + "Adding new user {}".format(values))

                try:
                    conn=get_mysql().cursor()
                    conn.execute(insert, values)
                    get_mysql().commit()
                    conn.close()
                except Exception as s:
                    conn.close()
                    raise s

                #email the user to verify email
                try:
                    sendAccountVerificationEmail(email, verification_hash)
                except Exception as s:
                    log.exception(logging_prefix + "Unable to send email to {} with verification_hash {}".format(email, verification_hash))
                    raise s

                flash("You have been registered. A verification email with an actviation link has been sent to {} from [email protected]".format(email),'success')
            else:

                print(form.errors)
        else:
            pass

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error,'danger')
        log.exception(logging_prefix + error)


    return render_template("register.html",
                        page_title="Register",
                        form=form,
                        recaptcha_enabled=RECAPTCHA_ENABLED,
                        recaptcha_key=RECAPTCHA_PUBLIC_KEY,
                        search_form=search_form
            )
Esempio n. 16
0
def login():
    logging_prefix = logger_prefix + "login() - "
    log.info(logging_prefix + "Starting")

    try:
        form = forms.loginForm(request.form)
        search_form = forms.searchForm()

        if request.method == 'POST':
            if form.validate():
                email = form.user_email.data 
                password = form.user_password.data

                hashed_password = sha256(SALTS['user'], password)

                conn=get_mysql().cursor(DictCursor)
                #since email is unique
                conn.execute("SELECT id, password, name, email_verified, approved, write_permission, delete_permission, admin FROM users WHERE email = %s", (email,))
                user = conn.fetchone()
                

                if user:
            
                    if user['password'] == hashed_password:
                        #we have found a valid user

                        if user['email_verified']==0:
                            #the user has not verified their email address
                            flash("Your email address has not been verified. Click here if you did not receive a verification email", "danger")

                        elif user['approved']==0:
                            #the user has not been approved, or their access has been disapproved
                            flash("Your account has been approved yet, you will receive an email when your account has been approved", "danger")

                        else:
                            #woohoo successful login, set up session variables
                            session['logged_in']    =   True
                            session['id']           =   user['id']
                            session['name']         =   user['name']
                            session['email']        =   email
                            session['approved']     =   (user['approved'] == 1)
                            session['write']        =   (user['write_permission'] == 1)
                            session['delete']       =   (user['delete_permission'] == 1)
                            session['admin']        =   (user['admin'] == 1)
                            session['expires']      =   math.ceil(time.time()) + SESSION_EXPIRE
                                                                            #now + 10 minutes of inactivity
                                                                            #each time this user loads a page
                                                                            #the expiration time gets now + 10m

                            #update last login timestamp
                            conn=get_mysql().cursor(DictCursor)
                            conn.execute("UPDATE users SET last_login=%s WHERE id = %s", (datetime.now(), user['id']))
                            get_mysql().commit()
                            conn.close()

                            flash("You have been logged in", "success")

                            if request.args.get("r"):
                                return redirect(request.args.get("r"))
                            else:
                                return redirect("/") 
                    else:
                        log.warning(logging_prefix + "Invalid login attempt for {}".format(email))
                        flash("The username or password is incorrect", "danger")
                else:
                    log.warning(logging_prefix + "Invalid login attempt for {}".format(email))
                    flash("The username or password is incorrect", "danger")
            else:
                print(form.errors)

    except Exception as e:
        error = "There was an error completing your request. Details: {}".format(e)
        flash(error,'danger')
        log.exception(logging_prefix + error)

    return render_template("login.html",
                        page_title="Login",
                        form=form,
                        search_form=search_form
            ) 
Esempio n. 17
0
def about():
    search_form = forms.searchForm()

    return render_template("about.html",
                           page_title="About",
                           search_form=search_form)