def check_sudo(user): sudo_mode = flask.request.cookies.get("sudo_mode") if sudo_mode == None or read_cookie(sudo_mode) == None: return False if user != read_cookie(sudo_mode): return False return True
def logout(): referrer = flask.request.referrer try: referrer.index("/logout") except ValueError: pass else: referrer = "/" cookie = flask.request.cookies.get("session") if cookie == None: return flask.redirect(referrer) user_id = read_cookie(cookie) if user_id == None: return flask.redirect(referrer) cnx = get_pg_connection() response = flask.make_response(flask.redirect(referrer)) response.set_cookie("session", "", expires=0) response.set_cookie("sudo_mode", "", expires=0) write_log("logout", user_id, {"success": True}) return response
def render_template(template, **kwargs): args = { "title": "How do your end up here?", "body": "How do your end up here?" } try: cookie = read_cookie(flask.request.cookies["session"]) except KeyError: cookie = None try: sudo_mode = read_cookie(flask.request.cookies["sudo_mode"]) except KeyError: sudo_mode = None try: cnx = get_pg_connection() cursor = cnx.cursor() cursor.execute('SELECT name, category_id FROM category ORDER BY category_id') categories = list(cursor) cursor = cnx.cursor() cursor.execute('SELECT nick, email, admin FROM users WHERE user_id = %s', (cookie, )) result = cursor.fetchone() if result: user, avatar, admin = result avatar = hashlib.md5(avatar.strip().lower().encode("utf8")).hexdigest() else: user, avatar, admin = None, None, None finally: cnx.close() kwargs["categories"] = categories kwargs["user"] = user kwargs["avatar"] = avatar kwargs["user_id"] = cookie kwargs["admin"] = admin kwargs["sudo"] = sudo_mode return flask.render_template(template, **kwargs)
def drafts(order, page): try: user = read_cookie(flask.request.cookies["session"]) except: user = None if user == None: return flask.redirect("/") return list_threads(order, int(page), author=user, draft=True)
def new_thread(): now = datetime.datetime.now() try: userid = read_cookie(flask.request.cookies["session"]) except KeyError: flask.abort(401) if userid == None: flask.abort(401) try: title = flask.request.form["title"] category = flask.request.form["category"] renderer = flask.request.form["renderer"] content = flask.request.form["content"] is_draft = bool(int(flask.request.form["draft"])) except KeyError: flask.abort(400) thread_id = str(uuid.uuid4()).replace('-', '') post_id = str(uuid.uuid4()).replace('-', '') post_content_id = str(uuid.uuid4()).replace('-', '') cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "INSERT INTO thread VALUES (" "%s, %s, %s, %s, %s, FALSE, %s )", (thread_id, userid, category, now, title, bool(is_draft))) cursor.execute( "INSERT INTO post VALUES (" "%s, %s, %s, %s, FALSE, %s, %s)", (post_id, userid, thread_id, now, now, post_content_id)) cursor.execute( "INSERT INTO post_content VALUES (" "%s, %s, %s, %s, %s)", (post_content_id, post_id, renderer, content, now)) cnx.commit() write_log("new_thread", userid, { "success": True, "id": thread_id, "title": title }) finally: cnx.close() return flask.redirect("/thread/view/" + thread_id)
def check_permission(): session = flask.request.cookies.get("session") if session == None or read_cookie(session) == None: write_log("dashboard_access", "", {"success": False}) flask.abort(401) user = read_cookie(session) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT * FROM users WHERE user_id = %s AND admin = TRUE", (user, )) result = (cursor.fetchone() != None) finally: cnx.close() if not result: write_log("dashboard_access", user, {"success": False}) flask.abort(401) return user
def deleted_post(post_id): user = flask.request.cookies.get("session") if user != None and read_cookie(user) != None: user = read_cookie(user) cnx = get_pg_connection() try: if user: cursor = cnx.cursor() cursor.execute("SELECT admin FROM users WHERE user_id = %s", (user, )) admin, = cursor.fetchone() else: admin = False if not admin: flask.abort(404) cursor = cnx.cursor() cursor.execute( "select post.post_id, users.nick, post.author, " "LOWER(MD5(TRIM(LOWER(users.email)))), " "post_content.content, post_content.datetime, post_content.renderer FROM post, users, post_content " "WHERE post.author = users.user_id " "AND post.content = post_content.content_id " "AND post.post_id = %s", (post_id, )) posts = cursor.fetchall() finally: cnx.close() return render_template("post.tmpl", posts=posts, page=1, post_per_page=1, total_pages=1, render_content=render_content, title="被删除的回复")
def reply(): now = datetime.datetime.now() try: userid = read_cookie(flask.request.cookies["session"]) except KeyError: flask.abort(401) if userid == None: flask.abort(401) try: renderer = flask.request.form["renderer"] content = flask.request.form["content"] thread_id = flask.request.form["thread_id"] except KeyError: flask.abort(400) post_id = str(uuid.uuid4()).replace('-', '') post_content_id = str(uuid.uuid4()).replace('-', '') cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "INSERT INTO post VALUES (" "%s, %s, %s, %s, FALSE, %s, %s)", (post_id, userid, thread_id, now, now, post_content_id)) cursor.execute( "INSERT INTO post_content VALUES (" "%s, %s, %s, %s, %s)", (post_content_id, post_id, renderer, content, now)) cnx.commit() write_log("new_reply", userid, { "success": True, "post_id": post_id, "content_id": post_content_id }) finally: cnx.close() return flask.redirect(flask.request.referrer)
def list_threads(order, page, category=None, author=None, draft=False): order_sql = { 'publish': 'publish_datetime', 'reply': 'reply_count', 'last_modified': 'last_modified', 'random': 'RAND()' } category_sql = "AND thread.category = %s" if category else '' author_sql = "AND thread.author = %s" if author else '' try: sudo_mode = read_cookie(flask.request.cookies["sudo_mode"]) except KeyError: sudo_mode = None hidden = bool(sudo_mode) query = ( "SELECT thread.thread_id, thread.title, thread.datetime AS publish_datetime, " "users.nick, MAX(post.last_modified) AS last_modified, " "(SELECT COUNT(*) FROM post WHERE post.thread = thread.thread_id) AS reply_count FROM thread, post, users " "WHERE thread.hidden = FALSE " "AND post.thread = thread.thread_id " "AND users.user_id = thread.author " "AND thread.draft = %s {} {} " "GROUP BY thread.thread_id, users.nick " "ORDER BY {} DESC " "LIMIT {} " "OFFSET %s ").format(category_sql, author_sql, order_sql[order], config["paginator"]["thread_per_page"]) page_query = "SELECT COUNT(*) FROM thread WHERE hidden = FALSE AND draft = %s {} {}".format( category_sql, author_sql) category_query = "SELECT name FROM category WHERE category_id = %s" cnx = get_pg_connection() try: cursor = cnx.cursor() page_cursor = cnx.cursor() if category: category_cursor = cnx.cursor() if author: cursor.execute( query, (draft, category, author, (page - 1) * config["paginator"]["thread_per_page"])) else: cursor.execute( query, (draft, category, (page - 1) * config["paginator"]["thread_per_page"])) if author: page_cursor.execute(page_query, (draft, category, author)) else: page_cursor.execute(page_query, ( draft, category, )) category_cursor.execute(category_query, (category, )) category_name, = category_cursor.fetchone() title = "分类: " + category_name else: if author: cursor.execute( query, (draft, author, (page - 1) * config["paginator"]["thread_per_page"])) else: cursor.execute( query, (draft, (page - 1) * config["paginator"]["thread_per_page"])) if author: page_cursor.execute(page_query, (draft, author)) else: page_cursor.execute(page_query, (draft, )) title = "主页" total_pages, = page_cursor.fetchone() total_pages = int((total_pages - 1) / config["paginator"]["thread_per_page"] + 1) if draft: baseurl = "/drafts" elif category: baseurl = "/category/{}/{}".format(category, order) else: baseurl = "/index/" + order ret = render_template('list.tmpl', cursor=cursor, title=title, page=page, total_pages=total_pages, order=order, baseurl=baseurl) finally: cnx.close() return ret
def edit(edit_type, target_id): try: user = read_cookie(flask.request.cookies["session"]) except: user = None if user == None: flask.abort(401) cnx = get_pg_connection() try: cursor = cnx.cursor() if edit_type == 'thread': cursor.execute( "SELECT thread.title, thread.category, thread.draft, users.admin FROM thread, users " "WHERE thread.thread_id = %s AND users.user_id = %s AND (thread.author = users.user_id OR users.admin = TRUE)", (target_id, user)) title, category, is_draft, _ = cursor.fetchone() cursor.execute( "SELECT post.post_id, users.admin FROM post, users " "WHERE post.thread = %s AND users.user_id = %s AND (post.author = users.user_id OR users.admin = TRUE) " "ORDER BY datetime LIMIT 1 OFFSET 0", (target_id, user)) post_id = cursor.fetchone() if not post_id: flask.abort(404) post_id = post_id[0] else: post_id = target_id except: cnx.close() raise try: cursor = cnx.cursor() cursor.execute( "SELECT content, renderer FROM post_content WHERE post = %s ORDER BY datetime DESC LIMIT 1 OFFSET 0", (post_id, )) content, renderer = cursor.fetchone() finally: cnx.close() kwargs = { "renderer": renderer, "referrer": flask.request.referrer, "content": content, "post_id": post_id } if edit_type == "thread": print(title) kwargs["type"] = "edit_thread" kwargs["title"] = "编辑主题:" + title kwargs["current_category_id"] = category kwargs["draft"] = is_draft kwargs["thread_id"] = target_id else: kwargs["type"] = "edit_post" kwargs["title"] = "编辑回复" return render_template("edit.tmpl", **kwargs)
def post(thread, page): user = flask.request.cookies.get("session") if user != None and read_cookie(user) != None: user = read_cookie(user) cnx = get_pg_connection() try: if user: cursor = cnx.cursor() cursor.execute("SELECT admin FROM users WHERE user_id = %s", (user, )) admin, = cursor.fetchone() else: admin = False cursor = cnx.cursor() cursor.execute("SELECT title FROM thread WHERE thread_id = %s", (thread, )) title = cursor.fetchone()[0] cursor = cnx.cursor() cursor.execute("SELECT COUNT(*) FROM post WHERE thread = %s", (thread, )) post_count = cursor.fetchone()[0] cursor = cnx.cursor() cursor.execute("SELECT hidden FROM thread WHERE thread_id = %s", (thread, )) hidden, = cursor.fetchone() if hidden and not admin: flask.abort(404) query = ( "SELECT post.post_id, users.nick, post.author, " "LOWER(MD5(TRIM(LOWER(users.email)))), " "post_content.content, post_content.datetime, post_content.renderer FROM post, users, thread, post_content " "WHERE post.thread = %s AND post.hidden = FALSE " "AND post.thread = thread.thread_id " "AND post.author = users.user_id " "AND post.content = post_content.content_id " "ORDER BY post.datetime LIMIT {} OFFSET %s".format( config["paginator"]["post_per_page"])) cursor = cnx.cursor() cursor.execute( query, (thread, int( (int(page) - 1) * config["paginator"]["post_per_page"]))) posts = list(cursor) cursor = cnx.cursor() cursor.execute("SELECT thread.author FROM thread WHERE thread_id = %s", (thread, )) thread_author_id = cursor.fetchone()[0] finally: cnx.close() total_pages = int((post_count - 1) / config["paginator"]["post_per_page"] + 1) return render_template("post.tmpl", posts=posts, thread_hidden=hidden, page=int(page), total_pages=total_pages, thread_author_id=thread_author_id, baseurl="/thread/view/{}".format(thread), post_per_page=config["paginator"]["post_per_page"], render_content=render_content, title=title, thread_id=thread)
def userinfo(): try: user = read_cookie(flask.request.cookies["session"]) except KeyError: return flask.redirect("/") if not user: flask.redirect("/") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( 'SELECT name, email, nick, salt FROM users WHERE user_id = %s', (user, )) name, email, nick, salt = cursor.fetchone() finally: cnx.close() if flask.request.method == "GET": return render_template("userinfo.tmpl", error=False, name=name, email=email, nick=nick, title="User Info") else: try: new_email = flask.request.form["email"] new_nick = flask.request.form["nick"] old_password = flask.request.form["old_password"] new_password = flask.request.form["new_password"] except: return flask.abort(400) if new_password != "": cnx = get_pg_connection() cursor = cnx.cursor() try: hashed_old_password = hashlib.sha256( (old_password + salt).encode()).hexdigest().upper() cursor.execute( "SELECT user_id FROM users WHERE user_id = %s AND password = %s", (user, hashed_old_password)) if not cursor.fetchone(): cnx.close() write_log("update_userinfo", user, { "success": False, "reason": "wrong password" }) return render_template("userinfo.tmpl", error=True, name=name, email=email, nick=nick, title="User Info") except: cnx.close() raise salt = crypt.mksalt(crypt.METHOD_SHA256) hashed_password = hashlib.sha256( (new_password + salt).encode()).hexdigest().upper() else: hashed_password = None cnx = get_pg_connection() try: cursor = cnx.cursor() if hashed_password: cursor.execute( "UPDATE users SET email = %s, nick = %s, password = %s, salt = %s WHERE user_id = %s", (new_email, new_nick, hashed_password, salt, user)) else: cursor.execute( "UPDATE users SET email = %s, nick = %s WHERE user_id = %s", (new_email, new_nick, user)) cnx.commit() finally: cnx.close() log_data = { "success": True, "nick": [nick, new_nick], "email": [email, new_email], "password_changed": new_password != "" } write_log("update_userinfo", user, log_data) return flask.redirect("/userinfo")
def edit(edit_type): try: renderer = flask.request.form["renderer"] content = flask.request.form["content"] referrer = flask.request.form["referrer"] post_id = flask.request.form["post_id"] except KeyError: flask.abort(400) user = read_cookie(flask.request.cookies["session"]) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT post.author, users.admin, post.content FROM post, users " "WHERE post.post_id = %s AND users.user_id = %s " "AND (post.author = users.user_id OR users.admin = TRUE)", (post_id, user)) post_ret = cursor.fetchone() if not post_ret: cnx.close() flask.abort(401) _, _, old_content_id = post_ret except: cnx.close() raise if edit_type == "thread": try: thread_id = flask.request.form["thread_id"] title = flask.request.form["title"] category = flask.request.form["category"] is_draft = bool(int(flask.request.form["draft"])) except KeyError: flask.abort(400) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT title, category, draft FROM thread " "WHERE thread_id = %s", (thread_id, )) old_title, old_category, old_draft = cursor.fetchone() except TypeError: flask.abort(400) new_content_id = str(uuid.uuid4()).replace('-', '') cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "INSERT INTO post_content VALUES (" "%s, %s, %s, %s, NOW())", (new_content_id, post_id, renderer, content)) cursor.execute( "UPDATE post SET content = %s, last_modified = NOW() WHERE post_id = %s", (new_content_id, post_id)) if edit_type == "thread": cursor.execute( "UPDATE thread SET title = %s, category = %s, draft = %s " "WHERE thread_id = %s", (title, category, is_draft, thread_id)) cnx.commit() except: traceback.print_exc() finally: cnx.close() log_data = { "success": True, "post_id": post_id, "type": edit_type, "rev": [old_content_id, new_content_id] } if edit_type == "thread": log_data["thread"] = { "title": [old_title, title], "category": [old_category, category], "draft": [old_draft, is_draft] } write_log("edit", user, log_data) return flask.redirect(referrer)