def do_post(self, is_self=True):
id = self.get_argument('id', self.current_user.id)
self_id = self.current_user.id
if is_self:
old_password = self.get_argument('old_password', '')
if not check_sql_injection(old_password):
self.do_get(is_self=True)
return
r = self.db.get("SELECT id FROM T_ADMINISTRATOR"
" WHERE password = password(%s)"
" AND id = %s",
old_password, id)
if not r:
self.render("administrator/password.html",
is_response=True,
is_self=is_self,
message=ErrorCode.WRONG_PASSWORD)
return
new_password = self.get_argument('new_password')
new_password2 = self.get_argument('new_password2')
if not (check_sql_injection(new_password) and check_sql_injection(new_password2)):
self.do_get(is_self=False)
return
administrators = self.db.query("SELECT id, login"
" FROM T_ADMINISTRATOR"
" WHERE id != %s"
" AND valid = %s",
self_id, XXT.VALID.VALID)
# TODO: how can this be? they are checked in the webpage. so, I am sure
# this is dead codes.
if new_password != new_password2:
self.render("administrator/password.html",
administrators=administrators,
is_response=True,
is_self=is_self,
message=ErrorCode.WRONG_NEW_PASSWORD)
return
r = self.db.execute("UPDATE T_ADMINISTRATOR"
" SET password = PASSWORD(%s)"
" WHERE id = %s",
new_password, id)
self.render("administrator/password.html",
administrators=administrators,
is_self=is_self,
is_response=True,
message=ErrorCode.UPDATE_PASSWORD_OK)
def get(self):
""" """
status = ErrorCode.SUCCESS
try:
page_number = int(self.get_argument('pagenum'))
page_count = int(self.get_argument('pagecnt'))
#reserved API
fields = DotDict(name="name LIKE '%%%%%s%%%%'")
for key in fields.iterkeys():
v = self.get_argument(key, None)
if v:
if not check_sql_injection(v):
status = ErrorCode.SELECT_CONDITION_ILLEGAL
self.write_ret(status)
return
fields[key] = fields[key] % (v,)
else:
fields[key] = None
except Exception as e:
status = ErrorCode.ILLEGAL_DATA_FORMAT
logging.exception("[UWEB] cid: %s get line data format illegal. Exception: %s",
self.current_user.cid, e.args)
self.write_ret(status)
return
try:
where_clause = ' AND '.join([v for v in fields.itervalues()
if v is not None])
page_size = UWEB.LIMIT.PAGE_SIZE
if where_clause:
where_clause = ' AND ' + where_clause
if page_count == -1:
sql = "SELECT count(id) as count FROM T_LINE" + \
" WHERE 1=1 " + where_clause
sql += " AND cid = %s" % (self.current_user.cid,)
res = self.db.get(sql)
count = res.count
d, m = divmod(count, page_size)
page_count = (d + 1) if m else d
sql = "SELECT id AS line_id, name AS line_name FROM T_LINE" +\
" WHERE 1=1 " + where_clause
sql += " AND cid = %s LIMIT %s, %s" % (self.current_user.cid, page_number * page_size, page_size)
lines = self.db.query(sql)
for line in lines:
stations = self.db.query("SELECT name, latitude, longitude, seq "
" FROM T_STATION "
" WHERE line_id = %s",
line.line_id)
line["stations"] = stations
self.write_ret(status,
dict_=DotDict(lines=lines,
pagecnt=page_count))
except Exception as e:
logging.exception("[UWEB] cid: %s get line failed. Exception: %s",
self.current_user.cid, e.args)
status = ErrorCode.SERVER_BUSY
self.write_ret(status)
def put(self):
"""Update the parameters of terminal.
"""
status = ErrorCode.SUCCESS
try:
data = DotDict(json_decode(self.request.body))
tid = data.get('tid', None)
# check tid whether exist in request and update current_user
self.check_tid(tid)
logging.info("[UWEB] Terminal request: %s, uid: %s, tid: %s",
data, self.current_user.uid, self.current_user.tid)
except Exception as e:
status = ErrorCode.ILLEGAL_DATA_FORMAT
self.write_ret(status)
return
try:
terminal = QueryHelper.get_available_terminal(
self.current_user.tid, self.db)
if not terminal:
status = ErrorCode.LOGIN_AGAIN
logging.error("[UWEB] The terminal with tid: %s does not exist,"
" redirect to login.html",
self.current_user.tid)
self.write_ret(status)
return
user = QueryHelper.get_user_by_uid(self.current_user.uid, self.db)
if not user:
status = ErrorCode.LOGIN_AGAIN
logging.error("[UWEB] The user with uid: %s does not exist,"
" redirect to login.html",
self.current_user.uid)
self.write_ret(status)
return
# sql injection
if data.has_key('corp_cnum') and not check_cnum(data.corp_cnum):
status = ErrorCode.ILLEGAL_CNUM
self.write_ret(status)
return
# NOTE: deprecated
if data.has_key('white_list'):
white_list = ":".join(data.white_list)
if not check_sql_injection(white_list):
status = ErrorCode.ILLEGAL_WHITELIST
self.write_ret(status)
return
self.update_terminal_db(data)
# NOTE: wspush to client
if status == ErrorCode.SUCCESS:
WSPushHelper.pushS7(tid, self.db, self.redis)
self.write_ret(status)
except Exception as e:
logging.exception("[UWEB] uid:%s, tid:%s update terminal info failed. Exception: %s",
self.current_user.uid, self.current_user.tid, e.args)
status = ErrorCode.SERVER_BUSY
self.write_ret(status)
def post(self):
"""Retrieve the log of delegation.
"""
# check administrator_id
start_time = int(self.get_argument("start_time"))
end_time = int(self.get_argument("end_time"))
select_clause = (
"SELECT T_ADMINISTRATOR.name as administrator, T_ADMINISTRATOR.login,"
+ " T_DELEGATION_LOG.timestamp, T_TERMINAL_INFO.mobile as tmobile,"
+ " T_USER.name as user_name "
)
from_table_clause = " FROM T_DELEGATION_LOG, T_ADMINISTRATOR, T_TERMINAL_INFO, T_USER "
where_clause = (
" WHERE T_DELEGATION_LOG.timestamp BETWEEN %s AND %s"
+ " AND T_DELEGATION_LOG.administrator_id = T_ADMINISTRATOR.id"
+ " AND T_DELEGATION_LOG.uid = T_USER.uid"
+ " AND T_DELEGATION_LOG.tid = T_TERMINAL_INFO.tid"
)
where_clause = where_clause % (start_time, end_time)
fields = DotDict(
administrator="T_ADMINISTRATOR.name LIKE '%%%%%s%%%%'",
login="******",
user_name="T_USER.name LIKE '%%%%%s%%%%'",
mobile="T_USER.mobile LIKE '%%%%%s%%%%'",
tmobile="T_TERMINAL_INFO.mobile LIKE '%%%%%s%%%%'",
)
for key in fields.iterkeys():
v = self.get_argument(key, None)
if v:
if not check_sql_injection(v):
self.get()
return
fields[key] = fields[key] % (v,)
else:
fields[key] = None
terms = [where_clause] + [v for v in fields.itervalues() if v]
where_clause = " AND ".join(terms)
sql = select_clause + from_table_clause + where_clause
sql += " ORDER BY T_DELEGATION_LOG.timestamp DESC"
logs = self.db.query(sql)
for i, log in enumerate(logs):
log["id"] = i + 1
self.render("delegation/log.html", logs=logs, interval=[start_time, end_time])
def post(self, tmobile):
"""Modify a business."""
fields = DotDict(cnum="",
ctype="",
ccolor="",
cbrand="",
uname="",
umobile="",
tmobile="",
service_status="",
begintime="",
endtime="",
address="",
email="")
for key in fields.iterkeys():
fields[key] = self.get_argument(key, "")
if fields[key]:
if not check_sql_injection(fields[key]):
logging.error("Edit business condition contain SQL inject. %s : %s",
key, fields[key])
self.render('errors/error.html',
message=ErrorCode.ERROR_MESSAGE[ErrorCode.EDIT_CONDITION_ILLEGAL])
return
try:
self.db.execute("UPDATE T_USER"
" SET name = %s,"
" address = %s,"
" email = %s "
" WHERE mobile = %s",
fields.uname, fields.address,
fields.email, fields.umobile)
self.db.execute("UPDATE T_TERMINAL_INFO"
" SET begintime = %s,"
" endtime = %s,"
" service_status = %s "
" WHERE mobile = %s",
fields.begintime, fields.endtime,
fields.service_status, fields.tmobile)
terminal = self.db.get("SELECT tid "
" FROM T_TERMINAL_INFO"
" WHERE mobile = %s",
fields.tmobile)
self.db.execute("UPDATE T_CAR"
" SET cnum = %s,"
" type = %s,"
" color = %s,"
" brand = %s "
" WHERE tid = %s",
fields.cnum, fields.ctype,
fields.ccolor, fields.cbrand, terminal.tid)
terminal_info_key = get_terminal_info_key(terminal.tid)
terminal_info = self.redis.getvalue(terminal_info_key)
if terminal_info:
terminal_info['alias'] = fields.cnum if fields.cnum else fields.tmobile
self.redis.setvalue(terminal_info_key, terminal_info)
fields.sms_status = self.get_sms_status(fields.tmobile)
self.render('business/list.html',
business=fields,
status=ErrorCode.SUCCESS,
message='')
except Exception as e:
logging.exception("Edit business failed.mobile: %s, Exception: %s",
tmobile, e.args)
self.render('errors/error.html',
message=ErrorCode.ERROR_MESSAGE[ErrorCode.EDIT_USER_FAILURE])
def post(self):
"""Query businesses according to the given params.
"""
corplist = self.db.query("SELECT id, cid, name FROM T_CORP")
corps = self.get_argument('corps', None)
begintime = int(self.get_argument('begintime',0))
endtime = int(self.get_argument('endtime',0))
interval=[begintime, endtime]
if not corps:
corps = self.db.query("SELECT cid FROM T_CORP")
corps = [str(corp.cid) for corp in corps]
sql = "SELECT id FROM T_GROUP WHERE corp_id IN %s" % (tuple(corps + DUMMY_IDS),)
groups = self.db.query(sql)
groups = [str(group.id) for group in groups] + [-1,]
else:
groups = self.db.query("SELECT id FROM T_GROUP WHERE corp_id = %s", corps)
groups = [str(group.id) for group in groups]
fields = DotDict(umobile="tu.mobile LIKE '%%%%%s%%%%'",
tmobile="tt.mobile LIKE '%%%%%s%%%%'",
begintime="tt.begintime >= %s",
endtime="tt.begintime <= %s",
login="******")
for key in fields.iterkeys():
#BIG NOTE: if online is to be got, "tt.login != 0" is good
if key == 'login' and self.get_argument(key, None) == '1':
fields[key] = "tt.login != 0"
continue
v = self.get_argument(key, None)
if v:
if not check_sql_injection(v):
logging.error("Search business condition contain SQL inject. %s : %s", key, v)
self.render('errors/error.html',
message=ErrorCode.ERROR_MESSAGE[ErrorCode.SELECT_CONDITION_ILLEGAL])
return
else:
fields[key] = fields[key] % (v,)
else:
fields[key] = None
where_clause = ' AND '.join([v for v in fields.itervalues()
if v is not None])
try:
sql = ("SELECT tt.tid, tt.login, tu.name as uname, tu.mobile as umobile, tt.mobile as tmobile,"
" tt.softversion, tt.begintime, tt.endtime, tt.move_val, tt.static_val,"
" tt.service_status, tt.bt_name, tt.bt_mac, tt.biz_type,"
" tc.cnum, tcorp.name as ecname, tcorp.mobile as cmobile"
" FROM T_TERMINAL_INFO as tt LEFT JOIN T_CAR as tc ON tt.tid = tc.tid"
" LEFT JOIN T_USER as tu ON tt.owner_mobile = tu.mobile"
" LEFT JOIN T_GROUP as tg ON tt.group_id = tg.id"
" LEFT JOIN T_CORP as tcorp ON tg.corp_id = tcorp.cid"
" WHERE tt.service_status=1 AND tt.group_id IN %s ") % (tuple(groups + DUMMY_IDS),)
if where_clause:
sql += ' AND ' + where_clause
businesses = self.db.query(sql)
for i, business in enumerate(businesses):
business['seq'] = i + 1
#business['sms_status'] = self.get_sms_status(business['tmobile'])
business['corp_name'] = ''
#NOTE: if login !=0(offline), set login as 1(online)
business['login'] = business['login'] if business['login']==0 else 1
#biz = QueryHelper.get_biz_by_mobile(business['tmobile'], self.db)
#business['biz_type'] = biz['biz_type'] if biz else 1
terminal = QueryHelper.get_terminal_info(business['tid'], self.db, self.redis)
business['pbat'] = terminal['pbat'] if terminal.get('pbat', None) is not None else 0
business['alias'] = business['cnum'] if business['cnum'] else business['tmobile']
for key in business:
if business[key] is None:
business[key] = ''
# keep data in redis
m = hashlib.md5()
m.update(self.request.body)
hash_ = m.hexdigest()
mem_key = self.get_memcache_key(hash_)
self.redis.setvalue(mem_key, businesses,
time=self.MEMCACHE_EXPIRY)
self.render('business/search.html',
status=ErrorCode.SUCCESS,
message='',
interval=interval,
businesses=businesses,
corplist=corplist,
hash_=hash_)
except Exception as e:
logging.exception("Search business failed. Exception: %s.",
e.args)
self.render('errors/error.html',
message=ErrorCode.ERROR_MESSAGE[ErrorCode.SEARCH_BUSINESS_FAILURE])
def post(self):
"""Check the parameters of login and check whether or not prevent it.
"""
login = self.get_argument('username', '')
password = self.get_argument('password', '')
captcha = self.get_argument('captcha', '')
# NOTE: Get captchahash from cookie
captchahash = self.get_secure_cookie("captchahash")
# must check username and password avoid sql injection.
if not login.isalnum():
self.render("login.html",
username="",
password="",
message_captcha=None,
message=ErrorCode.LOGIN_FAILED)
return
if not (check_sql_injection(login) and check_sql_injection(password)):
self.render("login.html",
username="",
password="",
message_captcha=None,
message=ErrorCode.LOGIN_FAILED)
return
# check the captcha(hash)
m = hashlib.md5()
m.update(captcha.lower())
hash_ = m.hexdigest()
if hash_.lower() != captchahash.lower():
self.render("login.html",
username=login,
password='',
message=None,
message_captcha=ErrorCode.WRONG_CAPTCHA)
return
# check username and password
r = self.db.get("SELECT id, name, type FROM T_ADMINISTRATOR"
" WHERE login = %s"
" AND password = password(%s)"
" AND valid = %s",
login, password, XXT.VALID.VALID)
if r:
self.__log(r.id)
self.bookkeep(dict(id=r.id,
session_id=uuid.uuid4().hex),
quote(safe_utf8(r.name)))
# update the privilege_area for current user.(through BaseMixin)
key = self.get_area_memcache_key(r.id)
areas = self.get_privilege_area(r.id)
self.redis.setvalue(key, areas)
self.clear_cookie('captchahash')
self.redirect(self.get_argument("next", "/"))
else:
self.render("login.html",
username=login,
password='',
message_captcha=None,
message=ErrorCode.LOGIN_FAILED)
def prepare_data(self, hash_):
mem_key = self.get_memcache_key(hash_)
data = self.redis.getvalue(mem_key)
if data:
return data
# defaulty, we consider parents to be selected
category = str(self.get_argument('category', XXT.USER_TYPE.PARENT))
city = int(self.get_argument('cities', 0))
terms = []
users = []
if int(city) == 0:
cities = [city.city_id for city in self.cities]
else:
cities = [city,]
select_clause = "SELECT T_XXT_USER.name AS pname,"\
+ " T_XXT_USER.optype AS poptype,"\
+ " T_XXT_USER.status AS jxq_status,"\
+ " T_XXT_USER.plan_id AS pplan,"\
+ " T_XXT_USER.timestamp AS ptimestamp,"\
+ " T_XXT_TARGET.mobile AS tmobile, T_XXT_TARGET.lbmp_status,"\
+ " T_XXT_TARGET.optype AS toptype,"\
+ " T_XXT_TARGET.name AS tname,"\
+ " T_XXT_TARGET.plan_id AS tplan,"\
+ " T_XXT_TARGET.timestamp AS ttimestamp,"\
+ " T_HLR_CITY.city_name AS city,"\
+ " T_XXT_GROUP.name AS group_name,"
USER_BIND_TARGET = " FROM T_XXT_USER LEFT JOIN T_XXT_TARGET"\
" ON (T_XXT_USER.mobile = T_XXT_TARGET.parent_mobile"\
" AND T_XXT_USER.service_id = T_XXT_TARGET.service_id),"
TARGET_BIND_USER = "******"\
" ON (T_XXT_USER.mobile = T_XXT_TARGET.parent_mobile"\
" AND T_XXT_USER.service_id = T_XXT_TARGET.service_id),"
from_table_clause = "T_HLR_CITY, T_XXT_GROUP"
where_clause = " WHERE T_XXT_GROUP.xxt_id in %s "
if int(self.type) == 1:
groups = self.db.query("SELECT txg.xxt_id as id"
" FROM T_XXT_GROUP AS txg,"
" T_ADMINISTRATOR AS ta"
" WHERE ta.login = txg.phonenum"
" AND ta.id = %s",
self.current_user.id)
else:
groups = self.db.query("SELECT DISTINCT xxt_id as id"
" FROM T_XXT_GROUP AS txg,"
" T_HLR_CITY AS thc"
" WHERE thc.city_id IN %s"
" AND txg.city_id = thc.region_code",
tuple(cities + DUMMY_IDS))
group_ids = [int(group.id) for group in groups]
groups = tuple(group_ids + DUMMY_IDS)
terms.append(where_clause)
if category == XXT.USER_TYPE.PARENT:
fields = DotDict(name="T_XXT_USER.name LIKE '%%%%%s%%%%' ",
mobile=" T_XXT_USER.mobile LIKE '%%%%%s%%%%' ")
for item in fields.iterkeys():
v = self.get_argument(item, None)
if v:
if not check_sql_injection(v):
return []
fields[item] = fields[item] % (v, )
else:
fields[item] = None
user_terms = [v for v in fields.itervalues() if v]
terms += user_terms
else:
fields = DotDict(name="T_XXT_TARGET.name LIKE '%%%%%s%%%%' ",
mobile=" T_XXT_TARGET.mobile LIKE '%%%%%s%%%%' ",
plan_id="T_XXT_TARGET.plan_id = %s ")
for item in fields.iterkeys():
v = self.get_argument(item, None)
if v:
if not check_sql_injection(v):
return []
fields[item] = fields[item] % (v,)
else:
fields[item] = None
child_terms = [v for v in fields.itervalues() if v]
terms += child_terms
USER_BIND_GROUP = " T_XXT_USER.group_id = T_XXT_GROUP.xxt_id "
TARGET_BIND_GROUP = " T_XXT_TARGET.group_id = T_XXT_GROUP.xxt_id "
GROUP_BIND_CITY = " T_XXT_GROUP.city_id = T_HLR_CITY.region_code"
terms.append(GROUP_BIND_CITY)
terms.append(USER_BIND_GROUP)
select_clause1 = select_clause + " T_XXT_USER.mobile AS pmobile"
sql1 = ''.join((select_clause1, USER_BIND_TARGET, from_table_clause, ' AND '.join(terms)))
terms.remove(USER_BIND_GROUP)
terms.append(TARGET_BIND_GROUP)
select_clause2 = select_clause + " T_XXT_TARGET.parent_mobile AS pmobile"
sql2 = ''.join((select_clause2, TARGET_BIND_USER, from_table_clause, ' AND '.join(terms)))
sql = sql1 + ' union ' + sql2
users = self.db.query(sql, groups, groups)
plans = self.db.query("SELECT xxt_id, name FROM T_XXT_PLAN")
d_plan = dict()
for plan in plans:
d_plan[plan.xxt_id] = plan.name
for i, user in enumerate(users):
user['id'] = i + 1
for key in user:
if key in ('pplan', 'tplan'):
user[key] = d_plan[user[key]] if user[key] else ''
else:
user[key] = user[key] if user[key] else ''
self.redis.setvalue(mem_key, users, time=self.MEMCACHE_EXPIRY)
return users
