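def remove_item_from_shop(request):
    """Remove an item from its shop on behalf of the logged-in user.

    POST field: ``item_id``. The caller is identified through the
    ``login_hash`` cookie. Shop owners always pass the authorization check;
    managers need ``permission_remove_item == 1``.

    Returns an ``HttpResponse`` whose body is ``'success'``, ``'fail'`` or
    ``'no permission to remove item'``. Non-POST requests get ``'fail'``.
    """
    if request.method != 'POST':
        return HttpResponse('fail')

    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('fail')  # missing or unknown login hash

    item_id = request.POST.get('item_id')
    item = ItemsLogic.get_item(item_id)
    if item is False:
        return HttpResponse('fail')

    if not UsersLogic.is_owner_of_shop(username, item.shop_name):
        if not UsersLogic.is_manager_of_shop(username, item.shop_name):
            return HttpResponse('fail')  # neither owner nor manager
        manager = UsersLogic.get_manager(username, item.shop_name)
        # '!=' instead of 'is not': identity comparison against an int literal
        # is a SyntaxWarning and only happens to work through CPython's
        # small-int cache. Presumably the stored flag is an int (the tests
        # build managers with ints) — a string '1' would still be denied here.
        if manager.permission_remove_item != 1:
            return HttpResponse('no permission to remove item')

    status = ItemsLogic.remove_item_from_shop(item_id, username)
    if status is False:
        return HttpResponse('fail')
    return HttpResponse('success')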
def setUp(self):
    """Reset the database and seed one owner, one shop and one full-rights manager."""
    init_database('db.sqlite3')
    for name in ('YoniYoni', 'StoreManager1'):
        register(RegisteredUser(name, '1234567878'))
    shop = Shop('My Shop', 'Active')
    ShopLogic.create_shop(shop, 'YoniYoni')
    # every one of the eight permission flags set to 1
    full_rights = StoreManager('StoreManager1', 'My Shop', *([1] * 8))
    UsersLogic.add_manager('YoniYoni', full_rights)
def test_add_login(self):
    """Logging a login for a registered user produces exactly one log entry."""
    name = "user1user1"
    UsersLogic.register(RegisteredUser(name, "13245678"))
    self.assertTrue(LoggerLogic.add_login_log(name))
    logs = Logger.get_all_login_logs()
    self.assertTrue(len(logs) == 1)
    self.assertEqual(logs[0].username, name)
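def add_discount_page(request):
    """Render the "add discount" page of a shop.

    GET parameter: ``shop_name``. The caller is identified through the
    ``login_hash`` cookie; ``guest_hash`` is only forwarded to the nav bar.
    Shop owners always pass; managers need ``discount_permission == 1``.

    Returns the rendered ``shop_add_discount.html`` or an ``HttpResponse``
    carrying ``error_login_owner``, ``'fail'``,
    ``'no permission to add discount'`` or, for non-GET requests,
    ``not_get_request``.
    """
    if request.method != 'GET':
        return HttpResponse(not_get_request)

    shop_name = request.GET.get('shop_name')
    login = request.COOKIES.get('login_hash')
    guest = request.COOKIES.get('guest_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse(error_login_owner)

    if not UsersLogic.is_owner_of_shop(username, shop_name):
        if not UsersLogic.is_manager_of_shop(username, shop_name):
            return HttpResponse('fail')  # neither owner nor manager
        manager = UsersLogic.get_manager(username, shop_name)
        # '!=' instead of 'is not': identity comparison against an int literal
        # is a SyntaxWarning and only works through CPython's small-int cache.
        if manager.discount_permission != 1:
            return HttpResponse('no permission to add discount')

    every_html = {
        'top_bar': Topbar_Navbar.get_top_bar(login),
        'nav_bar': Topbar_Navbar.get_nav_bar(login, guest),
    }
    return render(request, 'shop_add_discount.html', context={
        'every_html': every_html,
        'shop_name': shop_name,
    })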
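def edit_password(request):
    """Change the password of the logged-in user.

    POST fields: ``current_password``, ``new_password``. The caller is
    identified through the ``login_hash`` cookie and must re-authenticate
    with ``current_password`` before the change is applied.

    Returns the result of ``UsersLogic.edit_password`` on success,
    ``LoggerLogic.MESSAGE_SQL_INJECTION`` when either field looks like an
    injection attempt, or ``'FAILED: You are not logged in.'`` otherwise.
    """
    if request.method != 'POST':
        return HttpResponse('FAILED: You are not logged in.')

    current_password = request.POST.get('current_password')
    new_password = request.POST.get('new_password')
    event = "EDIT PASSWORD"
    # Every field is checked (so each one is logged) and the verdicts are
    # OR-ed: previously the second check overwrote the first, so a suspicious
    # current_password was masked by a clean new_password.
    verdicts = [LoggerLogic.identify_sql_injection(value, event)
                for value in (current_password, new_password)]
    if any(verdicts):
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('FAILED: You are not logged in.')

    # UsersLogic.login() returns a status string (the login view slices
    # 'SUCCESS' off it), so a bare truthiness test would also accept a
    # 'FAILED: ...' message and let the password be changed unverified.
    # A boolean True is accepted too in case the logic layer ever returns one.
    result = UsersLogic.login(RegisteredUser(username, current_password))
    authenticated = result is True or (
        isinstance(result, str) and result.startswith('SUCCESS'))
    if not authenticated:
        return HttpResponse('FAILED: You are not logged in.')

    return HttpResponse(
        UsersLogic.edit_password(RegisteredUser(username, new_password)))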
def get_system_users(request):
    """Render the system-manager page listing every registered user.

    The caller is identified through the ``login_hash`` cookie and must be a
    system manager; each user row shows how many shops they own and manage.
    Anything else answers ``"You don't have the privilege to be here"``.
    """
    if request.method == 'GET':
        login = request.COOKIES.get('login_hash')
        username = None if login is None else Consumer.loggedInUsers.get(login)
        if username is not None and UsersLogic.is_system_manager(username):
            rows = []
            for user in UsersLogic.get_all_users():
                owned = len(UsersLogic.get_owned_shops(user.username))
                managed = len(UsersLogic.get_managed_shops(user.username))
                rows.append(loader.render_to_string(
                    'components/user.html',
                    context={
                        'username': user.username,
                        'shop_own_count': owned,
                        'shop_manage_count': managed,
                    }))
            context = {
                'topbar': Topbar_Navbar.get_top_bar(login),
                'navbar': Topbar_Navbar.get_nav_bar(login, None),
                'users': "".join(rows),
            }
            return render(request, 'system-users.html', context=context)
    return HttpResponse("You don't have the privilege to be here")
def get_account(request):
    """Render the account page of the logged-in user.

    The login hash is taken from the ``login_hash`` cookie, falling back to
    the ``login_hash`` query parameter. System managers get the system
    section unhidden and placeholder details; everyone else gets their stored
    state/age/sex. Unknown or missing sessions answer
    ``'You are not logged in!'``.
    """
    if request.method == 'GET':
        login = request.COOKIES.get('login_hash')
        if login is None:
            # NOTE(review): a session token in the query string ends up in
            # server logs, browser history and Referer headers; cookie-only
            # would be preferable — confirm which callers rely on this.
            login = request.GET.get('login_hash')
        username = None if login is None else Consumer.loggedInUsers.get(login)
        if username is not None:
            if UsersLogic.is_system_manager(username):
                system_hidden = ""
                details = {'state': "AFG", 'age': "AFG", 'sex': "AFG"}
            else:
                system_hidden = "hidden"
                details = UsersLogic.get_user_details(username)
            context = {
                'topbar': Topbar_Navbar.get_top_bar(login),
                'navbar': Topbar_Navbar.get_nav_bar(login, None),
                'system_hidden': system_hidden,
                'state': details.get('state'),
                'age': details.get('age'),
                'sex': details.get('sex'),
            }
            return render(request, 'customer-account.html', context=context)
    return HttpResponse('You are not logged in!')
def test_add_manager(self):
    """The shop owner can appoint a registered user as manager."""
    ShopLogic.create_shop(SHOP, USERNAME)
    UsersLogic.register(OTHER_USER)
    manager = StoreManager(OTHER_USERNAME, SHOP_NAME, *PERMISSIONS[:8])
    self.assertTrue(UsersLogic.add_manager(USERNAME, manager))
def test_modify_notifications(self):
    """Toggling notifications is reflected in the owner's should_notify flag."""
    ShopLogic.create_shop(SHOP, USERNAME)
    for flag in (0, 1):
        UsersLogic.modify_notifications(USERNAME, flag, SHOP.name)
        owner = Owners.get_owner(USERNAME, SHOP_NAME)
        self.assertEqual(flag, owner.should_notify)
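def get_messages(request):
    """Render the messages page (received or sent box) of the logged-in user.

    GET parameter ``content`` selects the box: ``'received'`` or ``'sent'``;
    any other value renders an empty list with neither tab active. System
    managers see the system mailbox, everyone else their own. The caller is
    identified through the ``login_hash`` cookie.

    Returns the rendered ``messages.html`` or
    ``HttpResponse('You are not logged in!')``.
    """
    if request.method != 'GET':
        return HttpResponse('You are not logged in!')

    login = request.COOKIES.get('login_hash')
    content = request.GET.get('content')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('You are not logged in!')

    # Both tab markers start empty: previously an unknown ``content`` value
    # left them unassigned and the context build raised UnboundLocalError.
    received_on = sent_on = ""
    messages = []
    if content == 'received':
        if UsersLogic.is_system_manager(username):
            messages = MessagingLogic.get_received_system_messages()
        else:
            messages = MessagingLogic.get_all_messages(username)
        received_on = "class=active"
    elif content == 'sent':
        if UsersLogic.is_system_manager(username):
            messages = MessagingLogic.get_sent_system_messages()
        else:
            messages = MessagingLogic.get_all_sent_messages(username)
        sent_on = "class=active"

    # One rendering loop for both boxes (the two copies were identical).
    messages_html = "".join(
        loader.render_to_string(
            'components/Message.html',
            context={
                'id': message.message_id,
                'from': message.from_username,
                'to': message.to_username,
                'content': message.content,
            })
        for message in messages)

    context = {
        'topbar': Topbar_Navbar.get_top_bar(login),
        'navbar': Topbar_Navbar.get_nav_bar(login, None),
        'messages': messages_html,
        'received_on': received_on,
        'sent_on': sent_on,
    }
    return render(request, 'messages.html', context=context)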
def test_send_message_and_get_messages_of_users(self):
    """Each user's inbox holds the message the other one sent."""
    alice, bob = 'TomerTomer', 'ShaharShahar'
    for name in (alice, bob):
        UsersLogic.register(RegisteredUser(name, '1234567878'))
    MessagingLogic.send_message(Message(1, alice, bob, 'Hello 1'))
    MessagingLogic.send_message(Message(2, bob, alice, 'Hello 2'))
    inbox_alice = MessagingLogic.get_all_messages(alice)
    inbox_bob = MessagingLogic.get_all_messages(bob)
    self.assertTrue(inbox_alice[0].content == 'Hello 2')
    self.assertTrue(inbox_bob[0].content == 'Hello 1')
def test_torture1(self):
    """Register several users, add a system manager, then remove one user."""
    credentials = [
        ('user1user1', 'asdas12da'),
        ('user2user2', 'cse12fdsf'),
        ('user3user3', '12312124'),
        ('user4user4', '1344321324'),
        ('user5user5', '1c24c143c1'),
    ]
    for name, password in credentials:
        self.assertTrue(UsersLogic.register(RegisteredUser(name, password)))

    # Adding System Managers
    self.assertTrue(UsersLogic.add_system_manager(
        SystemManager('sys1sys1', 'POWER123')))
    self.assertTrue(UsersLogic.edit_password(
        RegisteredUser('user5user5', '12312456')))

    # The system manager removes user5; the lookup must then fail.
    removed = RegisteredUsers.get_user('user5user5')
    UsersLogic.remove_user('sys1sys1', removed)
    self.assertFalse(RegisteredUsers.get_user('user5user5'))
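def edit_shop_item(request):
    """Update the editable fields of a shop item.

    POST fields: ``item_id`` plus ``item_quantity``, ``item_category``,
    ``item_keywords``, ``item_price`` and ``item_url``. The caller is
    identified through the ``login_hash`` cookie. Shop owners always pass the
    authorization check; managers need ``permission_edit_item == 1``. Each
    field is written through ``ItemsLogic.edit_shop_item`` in turn and the
    first failure aborts with ``'fail'`` (earlier fields stay written).

    Returns ``'success'``, ``'fail'``, ``'no permission to edit item'`` or
    ``LoggerLogic.MESSAGE_SQL_INJECTION``.
    """
    if request.method != 'POST':
        return HttpResponse('fail')

    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('fail')

    item_id = request.POST.get('item_id')
    fields = ['quantity', 'category', 'keywords', 'price', 'url']
    new_values = [
        request.POST.get('item_quantity'),
        request.POST.get('item_category'),
        request.POST.get('item_keywords'),
        request.POST.get('item_price'),
        request.POST.get('item_url'),
    ]
    event = "EDIT ITEM"
    # Every value is checked (so every hit is logged) before any verdict is
    # acted on; the message constant is read from LoggerLogic like the other
    # views in this module do.
    verdicts = [LoggerLogic.identify_sql_injection(value, event)
                for value in new_values]
    if any(verdicts):
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

    item = ItemsLogic.get_item(item_id)
    if item is False:
        return HttpResponse('fail')

    if not UsersLogic.is_owner_of_shop(username, item.shop_name):
        if not UsersLogic.is_manager_of_shop(username, item.shop_name):
            return HttpResponse('fail')  # neither owner nor manager
        manager = UsersLogic.get_manager(username, item.shop_name)
        # '!=' instead of 'is not': identity comparison against an int literal
        # is a SyntaxWarning and only works through CPython's small-int cache.
        if manager.permission_edit_item != 1:
            return HttpResponse('no permission to edit item')

    for field, value in zip(fields, new_values):
        status = ItemsLogic.edit_shop_item(username, item_id, field, value)
        if status is False:
            return HttpResponse('fail')
    return HttpResponse('success')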
def test_add_invisible_discount_bad(self):
    """An invisible discount with a negative percentage is rejected."""
    owner, manager_name = 'YoniYoni', 'StoreManager1'
    for name in (owner, manager_name):
        register(RegisteredUser(name, '1234567878'))
    shop = Shop('My Shop', 'Active')
    ShopLogic.create_shop(shop, owner)
    UsersLogic.add_manager(
        owner, StoreManager(manager_name, 'My Shop', *([1] * 8)))
    milk = Item(1, 'My Shop', 'milk', 'diary', 'good', 12, 100, 'regular',
                None, 0, 0, 0)
    ItemsLogic.add_item_to_shop(milk, manager_name)
    bad_discount = InvisibleDiscount('ABCDEFGHIJKLMNO', milk.id, shop.name,
                                     -1, '2018-12-01', '2019-12-01')
    self.assertFalse(add_invisible_discount(bad_discount, owner))
def test_bad_no_get_all_premss_send_message_and_get_messages_of_shops(self):
    """A manager without the get-all-messages permission reads no shop messages."""
    owners = ('TomerTomer1', 'TomerTomer2')
    shop_names = ('My Shop1', 'My Shop2')
    for owner, shop_name in zip(owners, shop_names):
        register(RegisteredUser(owner, '1234567878'))
        ShopLogic.create_shop(Shop(shop_name, 'Active'), owner)
    # Each owner manages the other's shop; only the fifth flag
    # (get-all-messages) is cleared.
    cross_rights = (1, 1, 1, 1, 0, 1, 1, 1)
    UsersLogic.add_manager(
        'TomerTomer1', StoreManager('TomerTomer2', 'My Shop1', *cross_rights))
    UsersLogic.add_manager(
        'TomerTomer2', StoreManager('TomerTomer1', 'My Shop2', *cross_rights))
    MessagingLogic.send_message_from_shop(
        'TomerTomer2', Message(1, 'My Shop1', 'My Shop2', 'Hello 1'))
    MessagingLogic.send_message_from_shop(
        'TomerTomer1', Message(2, 'My Shop2', 'My Shop1', 'Hello 2'))
    self.assertFalse(
        MessagingLogic.get_all_shop_messages('TomerTomer2', 'My Shop1'))
    self.assertFalse(
        MessagingLogic.get_all_shop_messages('TomerTomer1', 'My Shop2'))
def test_bad_no_permssion_send_message_and_get_messages_of_shops(self):
    """A manager without the reply permission cannot send on behalf of a shop."""
    owners = ('TomerTomer1', 'TomerTomer2')
    shop_names = ('My Shop1', 'My Shop2')
    for owner, shop_name in zip(owners, shop_names):
        register(RegisteredUser(owner, '1234567878'))
        ShopLogic.create_shop(Shop(shop_name, 'Active'), owner)
    # Each owner manages the other's shop; only the fourth flag (reply) is cleared.
    cross_rights = (1, 1, 1, 0, 1, 1, 1, 1)
    UsersLogic.add_manager(
        'TomerTomer1', StoreManager('TomerTomer2', 'My Shop1', *cross_rights))
    UsersLogic.add_manager(
        'TomerTomer2', StoreManager('TomerTomer1', 'My Shop2', *cross_rights))
    denied = "FAILED: You don't have the permissions"
    self.assertEqual(
        MessagingLogic.send_message_from_shop(
            'TomerTomer2', Message(1, 'My Shop1', 'My Shop2', 'Hello 1')),
        denied)
    self.assertEqual(
        MessagingLogic.send_message_from_shop(
            'TomerTomer1', Message(2, 'My Shop2', 'My Shop1', 'Hello 2')),
        denied)
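def get_system_shops(request):
    """Render the system-manager page listing every shop with its status.

    The caller is identified through the ``login_hash`` cookie and must be a
    system manager. Anything else answers
    ``"You don't have the privilege to be here"``.
    """
    if request.method == 'GET':
        login = request.COOKIES.get('login_hash')
        username = Consumer.loggedInUsers.get(login) if login is not None else None
        if username is not None and UsersLogic.is_system_manager(username):
            # (the unused ``orders_html`` accumulator was dropped)
            shops_html = "".join(
                loader.render_to_string(
                    'components/shop.html',
                    context={'shop_name': shop.name, 'status': shop.status})
                for shop in ShopLogic.get_all_shops())
            context = {
                'topbar': Topbar_Navbar.get_top_bar(login),
                'navbar': Topbar_Navbar.get_nav_bar(login, None),
                'shops': shops_html,
            }
            return render(request, 'system-shops.html', context=context)
    return HttpResponse("You don't have the privilege to be here")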
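def login(request):
    """Authenticate a user and open a session.

    POST fields: ``username``, ``password``. On success a fresh random access
    token is registered in ``Consumer.loggedInUsers`` (token -> username) and
    ``Consumer.loggedInUsersShoppingCart`` (token -> cart) and returned as the
    response body; the client sends it back as the ``login_hash`` cookie. On
    failure the status string of ``UsersLogic.login`` is returned; suspected
    SQL injection in either field returns ``LoggerLogic.MESSAGE_SQL_INJECTION``.

    The token used to be ``md5(username)``: deterministic and derived from a
    public value, so anyone who knew a username could reconstruct a valid
    session cookie for it. It is now unguessable and unrelated to the user,
    which also means each successful login creates its own session entry.
    """
    import secrets  # stdlib; the module's import block is outside this view

    if request.method == 'POST':
        username = request.POST.get('username')
        password = request.POST.get('password')
        event = "LOGIN"
        # Both fields are checked (and thus logged) before acting on a verdict.
        verdicts = [LoggerLogic.identify_sql_injection(value, event)
                    for value in (username, password)]
        if any(verdicts):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        result = UsersLogic.login(RegisteredUser(username, password))
        if result[:7] != 'SUCCESS':
            return HttpResponse(result)

        access_token = secrets.token_hex(16)
        Consumer.loggedInUsers[access_token] = username
        Consumer.loggedInUsersShoppingCart[access_token] = (
            ShoppingLogic.get_cart_items(username))
        return HttpResponse(access_token)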
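def test_add_manager_bad_username(self):
    """Appointing a manager for a user that was never registered is refused.

    The shop is not created and OTHER_USERNAME is not registered here on
    purpose; add_manager must then answer something other than 'SUCCESS'.
    """
    # The original built the same StoreManager twice and discarded the first.
    manager = StoreManager(OTHER_USERNAME, SHOP_NAME, *PERMISSIONS[:8])
    is_added = UsersLogic.add_manager(USERNAME, manager)
    self.assertNotEqual(is_added, 'SUCCESS')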
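def update_permissions(request):
    """Update the permission flags of a shop manager.

    POST fields: ``shop_name``, ``target_id`` (the manager's username) and
    the eight ``*_permission`` flags, which are passed to ``StoreManager``
    exactly as received (request strings, not ints — presumably the logic
    layer normalises them; confirm). The caller is identified through the
    ``login_hash`` cookie; ``UsersLogic.update_permissions`` decides whether
    that caller may change this manager.

    Returns ``'success'``, ``'fail'`` or ``LoggerLogic.MESSAGE_SQL_INJECTION``.
    """
    if request.method != 'POST':
        return HttpResponse('fail')

    shop_name = request.POST.get('shop_name')
    target_id = request.POST.get('target_id')
    event = "UPDATE PERMISSIONS"
    # Both fields are checked (and thus logged) before acting on a verdict.
    verdicts = [LoggerLogic.identify_sql_injection(value, event)
                for value in (shop_name, target_id)]
    if any(verdicts):
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        # Previously an unknown login hash reached the logic layer with
        # username=None; reject it here like a missing cookie.
        return HttpResponse('fail')

    store_manager = StoreManager(
        target_id, shop_name,
        request.POST.get('add_item_permission'),
        request.POST.get('remove_item_permission'),
        request.POST.get('edit_item_permission'),
        request.POST.get('reply_message_permission'),
        request.POST.get('get_all_message_permission'),
        request.POST.get('get_purchase_history_permission'),
        request.POST.get('get_discount_permission'),
        request.POST.get('set_policy_permission'))
    if UsersLogic.update_permissions(username, store_manager):
        return HttpResponse('success')
    return HttpResponse('fail')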
def get_system_log(request):
    """Render the system-manager event-log page.

    The caller is identified through the ``login_hash`` cookie and must be a
    system manager. Anything else answers
    ``"You don't have the privilege to be here"``.
    """
    if request.method == 'GET':
        login = request.COOKIES.get('login_hash')
        username = None if login is None else Consumer.loggedInUsers.get(login)
        if username is not None and UsersLogic.is_system_manager(username):
            rendered_rows = [
                loader.render_to_string(
                    'components/log_table_event.html',
                    context={
                        'username': log_item.username,
                        'time': log_item.time,
                        'event': log_item.event,
                    })
                for log_item in LoggerLogic.get_all_event_logs()
            ]
            logs_html = "".join(rendered_rows)
            # NOTE(review): logs_html is rendered but never placed in the
            # context, so the template receives no log rows (compare the
            # 'users'/'shops' keys in the sibling system pages). Kept as is
            # here; the template's variable name is needed to wire it up.
            context = {
                'topbar': Topbar_Navbar.get_top_bar(login),
                'navbar': Topbar_Navbar.get_nav_bar(login, None),
            }
            return render(request, 'system-logger.html', context=context)
    return HttpResponse("You don't have the privilege to be here")
def add_manager(request):
    """Appoint a shop manager with the permission flags given in the form.

    POST fields: ``shop_name``, ``target_id`` (the new manager's username)
    and the eight ``*_permission`` flags, forwarded to ``StoreManager`` as
    received. The caller is identified through the ``login_hash`` cookie.

    Returns the result of ``UsersLogic.add_manager``,
    ``LoggerLogic.MESSAGE_SQL_INJECTION`` when a field looks like an
    injection attempt, or ``'FAILED: You are not logged in'``.
    """
    if request.method == 'POST':
        shop_name = request.POST.get('shop_name')
        target_id = request.POST.get('target_id')
        event = "ADD MANAGER"
        # Each field is checked on its own so both get logged.
        shop_suspect = LoggerLogic.identify_sql_injection(shop_name, event)
        target_suspect = LoggerLogic.identify_sql_injection(target_id, event)
        if shop_suspect or target_suspect:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is not None:
            username = Consumer.loggedInUsers.get(login)
            flag_fields = (
                'add_item_permission',
                'remove_item_permission',
                'edit_item_permission',
                'reply_message_permission',
                'get_all_message_permission',
                'get_purchase_history_permission',
                'get_discount_permission',
                'set_policy_permission',
            )
            flags = [request.POST.get(field) for field in flag_fields]
            store_manager = StoreManager(target_id, shop_name, *flags)
            if username is not None:
                return HttpResponse(
                    UsersLogic.add_manager(username, store_manager))
    return HttpResponse('FAILED: You are not logged in')
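def register(request):
    """Register a new user together with their profile details.

    POST fields: ``username``, ``password``, ``state``, ``age``, ``sex``.

    Returns the result of ``UsersLogic.register_with_user_detail`` or
    ``LoggerLogic.MESSAGE_SQL_INJECTION`` when any field looks like an
    injection attempt.
    """
    if request.method == 'POST':
        username = request.POST.get('username')
        password = request.POST.get('password')
        state = request.POST.get('state')
        age = request.POST.get('age')
        sex = request.POST.get('sex')
        event = "REGISTER"
        # Every field is checked (so every hit is logged) and the verdicts are
        # OR-ed: previously each check overwrote the previous one, so only a
        # suspicious ``sex`` value was ever rejected.
        verdicts = [LoggerLogic.identify_sql_injection(value, event)
                    for value in (username, password, state, age, sex)]
        if any(verdicts):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
        return HttpResponse(
            UsersLogic.register_with_user_detail(
                RegisteredUser(username, password), state, age, sex))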
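def update_details(request):
    """Update the profile details (state, age, sex) of the logged-in user.

    POST fields: ``state``, ``age``, ``sex``. The caller is identified
    through the ``login_hash`` cookie.

    Returns the result of ``UsersLogic.update_details``,
    ``LoggerLogic.MESSAGE_SQL_INJECTION`` when a field looks like an
    injection attempt, or ``'FAILED: You are not logged in.'``.
    """
    if request.method != 'POST':
        return HttpResponse('FAILED: You are not logged in.')

    state = request.POST.get('state')
    age = request.POST.get('age')
    sex = request.POST.get('sex')
    event = "UPDATE USER DETAILS"
    # Every field is checked (and thus logged) before acting on a verdict.
    verdicts = [LoggerLogic.identify_sql_injection(value, event)
                for value in (state, age, sex)]
    if any(verdicts):
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        # Previously an unknown login hash reached the logic layer with
        # username=None; treat it like a missing cookie.
        return HttpResponse('FAILED: You are not logged in.')
    return HttpResponse(UsersLogic.update_details(username, state, age, sex))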
def test_get_visible_discount_bad_item(self):
    """Looking up a discount for an item that has none returns a falsy value."""
    owner, manager_name = 'YoniYoni', 'StoreManager1'
    for name in (owner, manager_name):
        register(RegisteredUser(name, '1234567878'))
    shop = Shop('My Shop', 'Active')
    ShopLogic.create_shop(shop, owner)
    UsersLogic.add_manager(
        owner, StoreManager(manager_name, 'My Shop', *([1] * 8)))
    discounted = Item(1, 'My Shop', 'milk', 'diary', 'good', 12, 100,
                      'regular', None, 0, 0, 0)
    other = Item(2, 'My Shop', 'milk1', 'diary1', 'good', 12, 100,
                 'regular', None, 0, 0, 0)
    # only the first item is added to the shop
    ItemsLogic.add_item_to_shop(discounted, manager_name)
    disc = VisibleDiscount(discounted.id, shop.name, 50,
                           '2018-12-01', '2019-12-01')
    self.assertTrue(add_visible_discount(disc, owner))
    self.assertFalse(get_visible_discount(other.id, shop.name))
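def re_open_shop(request):
    """Re-open a closed shop on behalf of the logged-in user.

    POST field: ``shop_name``. The caller is identified through the
    ``login_hash`` cookie; ``UsersLogic.re_open_shop`` decides whether that
    user may re-open the shop.

    Returns ``'success'`` or ``'fail'``.
    """
    if request.method != 'POST':
        return HttpResponse('fail')

    shop_name = request.POST.get('shop_name')
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        # Previously an unknown login hash reached the logic layer with
        # username=None; reject it here like a missing cookie.
        return HttpResponse('fail')
    if UsersLogic.re_open_shop(username, shop_name):
        return HttpResponse('success')
    return HttpResponse('fail')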
def test_get_visible_discount(self):
    """A stored visible discount is read back with the same item, shop and percentage."""
    owner, manager_name = 'YoniYoni', 'StoreManager1'
    for name in (owner, manager_name):
        register(RegisteredUser(name, '1234567878'))
    shop = Shop('My Shop', 'Active')
    ShopLogic.create_shop(shop, owner)
    UsersLogic.add_manager(
        owner, StoreManager(manager_name, 'My Shop', *([1] * 8)))
    milk = Item(1, 'My Shop', 'milk', 'diary', 'good', 12, 100, 'regular',
                None, 0, 0, 0)
    ItemsLogic.add_item_to_shop(milk, manager_name)
    disc = VisibleDiscount(milk.id, shop.name, 50, '2018-12-01', '2019-12-01')
    self.assertTrue(add_visible_discount(disc, owner))
    stored = get_visible_discount(milk.id, shop.name)
    for attribute in ('item_id', 'shop_name', 'percentage'):
        self.assertEqual(getattr(stored, attribute), getattr(disc, attribute))
def login_gap(request):
    """Answer the number of open sessions to a system manager.

    The caller is identified through the ``login_hash`` cookie and must be a
    system manager; the body is ``len(Consumer.loggedInUsers)``. Anything
    else answers ``"You don't have the privilege to be here"``.
    """
    if request.method == 'GET':
        login = request.COOKIES.get('login_hash')
        username = None if login is None else Consumer.loggedInUsers.get(login)
        if username is not None and UsersLogic.is_system_manager(username):
            session_count = len(Consumer.loggedInUsers)
            return HttpResponse(session_count)
    return HttpResponse("You don't have the privilege to be here")
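def watch_purchase_history(request):
    """Render a shop's purchase history for its owner or an authorised manager.

    GET parameter: ``shop_name``. The caller is identified through the
    ``login_hash`` cookie; ``guest_hash`` is only forwarded to the nav bar.
    Shop owners always pass; managers need
    ``permission_get_purchased_history == 1``.

    Returns the rendered ``shop_view_purchase_history.html`` or an
    ``HttpResponse`` carrying ``error_login_owner``, ``'fail'``,
    ``'no permission to watch purchase history'`` or, for non-GET requests,
    ``not_get_request``.
    """
    if request.method != 'GET':
        return HttpResponse(not_get_request)

    shop_name = request.GET.get('shop_name')
    login = request.COOKIES.get('login_hash')
    guest = request.COOKIES.get('guest_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse(error_login_owner)

    if not UsersLogic.is_owner_of_shop(username, shop_name):
        if not UsersLogic.is_manager_of_shop(username, shop_name):
            return HttpResponse('fail')  # neither owner nor manager
        manager = UsersLogic.get_manager(username, shop_name)
        # '!=' instead of 'is not': identity comparison against an int literal
        # is a SyntaxWarning and only works through CPython's small-int cache.
        if manager.permission_get_purchased_history != 1:
            return HttpResponse('no permission to watch purchase history')

    every_html = {
        'top_bar': Topbar_Navbar.get_top_bar(login),
        'nav_bar': Topbar_Navbar.get_nav_bar(login, guest),
    }
    shop_items = ShopLogic.get_shop_purchase_history(username, shop_name)
    string_items = "".join(
        loader.render_to_string(
            'components/purchase_item_owner.html',
            {
                'purchase_id': item.purchase_id,
                'item_id': item.item_id,
                'quantity': item.quantity,
                'price': item.price,
            })
        for item in shop_items)
    return render(request, 'shop_view_purchase_history.html', context={
        'every_html': every_html,
        'items': string_items,
        'shop_name': shop_name,
    })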
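def modify_notifications(request):
    """Turn shop notifications on or off for the logged-in owner.

    POST fields: ``modify_notifications`` (the new flag, passed through as
    received) and ``shop_name``. The caller is identified through the
    ``login_hash`` cookie; ``UsersLogic.modify_notifications`` decides
    whether that user may change the shop's setting.

    Returns ``'success'`` or ``'fail'``.
    """
    if request.method != 'POST':
        return HttpResponse('fail')

    should_notify = request.POST.get('modify_notifications')
    shop_name = request.POST.get('shop_name')
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        # Previously an unknown login hash reached the logic layer with
        # username=None; reject it here like a missing cookie.
        return HttpResponse('fail')
    if UsersLogic.modify_notifications(username, should_notify, shop_name):
        return HttpResponse('success')
    return HttpResponse('fail')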