def signup(): # handle incoming form if request.method == 'POST': # retrieve form data args = { 'firstname': request.form.get('firstname', type=str), 'lastname': request.form.get('lastname', type=str), 'username': request.form.get('username', type=str), 'password': request.form.get('password', type=str), 'password_confirm': request.form.get('password_confirm', type=str) } # check for valid data and no user conflicts if any(x == None for x in args.values()): flash('All fields are required', 'alert-danger') elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()): flash( 'Fields may not exceed {} characters'.format( Model.TEXT_MAX_LEN), 'alert-danger') elif (pw_complexity(args['password']) == False): flash( "Password needs 8 characters minimum, with at least 1 digit, 1 minuscule and 1 majuscule.", 'alert-danger') elif args['password'] != args['password_confirm']: flash("Passwords don't match", 'alert-danger') elif User.find(args['username']): flash('Username is already used', 'alert-danger') else: # create new account and redirect to login page User.insert(False, args['firstname'], args['lastname'], args['username'], hash_pw(args['password'])) flash('Account created successfully', 'alert-success') return redirect('/login') return render_template('signup.html', title='Create an account')
def change_password(): user = current_user() # handle incoming form if request.method == 'POST': # retrieve form data args = { 'newPassword': request.form.get('newPassword', type=str), 'repeatPassword': request.form.get('repeatPassword', type=str), 'currentPassword': request.form.get('currentPassword', type=str), } # check for valid data if any(x == None for x in args.values()): flash('All fields are required', 'alert-danger') elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()): flash( 'Fields may not exceed {} characters'.format( Model.TEXT_MAX_LEN), 'alert-danger') elif args['newPassword'] != args['repeatPassword']: flash("New passwords don't match", 'alert-danger') elif args['newPassword'] == args['currentPassword']: flash('New password is the same as the current one', 'alert-danger') elif not check_pw(args['currentPassword'], user.password): flash('Current password is incorrect', 'alert-danger') else: User.change_pass(user.username, args['newPassword']) flash('Password successfully changed', 'alert-success') return logout(False) return render_template('changePassword.html', title='Change password', user=user)
def user_add(): user = current_user() # handle incoming form if request.method == 'POST': # retrieve form data args = { 'firstname': request.form.get('firstname', type=str), 'lastname': request.form.get('lastname', type=str), 'username': request.form.get('username', type=str), 'password': request.form.get('password', type=str), 'password_confirm': request.form.get('password_confirm', type=str) } # check for valid data and no user conflicts if any(x == None for x in args.values()): flash('All fields are required', 'alert-danger') elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()): flash( 'Fields may not exceed {} characters'.format( Model.TEXT_MAX_LEN), 'alert-danger') elif args['password'] != args['password_confirm']: flash("Passwords don't match", 'alert-danger') elif User.find(args['username']): flash('Username is already used', 'alert-danger') else: # create new account and redirect to login page User.insert(False, args['firstname'], args['lastname'], args['username'], hash_pw(args['password'])) flash('Account created successfully', 'alert-success') return redirect('/admin') return render_template('user_add.html', title='Add new user', user=user)
def login(): form = LoginForm() if request.method == 'POST' and form.validate_on_submit(): user = db['users'].find_one({"username": form.username.data}) if user and User.validate_login(user['hash'], form.password.data): user_obj = User(user['username']) login_user(user_obj) flash("Login successful") return redirect(url_for('index')) flash("Wrong username or password") return render_template('login.html', form=form, title="Login")
def user_id(username): user = current_user() if len(username) > Model.TEXT_MAX_LEN: flash('Bad username', 'alert-danger') return redirect('/admin') otheruser = User.select(username) if not otheruser: flash("User doesn't exist", 'alert-danger') return redirect('/admin') # handle incoming form if request.method == 'POST': # retrieve form data args = { 'username': request.form.get('username', type=str), 'password': request.form.get('password', type=str), 'active': request.form.get('active', type=bool), 'admin': request.form.get('admin', type=bool), } # check if post username matches route if args['username'] != username: flash('Malformed request', 'alert-danger') return redirect('/admin') # prevent self corruption elif args['username'] == user.username: flash("Can't edit yourself !", 'alert-danger') return redirect('/admin') # create update dict update_dict = { 'active': True if args['active'] else False, 'admin': True if args['admin'] else False } if args['password']: update_dict['password'] = hash_pw(args['password']) # patch user User.update(args['username'], update_dict) Session.terminate_user(args['username']) flash('User successfully updated', 'alert-success') return redirect('/admin') return render_template('user_id.html', title="Manager user '{}'".format(username), user=user, otheruser=otheruser)
def compose(msg_title=None, msg_recipient=None): user = current_user() if request.method == 'POST': # retrieve form data args = { 'recipient': request.form.get('recipient', type=str), 'title': request.form.get('title', type=str), 'body': request.form.get('body', type=str), } # ensure fields are present and within database limits if any(x == None for x in args.values()): flash('All fields are required', 'alert-danger') elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()): flash( 'Fields may not exceed {} characters'.format( Model.TEXT_MAX_LEN), 'alert-danger') # check if recipient exists elif not User.find(args['recipient']): flash("Recipient doesn't exist", 'alert-danger') # create new message else: message = Message.insert(sender_name=user.username, recipient_name=args['recipient'], date=get_current_timestamp(), title=args['title'], body=args['body']) flash('Message successfully sent', 'alert-success') return render_template('compose.html', title='New message', user=user, msg_title=msg_title, msg_recipient=msg_recipient)
def admin(): user = current_user() return render_template('admin.html', title='Administration', user=user, users=User.all())
def decorated_function(*args, **kwargs): # What is GEN ? Baby don't duplicate me, don't duplicate me, oh no # check if session cookie is present cookie = request.cookies.get('auth') if not cookie: flash('You must log in first to access this page.', 'alert-danger') return redirect('/login') # check if a valid JWT came in the cookie payload = jwt_decode(cookie) if not payload: flash('You must log in first to access this page.', 'alert-danger') return redirect('/login') # check if the named session exists session = Session.select(payload['session']) if not session: flash('You must log in first to access this page.', 'alert-danger') return redirect('/login') # check if the session has expired if session.expiry <= dt.datetime.now(): flash('Session expired, please log in again.', 'alert-danger') Session.delete(session.id) return redirect('/login') # check if the named session exists user = User.select(session.username) if not user.admin: flash('This resource is currently unavailable.', 'alert-danger') return redirect('/inbox') return f(*args, **kwargs)
def user_delete(username): user = current_user() if len(username) > Model.TEXT_MAX_LEN: flash('Bad username', 'alert-danger') return redirect('/admin') otheruser = User.select(username) if not otheruser: flash("User doesn't exist", 'alert-danger') return redirect('/admin') if username == user.username: flash("Can't delete yourself !", 'alert-danger') return redirect('/admin') User.delete(username) flash('User successfully deleted', 'alert-success') return redirect('/admin')
def inbox(): user = current_user() senders = {} if user.messages: for msg in user.messages: senders[msg.sender_name] = '{}'.format(User.select( msg.sender_name)) return render_template('inbox.html', title='Inbox', user=user, senders=senders)
def login(): # handle incoming form if request.method == 'POST': # retrieve form data args = { 'username': request.form.get('username', type=str), 'password': request.form.get('password', type=str), } # get matching user user = User.select(args['username']) # check for valid data and no user conflicts if any(x == None for x in args.values()): flash('All fields are required', 'alert-danger') elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()): flash( 'Fields may not exceed {} characters'.format( Model.TEXT_MAX_LEN), 'alert-danger') elif not (user and check_pw(args['password'], user.password)): flash('Bad credentials', 'alert-danger') elif not user.active: flash('Account disabled, please contact an administrator', 'alert-danger') else: # generate new session expiry = get_current_timestamp() session_id = gen_rand_string() Session.insert(session_id=session_id, username=user.username, expiry=expiry, ip=request.remote_addr, user_agent=request.user_agent.string) # set cookie in response and redirect to inbox res = make_response(redirect('/inbox')) # TODO secure=True res.set_cookie( key='auth', value=jwt_encode({ 'session': session_id, 'exp': expiry }), expires=expiry, samesite='Strict', ) flash('Successfully logged in', 'alert-success') return res return render_template('login.html', title='Log in')
def message_id(message_id): user = current_user() if len(message_id) > Model.TEXT_MAX_LEN: flash('Bad message ID', 'alert-danger') return redirect('/inbox') message = Message.select(message_id) if not message: flash("Message doesn't exist", 'alert-danger') return redirect('/inbox') elif message.recipient_name != user.username: flash("Can't view messages from other users", 'alert-danger') return redirect('/inbox') sender = '{}'.format(User.select(message.sender_name)) return render_template('message_id.html', title=message.title, user=user, message=message, sender=sender)
def current_user(): # What is GEN ? Baby don't duplicate me, don't duplicate me, oh no # check if session cookie is present cookie = request.cookies.get('auth') if not cookie: return None # check if a valid JWT came in the cookie payload = jwt_decode(cookie) if not payload: return None # check if the named session exists session = Session.select(payload['session']) if not session: return None # check if the session has expired if session.expiry <= dt.datetime.now(): return None return User.from_session(get_current_jwt()['session'])
def load_user(username): u = db['users'].find_one({"username": username}) print(u) if not u: return None return User(u["username"])