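def add():
    """Create a board from the posted form; admin-only and CSRF-protected.

    Reads the board fields from ``request.form`` and the one-shot CSRF
    token from the ``token`` query parameter.  The token is consumed once
    the board exists so it cannot be replayed.

    Returns:
        A redirect to the board index.

    Raises:
        403 (via ``abort``) when nobody is logged in, the caller is not the
        admin account (``u.id == 1``), or the token is missing, unknown or
        was issued to another user.
    """
    form = request.form
    # NOTE(review): the token travels in the query string, so it ends up in
    # server/proxy logs and Referer headers; the form body would be safer.
    token = request.args.get('token')
    u = current_user()
    # An anonymous request used to crash on ``u.id`` (500) instead of being
    # refused; fail closed like the other handlers in this file.
    if u is None:
        abort(403)
    # Verify both the caller (admin is the hard-coded id 1 here, whereas the
    # board delete handler keys on ``u.role`` — confirm which is canonical)
    # and that the token was issued to this user.
    if u.id != 1 or token not in csrf_tokens or csrf_tokens[token] != u.id:
        abort(403)
    Board.new(form)
    csrf_tokens.pop(token)
    return redirect(url_for('.index'))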
def delete(bid, token):
    """Remove board *bid*; admin-only (``role == 1``) and CSRF-protected.

    *token* must be a one-shot token issued to the current user; it is
    consumed before the board is removed.  Every failed check ends in 403.

    Returns:
        A redirect to the board index.
    """
    user = current_user()
    authorised = (
        user is not None
        and user.role == 1
        and csrf_tokens.get(token) == user.id
    )
    if not authorised:
        abort(403)
    # Single-use token: spend it before acting.
    csrf_tokens.pop(token)
    Board.find(bid).remove()
    return redirect(url_for('.index'))
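def add():
    """Create a topic from the posted form on behalf of the current user.

    The one-shot CSRF token comes from the ``token`` query parameter and
    must have been issued to the logged-in user; it is consumed once the
    topic exists.

    Returns:
        A redirect to the new topic's detail page.

    Raises:
        403 (via ``abort``) when nobody is logged in or the token is
        missing, unknown or belongs to another user.
    """
    form = request.form
    u = current_user()
    # Previously an anonymous request crashed on ``u.id`` (500); refuse it.
    if u is None:
        abort(403)
    token = request.args.get('token')
    if token not in csrf_tokens or csrf_tokens[token] != u.id:
        abort(403)
    t = Topic.new(form, user_id=u.id)
    csrf_tokens.pop(token)
    return redirect(url_for('topic.detail', id=t.id))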
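def delete():
    """Delete a topic and all of its replies (query-string form).

    The topic id and the one-shot CSRF token are read from the query
    string (``id`` and ``token``).  Only the admin account (``u.id == 1``)
    or the topic's creator may delete it, and the token must have been
    issued to that user.

    Returns:
        A redirect to the site index.

    Raises:
        400 when ``id`` is missing or not an integer, 403 when nobody is
        logged in, the caller may not delete this topic, or the token check
        fails, 404 when no topic has that id.
    """
    raw_id = request.args.get('id')
    try:
        topic_id = int(raw_id)
    except (TypeError, ValueError):
        # A missing or non-numeric id used to surface as a 500.
        abort(400)
    token = request.args.get('token')
    u = current_user()
    if u is None:
        abort(403)
    topic = Topic.find(topic_id)
    if topic is None:
        # Assumes Topic.find returns None for unknown ids — TODO confirm.
        abort(404)
    # Only the admin or the topic's creator has permission.
    if u.id != 1 and u.id != topic.user_id:
        abort(403)
    # Verify the token belongs to this user before the destructive step.
    if token not in csrf_tokens or csrf_tokens[token] != u.id:
        abort(403)
    Topic.delete(topic_id)
    Reply.delete_all(dict(topic_id=topic_id))
    csrf_tokens.pop(token)
    return redirect(url_for('index.index'))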
def delete(tid, token):
    """Remove topic *tid* if the caller owns it or is an admin.

    *token* must be a one-shot token issued to the current user; it is
    spent before the ownership check, so a refused attempt needs a new one.

    Returns:
        A redirect to the topic index.

    Raises:
        403 (via ``abort``) when nobody is logged in, the token is not the
        caller's, or the caller is neither the owner nor ``role == 1``.
    """
    user = current_user()
    if user is None or csrf_tokens.get(token) != user.id:
        abort(403)
    csrf_tokens.pop(token)
    topic = Topic.find(tid)
    is_owner = user.id == topic.uid
    is_admin = user.role == 1
    if not (is_owner or is_admin):
        abort(403)
    topic.remove()
    return redirect(url_for('.index'))
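def update():
    """Apply the posted form to an existing topic.

    Expects ``id`` and ``board_id`` in the form body and the one-shot CSRF
    token in the ``token`` query parameter.  ``updated_time`` is stamped
    with the current epoch seconds before the update.

    Returns:
        A redirect to the topic's detail page.

    Raises:
        400 when ``id`` or ``board_id`` is missing or not an integer, 403
        when nobody is logged in or the token is missing/unknown/foreign.
    """
    u = current_user()
    # Anonymous requests used to crash on ``u.id``; refuse them up front.
    if u is None:
        abort(403)
    token = request.args.get('token')
    if token not in csrf_tokens or csrf_tokens[token] != u.id:
        abort(403)
    form = request.form.to_dict()
    try:
        topic_id = int(form.pop('id'))
        form['board_id'] = int(form.get('board_id'))
    except (KeyError, TypeError, ValueError):
        # Malformed input used to surface as a 500.
        abort(400)
    form['updated_time'] = int(time.time())
    # NOTE(review): unlike the delete handlers, nothing here checks that the
    # current user owns topic_id (or is admin), so any logged-in user can
    # edit any topic; and the whole form dict goes to Topic.update, so every
    # posted key is written (mass assignment).  An ownership check and a
    # field allow-list are needed; not added here because the owner
    # attribute differs between the Topic versions in this file
    # (``user_id`` vs ``uid``) — confirm which applies.
    Topic.update(topic_id, form)
    csrf_tokens.pop(token)
    return redirect(url_for('topic.detail', id=topic_id))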
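def change_pwd():
    """Change the current user's password from the settings form.

    Reads ``old_pass``/``new_pass`` from the form body and the one-shot
    CSRF token from the ``token`` query parameter.  The token is consumed
    whether or not the password change succeeds, so a failed attempt needs
    a fresh one.  The outcome is reported via ``flash``.

    Returns:
        A redirect back to the settings page in every case.

    Raises:
        403 (via ``abort``) when nobody is logged in; previously this
        crashed on ``u.id``.
    """
    form = request.form
    old_pwd = form.get('old_pass')
    new_pwd = form.get('new_pass')
    u = current_user()
    if u is None:
        abort(403)
    token = request.args.get('token')
    changed = False
    if token in csrf_tokens and csrf_tokens[token] == u.id:
        csrf_tokens.pop(token)
        changed = u.validate_change_pwd(old_pwd, new_pwd)
    # A bad/missing token and a rejected password are reported the same way.
    flash('change pwd succeed' if changed else 'change pwd failed')
    return redirect(url_for('.setting'))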
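def change_name():
    """Change the current user's display name and signature.

    Reads ``name``/``signature`` from the form body and the one-shot CSRF
    token from the ``token`` query parameter.  The token is consumed
    whether or not the validation succeeds.  The outcome is reported via
    ``flash``.

    Returns:
        A redirect back to the settings page in every case.

    Raises:
        403 (via ``abort``) when nobody is logged in; previously this
        crashed on ``u.id``.
    """
    form = request.form
    name = form.get('name')
    signature = form.get('signature')
    u = current_user()
    if u is None:
        abort(403)
    token = request.args.get('token')
    changed = False
    if token in csrf_tokens and csrf_tokens[token] == u.id:
        csrf_tokens.pop(token)
        changed = u.validate_change_name(name, signature)
    # Flash strings kept byte-for-byte (including the trailing space).
    flash('change name succeed ' if changed else 'change name failed ')
    return redirect(url_for('.setting'))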
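def reset_view():
    """Render the password-reset form for the user a reset token maps to.

    The one-shot token is read from the ``token`` query parameter and
    consumed here; the template receives the mapped ``user_id``.

    Returns:
        The rendered ``reset/reset_update.html``.

    Raises:
        403 (via ``abort``) when the token is missing or unknown.  Before,
        the view fell through and returned None, which Flask reports as a
        500.
    """
    token = request.args.get('token')
    if token not in csrf_tokens:
        abort(403)
    uid = csrf_tokens.pop(token)
    # NOTE(review): the token is spent before the reset form is submitted,
    # so whatever handles that POST must not trust a client-supplied
    # user_id on its own — confirm it re-verifies the requester.
    return render_template('reset/reset_update.html', user_id=uid)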