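def topic_create():
    """Render the topic-creation form (GET) or create a topic from it (POST).

    Anonymous requests are redirected to the login page before any form
    processing. The POST branch is protected by a per-user CSRF token that is
    issued on GET and checked with validate_csrf() on submit. The unused local
    that held the created Topic was dropped.

    Returns:
        A redirect, a rendered template, or a plain error string when the
        CSRF token does not validate. Methods other than GET/POST fall
        through and return None (presumably rejected at the route level —
        confirm the route's ``methods``).
    """
    user = user_from_session_token()
    # only logged in users can create a topic
    if not user:
        return redirect(url_for('auth/login'))

    if request.method == "GET":
        # send a fresh CSRF token into the HTML template
        csrf_token = create_csrf_token(user.username)
        return render_template(
            "topics/topic_create.html", user=user, csrf_token=csrf_token)

    if request.method == "POST":
        csrf = request.form.get("csrf")  # csrf from HTML form
        if not validate_csrf(csrf, user.username):
            return "CSRF token is not valid"
        # tokens match: allow the user to create a topic
        title = request.form.get("title")
        text = request.form.get("text")
        Topic.create(title=title, text=text, author=user)
        return redirect(url_for('index'))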
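def topic_create():
    """Render the topic-creation form (GET) or create a topic from it (POST).

    Bug fixed: the login check used to live only in the POST branch, so an
    anonymous GET dereferenced ``user.username`` on a None user. The check now
    runs before either branch.

    Returns:
        A redirect, a rendered template, or an error string when the CSRF
        token does not validate. Methods other than GET/POST return None.
    """
    # get current user (author)
    user = user_from_session_token()
    # only logged in users can create a topic (applies to GET as well, since
    # the CSRF token is bound to the username)
    if not user:
        return redirect(url_for('login'))

    if request.method == "GET":
        csrf_token = set_csrf_token(username=user.username)  # create CSRF token
        return render_template("topic/create.html", csrf_token=csrf_token)
    elif request.method == "POST":
        csrf = request.form.get("csrf")  # csrf from HTML
        if not is_valid_csrf(csrf=csrf, username=user.username):
            return "CSRF token is not valid!"
        title = request.form.get("title")
        text = request.form.get("text")
        # create a Topic object
        Topic.create(title=title, text=text, author=user)
        return redirect(url_for('index'))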
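def topic_edit(topic_id):
    """Render the edit form for a topic (GET) or apply the edit (POST).

    Only the topic's author may edit it. Bug fixed: the anonymous-user branch
    called ``redirect(...)`` without ``return``, so the redirect was discarded
    and the request fell through. An unknown id now answers 404 instead of
    raising AttributeError.

    Args:
        topic_id: Topic primary key; converted with ``int()``.

    Returns:
        Rendered template, redirect, error string, or a (body, 404) tuple.
    """
    topic = db.query(Topic).get(int(topic_id))
    if topic is None:
        # .get() yields None for an unknown id; fail cleanly instead of
        # dereferencing topic.author_id below
        return "Topic not found", 404

    if request.method == "GET":
        return render_template("topics/topic_edit.html", topic=topic)

    if request.method == "POST":
        # NOTE(review): unlike topic_create, this state-changing POST has no
        # CSRF check; consider issuing create_csrf_token() on GET and checking
        # validate_csrf() here once the template carries the hidden field.
        user = user_from_session_token()
        # check that the user is logged in and is the author
        if not user:
            return redirect(url_for("auth/login"))
        if topic.author_id != user.id:
            return "You are not an author"
        # update the topic fields
        topic.title = request.form.get("title")
        topic.text = request.form.get("text")
        db.add(topic)
        db.commit()
        return redirect(url_for('topic.topic_details', topic_id=topic_id))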
def comment_edit(comment_id):
    """Edit one of the current user's own comments.

    GET renders the edit form with a per-user CSRF token; POST checks the
    token and stores the new text. Anonymous users are sent to the login
    page; non-authors get a plain refusal message.

    Args:
        comment_id: identifier handed to Comment.get_comment().
    """
    comment = Comment.get_comment(comment_id)
    user = user_from_session_token()

    # must be logged in ...
    if not user:
        return redirect(url_for('auth.login'))
    # ... and must own the comment
    if comment.author.id != user.id:
        return "You can only edit your own comments!"

    method = request.method
    if method == "GET":
        token = set_csrf_token(username=user.username)
        return render_template("comment/comment_edit.html",
                               comment=comment, csrf_token=token)
    if method == "POST":
        submitted = request.form.get("csrf")
        if not is_valid_csrf(submitted, user.username):
            return "CSRF error: tokens don't match!"
        comment.text = request.form.get("text")
        db.add(comment)
        db.commit()
        return redirect(
            url_for('topic.topic_details', topic_id=comment.topic.id))
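def logout():
    """Invalidate the current session token and go back to the topic index.

    Bug fixed: a request without a valid session (``user`` is None) used to
    raise AttributeError; it now simply redirects.
    """
    user = user_from_session_token()
    if user:
        user.session_token = ""
        db.add(user)
        db.commit()
    # NOTE(review): the cookie itself is not cleared here, and the stored token
    # is blanked rather than replaced. If user_from_session_token() looks users
    # up by token value, an empty cookie could match any logged-out user —
    # confirm the lookup rejects empty tokens, or store None / a fresh random
    # value instead.
    return redirect(url_for('topic.index'))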
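def topic_details(topic_id):
    """Show a topic with its comments.

    Bug fixed: the CSRF token was derived from ``user.username`` even when no
    one is logged in, which raised AttributeError on anonymous visits. The
    token is now only issued for a logged-in user; the template receives
    ``csrf_token=None`` otherwise.

    Args:
        topic_id: identifier handed to Topic.read().
    """
    user = user_from_session_token()
    topic = Topic.read(topic_id)
    comments = Comment.read_all(topic)
    # the token is bound to a username, so only a logged-in user can get one;
    # presumably the template hides the comment form when user is None — confirm
    csrf_token = set_csrf_token(username=user.username) if user else None
    return render_template("topic/topic_details.html",
                           topic=topic,
                           user=user,
                           csrf_token=csrf_token,
                           comments=comments)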
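def topic_details(topic_id):
    """Show a topic, its comments, and a CSRF token for the comment form.

    Bug fixed: ``set_csrf_token(username=user.username)`` raised AttributeError
    for anonymous visitors; the token is now issued only for a logged-in user
    and ``csrf_token=None`` is passed otherwise. The commented-out
    background-task experiment was removed.

    Args:
        topic_id: identifier handed to Topic.read().
    """
    user = user_from_session_token()
    topic = Topic.read(topic_id)
    comments = Comment.read_all(topic)
    # the token is bound to a username, so only a logged-in user can get one;
    # presumably the template hides the comment form when user is None — confirm
    csrf_token = set_csrf_token(username=user.username) if user else None
    return render_template("topic/details.html",
                           topic=topic,
                           user=user,
                           comments=comments,
                           csrf_token=csrf_token)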
def comment_create(topic_id):
    """Create a comment on a topic from a POSTed form.

    Requires a logged-in user and a valid per-user CSRF token; otherwise the
    request is redirected to login or answered with an error string.

    Args:
        topic_id: identifier handed to Topic.read() and echoed in the redirect.
    """
    author = user_from_session_token()
    if not author:
        return redirect(url_for('auth.login'))

    token = request.form.get("csrf")
    if not validate_csrf(token, author.username):
        return "CSRF token is not valid!"

    body = request.form.get("text")
    parent = Topic.read(topic_id)
    Comment.create(topic=parent, text=body, author=author)
    return redirect(url_for('topic.topic_details', topic_id=topic_id))
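def topic_details(topic_id):
    """Show a topic with its comments and a CSRF token for the comment form.

    Bug fixed: ``create_csrf_token(user.username)`` raised AttributeError for
    anonymous visitors; the token is now only issued when a user is logged in.
    Stray non-code bytes that had been pasted into the body were removed.

    Args:
        topic_id: Topic primary key; converted with ``int()``.
    """
    topic = db.query(Topic).get(int(topic_id))
    user = user_from_session_token()
    comments = db.query(Comment).filter_by(topic=topic).all()

    # START test background tasks (TODO: delete this code later)
    if os.getenv('REDIS_URL'):
        from task import get_random_num
        get_random_num()
    # END test background tasks

    # the token is bound to a username, so only a logged-in user can get one;
    # presumably the template hides the comment form when user is None — confirm
    csrf_token = create_csrf_token(user.username) if user else None
    return render_template("topics/topic_details.html",
                           topic=topic,
                           user=user,
                           csrf_token=csrf_token,
                           comments=comments)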
def comment_create(topic_id):
    """Create a comment on a topic from a POSTed form.

    Only a logged-in user with a valid CSRF token may comment; anonymous
    requests are redirected to login and bad tokens get an error string.

    Args:
        topic_id: identifier handed to Topic.read() and echoed in the redirect.
    """
    current = user_from_session_token()
    if not current:
        # anonymous: send to the login page
        return redirect(url_for('auth.login'))

    if not is_valid_csrf(request.form.get("csrf"), current.username):
        return "CSRF token is not valid!"

    # look up the parent topic, then attach the new comment to it
    parent = Topic.read(topic_id)
    Comment.create(topic=parent, text=request.form.get("text"), author=current)
    return redirect(url_for('topic.topic_details', topic_id=topic_id))
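def topic_delete(topic_id):
    """Confirm (GET) or perform (POST) deletion of a topic by its author.

    Robustness fix: an unknown id (``.get()`` returns None) now answers 404
    instead of raising AttributeError on ``topic.author_id``.

    Args:
        topic_id: Topic primary key; converted with ``int()``.
    """
    topic = db.query(Topic).get(int(topic_id))  # get topic from db by ID
    if topic is None:
        return "Topic not found", 404

    if request.method == "GET":
        return render_template("topic/delete.html", topic=topic)

    if request.method == "POST":
        # NOTE(review): no CSRF check on this destructive POST, unlike
        # topic_create (set_csrf_token / is_valid_csrf); add one once the
        # confirmation template carries the hidden token field.
        user = user_from_session_token()  # current user (author)
        # check if user is logged in and user is author
        if not user:
            return redirect(url_for('login'))
        if topic.author_id != user.id:
            return "You are not the author!"
        # user IS logged in and IS the author: delete the topic
        db.delete(topic)
        db.commit()
        return redirect(url_for('index'))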
def comment_delete(comment_id):
    """Delete one of the current user's own comments after a CSRF check.

    Anonymous users are redirected to login, non-authors are refused, and a
    bad token yields an error string. On success the user lands back on the
    comment's topic page.

    Args:
        comment_id: identifier handed to Comment.get_comment().
    """
    target = Comment.get_comment(comment_id)
    current = user_from_session_token()
    if not current:
        return redirect(url_for('auth.login'))
    if target.author.id != current.id:
        return "You can only delete your own comments!"

    if not is_valid_csrf(request.form.get("csrf"), current.username):
        return "CSRF error: tokens don't match!"

    parent_id = target.topic.id  # remember it before the row is gone
    db.delete(target)
    db.commit()
    return redirect(url_for('topic.topic_details', topic_id=parent_id))
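def topic_create():
    """Create a topic: GET renders the form, POST validates and stores it.

    Bug fixed: ``user`` was only checked in the POST branch, so an anonymous
    GET raised AttributeError on ``user.username``; the check now guards both
    branches.

    Returns:
        A redirect, a rendered template, or an error string on a bad CSRF
        token. Methods other than GET/POST return None.
    """
    user = user_from_session_token()
    if not user:
        return redirect(url_for('login'))

    if request.method == "GET":
        csrf_token = set_csrf_token(username=user.username)
        return render_template("topic/create.html", csrf_token=csrf_token)

    if request.method == "POST":
        csrf = request.form.get("csrf")
        if not is_valid_csrf(csrf=csrf, username=user.username):
            return "CSRF token is not valid!"
        title = request.form.get("title")
        text = request.form.get("text")
        Topic.create(title=title, text=text, author=user)
        return redirect(url_for('index'))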
def topic_delete(topic_id):
    """Confirm (GET) or carry out (POST) deletion of a topic and its comments.

    Only the logged-in author may delete. The comments are removed before the
    topic itself (presumably so nothing references the deleted row — confirm
    against the model's foreign keys).

    Args:
        topic_id: identifier handed to Topic.read().
    """
    topic = Topic.read(topic_id)

    if request.method == "GET":
        return render_template("topic/topic_delete.html", topic=topic)

    if request.method == "POST":
        # NOTE(review): this destructive POST carries no CSRF check, unlike
        # comment_delete (set_csrf_token / is_valid_csrf) — consider adding one.
        current = user_from_session_token()
        if not current:
            return redirect(url_for('auth.login'))
        if topic.author_id != current.id:
            return "You are not the author!"
        for each in Comment.read_all(topic):
            db.delete(each)
        db.delete(topic)
        db.commit()
        return redirect(url_for('topic.index'))
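def topic_edit(topic_id):
    """Render the edit form (GET) or apply an edit (POST) to a topic.

    Fixes over the previous version:
    * the login check ran only on POST, so an anonymous GET hit
      ``user.username`` on None — it now runs first;
    * the GET branch issued a CSRF token but the POST branch never checked
      it; the submitted ``csrf`` field is now validated with is_valid_csrf(),
      as topic_create does;
    * an unknown id (``.get()`` returns None) answers 404 instead of raising.

    Args:
        topic_id: Topic primary key; converted with ``int()``.
    """
    user = user_from_session_token()
    if not user:
        return redirect(url_for('login'))

    topic = db.query(Topic).get(int(topic_id))
    if topic is None:
        return "Topic not found", 404

    if request.method == "GET":
        csrf_token = set_csrf_token(username=user.username)
        return render_template("topic/edit.html", topic=topic, csrf_token=csrf_token)

    if request.method == "POST":
        if topic.author.id != user.id:
            return "You are not the author!"
        # assumes topic/edit.html posts the token back as field "csrf", as the
        # create form does — confirm the template carries the hidden field
        csrf = request.form.get("csrf")
        if not is_valid_csrf(csrf=csrf, username=user.username):
            return "CSRF token is not valid!"
        title = request.form.get("title")
        text = request.form.get("text")
        Topic.update(topic_id, title, text)
        return redirect(url_for('topic.topic_details', topic_id=topic_id))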
def index():
    """Home page: list every topic, with the current user (if any) for the template."""
    current_user = user_from_session_token()
    all_topics = db.query(Topic).all()  # every topic, unfiltered
    return render_template("index.html", user=current_user, topics=all_topics)