コード例 #1
ファイル: topic.py プロジェクト: Aljosa12/WebForum
def topic_create():
    """Show the new-topic form (GET) or create a topic from it (POST).

    Visitors without a session user are redirected to the login endpoint
    before either branch runs. A POST is honoured only when the ``csrf``
    form field passes ``validate_csrf`` for the current user's username.
    """
    current_user = user_from_session_token()

    # Authentication gate: nothing below runs without a session user.
    if not current_user:
        return redirect(url_for('auth/login'))

    method = request.method

    if method == "GET":
        # A token created from the username is handed to the template so
        # the form can send it back with the POST.
        return render_template(
            "topics/topic_create.html",
            user=current_user,
            csrf_token=create_csrf_token(current_user.username))

    if method == "POST":
        submitted_token = request.form.get("csrf")

        # The token is checked before any other form field is read.
        if not validate_csrf(submitted_token, current_user.username):
            # NOTE(review): sent with the default status code, so a
            # rejected request is not distinguishable from a success by
            # status alone in access logs.
            return "CSRF token is not valid"

        # NOTE(review): title and text are stored exactly as submitted;
        # either may be None or empty. Confirm the model or the templates
        # validate and escape them.
        Topic.create(
            title=request.form.get("title"),
            text=request.form.get("text"),
            author=current_user)

        return redirect(url_for('index'))
コード例 #2
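def topic_create():
    """Show the new-topic form (GET) or create a topic from it (POST).

    The login check runs before the method dispatch. The original checked
    it only inside the POST branch, so a GET from a visitor without a
    session reached ``user.username`` on a missing user and failed with
    an AttributeError instead of redirecting to the login page.
    """
    # get current user (author)
    user = user_from_session_token()

    # only logged in users can see the form or create a topic
    if not user:
        return redirect(url_for('login'))

    if request.method == "GET":
        csrf_token = set_csrf_token(
            username=user.username)  # create CSRF token

        return render_template("topic/create.html", csrf_token=csrf_token)
    elif request.method == "POST":
        csrf = request.form.get("csrf")  # csrf from HTML

        # Reject a bad token before touching the rest of the form.
        if not is_valid_csrf(csrf=csrf, username=user.username):
            return "CSRF token is not valid!"

        title = request.form.get("title")
        text = request.form.get("text")

        # create a Topic object
        Topic.create(title=title, text=text, author=user)

        return redirect(url_for('index'))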
コード例 #3
ファイル: topic.py プロジェクト: Aljosa12/WebForum
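def topic_edit(topic_id):
    """Show the edit form for a topic (GET) or save the edited fields (POST).

    Only the topic's author may save changes. The original built the
    login redirect for anonymous users but never returned it, so they
    were sent on to the topic page instead of the login page.
    """
    topic = db.query(Topic).get(int(topic_id))

    if request.method == "GET":
        return render_template("topics/topic_edit.html", topic=topic)

    elif request.method == "POST":
        title = request.form.get("title")
        text = request.form.get("text")

        user = user_from_session_token()

        # check if user is logged in and user is author
        if not user:
            # NOTE(review): other endpoints in this listing use the dotted
            # 'auth.login' form; confirm 'auth/login' is a registered
            # endpoint name.
            return redirect(url_for("auth/login"))
        elif topic.author_id != user.id:
            return "You are not an author"
        else:
            # NOTE(review): no CSRF token is issued on GET or validated
            # here, unlike topic creation. This state-changing POST is
            # authorised by the session alone; add the same token
            # round-trip (template field plus validation) as the create
            # form.
            # update the topic fields
            topic.title = title
            topic.text = text
            db.add(topic)
            db.commit()

        return redirect(url_for('topic.topic_details', topic_id=topic_id))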
コード例 #4
ファイル: comment.py プロジェクト: MerisCulic/NinjaTechForum
def comment_edit(comment_id):
    """Show the edit form for a comment (GET) or save the new text (POST).

    Both methods require a session user who is the comment's author.
    The POST additionally requires the ``csrf`` form field to pass
    ``is_valid_csrf`` for that user's username.
    """
    comment = Comment.get_comment(comment_id)
    current_user = user_from_session_token()

    # Authentication first, then ownership.
    if not current_user:
        return redirect(url_for('auth.login'))
    if comment.author.id != current_user.id:
        return "You can only edit your own comments!"

    method = request.method

    if method == "GET":
        # Hand a token created for this username to the form.
        return render_template(
            "comment/comment_edit.html",
            comment=comment,
            csrf_token=set_csrf_token(username=current_user.username))

    if method == "POST":
        new_text = request.form.get("text")
        submitted_token = request.form.get("csrf")

        if not is_valid_csrf(submitted_token, current_user.username):
            return "CSRF error: tokens don't match!"

        comment.text = new_text
        db.add(comment)
        db.commit()

        target = url_for('topic.topic_details', topic_id=comment.topic.id)
        return redirect(target)
コード例 #5
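def logout():
    """Invalidate the current user's session token and go to the index.

    A request without a valid session (already logged out, expired or
    missing cookie) is simply redirected. The original dereferenced the
    missing user and failed with an AttributeError.
    """
    user = user_from_session_token()

    if user:
        # Clearing the stored token makes the cookie held by the client
        # useless for later lookups.
        # NOTE(review): every logged-out user ends up with the same value
        # "". Confirm user_from_session_token never matches an empty or
        # missing token against these rows.
        user.session_token = ""
        db.add(user)
        db.commit()

    return redirect(url_for('topic.index'))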
コード例 #6
ファイル: topic.py プロジェクト: MerisCulic/NinjaTechForum
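def topic_details(topic_id):
    """Render a topic with its comments.

    A CSRF token is created only when a user is logged in. The view has
    no login gate, and the original read ``user.username`` unconditionally,
    so a visitor without a session hit an AttributeError. Such a visitor
    now gets ``csrf_token=None`` in the template context.
    """
    user = user_from_session_token()
    topic = Topic.read(topic_id)
    comments = Comment.read_all(topic)

    # Tokens are created from the username, so there is nothing to issue
    # for an anonymous visitor.
    csrf_token = set_csrf_token(username=user.username) if user else None

    return render_template("topic/topic_details.html",
                           topic=topic,
                           user=user,
                           csrf_token=csrf_token,
                           comments=comments)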
コード例 #7
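def topic_details(topic_id):
    """Render a topic with its comments.

    A CSRF token is created only when a user is logged in. The view has
    no login gate, and the original read ``user.username`` unconditionally,
    so a visitor without a session hit an AttributeError. Such a visitor
    now gets ``csrf_token=None`` in the template context.
    """
    user = user_from_session_token()
    topic = Topic.read(topic_id)
    comments = Comment.read_all(topic)

    # Tokens are created from the username, so there is nothing to issue
    # for an anonymous visitor.
    csrf_token = set_csrf_token(username=user.username) if user else None

    # START test background tasks (TODO: delete this code later)
    # if os.getenv('REDIS_URL'):
    #    from tasks import get_random_num
    #    get_random_num()
    # END test background tasks

    return render_template("topic/details.html",
                           topic=topic,
                           user=user,
                           comments=comments,
                           csrf_token=csrf_token)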
コード例 #8
def comment_create(topic_id):
    """Create a comment on a topic from the submitted form.

    Requires a session user and a ``csrf`` form field that passes
    ``validate_csrf`` for that user's username. Ends with a redirect
    back to the topic page.
    """
    author = user_from_session_token()
    if not author:
        return redirect(url_for('auth.login'))

    # The token is validated before any other form field is read.
    token_ok = validate_csrf(request.form.get("csrf"), author.username)
    if not token_ok:
        return "CSRF token is not valid!"

    # NOTE(review): the text is stored as submitted and may be None or
    # empty; confirm the model or the templates validate and escape it.
    body = request.form.get("text")
    Comment.create(topic=Topic.read(topic_id), text=body, author=author)

    return redirect(url_for('topic.topic_details', topic_id=topic_id))
コード例 #9
ファイル: topic.py プロジェクト: Aljosa12/WebForum
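def topic_details(topic_id):
    """Render a topic with its comments.

    A CSRF token is created only when a user is logged in. The view has
    no login gate, and the original read ``user.username`` unconditionally,
    so a visitor without a session hit an AttributeError. Such a visitor
    now gets ``csrf_token=None`` in the template context.
    """
    topic = db.query(Topic).get(int(topic_id))

    user = user_from_session_token()
    comments = db.query(Comment).filter_by(topic=topic).all()

    # START test background tasks (TODO: delete this code later)
    # NOTE(review): this runs on every page view, including anonymous
    # ones, whenever REDIS_URL is set. Remove it before deployment so
    # unauthenticated traffic cannot drive background work.
    if os.getenv('REDIS_URL'):
        from task import get_random_num
        get_random_num()
    # END test background tasks

    # Tokens are created from the username, so there is nothing to issue
    # for an anonymous visitor.
    csrf_token = create_csrf_token(user.username) if user else None

    return render_template("topics/topic_details.html",
                           topic=topic,
                           user=user,
                           csrf_token=csrf_token,
                           comments=comments)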
コード例 #10
ファイル: comment.py プロジェクト: berrycherry/Flask
def comment_create(topic_id):
    """Create a comment on a topic from the submitted form.

    Requires a session user and a ``csrf`` form field that passes
    ``is_valid_csrf`` for that user's username. Ends with a redirect
    back to the topic page.
    """
    author = user_from_session_token()

    # Anonymous visitors are sent to the login page.
    if not author:
        return redirect(url_for('auth.login'))

    # The token is validated before any other form field is read.
    submitted_token = request.form.get("csrf")
    if not is_valid_csrf(submitted_token, author.username):
        return "CSRF token is not valid!"

    # NOTE(review): the text is stored as submitted and may be None or
    # empty; confirm the model or the templates validate and escape it.
    body = request.form.get("text")

    # Load the parent topic, then persist the comment under it.
    Comment.create(topic=Topic.read(topic_id), text=body, author=author)

    return redirect(url_for('topic.topic_details', topic_id=topic_id))
コード例 #11
def topic_delete(topic_id):
    """Show the delete confirmation (GET) or delete the topic (POST).

    The POST requires a session user whose id equals the topic's
    ``author_id``.

    NOTE(review): no CSRF token is issued on GET or validated on POST,
    so this destructive request is authorised by the session alone. Add
    the same token round-trip (template field plus validation) that the
    create form uses.
    """
    topic = db.query(Topic).get(int(topic_id))  # look the topic up by ID

    if request.method == "GET":
        return render_template("topic/delete.html", topic=topic)

    if request.method != "POST":
        return None

    # Current user, who must be the topic's author.
    current_user = user_from_session_token()

    if not current_user:
        return redirect(url_for('login'))

    if topic.author_id != current_user.id:
        return "You are not the author!"

    # Logged in and the author: remove the topic.
    db.delete(topic)
    db.commit()
    return redirect(url_for('index'))
コード例 #12
ファイル: comment.py プロジェクト: MerisCulic/NinjaTechForum
def comment_delete(comment_id):
    """Delete a comment and return to its topic page.

    Requires a session user who is the comment's author, and a ``csrf``
    form field that passes ``is_valid_csrf`` for that user's username.
    """
    comment = Comment.get_comment(comment_id)
    current_user = user_from_session_token()

    # Authentication first, then ownership.
    if not current_user:
        return redirect(url_for('auth.login'))
    if comment.author.id != current_user.id:
        return "You can only delete your own comments!"

    submitted_token = request.form.get("csrf")
    if not is_valid_csrf(submitted_token, current_user.username):
        return "CSRF error: tokens don't match!"

    # Read the parent topic id before the comment row is deleted.
    parent_topic_id = comment.topic.id

    db.delete(comment)
    db.commit()
    return redirect(url_for('topic.topic_details', topic_id=parent_topic_id))
コード例 #13
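def topic_create():
    """Show the new-topic form (GET) or create a topic from it (POST).

    The login check runs before the method dispatch. The original checked
    it only inside the POST branch, so a GET from a visitor without a
    session reached ``user.username`` on a missing user and failed with
    an AttributeError instead of redirecting to the login page.
    """
    user = user_from_session_token()

    # Only logged-in users may see the form or create a topic.
    if not user:
        return redirect(url_for('login'))

    if request.method == "GET":
        csrf_token = set_csrf_token(username=user.username)

        return render_template("topic/create.html", csrf_token=csrf_token)
    elif request.method == "POST":
        csrf = request.form.get("csrf")

        # Reject a bad token before touching the rest of the form.
        if not is_valid_csrf(csrf=csrf, username=user.username):
            return "CSRF token is not valid!"

        title = request.form.get("title")
        text = request.form.get("text")

        Topic.create(title=title, text=text, author=user)

        return redirect(url_for('index'))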
コード例 #14
ファイル: topic.py プロジェクト: MerisCulic/NinjaTechForum
def topic_delete(topic_id):
    """Show the delete confirmation (GET) or delete the topic (POST).

    The POST requires a session user whose id equals the topic's
    ``author_id``. The topic's comments are deleted along with it in a
    single commit.

    NOTE(review): no CSRF token is issued on GET or validated on POST,
    although this project's comment deletion validates one. This
    destructive request is authorised by the session alone; add the same
    token round-trip here.
    """
    topic = Topic.read(topic_id)

    if request.method == "GET":
        return render_template("topic/topic_delete.html", topic=topic)

    if request.method != "POST":
        return None

    current_user = user_from_session_token()

    if not current_user:
        return redirect(url_for('auth.login'))

    if topic.author_id != current_user.id:
        return "You are not the author!"

    # Remove the topic's comments, then the topic itself.
    for attached_comment in Comment.read_all(topic):
        db.delete(attached_comment)
    db.delete(topic)

    db.commit()
    return redirect(url_for('topic.index'))
コード例 #15
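def topic_edit(topic_id):
    """Show the edit form for a topic (GET) or save the edited fields (POST).

    The login check runs before the method dispatch. The original checked
    it only inside the POST branch, so a GET from a visitor without a
    session reached ``user.username`` on a missing user and failed with
    an AttributeError instead of redirecting to the login page.
    """
    topic = db.query(Topic).get(int(topic_id))
    user = user_from_session_token()

    # Only logged-in users may see the form or submit it.
    if not user:
        return redirect(url_for('login'))

    if request.method == "GET":
        csrf_token = set_csrf_token(username=user.username)

        return render_template("topic/edit.html",
                               topic=topic,
                               csrf_token=csrf_token)
    elif request.method == "POST":
        title = request.form.get("title")
        text = request.form.get("text")

        # NOTE(review): a CSRF token is issued on GET but the POST never
        # reads or validates it, so the token gives no protection here.
        # Validate the submitted "csrf" field before updating, as the
        # create form does, once the template is confirmed to send it.
        if topic.author.id != user.id:
            return "You are not the author!"
        else:
            Topic.update(topic_id, title, text)

            return redirect(url_for('topic.topic_details', topic_id=topic_id))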
コード例 #16
ファイル: main.py プロジェクト: berrycherry/Flask
def index():
    """Render the index page with every topic in the database.

    The session user is passed to the template as-is, so ``user`` is
    falsy for an anonymous visitor.
    """
    return render_template(
        "index.html",
        user=user_from_session_token(),
        # Load all topics from the database.
        topics=db.query(Topic).all())