def add_manager(request):
if request.method == 'POST':
shop_name = request.POST.get('shop_name')
target_id = request.POST.get('target_id')
event = "ADD MANAGER"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
shop_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
target_id, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
login = request.COOKIES.get('login_hash')
if login is not None:
username = Consumer.loggedInUsers.get(login)
store_manager = StoreManager(
target_id, shop_name, request.POST.get('add_item_permission'),
request.POST.get('remove_item_permission'),
request.POST.get('edit_item_permission'),
request.POST.get('reply_message_permission'),
request.POST.get('get_all_message_permission'),
request.POST.get('get_purchase_history_permission'),
request.POST.get('get_discount_permission'),
request.POST.get('set_policy_permission'))
if username is not None:
return HttpResponse(
UsersLogic.add_manager(username, store_manager))
return HttpResponse('FAILED: You are not logged in')
def register(request):
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')
state = request.POST.get('state')
age = request.POST.get('age')
sex = request.POST.get('sex')
event = "REGISTER"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
username, event)
suspect_sql_injection = LoggerLogic.identify_sql_injection(
password, event)
suspect_sql_injection = LoggerLogic.identify_sql_injection(
state, event)
suspect_sql_injection = LoggerLogic.identify_sql_injection(age, event)
suspect_sql_injection = LoggerLogic.identify_sql_injection(sex, event)
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
return HttpResponse(
UsersLogic.register_with_user_detail(
RegisteredUser(username, password), state, age, sex))
def update_details(request):
if request.method == 'POST':
state = request.POST.get('state')
age = request.POST.get('age')
sex = request.POST.get('sex')
event = "UPDATE USER DETAILS"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
state, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
age, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
sex, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
login = request.COOKIES.get('login_hash')
if login is not None:
username = Consumer.loggedInUsers.get(login)
return HttpResponse(
UsersLogic.update_details(username, state, age, sex))
return HttpResponse('FAILED: You are not logged in.')
def edit_password(request):
if request.method == 'POST':
current_password = request.POST.get('current_password')
new_password = request.POST.get('new_password')
event = "EDIT PASSWORD"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
current_password, event)
suspect_sql_injection = LoggerLogic.identify_sql_injection(
new_password, event)
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
login = request.COOKIES.get('login_hash')
if login is not None:
username = Consumer.loggedInUsers.get(login)
if UsersLogic.login(RegisteredUser(username, current_password)):
return HttpResponse(
UsersLogic.edit_password(
RegisteredUser(username, new_password)))
return HttpResponse('FAILED: You are not logged in.')
def login(request):
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')
event = "LOGIN"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
username, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
password, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
user = RegisteredUser(username, password)
result = UsersLogic.login(user)
if result[:7] == 'SUCCESS':
access_token = hashlib.md5(username.encode()).hexdigest()
Consumer.loggedInUsers[access_token] = username
Consumer.loggedInUsersShoppingCart[
access_token] = ShoppingLogic.get_cart_items(username)
return HttpResponse(access_token)
else:
return HttpResponse(result)
def search_item_in_shop(request):
if request.method == 'GET':
login = request.COOKIES.get('login_hash')
topbar = loader.render_to_string('components/Topbar.html',
context=None)
if login is not None:
username = Consumer.loggedInUsers.get(login)
if username is not None:
# html of a logged in user
topbar = loader.render_to_string(
'components/TopbarLoggedIn.html',
context={'username': username})
name = request.GET.get('item_name')
shop_name = request.GET.get('shop_name')
event = "SEARCH ITEM IN SHOP"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
shop_name, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
item = SearchLogic.search_item_in_shop(name, shop_name)
if item is not False:
context = {'topbar': topbar, 'item': item}
return render(request, 'SearchView.html', context)
def add_review_on_shop(request):
if request.method == 'POST':
shop_name = request.POST.get('shop_name')
description = request.POST.get('description')
rank = int(request.POST.get('rank'))
event = "ADD REVIEW ON SHOP"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
shop_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
description, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
login = request.COOKIES.get('login_hash')
if login is not None:
writer_id = Consumer.loggedInUsers.get(login)
shop_review = ShopReview(writer_id, description, rank, shop_name)
old_review = ShopLogic.get_shop_review_with_writer(
shop_name, writer_id)
if old_review is not False:
return HttpResponse('has reviews')
if ShopLogic.add_review_on_shop(shop_review):
return HttpResponse('success')
return HttpResponse('fail')
def create_shop(request):
if request.method == 'POST':
# return HttpResponse('item added')
shop_name = request.POST.get('name')
shop_status = request.POST.get('status')
event = "ADD SHOP"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
shop_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
shop_status, event) or suspect_sql_injection
if suspect_sql_injection or shop_name == '':
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
login = request.COOKIES.get('login_hash')
if login is None:
login = request.POST.get('login_hash')
if login is None:
return HttpResponse('FAILED: You are not logged in')
username = Consumer.loggedInUsers.get(login)
if username is None:
return HttpResponse('FAILED: You are not logged in')
shop = Shop(shop_name, shop_status)
return HttpResponse(ShopLogic.create_shop(shop, username))
def add_review_on_item(request):
if request.method == 'POST':
item_id = request.POST.get('item_id')
description = request.POST.get('description')
rank = request.POST.get('rank')
event = "ADD REVIEW"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
item_id, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
description, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
rank, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(MESSAGE_SQL_INJECTION)
login = request.COOKIES.get('login_hash')
if login is not None:
writer_name = Consumer.loggedInUsers.get(login)
old_review = ItemsLogic.get_item_review_with_writer(
item_id, writer_name)
if old_review is not False:
return HttpResponse('has reviews')
review = ItemReview(writer_name, item_id, description, rank)
if ItemsLogic.add_review_on_item(review):
return HttpResponse('success')
return HttpResponse('fail')
def update_permissions(request):
if request.method == 'POST':
shop_name = request.POST.get('shop_name')
target_id = request.POST.get('target_id')
event = "UPDATE PERMISSIONS"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
shop_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
target_id, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
login = request.COOKIES.get('login_hash')
if login is not None:
username = Consumer.loggedInUsers.get(login)
store_manager = StoreManager(
target_id, shop_name, request.POST.get('add_item_permission'),
request.POST.get('remove_item_permission'),
request.POST.get('edit_item_permission'),
request.POST.get('reply_message_permission'),
request.POST.get('get_all_message_permission'),
request.POST.get('get_purchase_history_permission'),
request.POST.get('get_discount_permission'),
request.POST.get('set_policy_permission'))
if UsersLogic.update_permissions(username, store_manager):
return HttpResponse('success')
return HttpResponse('fail')
def send_message_from_shop(request):
if request.method == 'POST':
content = request.POST.get('content')
from_shop = request.POST.get('from')
to = request.POST.get('to')
event = "SEND MESSAGE FROM SHOP"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
content, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
from_shop, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
to, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
login = request.COOKIES.get('login_hash')
if login is not None:
username = Consumer.loggedInUsers.get(login)
message = Message(None, from_shop, to, content)
return HttpResponse(
MessagingLogic.send_message_from_shop(username, message))
return HttpResponse('FAILED: You are not logged in')
def test_get_all_security(self):
LoggerLogic.identify_sql_injection("#", "event1")
LoggerLogic.identify_sql_injection("'SELECT * FROM Items;--", "event2")
logs = Logger.get_all_security_logs()
self.assertTrue(len(logs) == 2)
security_log = logs[1]
self.assertEqual(security_log.event, "event1")
security_log = logs[0]
self.assertEqual(security_log.event, "event2")
def edit_shop_item(request):
if request.method == 'POST':
login = request.COOKIES.get('login_hash')
username = None
if login is not None:
username = Consumer.loggedInUsers.get(login)
if username is None:
return HttpResponse('fail')
item_id = request.POST.get('item_id')
fields = ['quantity', 'category', 'keywords', 'price', 'url']
new_values = [
request.POST.get('item_quantity'),
request.POST.get('item_category'),
request.POST.get('item_keywords'),
request.POST.get('item_price'),
request.POST.get('item_url')
]
event = "EDIT ITEM"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
new_values[0], event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
new_values[1], event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
new_values[2], event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
new_values[3], event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
new_values[4], event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(MESSAGE_SQL_INJECTION)
item = ItemsLogic.get_item(item_id)
if item is False:
return HttpResponse('fail')
if not UsersLogic.is_owner_of_shop(username, item.shop_name):
if UsersLogic.is_manager_of_shop(username, item.shop_name):
manager = UsersLogic.get_manager(username, item.shop_name)
if manager.permission_edit_item is not 1: # no permission
return HttpResponse('no permission to edit item')
else:
return HttpResponse('fail') # not manager not owner
for i in range(0, len(fields)):
status = ItemsLogic.edit_shop_item(username, item_id, fields[i],
new_values[i])
if status is False:
return HttpResponse('fail')
return HttpResponse('success')
def add_lottery_item_to_shop(request):
if request.method == 'POST':
item_name = request.POST.get('item_name')
item_category = request.POST.get('item_category')
item_keywords = request.POST.get('item_keyWords')
item_price = request.POST.get('item_price')
ticket_name = request.POST.get('ticket_name')
ticket_price = request.POST.get('ticket_price')
shop_name = request.POST.get('item_shop_name')
final_date = request.POST.get('final_date')
item = Item(None, shop_name, item_name, item_category, item_keywords, 0, 1, 'prize')
ticket = Item(None, shop_name, ticket_name, item_category, item_keywords, ticket_price, 1, 'ticket')
username = request.POST.get('username')
event = "ADD LOTTERY ITEM"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(item_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(item_category, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(item_keywords, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(item_price, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(ticket_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(ticket_price, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(shop_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(username, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(MESSAGE_SQL_INJECTION)
LotteryLogic.add_lottery_and_items(item, ticket, item_price, final_date, username)
def update_code_shopping_cart(request):
if request.method == 'POST':
code = request.POST.get("code")
event = "UPDATE CODE SHOPPING CART"
suspect_sql_injection = LoggerLogic.identify_sql_injection(code, event)
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
item = ItemsLogic.get_item_by_code(code)
if item is False:
return HttpResponse('fail')
login = request.COOKIES.get('login_hash')
if login is None or Consumer.loggedInUsers.get(login) is None:
guest = request.COOKIES.get('guest_hash')
if guest is None:
return HttpResponse('fail')
status = GuestShoppingCartLogic.update_code_shopping_cart_guest(
guest, item.id, code)
else:
status = UserShoppingCartLogic.update_code_shopping_cart(
login, item.id, code)
if status is False:
return HttpResponse('fail')
else:
return HttpResponse('OK')
def search_shop(request):
if request.method == 'GET':
login = request.COOKIES.get('login_hash')
topbar = loader.render_to_string('components/Topbar.html',
context=None)
words = []
if login is not None:
username = Consumer.loggedInUsers.get(login)
if username is not None:
# html of a logged in user
topbar = loader.render_to_string(
'components/TopbarLoggedIn.html',
context={'username': username})
name = request.GET.get('name')
suspect_sql_injection = LoggerLogic.identify_sql_injection(
name, "SEARCH SHOP")
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
shop = SearchLogic.search_shop(name)
if shop is not False:
context = {'topbar': topbar}
return render(request, 'shop.html', context)
else:
words = SearchLogic.get_similar_words(name)
words = words[:5]
context = {'topbar': topbar, 'words': words}
return render(request, 'ItemsNotFound.html', context)
def add_owner(request):
if request.method == 'POST':
shop_name = request.POST.get('shop_name')
target_id = request.POST.get('target_id')
owner = Owner(target_id, shop_name, None)
event = "ADD OWNER"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
shop_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
target_id, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
login = request.COOKIES.get('login_hash')
if login is not None:
username = Consumer.loggedInUsers.get(login)
return HttpResponse(UsersLogic.add_owner(username, owner))
return HttpResponse('FAILED: You are not logged in')
def add_system_manager(request):
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')
event = "ADD VISIBLE DISCOUNT"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
username, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
password, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
added_successfully = UsersLogic.add_system_manager(
SystemManager(username, password))
if added_successfully:
return HttpResponse('added')
return HttpResponse(
'failed - probably username exist in RegisteredUsers or SystemManagers'
)
def add_discount(request):
global result
if request.method == 'POST':
shop_name = request.POST.get('shop_name')
percent = int(request.POST.get('percent'))
kind = request.POST.get('kind')
event = "ADD DISCOUNT"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
shop_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
kind, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
start_date = request.POST.get('start_date')
end_date = request.POST.get('duration')
end_date = end_date.split('-')
end_date = end_date[0] + '-' + end_date[2] + '-' + end_date[1]
start_date = start_date.split('-')
start_date = start_date[0] + '-' + start_date[2] + '-' + start_date[1]
if shop_name is None or ShopLogic.search_shop(shop_name) is False:
return HttpResponse('invalid shop')
login = request.COOKIES.get('login_hash')
username = None
if login is not None:
username = Consumer.loggedInUsers.get(login)
if username is None:
return HttpResponse('user not logged in')
if not UsersLogic.is_owner_of_shop(username, shop_name):
if UsersLogic.is_manager_of_shop(username, shop_name):
manager = UsersLogic.get_manager(username, shop_name)
if manager.discount_permission is not 1: # no permission
return HttpResponse('no permission to add discount')
else:
return HttpResponse('not owner or manager in this shop'
) # not manager not owner
if kind == "visible_item":
item_id = request.POST.get('item_id')
if LoggerLogic.identify_sql_injection(item_id, event):
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
item = ItemsLogic.get_item_without_lottery(item_id)
if item is False or item.shop_name != shop_name:
return HttpResponse("item with id=" + item_id +
" doesnt exist in this shop or a ticket")
discount = VisibleDiscount(item_id, shop_name, percent, start_date,
end_date)
result = DiscountLogic.add_visible_discount(discount, username)
elif kind == "invisible_item":
item_id = request.POST.get('item_id')
code = request.POST.get('code')
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
item_id, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
code, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
item = ItemsLogic.get_item_without_lottery(item_id)
if item is False or item.shop_name != shop_name:
return HttpResponse("item with id=" + item_id +
" doesnt exist in this shop or a ticket")
discount = InvisibleDiscount(code, item_id, shop_name, percent,
start_date, end_date)
result = DiscountLogic.add_invisible_discount(discount, username)
elif kind == "visible_category":
category = request.POST.get('category')
if LoggerLogic.identify_sql_injection(category, event):
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
discount = VisibleDiscountCategory(category, shop_name, percent,
start_date, end_date)
result = DiscountLogic.add_visible_discount_category(
discount, username)
elif kind == "invisible_category":
category = request.POST.get('category')
code = request.POST.get('code')
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
category, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
code, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
discount = InvisibleDiscountCategory(code, category, shop_name,
percent, start_date, end_date)
result = DiscountLogic.add_invisible_discount_category(
discount, username)
if result:
return HttpResponse('success')
else:
return HttpResponse(
'discount already exist for this item/category!')
else:
return HttpResponse('FAIL: not post request')
def search_item(request):
if request.method == 'GET':
login = request.COOKIES.get('login_hash')
guest = request.COOKIES.get('guest')
topbar = Topbar_Navbar.get_top_bar(login)
navbar = Topbar_Navbar.get_nav_bar(login, guest)
search_by = request.GET.get('searchBy')
items = []
words = []
event = "SEARCH ITEM"
if search_by == 'name':
name = request.GET.get('name')
suspect_sql_injection = LoggerLogic.identify_sql_injection(
name, event)
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
items = SearchLogic.search_by_name(name)
for item in items:
shop_name = item.shop_name
item.price = (round(
item.price * item_discount(item.id, shop_name) *
category_discount(item.category, shop_name), 2))
if len(items) != 0:
context = {
'topbar': topbar,
'items': items,
'navbar': navbar,
'len': len(items)
}
return render(request, 'SearchView.html', context)
else:
words = SearchLogic.get_similar_words(name)
words = words[:5]
items_names_that_exists = []
for each_item in words:
item = SearchLogic.search_by_name(each_item)
if len(item) != 0:
items_names_that_exists.append(each_item)
context = {
'topbar': topbar,
'items': items_names_that_exists,
'navbar': navbar,
'type': 'name'
}
if len(items_names_that_exists) != 0:
return render(request, 'ItemsNotFound.html', context)
else:
return render(request, 'ItemNotFoundNoSuggestions.html',
context)
if search_by == 'category':
category = request.GET.get('category')
suspect_sql_injection = LoggerLogic.identify_sql_injection(
category, event)
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
items = SearchLogic.search_by_category(request.GET.get('category'))
for item in items:
shop_name = item.shop_name
item.price = (round(
item.price * item_discount(item.id, shop_name) *
category_discount(item.category, shop_name), 2))
if len(items) != 0:
context = {
'topbar': topbar,
'items': items,
'navbar': navbar,
'len': len(items)
}
return render(request, 'SearchView.html', context)
else:
words = SearchLogic.get_similar_words(category)
words = words[:5]
items_names_that_exists = []
for each_item in words:
item = SearchLogic.search_by_category(each_item)
if len(item) != 0:
items_names_that_exists.append(each_item)
context = {
'topbar': topbar,
'items': items_names_that_exists,
'navbar': navbar,
'type': 'category'
}
if len(items_names_that_exists) != 0:
return render(request, 'ItemsNotFound.html', context)
else:
return render(request, 'ItemNotFoundNoSuggestions.html',
context)
if search_by == 'keywords':
keywords = request.GET.get('keywords')
suspect_sql_injection = LoggerLogic.identify_sql_injection(
keywords, event)
if suspect_sql_injection:
return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
items = SearchLogic.search_by_keywords(keywords)
for item in items:
shop_name = item.shop_name
item.price = (round(
item.price * item_discount(item.id, shop_name) *
category_discount(item.category, shop_name), 2))
if len(items) != 0:
context = {
'topbar': topbar,
'items': items,
'navbar': navbar,
'len': len(items)
}
return render(request, 'SearchView.html', context)
else:
words = SearchLogic.get_similar_words(keywords)
words = words[:5]
items_names_that_exists = []
for each_item in words:
item = SearchLogic.search_by_keywords(each_item)
if len(item) != 0:
items_names_that_exists.append(each_item)
context = {
'topbar': topbar,
'items': items_names_that_exists,
'navbar': navbar,
'type': 'keywords'
}
if len(items_names_that_exists) != 0:
return render(request, 'ItemsNotFound.html', context)
else:
return render(request, 'ItemNotFoundNoSuggestions.html',
context)
def add_item_to_shop(request):
if request.method == 'POST':
shop_name = request.POST.get('shop_name')
item_name = request.POST.get('item_name')
item_quantity = int(request.POST.get('item_quantity'))
item_category = request.POST.get('item_category')
item_keywords = request.POST.get('item_keywords')
item_price = float(request.POST.get('item_price'))
item_url = request.POST.get('item_url')
item_kind = request.POST.get('item_kind')
if item_name is None or item_name == '':
return HttpResponse('invalid item name')
if item_quantity < 0:
return HttpResponse('invalid quantity')
if item_category is None or item_category == '':
return HttpResponse('invalid category')
if item_keywords is None:
return HttpResponse('invalid keywords')
if item_price <= 0:
return HttpResponse('invalid price')
event = "ADD ITEM"
suspect_sql_injection = False
suspect_sql_injection = LoggerLogic.identify_sql_injection(
shop_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
item_name, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
item_category, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
item_keywords, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
item_url, event) or suspect_sql_injection
suspect_sql_injection = LoggerLogic.identify_sql_injection(
item_kind, event) or suspect_sql_injection
if suspect_sql_injection:
return HttpResponse(MESSAGE_SQL_INJECTION)
if shop_name is None or ShopLogic.search_shop(shop_name) is False:
return HttpResponse('invalid shop')
if item_url == '':
item_url = None
sale_date = None
sale_hour = None
sale_minutes = None
if item_kind == 'prize':
sale_date = request.POST.get('sale_date')
sale_hour = request.POST.get('sale_hour')
sale_minutes = request.POST.get('sale_minutes')
login = request.COOKIES.get('login_hash')
if login is None:
login = request.POST.get('login_hash')
username = None
if login is not None:
username = Consumer.loggedInUsers.get(login)
if username is None:
return HttpResponse('user not logged in')
if not UsersLogic.is_owner_of_shop(username, shop_name):
if UsersLogic.is_manager_of_shop(username, shop_name):
manager = UsersLogic.get_manager(username, shop_name)
if manager.permission_add_item is not 1: # no permission
return HttpResponse('no permission to add item')
else:
return HttpResponse('not owner or manager in this shop'
) # not manager not owner
status = False
if item_kind == 'regular':
regular_item = Item(None, shop_name, item_name, item_category,
item_keywords, item_price, item_quantity,
item_kind, item_url, 0, 0, 0)
status = ItemsLogic.add_item_to_shop(regular_item, username)
elif item_kind == 'prize':
prize = Item(None, shop_name, item_name, item_category,
item_keywords, item_price, 1, item_kind, item_url, 0,
0, 0)
ticket = Item(None, shop_name, 'Ticket for ' + item_name,
item_category, item_keywords, item_price,
item_quantity, 'ticket', item_url, 0, 0, 0)
status = LotteryLogic.add_lottery_and_items_and_return_id(
prize, ticket, ticket.price,
sale_date + ' ' + sale_hour + ':' + sale_minutes, username)
if status is False:
return HttpResponse('could not add item')
return HttpResponse('success')
