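def add_manager(request):
    """Appoint a store manager for a shop on behalf of the logged-in user.

    Reads ``shop_name``, ``target_id`` and the eight ``*_permission`` form
    fields from the POST body. The appointing user is resolved from the
    ``login_hash`` cookie only; the POST body is never trusted for identity.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse carrying the message from ``UsersLogic.add_manager``,
        the injection message, or a failure message when the caller is not
        logged in or the request is not a POST.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    shop_name = request.POST.get('shop_name')
    target_id = request.POST.get('target_id')
    event = "ADD MANAGER"
    suspect_sql_injection = False
    for value in (shop_name, target_id):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('FAILED: You are not logged in')
    store_manager = StoreManager(
        target_id, shop_name,
        request.POST.get('add_item_permission'),
        request.POST.get('remove_item_permission'),
        request.POST.get('edit_item_permission'),
        request.POST.get('reply_message_permission'),
        request.POST.get('get_all_message_permission'),
        request.POST.get('get_purchase_history_permission'),
        request.POST.get('get_discount_permission'),
        request.POST.get('set_policy_permission'))
    return HttpResponse(UsersLogic.add_manager(username, store_manager))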
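def register(request):
    """Register a new user together with optional profile details.

    Reads ``username``, ``password``, ``state``, ``age`` and ``sex`` from
    the POST body and forwards them to
    ``UsersLogic.register_with_user_detail``.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse carrying the logic layer's message, or the injection
        message when any field looks like SQL injection.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    username = request.POST.get('username')
    password = request.POST.get('password')
    state = request.POST.get('state')
    age = request.POST.get('age')
    sex = request.POST.get('sex')
    event = "REGISTER"
    # Bug fix: the original overwrote the flag on every check, so only the
    # last field (sex) decided the outcome; OR-accumulate so any hit rejects.
    suspect_sql_injection = False
    for value in (username, password, state, age, sex):
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    return HttpResponse(
        UsersLogic.register_with_user_detail(
            RegisteredUser(username, password), state, age, sex))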
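def update_details(request):
    """Update the logged-in user's state, age and sex.

    Identity comes from the ``login_hash`` cookie. The three detail fields
    are read from the POST body and passed to ``UsersLogic.update_details``.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse with the logic layer's message, the injection message,
        or a failure message when the caller is not logged in.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    state = request.POST.get('state')
    age = request.POST.get('age')
    sex = request.POST.get('sex')
    event = "UPDATE USER DETAILS"
    suspect_sql_injection = False
    for value in (state, age, sex):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    # A cookie that no longer maps to a session used to pass username=None
    # down to the logic layer; treat it as "not logged in" instead.
    if username is None:
        return HttpResponse('FAILED: You are not logged in.')
    return HttpResponse(UsersLogic.update_details(username, state, age, sex))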
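def edit_password(request):
    """Change the logged-in user's password after re-checking the old one.

    Identity comes from the ``login_hash`` cookie; the change is only
    attempted when ``UsersLogic.login`` accepts ``current_password`` for
    that user, so a stolen cookie alone is not enough to rotate the secret.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse with the message from ``UsersLogic.edit_password``, the
        injection message, or a failure message when the caller is not
        logged in or the current password does not verify.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    current_password = request.POST.get('current_password')
    new_password = request.POST.get('new_password')
    event = "EDIT PASSWORD"
    # Bug fix: the original overwrote the flag on the second check, so a hit
    # on current_password was discarded; OR-accumulate instead.
    suspect_sql_injection = False
    for value in (current_password, new_password):
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('FAILED: You are not logged in.')
    # Re-authenticate with the current password before accepting the new one.
    if not UsersLogic.login(RegisteredUser(username, current_password)):
        return HttpResponse('FAILED: You are not logged in.')
    return HttpResponse(
        UsersLogic.edit_password(RegisteredUser(username, new_password)))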
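def login(request):
    """Authenticate a registered user and open a server-side session.

    On success a fresh session token is generated, registered in
    ``Consumer.loggedInUsers`` (token -> username) and
    ``Consumer.loggedInUsersShoppingCart`` (token -> cart items), and
    returned in the response body for the client to keep as its
    ``login_hash`` cookie.

    Security fix: the token used to be ``md5(username)``, which is
    predictable from the username alone (and reversible), so anyone who
    knew a username could forge a valid cookie without the password. The
    token is now a random 32-byte value. Logging in twice now yields two
    independent tokens instead of re-using one.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse whose body is the session token on success, otherwise
        the message returned by ``UsersLogic.login`` or the injection message.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    username = request.POST.get('username')
    password = request.POST.get('password')
    event = "LOGIN"
    suspect_sql_injection = False
    for value in (username, password):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    result = UsersLogic.login(RegisteredUser(username, password))
    # The logic layer signals success with a message prefixed 'SUCCESS'.
    if not result.startswith('SUCCESS'):
        return HttpResponse(result)
    import secrets  # local import: the file's import block is not in view
    access_token = secrets.token_hex(32)
    Consumer.loggedInUsers[access_token] = username
    Consumer.loggedInUsersShoppingCart[access_token] = (
        ShoppingLogic.get_cart_items(username))
    return HttpResponse(access_token)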
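def search_item_in_shop(request):
    """Look up one item by name inside a named shop (GET).

    Query parameters: ``item_name`` and ``shop_name``. The top bar is
    rendered in its logged-in variant when the ``login_hash`` cookie maps
    to a session.

    Args:
        request: Django request; only GET is accepted.

    Returns:
        The rendered ``SearchView.html`` when the item exists; otherwise a
        plain HttpResponse (the original returned None here, which Django
        turns into a server error).
    """
    if request.method != 'GET':
        return HttpResponse('FAIL: not get request')
    login = request.COOKIES.get('login_hash')
    topbar = loader.render_to_string('components/Topbar.html', context=None)
    if login is not None:
        username = Consumer.loggedInUsers.get(login)
        if username is not None:
            # Logged-in variant of the top bar.
            topbar = loader.render_to_string(
                'components/TopbarLoggedIn.html',
                context={'username': username})
    name = request.GET.get('item_name')
    shop_name = request.GET.get('shop_name')
    event = "SEARCH ITEM IN SHOP"
    suspect_sql_injection = False
    for value in (name, shop_name):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    item = SearchLogic.search_item_in_shop(name, shop_name)
    if item is False:
        return HttpResponse('item not found')
    return render(request, 'SearchView.html', {'topbar': topbar, 'item': item})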
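def add_review_on_shop(request):
    """Post a review (description plus integer rank) on a shop.

    The writer is resolved from the ``login_hash`` cookie. A user may review
    a given shop only once: an existing review by the same writer answers
    'has reviews'.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse 'success', 'has reviews', 'fail', or the injection
        message.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    shop_name = request.POST.get('shop_name')
    description = request.POST.get('description')
    event = "ADD REVIEW ON SHOP"
    suspect_sql_injection = False
    for value in (shop_name, description):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    # Parse rank only after the injection screen; int() on a missing or
    # non-numeric value used to raise and surface as a server error.
    try:
        rank = int(request.POST.get('rank'))
    except (TypeError, ValueError):
        return HttpResponse('fail')
    login = request.COOKIES.get('login_hash')
    writer_id = Consumer.loggedInUsers.get(login) if login is not None else None
    if writer_id is None:
        return HttpResponse('fail')
    old_review = ShopLogic.get_shop_review_with_writer(shop_name, writer_id)
    if old_review is not False:
        return HttpResponse('has reviews')
    shop_review = ShopReview(writer_id, description, rank, shop_name)
    if ShopLogic.add_review_on_shop(shop_review):
        return HttpResponse('success')
    return HttpResponse('fail')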
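def create_shop(request):
    """Create a shop owned by the logged-in user.

    Reads ``name`` and ``status`` from the POST body. Identity comes from
    the ``login_hash`` cookie, falling back to a ``login_hash`` POST field.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse with the message from ``ShopLogic.create_shop``, the
        injection message, 'invalid shop name' for a missing/blank name, or
        a failure message when the caller is not logged in.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    shop_name = request.POST.get('name')
    shop_status = request.POST.get('status')
    event = "ADD SHOP"
    suspect_sql_injection = False
    for value in (shop_name, shop_status):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    if not shop_name:
        # A blank name was reported as an injection attempt, which both
        # misleads the user and pollutes the security log's meaning.
        return HttpResponse('invalid shop name')
    login = request.COOKIES.get('login_hash')
    if login is None:
        login = request.POST.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('FAILED: You are not logged in')
    shop = Shop(shop_name, shop_status)
    return HttpResponse(ShopLogic.create_shop(shop, username))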
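def add_review_on_item(request):
    """Post a review (description plus rank) on an item.

    The writer is resolved from the ``login_hash`` cookie. A user may review
    a given item only once: an existing review by the same writer answers
    'has reviews'. ``rank`` is forwarded as received (not converted).

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse 'success', 'has reviews', 'fail', or the injection
        message.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    item_id = request.POST.get('item_id')
    description = request.POST.get('description')
    rank = request.POST.get('rank')
    event = "ADD REVIEW"
    suspect_sql_injection = False
    for value in (item_id, description, rank):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        # Consistency: the sibling views qualify the constant via LoggerLogic.
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    login = request.COOKIES.get('login_hash')
    writer_name = Consumer.loggedInUsers.get(login) if login is not None else None
    if writer_name is None:
        return HttpResponse('fail')
    old_review = ItemsLogic.get_item_review_with_writer(item_id, writer_name)
    if old_review is not False:
        return HttpResponse('has reviews')
    review = ItemReview(writer_name, item_id, description, rank)
    if ItemsLogic.add_review_on_item(review):
        return HttpResponse('success')
    return HttpResponse('fail')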
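def update_permissions(request):
    """Replace the permission set of an existing store manager.

    Reads ``shop_name``, ``target_id`` and the eight ``*_permission`` form
    fields from the POST body. The acting user is resolved from the
    ``login_hash`` cookie; authorisation is left to
    ``UsersLogic.update_permissions``.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse 'success', 'fail', or the injection message.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    shop_name = request.POST.get('shop_name')
    target_id = request.POST.get('target_id')
    event = "UPDATE PERMISSIONS"
    suspect_sql_injection = False
    for value in (shop_name, target_id):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('fail')
    store_manager = StoreManager(
        target_id, shop_name,
        request.POST.get('add_item_permission'),
        request.POST.get('remove_item_permission'),
        request.POST.get('edit_item_permission'),
        request.POST.get('reply_message_permission'),
        request.POST.get('get_all_message_permission'),
        request.POST.get('get_purchase_history_permission'),
        request.POST.get('get_discount_permission'),
        request.POST.get('set_policy_permission'))
    if UsersLogic.update_permissions(username, store_manager):
        return HttpResponse('success')
    return HttpResponse('fail')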
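def send_message_from_shop(request):
    """Send a message on behalf of a shop to a recipient.

    Reads ``content``, ``from`` (the shop) and ``to`` from the POST body.
    The sending user is resolved from the ``login_hash`` cookie and passed
    to ``MessagingLogic.send_message_from_shop`` together with the message.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse with the logic layer's message, the injection message,
        or a failure message when the caller is not logged in.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    content = request.POST.get('content')
    from_shop = request.POST.get('from')
    to = request.POST.get('to')
    event = "SEND MESSAGE FROM SHOP"
    suspect_sql_injection = False
    for value in (content, from_shop, to):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('FAILED: You are not logged in')
    message = Message(None, from_shop, to, content)
    return HttpResponse(
        MessagingLogic.send_message_from_shop(username, message))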
def test_get_all_security(self):
    """Two flagged inputs produce two security-log entries, newest first."""
    LoggerLogic.identify_sql_injection("#", "event1")
    LoggerLogic.identify_sql_injection("'SELECT * FROM Items;--", "event2")
    logs = Logger.get_all_security_logs()
    self.assertEqual(len(logs), 2)
    # The most recently logged event is expected at index 0.
    self.assertEqual(logs[0].event, "event2")
    self.assertEqual(logs[1].event, "event1")
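def edit_shop_item(request):
    """Update quantity, category, keywords, price and url of a shop item.

    The caller (from the ``login_hash`` cookie) must own the item's shop or
    be a manager of it with the edit-item permission. Each field is written
    through ``ItemsLogic.edit_shop_item`` in turn; the first failed write
    answers 'fail', so earlier fields may already have been updated.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse 'success', 'fail', 'no permission to edit item', or
        the injection message.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('fail')
    item_id = request.POST.get('item_id')
    # Field names as ItemsLogic.edit_shop_item expects them, paired with the
    # POST keys the form uses.
    updates = [
        ('quantity', request.POST.get('item_quantity')),
        ('category', request.POST.get('item_category')),
        ('keywords', request.POST.get('item_keywords')),
        ('price', request.POST.get('item_price')),
        ('url', request.POST.get('item_url')),
    ]
    event = "EDIT ITEM"
    suspect_sql_injection = False
    # item_id is screened as well (it was not before, unlike the review
    # views); every value is checked so each suspicious field is logged.
    for value in [item_id] + [new_value for _, new_value in updates]:
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    item = ItemsLogic.get_item(item_id)
    if item is False:
        return HttpResponse('fail')
    if not UsersLogic.is_owner_of_shop(username, item.shop_name):
        if not UsersLogic.is_manager_of_shop(username, item.shop_name):
            return HttpResponse('fail')  # neither owner nor manager
        manager = UsersLogic.get_manager(username, item.shop_name)
        # '!=' rather than 'is not': identity against an int literal only
        # held by CPython small-int caching (assumes the flag is an int 1).
        if manager.permission_edit_item != 1:
            return HttpResponse('no permission to edit item')
    for field, new_value in updates:
        status = ItemsLogic.edit_shop_item(username, item_id, field, new_value)
        if status is False:
            return HttpResponse('fail')
    return HttpResponse('success')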
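def add_lottery_item_to_shop(request):
    """Create a lottery in a shop: a prize item plus a ticket item.

    POST fields: ``item_name``, ``item_category``, ``item_keyWords``,
    ``item_price``, ``ticket_name``, ``ticket_price``, ``item_shop_name``,
    ``final_date``.

    Security fix: the acting user is now resolved from the ``login_hash``
    cookie. The original took it from a ``username`` POST field, so any
    caller could name any user as the actor; that field is no longer read.
    Bug fix: the view now always returns an HttpResponse (it returned None).

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse 'success', 'could not add item', 'user not logged in',
        or the injection message.
    """
    if request.method != 'POST':
        return HttpResponse('FAIL: not post request')
    item_name = request.POST.get('item_name')
    item_category = request.POST.get('item_category')
    item_keywords = request.POST.get('item_keyWords')
    item_price = request.POST.get('item_price')
    ticket_name = request.POST.get('ticket_name')
    ticket_price = request.POST.get('ticket_price')
    shop_name = request.POST.get('item_shop_name')
    final_date = request.POST.get('final_date')
    event = "ADD LOTTERY ITEM"
    suspect_sql_injection = False
    for value in (item_name, item_category, item_keywords, item_price,
                  ticket_name, ticket_price, shop_name):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    # NOTE(review): final_date is not screened and reaches LotteryLogic as
    # received — confirm the persistence layer parameterizes it.
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('user not logged in')
    # The prize itself carries price 0 and quantity 1; the ticket carries
    # the ticket price, also quantity 1 (as the original constructed them).
    item = Item(None, shop_name, item_name, item_category, item_keywords,
                0, 1, 'prize')
    ticket = Item(None, shop_name, ticket_name, item_category, item_keywords,
                  ticket_price, 1, 'ticket')
    status = LotteryLogic.add_lottery_and_items(
        item, ticket, item_price, final_date, username)
    # Assumes add_lottery_and_items reports failure as False, like the
    # sibling add_lottery_and_items_and_return_id — TODO confirm.
    if status is False:
        return HttpResponse('could not add item')
    return HttpResponse('success')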
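def update_code_shopping_cart(request):
    """Apply a discount code to the caller's cart (logged-in user or guest).

    The code is resolved to an item via ``ItemsLogic.get_item_by_code``.
    A valid ``login_hash`` session routes to ``UserShoppingCartLogic``;
    otherwise a ``guest_hash`` cookie routes to ``GuestShoppingCartLogic``.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse 'OK', 'fail', or the injection message.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    code = request.POST.get("code")
    event = "UPDATE CODE SHOPPING CART"
    if LoggerLogic.identify_sql_injection(code, event):
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    item = ItemsLogic.get_item_by_code(code)
    if item is False:
        return HttpResponse('fail')
    login = request.COOKIES.get('login_hash')
    if login is None or Consumer.loggedInUsers.get(login) is None:
        guest = request.COOKIES.get('guest_hash')
        if guest is None:
            return HttpResponse('fail')
        status = GuestShoppingCartLogic.update_code_shopping_cart_guest(
            guest, item.id, code)
    else:
        # The session token itself is passed on, as the logic layer expects.
        status = UserShoppingCartLogic.update_code_shopping_cart(
            login, item.id, code)
    return HttpResponse('fail' if status is False else 'OK')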
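def search_shop(request):
    """Render a shop page by name, or suggestions when no shop matches (GET).

    The top bar is rendered in its logged-in variant when the
    ``login_hash`` cookie maps to a session.

    Args:
        request: Django request; only GET is accepted.

    Returns:
        ``shop.html`` when the shop exists, ``ItemsNotFound.html`` with up
        to five similar names otherwise, or the injection message.
    """
    if request.method != 'GET':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not get request')
    login = request.COOKIES.get('login_hash')
    topbar = loader.render_to_string('components/Topbar.html', context=None)
    if login is not None:
        username = Consumer.loggedInUsers.get(login)
        if username is not None:
            # Logged-in variant of the top bar.
            topbar = loader.render_to_string(
                'components/TopbarLoggedIn.html',
                context={'username': username})
    name = request.GET.get('name')
    if LoggerLogic.identify_sql_injection(name, "SEARCH SHOP"):
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    shop = SearchLogic.search_shop(name)
    if shop is not False:
        # NOTE(review): the shop object is not passed to the template —
        # confirm shop.html obtains it some other way.
        return render(request, 'shop.html', {'topbar': topbar})
    words = SearchLogic.get_similar_words(name)[:5]
    return render(request, 'ItemsNotFound.html',
                  {'topbar': topbar, 'words': words})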
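def add_owner(request):
    """Appoint an additional owner of a shop on behalf of the logged-in user.

    Reads ``shop_name`` and ``target_id`` from the POST body. The appointing
    user is resolved from the ``login_hash`` cookie.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse carrying the message from ``UsersLogic.add_owner``, the
        injection message, or a failure message when the caller is not
        logged in.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    shop_name = request.POST.get('shop_name')
    target_id = request.POST.get('target_id')
    event = "ADD OWNER"
    suspect_sql_injection = False
    for value in (shop_name, target_id):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    # Consistency with add_manager: an unknown session is "not logged in"
    # rather than username=None reaching the logic layer.
    if username is None:
        return HttpResponse('FAILED: You are not logged in')
    owner = Owner(target_id, shop_name, None)
    return HttpResponse(UsersLogic.add_owner(username, owner))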
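def add_system_manager(request):
    """Create a system-manager account from a username and password (POST).

    NOTE(review): no login or authorisation check is performed here before
    ``UsersLogic.add_system_manager`` is called; confirm that the logic
    layer or the URL routing restricts who may reach this endpoint.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse 'added', a failure message when the username already
        exists, or the injection message.
    """
    if request.method != 'POST':
        # Previously fell through and returned None, which Django rejects.
        return HttpResponse('FAIL: not post request')
    username = request.POST.get('username')
    password = request.POST.get('password')
    # Bug fix: the security-log label was copied from the discount view
    # ("ADD VISIBLE DISCOUNT"), mislabelling entries for this endpoint.
    event = "ADD SYSTEM MANAGER"
    suspect_sql_injection = False
    for value in (username, password):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    if UsersLogic.add_system_manager(SystemManager(username, password)):
        return HttpResponse('added')
    return HttpResponse(
        'failed - probably username exist in RegisteredUsers or SystemManagers'
    )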
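def _swap_second_third(value):
    """Reorder 'a-b-c' into 'a-c-b', as the original did for both dates.

    Returns None when the value is missing or does not have exactly three
    '-'-separated parts (the original indexed blindly and raised).
    """
    if value is None:
        return None
    parts = value.split('-')
    if len(parts) != 3:
        return None
    return parts[0] + '-' + parts[2] + '-' + parts[1]


def add_discount(request):
    """Create a visible/invisible discount on an item or on a category.

    POST fields: ``shop_name``, ``percent``, ``kind`` (one of
    ``visible_item``, ``invisible_item``, ``visible_category``,
    ``invisible_category``), ``start_date``, ``duration`` (end date), plus
    ``item_id`` / ``category`` / ``code`` depending on ``kind``. Identity
    comes from the ``login_hash`` cookie; the caller must own the shop or be
    a manager of it with the discount permission.

    Bug fixes: the original kept the outcome in a module global (``global
    result``), so an unrecognised ``kind`` answered with the result of a
    previous request; ``int(percent)`` and the date reformatting raised on
    missing input; and the permission flag was compared with ``is not``.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse 'success' or a message naming the failure.
    """
    if request.method != 'POST':
        return HttpResponse('FAIL: not post request')
    shop_name = request.POST.get('shop_name')
    kind = request.POST.get('kind')
    event = "ADD DISCOUNT"
    suspect_sql_injection = False
    for value in (shop_name, kind):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    try:
        percent = int(request.POST.get('percent'))
    except (TypeError, ValueError):
        return HttpResponse('invalid percent')
    # NOTE(review): start_date/duration are not screened and reach
    # DiscountLogic as received — confirm the persistence layer
    # parameterizes them.
    start_date = _swap_second_third(request.POST.get('start_date'))
    end_date = _swap_second_third(request.POST.get('duration'))
    if start_date is None or end_date is None:
        return HttpResponse('invalid date')
    if shop_name is None or ShopLogic.search_shop(shop_name) is False:
        return HttpResponse('invalid shop')
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('user not logged in')
    if not UsersLogic.is_owner_of_shop(username, shop_name):
        if not UsersLogic.is_manager_of_shop(username, shop_name):
            return HttpResponse('not owner or manager in this shop')
        manager = UsersLogic.get_manager(username, shop_name)
        # '!=' rather than 'is not': identity against an int literal only
        # held by CPython small-int caching (assumes the flag is an int 1).
        if manager.discount_permission != 1:
            return HttpResponse('no permission to add discount')
    result = False  # local: no cross-request state
    if kind == "visible_item":
        item_id = request.POST.get('item_id')
        if LoggerLogic.identify_sql_injection(item_id, event):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
        item = ItemsLogic.get_item_without_lottery(item_id)
        if item is False or item.shop_name != shop_name:
            # f-string: '+' on a missing item_id raised TypeError before.
            return HttpResponse(
                f"item with id={item_id} doesnt exist in this shop or a ticket")
        discount = VisibleDiscount(item_id, shop_name, percent,
                                   start_date, end_date)
        result = DiscountLogic.add_visible_discount(discount, username)
    elif kind == "invisible_item":
        item_id = request.POST.get('item_id')
        code = request.POST.get('code')
        suspect_sql_injection = False
        for value in (item_id, code):
            suspect_sql_injection = (
                LoggerLogic.identify_sql_injection(value, event)
                or suspect_sql_injection)
        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
        item = ItemsLogic.get_item_without_lottery(item_id)
        if item is False or item.shop_name != shop_name:
            return HttpResponse(
                f"item with id={item_id} doesnt exist in this shop or a ticket")
        discount = InvisibleDiscount(code, item_id, shop_name, percent,
                                     start_date, end_date)
        result = DiscountLogic.add_invisible_discount(discount, username)
    elif kind == "visible_category":
        category = request.POST.get('category')
        if LoggerLogic.identify_sql_injection(category, event):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
        discount = VisibleDiscountCategory(category, shop_name, percent,
                                           start_date, end_date)
        result = DiscountLogic.add_visible_discount_category(
            discount, username)
    elif kind == "invisible_category":
        category = request.POST.get('category')
        code = request.POST.get('code')
        suspect_sql_injection = False
        for value in (category, code):
            suspect_sql_injection = (
                LoggerLogic.identify_sql_injection(value, event)
                or suspect_sql_injection)
        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
        discount = InvisibleDiscountCategory(code, category, shop_name,
                                             percent, start_date, end_date)
        result = DiscountLogic.add_invisible_discount_category(
            discount, username)
    else:
        return HttpResponse('invalid discount kind')
    if result:
        return HttpResponse('success')
    return HttpResponse('discount already exist for this item/category!')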
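def _render_item_search(request, search, query, kind, topbar, navbar):
    """Run one search function and render hits or name suggestions.

    Applies the item and category discounts to each hit's price (rounded to
    two decimals) before rendering ``SearchView.html``. With no hits, up to
    five similar words are tried with the same search function; those that
    return results are offered on ``ItemsNotFound.html``, otherwise
    ``ItemNotFoundNoSuggestions.html`` is rendered.

    Args:
        request: the Django request being answered.
        search: one of the ``SearchLogic.search_by_*`` callables.
        query: the raw search string.
        kind: the ``type`` value handed to the not-found templates.
        topbar, navbar: pre-rendered page chrome.
    """
    items = search(query)
    for item in items:
        shop_name = item.shop_name
        item.price = round(
            item.price * item_discount(item.id, shop_name)
            * category_discount(item.category, shop_name), 2)
    if len(items) != 0:
        context = {'topbar': topbar, 'items': items, 'navbar': navbar,
                   'len': len(items)}
        return render(request, 'SearchView.html', context)
    words = SearchLogic.get_similar_words(query)[:5]
    existing = [word for word in words if len(search(word)) != 0]
    context = {'topbar': topbar, 'items': existing, 'navbar': navbar,
               'type': kind}
    if len(existing) != 0:
        return render(request, 'ItemsNotFound.html', context)
    return render(request, 'ItemNotFoundNoSuggestions.html', context)


def search_item(request):
    """Search items by name, category or keywords (GET).

    ``searchBy`` selects the mode and also names the GET parameter holding
    the query (``name``, ``category`` or ``keywords``). The three modes
    share one rendering path, ``_render_item_search``; the original
    repeated it verbatim per mode.

    Args:
        request: Django request; only GET is accepted.

    Returns:
        A rendered search/not-found page, the injection message, or a plain
        failure response for an unknown mode (the original returned None).
    """
    if request.method != 'GET':
        return HttpResponse('FAIL: not get request')
    login = request.COOKIES.get('login_hash')
    guest = request.COOKIES.get('guest')
    topbar = Topbar_Navbar.get_top_bar(login)
    navbar = Topbar_Navbar.get_nav_bar(login, guest)
    search_by = request.GET.get('searchBy')
    event = "SEARCH ITEM"
    searches = {
        'name': SearchLogic.search_by_name,
        'category': SearchLogic.search_by_category,
        'keywords': SearchLogic.search_by_keywords,
    }
    if search_by not in searches:
        return HttpResponse('invalid search type')
    query = request.GET.get(search_by)
    if LoggerLogic.identify_sql_injection(query, event):
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    return _render_item_search(request, searches[search_by], query,
                               search_by, topbar, navbar)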
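def add_item_to_shop(request):
    """Add a regular item, or a lottery prize plus its tickets, to a shop.

    POST fields: ``shop_name``, ``item_name``, ``item_quantity``,
    ``item_category``, ``item_keywords``, ``item_price``, ``item_url``,
    ``item_kind`` ('regular' or 'prize'); for 'prize' also ``sale_date``,
    ``sale_hour``, ``sale_minutes``. Identity comes from the ``login_hash``
    cookie, falling back to a ``login_hash`` POST field. The caller must own
    the shop or be a manager of it with the add-item permission.

    Bug fixes: ``int()``/``float()`` on missing or malformed numbers raised
    before any validation ran; a missing sale-time part raised on string
    concatenation; the permission flag was compared with ``is not``.

    Args:
        request: Django request; only POST is accepted.

    Returns:
        HttpResponse 'success' or a message naming the failed check.
    """
    if request.method != 'POST':
        return HttpResponse('FAIL: not post request')
    shop_name = request.POST.get('shop_name')
    item_name = request.POST.get('item_name')
    item_category = request.POST.get('item_category')
    item_keywords = request.POST.get('item_keywords')
    item_url = request.POST.get('item_url')
    item_kind = request.POST.get('item_kind')
    try:
        item_quantity = int(request.POST.get('item_quantity'))
    except (TypeError, ValueError):
        return HttpResponse('invalid quantity')
    try:
        item_price = float(request.POST.get('item_price'))
    except (TypeError, ValueError):
        return HttpResponse('invalid price')
    if not item_name:
        return HttpResponse('invalid item name')
    if item_quantity < 0:
        return HttpResponse('invalid quantity')
    if not item_category:
        return HttpResponse('invalid category')
    if item_keywords is None:
        return HttpResponse('invalid keywords')
    if item_price <= 0:
        return HttpResponse('invalid price')
    event = "ADD ITEM"
    suspect_sql_injection = False
    for value in (shop_name, item_name, item_category, item_keywords,
                  item_url, item_kind):
        # Every field is screened (no short-circuit) so each hit is logged.
        suspect_sql_injection = (
            LoggerLogic.identify_sql_injection(value, event)
            or suspect_sql_injection)
    if suspect_sql_injection:
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
    if shop_name is None or ShopLogic.search_shop(shop_name) is False:
        return HttpResponse('invalid shop')
    if item_url == '':
        item_url = None
    sale_time = None
    if item_kind == 'prize':
        # NOTE(review): the sale-time parts are not screened and reach
        # LotteryLogic as received — confirm they are parameterized there.
        sale_date = request.POST.get('sale_date')
        sale_hour = request.POST.get('sale_hour')
        sale_minutes = request.POST.get('sale_minutes')
        if sale_date is None or sale_hour is None or sale_minutes is None:
            return HttpResponse('invalid sale date')
        sale_time = sale_date + ' ' + sale_hour + ':' + sale_minutes
    login = request.COOKIES.get('login_hash')
    if login is None:
        login = request.POST.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('user not logged in')
    if not UsersLogic.is_owner_of_shop(username, shop_name):
        if not UsersLogic.is_manager_of_shop(username, shop_name):
            return HttpResponse('not owner or manager in this shop')
        manager = UsersLogic.get_manager(username, shop_name)
        # '!=' rather than 'is not': identity against an int literal only
        # held by CPython small-int caching (assumes the flag is an int 1).
        if manager.permission_add_item != 1:
            return HttpResponse('no permission to add item')
    status = False
    if item_kind == 'regular':
        regular_item = Item(None, shop_name, item_name, item_category,
                            item_keywords, item_price, item_quantity,
                            item_kind, item_url, 0, 0, 0)
        status = ItemsLogic.add_item_to_shop(regular_item, username)
    elif item_kind == 'prize':
        # One prize (quantity 1) plus item_quantity tickets at item_price.
        prize = Item(None, shop_name, item_name, item_category, item_keywords,
                     item_price, 1, item_kind, item_url, 0, 0, 0)
        ticket = Item(None, shop_name, 'Ticket for ' + item_name,
                      item_category, item_keywords, item_price, item_quantity,
                      'ticket', item_url, 0, 0, 0)
        status = LotteryLogic.add_lottery_and_items_and_return_id(
            prize, ticket, ticket.price, sale_time, username)
    if status is False:
        return HttpResponse('could not add item')
    return HttpResponse('success')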