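def get_reviews(request):
    """Render the review list for the shop named in the ``shop_name`` GET parameter.

    Args:
        request: Django request; only GET is served, the session is read
            from the ``login_hash`` / ``guest_hash`` cookies.

    Returns:
        The rendered ``shop_reviews.html`` page when the shop exists; an
        ``HttpResponse`` carrying the module-level ``shop_not_exist`` text
        when it does not; ``not_get_request`` for any other method.
    """
    if request.method != 'GET':
        return HttpResponse(not_get_request)

    login = request.COOKIES.get('login_hash')
    guest = request.COOKIES.get('guest_hash')
    shop_name = request.GET.get('shop_name')

    # search_shop signals "not found" with the literal False (every call
    # site in this file compares the same way), so test identity.
    if ShopLogic.search_shop(shop_name) is False:
        return HttpResponse(shop_not_exist)

    # One template render per review, joined once instead of repeated
    # string concatenation. writer_name/description are user-supplied;
    # the fragment relies on template autoescaping — confirm the template
    # does not mark them safe.
    review_fragments = [
        loader.render_to_string(
            'components/review.html',
            {
                'writer_name': review.writerId,
                'rank': review.rank,
                'description': review.description,
            },
            None,
            None,
        )
        for review in ShopLogic.get_shop_reviews(shop_name)
    ]

    context = {
        'topbar': Topbar_Navbar.get_top_bar(login),
        'navbar': Topbar_Navbar.get_nav_bar(login, guest),
        'shop_name': shop_name,
        'reviews': "".join(review_fragments),
    }
    return render(request, 'shop_reviews.html', context=context)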
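def add_discount(request):
    """Create a discount on a shop's item or category from a POST form.

    Expected POST fields: ``shop_name``, ``percent`` (integer), ``kind``
    (one of ``visible_item``, ``invisible_item``, ``visible_category``,
    ``invisible_category``), ``start_date`` and ``duration`` (the end
    date), plus ``item_id`` or ``category`` for the respective kinds and
    ``code`` for the invisible kinds. Only the shop owner, or a manager
    whose ``discount_permission`` is 1, may add a discount.

    Returns:
        An ``HttpResponse`` whose body is ``'success'`` or a short
        plain-text reason for refusal.
    """
    if request.method != 'POST':
        return HttpResponse('FAIL: not post request')

    shop_name = request.POST.get('shop_name')
    kind = request.POST.get('kind')
    event = "ADD DISCOUNT"

    # identify_sql_injection also logs the suspicious value under ``event``;
    # every field is checked before bailing so the log stays complete.
    # NOTE(review): this is a detection heuristic, not a defence — the data
    # layer still has to bind its query parameters; confirm it does.
    if _any_sql_injection((shop_name, kind), event):
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

    # int() on a missing or non-numeric field used to raise and surface as a
    # server error; refuse the request instead.
    try:
        percent = int(request.POST.get('percent'))
    except (TypeError, ValueError):
        return HttpResponse('invalid percent')

    # The form posts the end date under the key 'duration'.
    start_date = _swap_day_month(request.POST.get('start_date'))
    end_date = _swap_day_month(request.POST.get('duration'))
    if start_date is None or end_date is None:
        return HttpResponse('invalid date')

    if shop_name is None or ShopLogic.search_shop(shop_name) is False:
        return HttpResponse('invalid shop')

    # Session lookup: cookie hash -> username via the in-memory map.
    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('user not logged in')

    refusal = _discount_permission_refusal(username, shop_name)
    if refusal is not None:
        return refusal

    # ``added`` is a local now; the previous ``global result`` was shared
    # between requests and was read uninitialised for an unknown ``kind``.
    if kind == "visible_item":
        item_id = request.POST.get('item_id')
        if _any_sql_injection((item_id,), event):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
        refusal = _item_not_in_shop_refusal(item_id, shop_name)
        if refusal is not None:
            return refusal
        discount = VisibleDiscount(item_id, shop_name, percent, start_date, end_date)
        added = DiscountLogic.add_visible_discount(discount, username)
    elif kind == "invisible_item":
        item_id = request.POST.get('item_id')
        code = request.POST.get('code')
        if _any_sql_injection((item_id, code), event):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
        refusal = _item_not_in_shop_refusal(item_id, shop_name)
        if refusal is not None:
            return refusal
        discount = InvisibleDiscount(code, item_id, shop_name, percent, start_date, end_date)
        added = DiscountLogic.add_invisible_discount(discount, username)
    elif kind == "visible_category":
        category = request.POST.get('category')
        if _any_sql_injection((category,), event):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
        discount = VisibleDiscountCategory(category, shop_name, percent, start_date, end_date)
        added = DiscountLogic.add_visible_discount_category(discount, username)
    elif kind == "invisible_category":
        category = request.POST.get('category')
        code = request.POST.get('code')
        if _any_sql_injection((category, code), event):
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
        discount = InvisibleDiscountCategory(code, category, shop_name, percent, start_date, end_date)
        added = DiscountLogic.add_invisible_discount_category(discount, username)
    else:
        return HttpResponse('invalid discount kind')

    if added:
        return HttpResponse('success')
    return HttpResponse('discount already exist for this item/category!')


def _any_sql_injection(values, event):
    """Return True when any of ``values`` is flagged by ``LoggerLogic.identify_sql_injection``.

    A list comprehension (not a generator) is used on purpose so that every
    value is checked — and therefore logged — even after the first hit.
    """
    flagged = [LoggerLogic.identify_sql_injection(value, event) for value in values]
    return any(flagged)


def _swap_day_month(value):
    """Return a dash-separated date with its second and third fields swapped, or None.

    The original code rewrote ``a-b-c`` as ``a-c-b`` before handing the
    dates to the discount layer — presumably the form posts YYYY-DD-MM and
    the backend expects YYYY-MM-DD; confirm against the form. ``None`` is
    returned for a missing value or one with fewer than three fields,
    which previously raised inside the view.
    """
    if value is None:
        return None
    parts = value.split('-')
    if len(parts) < 3:
        return None
    return f"{parts[0]}-{parts[2]}-{parts[1]}"


def _discount_permission_refusal(username, shop_name):
    """Return a refusal ``HttpResponse``, or None when ``username`` may add discounts to ``shop_name``.

    Owners always may; managers only when ``discount_permission`` equals 1.
    """
    if UsersLogic.is_owner_of_shop(username, shop_name):
        return None
    if not UsersLogic.is_manager_of_shop(username, shop_name):
        return HttpResponse('not owner or manager in this shop')
    manager = UsersLogic.get_manager(username, shop_name)
    # ``!=`` rather than ``is not``: identity comparison against an int
    # literal is unreliable (and a SyntaxWarning since Python 3.8).
    if manager.discount_permission != 1:
        return HttpResponse('no permission to add discount')
    return None


def _item_not_in_shop_refusal(item_id, shop_name):
    """Return a refusal ``HttpResponse`` unless ``item_id`` is a non-ticket item of ``shop_name``."""
    item = ItemsLogic.get_item_without_lottery(item_id)
    if item is False or item.shop_name != shop_name:
        # f-string so a missing item_id renders as 'None' instead of raising.
        return HttpResponse(f"item with id={item_id} doesnt exist in this shop or a ticket")
    return None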
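def get_shop(request):
    """Render a shop page: its non-prize items with discounts applied, plus management controls.

    Args:
        request: Django request; ``shop_name`` is read from GET, the
            session from the ``login_hash`` / ``guest_hash`` cookies.

    Returns:
        ``shop.html`` when the shop exists, ``ShopNotFound.html`` when it
        does not, and the ``not_get_request`` text for other methods.
    """
    if request.method != 'GET':
        return HttpResponse(not_get_request)

    login = request.COOKIES.get('login_hash')
    # The not-found branch used to read the cookie 'guest' while every other
    # view reads 'guest_hash'; both branches now use the same cookie.
    guest = request.COOKIES.get('guest_hash')
    context = {
        'topbar': Topbar_Navbar.get_top_bar(login),
        'navbar': Topbar_Navbar.get_nav_bar(login, guest),
    }

    shop_name = request.GET.get('shop_name')
    shop = ShopLogic.search_shop(shop_name)
    if shop is False:
        return render(request, 'ShopNotFound.html', context)

    username = Consumer.loggedInUsers.get(login) if login is not None else None

    # Prize items are lottery prizes and are not listed for sale.
    # NOTE: discounts are looked up by the GET value ``shop_name`` while the
    # items come from ``shop.name`` — kept as before; confirm they are equal.
    products = "".join(
        _render_shop_item(item, shop_name)
        for item in ShopLogic.get_shop_items(shop.name)
        if item.kind != 'prize'
    )

    context.update({
        'shop_name': shop.name,
        'shop_status': shop.status,
        'products': products,
        'owner_manager_options': _owner_manager_options(username, shop_name),
    })
    return render(request, 'shop.html', context=context)


def _render_shop_item(item, shop_name):
    """Render one ``components/item.html`` fragment with item and category discounts applied."""
    # item_discount / category_discount are module-level helpers whose
    # results are multiplied into the price, i.e. they act as multipliers.
    price = (item.price
             * item_discount(item.id, shop_name)
             * category_discount(item.category, shop_name))
    return loader.render_to_string(
        'components/item.html',
        {
            'name': item.name,
            'price': f"{price:.2f}",
            'url': item.url,
            'item_id': item.id,
        },
        None,
        None,
    )


def _owner_manager_options(username, shop_name):
    """Return the HTML of the management buttons ``username`` may see on ``shop_name``.

    Owners get every button; managers only those their permission flags
    allow; anonymous visitors and plain customers get an empty string.
    Buttons are rendered only when someone is entitled to see them, where
    previously all five were rendered for every visitor.
    """
    if username is None:
        # Skip the owner/manager lookups for anonymous visitors instead of
        # querying the user layer with username=None.
        return ""
    is_owner = UsersLogic.is_owner_of_shop(username, shop_name)
    is_manager = UsersLogic.is_manager_of_shop(username, shop_name)
    if not (is_owner or is_manager):
        return ""

    def button(path, id_param, text):
        return loader.render_to_string(
            'components/owner_manager_options.html',
            {
                'path': path,
                'id_param': id_param,
                'shop_name': shop_name,
                'button_text': text,
            })

    purchase_history = button('owner/purchase_history', 'purchase_history', 'Purchase History')
    edit_remove = button('owner/items', 'edit_remove', 'Edit & Remove Items')
    add_item = button('owner/items/add_item', 'add_item', 'Add Item')
    add_discount_button = button('owner/add_discount', 'add_discount', 'Add Discount')
    delete_discount = button('owner/delete_discount', 'delete_discount', 'Delete Discount')

    if is_owner:
        return (purchase_history + edit_remove + add_item
                + add_discount_button + delete_discount)

    # Manager (not owner): each button is gated by its permission flag,
    # compared with ``== 1`` as elsewhere in this file.
    manager = UsersLogic.get_manager(username, shop_name)
    parts = []
    if manager.permission_get_purchased_history == 1:
        parts.append(purchase_history)
    if manager.permission_edit_item == 1 or manager.permission_remove_item == 1:
        parts.append(edit_remove)
    if manager.permission_add_item == 1:
        parts.append(add_item)
    if manager.discount_permission == 1:
        parts.append(add_discount_button)
        parts.append(delete_discount)
    return "".join(parts)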
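def add_item_to_shop(request):
    """Add a regular item, or a lottery prize with its tickets, to a shop from a POST form.

    Expected POST fields: ``shop_name``, ``item_name``, ``item_quantity``
    (int), ``item_category``, ``item_keywords``, ``item_price`` (float),
    ``item_url``, ``item_kind`` (``regular`` or ``prize``) and, for prizes,
    ``sale_date``, ``sale_hour``, ``sale_minutes``. Only the shop owner, or
    a manager whose ``permission_add_item`` is 1, may add items.

    Returns:
        ``HttpResponse('success')`` on success, otherwise a short
        plain-text reason for refusal.
    """
    import math  # function-scope: the file's import block is outside this view

    if request.method != 'POST':
        # Previously a non-POST request fell through without a proper
        # response; answer like add_discount does.
        return HttpResponse('FAIL: not post request')

    post = request.POST
    shop_name = post.get('shop_name')
    item_name = post.get('item_name')
    item_category = post.get('item_category')
    item_keywords = post.get('item_keywords')
    item_url = post.get('item_url')
    item_kind = post.get('item_kind')

    # int()/float() on a missing or malformed field used to raise inside the
    # view; refuse the request instead.
    try:
        item_quantity = int(post.get('item_quantity'))
    except (TypeError, ValueError):
        return HttpResponse('invalid quantity')
    try:
        item_price = float(post.get('item_price'))
    except (TypeError, ValueError):
        return HttpResponse('invalid price')

    if not item_name:
        return HttpResponse('invalid item name')
    if item_quantity < 0:
        return HttpResponse('invalid quantity')
    if not item_category:
        return HttpResponse('invalid category')
    if item_keywords is None:
        return HttpResponse('invalid keywords')
    # float() accepts 'nan' and 'inf'; neither is a usable price, and
    # ``nan <= 0`` is False so the old check let it through.
    if not math.isfinite(item_price) or item_price <= 0:
        return HttpResponse('invalid price')

    event = "ADD ITEM"
    fields = (shop_name, item_name, item_category, item_keywords, item_url, item_kind)
    # A list, not a generator: every field is checked (and logged by
    # identify_sql_injection), not just the first hit.
    flagged = [LoggerLogic.identify_sql_injection(value, event) for value in fields]
    if any(flagged):
        # Referenced through LoggerLogic like the other views in this file.
        return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

    if shop_name is None or ShopLogic.search_shop(shop_name) is False:
        return HttpResponse('invalid shop')

    if item_url == '':
        item_url = None

    sale_date = sale_hour = sale_minutes = None
    if item_kind == 'prize':
        sale_date = post.get('sale_date')
        sale_hour = post.get('sale_hour')
        sale_minutes = post.get('sale_minutes')
        # These are concatenated into the lottery's sale time below; a
        # missing one used to raise TypeError.
        if sale_date is None or sale_hour is None or sale_minutes is None:
            return HttpResponse('invalid sale time')

    login = request.COOKIES.get('login_hash')
    if login is None:
        # NOTE(review): accepting the session token from the form body
        # bypasses cookie-scoped protections such as HttpOnly; confirm this
        # fallback is intended (the other views in this file do not have it).
        login = post.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('user not logged in')

    refusal = _add_item_permission_refusal(username, shop_name)
    if refusal is not None:
        return refusal

    if item_kind == 'regular':
        regular_item = Item(None, shop_name, item_name, item_category,
                            item_keywords, item_price, item_quantity,
                            item_kind, item_url, 0, 0, 0)
        status = ItemsLogic.add_item_to_shop(regular_item, username)
    elif item_kind == 'prize':
        # A prize is stored with quantity 1; the posted quantity becomes
        # the number of tickets sold for it.
        prize = Item(None, shop_name, item_name, item_category,
                     item_keywords, item_price, 1, item_kind, item_url,
                     0, 0, 0)
        ticket = Item(None, shop_name, f"Ticket for {item_name}",
                      item_category, item_keywords, item_price,
                      item_quantity, 'ticket', item_url, 0, 0, 0)
        status = LotteryLogic.add_lottery_and_items_and_return_id(
            prize, ticket, ticket.price,
            f"{sale_date} {sale_hour}:{sale_minutes}", username)
    else:
        # Previously an unknown kind fell through to 'could not add item'.
        return HttpResponse('invalid item kind')

    if status is False:
        return HttpResponse('could not add item')
    return HttpResponse('success')


def _add_item_permission_refusal(username, shop_name):
    """Return a refusal ``HttpResponse``, or None when ``username`` may add items to ``shop_name``.

    Owners always may; managers only when ``permission_add_item`` equals 1.
    """
    if UsersLogic.is_owner_of_shop(username, shop_name):
        return None
    if not UsersLogic.is_manager_of_shop(username, shop_name):
        return HttpResponse('not owner or manager in this shop')
    manager = UsersLogic.get_manager(username, shop_name)
    # ``!=`` rather than ``is not``: identity comparison against an int
    # literal is unreliable (and a SyntaxWarning since Python 3.8).
    if manager.permission_add_item != 1:
        return HttpResponse('no permission to add item')
    return None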
def search_shop(shop_name):
    """Look up a shop by name through ``ShopLogic`` and return its result unchanged.

    Thin pass-through kept for callers that import this module; the
    lookup itself — and its not-found value — belong to ``ShopLogic``.
    """
    found = ShopLogic.search_shop(shop_name)
    return found
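def get_shops(request):
    """Render the logged-in user's owned and managed shops.

    Args:
        request: Django request; the session is read from the
            ``login_hash`` cookie.

    Returns:
        ``customer-shops.html`` for a GET with a valid session; otherwise
        the plain text ``'You are not logged in!'`` (also for non-GET
        requests, as before).
    """
    if request.method != 'GET':
        return HttpResponse('You are not logged in!')

    login = request.COOKIES.get('login_hash')
    username = Consumer.loggedInUsers.get(login) if login is not None else None
    if username is None:
        return HttpResponse('You are not logged in!')

    owned_shops_html = "".join(
        _render_owned_shop(owned_shop)
        for owned_shop in UsersLogic.get_owned_shops(username)
    )
    managed_shops_html = "".join(
        _render_managed_shop(managed_shop)
        for managed_shop in UsersLogic.get_managed_shops(username)
    )

    context = {
        'topbar': Topbar_Navbar.get_top_bar(login),
        'navbar': Topbar_Navbar.get_nav_bar(login, None),
        'owned_shops': owned_shops_html,
        'managed_shops': managed_shops_html,
    }
    return render(request, 'customer-shops.html', context=context)


# Bootstrap button class per shop status; anything else is shown as danger.
_STATUS_BUTTON_CLASS = {
    'Active': 'btn btn-success btn-sm',
    'Inactive': 'btn btn-warning btn-sm',
}
_DEFAULT_STATUS_BUTTON_CLASS = 'btn btn-danger btn-sm'


def _yes_no(flag):
    """Return 'Yes' when a permission flag equals 1, else 'No'.

    Replaces indexing ``['No', 'Yes'][flag]``, which raised for any value
    outside 0/1 (and silently picked 'Yes' for -1).
    """
    return 'Yes' if flag == 1 else 'No'


def _render_owned_shop(owned_shop):
    """Render one ``components/ShopYouOwn.html`` row for a shop the user owns."""
    shop = ShopLogic.search_shop(owned_shop.shop_name)
    rank = ShopLogic.get_shop_rank(shop.name)
    # The old code also built a 'checked' attribute from should_notify but
    # never passed it to the template; it is not rendered here either.
    return loader.render_to_string(
        'components/ShopYouOwn.html',
        context={
            'shop_name': owned_shop.shop_name,
            'review': rank,
            'status': shop.status,
            'status_button_class': _STATUS_BUTTON_CLASS.get(
                shop.status, _DEFAULT_STATUS_BUTTON_CLASS),
        })


def _render_managed_shop(managed_shop):
    """Render one ``components/ShopsYouManage.html`` row for a shop the user manages."""
    shop = ShopLogic.search_shop(managed_shop.store_name)
    # The owned-shop row ranks by shop name; this row used to pass
    # managed_shop.username to get_shop_rank, which looks like a slip —
    # confirm get_shop_rank takes a shop name.
    rank = ShopLogic.get_shop_rank(shop.name)
    return loader.render_to_string(
        'components/ShopsYouManage.html',
        context={
            'shop_name': shop.name,
            'review': rank,
            'status': shop.status,
            'AIP': _yes_no(managed_shop.permission_add_item),
            'RIP': _yes_no(managed_shop.permission_remove_item),
            'EIP': _yes_no(managed_shop.permission_edit_item),
            'RMP': _yes_no(managed_shop.permission_reply_messages),
            'GAP': _yes_no(managed_shop.permission_get_all_messages),
            'GPHP': _yes_no(managed_shop.permission_get_purchased_history),
            'DP': _yes_no(managed_shop.discount_permission),
            'SP': _yes_no(managed_shop.permission_set_policy),
        })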