예제 #1
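    def POST_EDIT(username, **k):
        """Apply the submitted edit form to a user record.

        ``username`` is passed through ``config.check_secure_val`` (described
        by the original comments as HMAC validation) and is used to read the
        stored password and to re-render the form on failure.  The record that
        is updated is the one named by ``form.username``.

        Returns the re-rendered edit page when ``edit_users`` returns None;
        otherwise raises ``config.web.seeother('/users')``.
        """
        form = config.web.input()  # submitted form fields
        # NOTE(review): the result is not checked; presumably a failed HMAC
        # check yields None and the lookups below then fail -- confirm and
        # reject the request explicitly.
        username = config.check_secure_val(str(username))
        user = config.model_users.get_users(username)  # current record
        pwd = user.password  # value currently stored for this user

        if pwd == form.password:
            # The form sent back the stored value unchanged, so keep it.
            # NOTE(review): this implies the stored hash is rendered into the
            # edit form -- confirm, and prefer a "leave blank to keep" field.
            pwdhash = pwd
        else:
            # NOTE(review): MD5 over password + one global secret has no
            # per-user salt and is cheap to brute-force.  Moving to a real
            # password hash (e.g. hashlib.pbkdf2_hmac) needs a migration of
            # the stored values, so it is flagged here rather than changed.
            pwdhash = hashlib.md5(form.password + config.secret_key).hexdigest()

        # The record to update is identified by the form field, not by the URL
        # argument.  NOTE(review): nothing here checks that the two agree.
        form.username = config.check_secure_val(str(form.username))

        # NOTE(review): privilege, status and api_access are taken from the
        # request as submitted; the caller's authorisation is not visible in
        # this method -- confirm it is enforced by the dispatcher.
        result = config.model_users.edit_users(
            form['username'],
            pwdhash,
            form['privilege'],
            form['status'],
            form['name'],
            form['email'],
            form['other_data'],
            form['user_hash'],
            form['change_pwd'],
            form['api_access'],
        )
        if result is None:  # the model reported a failed update
            # ``username`` was already unwrapped at the top of the method, so
            # it is reused as-is here (the delete handlers do the same)
            # instead of being passed through check_secure_val a second time.
            result = config.model_users.get_users(username)
            result.username = config.make_secure_val(str(result.username))  # re-wrap for the form
            message = "Error al editar el registro"
            return config.render.edit(result, message)  # show the edit page again
        raise config.web.seeother('/users')  # success: back to the user list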
예제 #2
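    def GET(self, username):
        """Gate the user detail view behind login, session expiry and privilege.

        Redirects to ``/login`` when no user is logged in, to ``/logout`` when
        the session has expired or a session value fails verification, and to
        ``/guess`` for privilege 1.  Privilege 0 is forwarded to ``GET_VIEW``.
        Any other privilege value falls through and returns None.
        """
        if app.session.loggedin is not True:
            raise config.web.seeother('/login')

        # Current time as 'YYYY-MM-DD HH:MM:SS' (fractional seconds dropped).
        now_str = str(datetime.datetime.now()).split('.')[0]

        # Verified once; the original repeated this call and printed both
        # values to stdout as debug output.
        expires = config.check_secure_val(app.session.expires)

        # Fail closed: presumably check_secure_val returns None when the HMAC
        # does not verify -- treat that exactly like an expired session.
        # The comparison is lexicographic, so it assumes ``expires`` uses the
        # same timestamp format as ``now_str`` -- TODO confirm.
        if expires is None or now_str > expires:
            raise config.web.seeother('/logout')

        privilege_raw = config.check_secure_val(app.session.privilege)
        if privilege_raw is None:
            # An unverifiable privilege ends the session instead of raising
            # from int(None).
            raise config.web.seeother('/logout')
        session_privilege = int(privilege_raw)

        if session_privilege == 0:  # admin user
            return self.GET_VIEW(username)
        elif session_privilege == 1:  # "guess" user, per the original comments
            raise config.web.seeother('/guess')
        # NOTE(review): other privilege values return None here; decide
        # whether they should be redirected as well.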
예제 #3
 def POST(self, **k):
     """Route a password-change POST for the logged-in user.

     Redirects to ``/login`` when nobody is logged in.  For privilege 0 and
     privilege 1 alike, the verified session username is handed to
     ``POST_CHANGE_PWD``.  Any other privilege value returns None.
     """
     if app.session.loggedin is not True:  # nobody is logged in
         raise config.web.seeother('/login')

     # Both session values are stored wrapped and are unwrapped before use.
     # NOTE(review): neither result is checked; int() presumably raises if
     # the privilege fails verification -- confirm.
     session_username = config.check_secure_val(app.session.username)
     session_privilege = int(config.check_secure_val(app.session.privilege))

     # Admin (0) and "guess" (1) accounts are handled identically: each may
     # only change the password of the account named in the session.
     if session_privilege in (0, 1):
         return self.POST_CHANGE_PWD(session_username)
예제 #4
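 def GET_VIEW(username):
     """Render the detail view for one user.

     ``username`` is unwrapped with ``config.check_secure_val``, the record
     is loaded, ``config.create_tsa`` is called with the username and the
     record's ``user_hash``, and ``view`` is rendered with the record.
     """
     username = config.check_secure_val(str(username))  # unwrap the HMAC-protected username
     # NOTE(review): neither the unwrapped username nor the lookup result is
     # checked before use -- confirm how a failed verification surfaces.
     result = config.model.get_users(username)
     user_hash = str(result.user_hash)
     # The original printed user_hash to stdout here; that debug output was
     # dropped so the per-user hash does not end up in server logs.
     # NOTE(review): create_tsa runs on every view of this page; its effect
     # is not visible from here.
     config.create_tsa(username, user_hash)
     return config.render.view(result)  # view.html with the user's data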
예제 #5
 def POST_DELETE(username, **k):
     """Delete the user named in the form, unless it is the session user.

     The ``username`` argument is overwritten by the unwrapped form field.
     On success raises ``config.web.seeother('/users')``; otherwise returns
     the delete page re-rendered with an error message.
     """
     form = config.web.input()  # submitted form fields
     username = config.check_secure_val(str(form['username']))  # unwrap the HMAC-protected value

     # NOTE(review): the session value is compared as stored.  Another
     # handler on this page passes app.session.username through
     # check_secure_val before using it; if the session holds the wrapped
     # form, this comparison never matches and the self-delete guard does
     # nothing -- confirm.
     session_username = app.session.username

     if username == session_username:
         # An account cannot delete itself.
         message = "User active, it can not be deleted"
     else:
         outcome = config.model_users.delete_users(username)
         if outcome is not None:
             raise config.web.seeother('/users')  # deleted: back to the list
         message = "Can not delete"  # the model reported a failure

     # Both failure cases show the delete page again for the same record.
     record = config.model_users.get_users(username)
     record.username = config.make_secure_val(str(record.username))  # re-wrap for the form
     return config.render.delete(record, message)
예제 #6
 def GET_EDIT(user, **k):
     """Render the edit form for one user, with no error message.

     ``user`` is unwrapped with ``config.check_secure_val``; the loaded
     record's ``user`` field is wrapped again with ``config.make_secure_val``
     before it is handed to the template.
     """
     # NOTE(review): the unwrapped value and the lookup result are used
     # without a None check -- confirm how a failed verification surfaces.
     plain_user = config.check_secure_val(str(user))
     record = config.model.get_users(plain_user)
     record.user = config.make_secure_val(str(record.user))  # the form carries the wrapped key
     return config.render.edit(record, None)  # None: nothing to report yet
예제 #7
 def GET_DELETE(username, **k):
     """Render the delete confirmation page for one user, with no error message.

     ``username`` is unwrapped with ``config.check_secure_val``; the loaded
     record's ``username`` is wrapped again with ``config.make_secure_val``
     before it is handed to the template.
     """
     # NOTE(review): the unwrapped value and the lookup result are used
     # without a None check -- confirm how a failed verification surfaces.
     plain_username = config.check_secure_val(str(username))
     record = config.model.get_users(plain_username)
     record.username = config.make_secure_val(str(record.username))  # the form carries the wrapped key
     return config.render.delete(record, None)  # None: nothing to report yet
예제 #8
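    def POST(self, user, **k):
        """Gate the delete action behind login, session expiry and privilege.

        Redirects to ``/login`` when no user is logged in and to ``/logout``
        when the session has expired or its expiry fails verification.
        Privilege 0 is forwarded to ``POST_DELETE``; privilege 1 is redirected
        to ``/``.  Any other privilege value returns None.
        """
        if app.session.loggedin is not True:
            raise config.web.seeother('/login')

        # Current time as 'YYYY-MM-DD HH:MM:SS' (fractional seconds dropped).
        now_str = str(datetime.datetime.now()).split('.')[0]
        expires = config.check_secure_val(app.session.expires)
        # The original printed both timestamps to stdout; that debug output
        # was removed.

        # Fail closed: presumably check_secure_val returns None when the HMAC
        # does not verify -- treat that exactly like an expired session.
        # The comparison is lexicographic, so it assumes ``expires`` uses the
        # same timestamp format as ``now_str`` -- TODO confirm.
        if expires is None or now_str > expires:
            raise config.web.seeother('/logout')

        # NOTE(review): unlike ``expires``, the privilege is read from the
        # session without check_secure_val and compared with an int; confirm
        # it is stored as a plain integer.
        session_privilege = app.session.privilege
        if session_privilege == 0:  # admin user
            return self.POST_DELETE(user)
        elif session_privilege == 1:  # "guess" user, per the original comments
            raise config.web.seeother('/')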
예제 #9
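    def GET(self):
        """Gate the insert form behind login, session expiry and privilege.

        Redirects to ``/login`` when no user is logged in and to ``/logout``
        when the session has expired or its expiry fails verification.
        Privilege 0 is forwarded to ``GET_INSERT``; privilege 1 is redirected
        to ``/``.  Any other privilege value returns None.
        """
        if app.session.loggedin is not True:
            raise config.web.seeother('/login')

        # Current time as 'YYYY-MM-DD HH:MM:SS' (fractional seconds dropped).
        now_str = str(datetime.datetime.now()).split('.')[0]
        expires = config.check_secure_val(app.session.expires)
        # The original printed both timestamps to stdout; that debug output
        # was removed.

        # Fail closed: presumably check_secure_val returns None when the HMAC
        # does not verify -- treat that exactly like an expired session.
        # The comparison is lexicographic, so it assumes ``expires`` uses the
        # same timestamp format as ``now_str`` -- TODO confirm.
        if expires is None or now_str > expires:
            raise config.web.seeother('/logout')

        # The original stored the privilege in a variable named
        # ``session_user`` right after a discarded read of app.session.user;
        # the name now says what the access decision is based on.
        # NOTE(review): the privilege is read without check_secure_val and
        # compared with an int; confirm it is stored as a plain integer.
        session_privilege = app.session.privilege
        if session_privilege == 0:  # admin user
            return self.GET_INSERT()
        elif session_privilege == 1:  # "guess" user, per the original comments
            raise config.web.seeother('/')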
예제 #10
 def POST_DELETE(user, **k):
     """Delete the user named in the form, unless it is the session user.

     The ``user`` argument is overwritten by the unwrapped form field.  On
     success raises ``config.web.seeother('/users')``; otherwise returns the
     delete page re-rendered with an error message.
     """
     form = config.web.input()  # submitted form fields
     user = config.check_secure_val(str(form['user']))  # unwrap the HMAC-protected value
     print "User " + str(user)

     # NOTE(review): compared as stored in the session; confirm the session
     # holds the plain user key, otherwise the self-delete guard never fires.
     session_user = app.session.user

     if user == session_user:
         # An account cannot delete itself.
         message = "The active user can't be deleted!!"
     else:
         outcome = config.model.delete_users(user)
         print "Result delete " + str(outcome)
         if outcome is not None:
             raise config.web.seeother('/users')  # deleted: back to the list
         message = "The row can't be deleted!!"  # the model reported a failure

     # Both failure cases show the delete page again for the same record.
     record = config.model.get_users(user)
     record.user = config.make_secure_val(str(record.user))  # re-wrap for the form
     return config.render.delete(record, message)
예제 #11
 def GET_VIEW(username):
     """Render the detail view for one user.

     ``username`` is unwrapped with ``config.check_secure_val`` and the
     matching record is passed to the ``view`` template.
     """
     # NOTE(review): the unwrapped value is used without a None check --
     # confirm how a failed verification surfaces.
     plain_username = config.check_secure_val(str(username))
     record = config.model_users.get_users(plain_username)
     return config.render.view(record)  # view.html with the user's data
예제 #12
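    def POST_EDIT(user, **k):
        """Apply the submitted edit form to a user record.

        When the URL user differs from the session user, privilege and status
        are taken from the form.  When they are the same, the request is
        refused if it would disable the account (status '0') or lower its
        privilege (privilege '1'); otherwise the update is written with
        privilege 0 and status 1.

        Returns the re-rendered edit page with a message on refusal or when
        ``edit_users`` returns None; otherwise raises
        ``config.web.seeother('/users')``.
        """
        form = config.web.input()  # submitted form fields
        user = config.check_secure_val(str(user))  # unwrap the HMAC-protected URL value

        # NOTE(review): the hash is computed from form.user before that field
        # is unwrapped on the next statement -- confirm this is intended.
        # MD5 keyed only by one global secret is also weak if user_hash is
        # used as a credential; its use is not visible from here.
        user_hash = hashlib.md5(form.user + config.secret_key).hexdigest()
        form.user = config.check_secure_val(str(form.user))

        # NOTE(review): the self-edit rules below are decided on the URL value
        # ``user`` while the update targets form['user']; nothing here checks
        # that the two agree -- consider rejecting the request when they differ.
        session_user = app.session.user

        def _rerender(message):
            # Reload the record named by the URL, re-wrap its key for the
            # form and show the edit page again with ``message``.
            record = config.model.get_users(user)
            record.user = config.make_secure_val(str(record.user))
            return config.render.edit(record, message)

        if user != session_user:
            # Editing another account: privilege and status come from the form.
            result = config.model.edit_users(form['user'], form['privilege'],
                                             form['status'], form['username'],
                                             form['email'], form['other_data'],
                                             user_hash)
        elif form['status'] == '0':
            return _rerender("Can't change logged user to disabled user")
        elif form['privilege'] == '1':
            return _rerender("Can't change logged user to guess privilge user")
        else:
            # Editing one's own account: privilege 0 and status 1 are forced.
            result = config.model.edit_users(form['user'], 0, 1,
                                             form['username'],
                                             form['email'],
                                             form['other_data'], user_hash)

        if result is None:  # the model reported a failed update
            # ``user`` was already unwrapped at the top of the method, so it
            # is reused as-is (as the refusal paths always did) instead of
            # being passed through check_secure_val a second time.
            return _rerender("Error in Update")
        raise config.web.seeother('/users')  # success: back to the user list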