예제 #1
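    def POST_CHANGE_PWD(username, **k):
        """Handle the change-password form for ``username``.

        Reads ``password`` and ``password2`` from the submitted form. When
        they match, the keyed MD5 digest of the new password is stored through
        ``config.model_users.update_password`` and the client is redirected to
        ``/``. On a mismatch, or when the model returns ``None``, the
        change-password page is rendered again with an error message.

        Args:
            username: account whose password is replaced, used as received.
            **k: accepted and ignored.

        Raises:
            config.web.seeother: redirect to ``/`` after a successful update.
        """
        # NOTE(review): this handler neither asks for the current password nor
        # passes ``username`` through config.check_secure_val, and it does not
        # compare it with the session user. Confirm the dispatcher authorises
        # the request before it reaches this point.

        def _render_again(message):
            # Re-display the form for the same account; the username goes
            # through config.make_secure_val before it reaches the template.
            record = config.model_users.get_users(username)
            record.username = config.make_secure_val(str(record.username))
            return config.render.change_pwd(record, message)

        form = config.web.input()

        # Compare the submitted values themselves; hashing both fields only to
        # compare the digests did the same work twice.
        if form.password != form.password2:
            return _render_again("Password confirm is not the same")

        # NOTE(review): MD5 keyed with one application-wide secret is a fast
        # hash with no per-user salt, so stored digests are cheap to guess
        # offline once the table and key are known. It is kept here because
        # the stored format must match whatever the login check computes;
        # moving to a slow KDF (e.g. hashlib.pbkdf2_hmac with a per-user salt)
        # has to be done in both places together.
        digest = hashlib.md5(form.password + config.secret_key).hexdigest()

        if config.model_users.update_password(username, digest, 0) is None:
            return _render_again("Error on change password")
        raise config.web.seeother('/')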
예제 #2
 def POST_DELETE(username, **k):
     """Delete the account named in the submitted form.

     The ``username`` argument is overwritten by the form field of the same
     name after it has been validated with ``config.check_secure_val``. The
     account of the current session is never deleted. On success the client is
     redirected to ``/users``; otherwise the delete page is rendered again
     with an error message.

     Raises:
         config.web.seeother: redirect to ``/users`` after a successful delete.
     """
     submitted = config.web.input()
     # NOTE(review): the result of check_secure_val is used without testing
     # for a failed validation (presumably ``None`` - confirm). A rejected
     # token would still reach delete_users()/get_users() below.
     username = config.check_secure_val(str(submitted['username']))

     if username != app.session.username:
         if config.model_users.delete_users(username) is not None:
             raise config.web.seeother('/users')
         message = "Can not delete"
     else:
         # Refuse to delete the account that is currently logged in.
         message = "User active, it can not be deleted"

     # Both failure paths re-render the page with the signed username.
     record = config.model_users.get_users(username)
     record.username = config.make_secure_val(str(record.username))
     return config.render.delete(record, message)
예제 #3
 def GET_PRINTER():
     """Render the printer page with every user record.

     Each row's ``username`` is replaced by its ``config.make_secure_val``
     form before the list is handed to the template.
     """
     # NOTE(review): no session or privilege check is visible in this
     # function; confirm the caller restricts who can list all users.
     users = config.model_users.get_all_users().list()
     for entry in users:
         entry.username = config.make_secure_val(str(entry.username))
     return config.render.printer(users)
예제 #4
 def GET_EDIT(user, **k):
     """Render the edit page for the user named by the signed ``user`` value.

     ``user`` is validated with ``config.check_secure_val``, looked up, and
     its key is signed again with ``config.make_secure_val`` before rendering.
     The page is rendered with no error message.
     """
     # NOTE(review): a failed validation (presumably ``None`` - confirm) is
     # not handled; get_users() is called with whatever came back.
     validated = config.check_secure_val(str(user))
     record = config.model.get_users(validated)
     record.user = config.make_secure_val(str(record.user))
     return config.render.edit(record, None)
예제 #5
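    def POST_EDIT(username, **k):
        """Apply the submitted edit form to a user record.

        ``username`` (from the caller) and ``form.username`` (from the form)
        are each validated with ``config.check_secure_val``. The record is
        updated through ``config.model_users.edit_users``; on success the
        client is redirected to ``/users``, and when the model returns
        ``None`` the edit page is rendered again with an error message.

        Raises:
            config.web.seeother: redirect to ``/users`` after a successful
                update.
        """
        form = config.web.input()
        # NOTE(review): a failed validation (presumably ``None`` - confirm) is
        # not handled before the lookup below.
        username = config.check_secure_val(str(username))
        stored_hash = config.model_users.get_users(username).password

        # A submitted password equal to the stored digest is treated as
        # "unchanged" and written back as-is.
        # NOTE(review): this only works if the stored digest round-trips
        # through the edit form, which would expose it to the browser -
        # confirm what the template puts in the password field.
        if stored_hash == form.password:
            pwdhash = stored_hash
        else:
            # NOTE(review): MD5 keyed with one application-wide secret is a
            # fast hash with no per-user salt. Kept because the stored format
            # must match the login check; migrate both together to a slow KDF
            # such as hashlib.pbkdf2_hmac with a per-user salt.
            pwdhash = hashlib.md5(
                form.password + config.secret_key).hexdigest()

        form.username = config.check_secure_val(str(form.username))
        # NOTE(review): the digest above was read for ``username`` while the
        # update below is keyed on ``form.username``; the two values are
        # validated separately and never compared. ``privilege``, ``status``
        # and ``api_access`` are also taken from the form as submitted, with
        # no authorisation check visible in this function.

        result = config.model_users.edit_users(
            form['username'],
            pwdhash,
            form['privilege'],
            form['status'],
            form['name'],
            form['email'],
            form['other_data'],
            form['user_hash'],
            form['change_pwd'],
            form['api_access'],
        )
        if result is None:
            # ``username`` was already validated at the top of the function;
            # running check_secure_val on the plain value a second time, as
            # the previous version did here, is dropped.
            record = config.model_users.get_users(username)
            record.username = config.make_secure_val(str(record.username))
            return config.render.edit(record, "Error al editar el registro")
        raise config.web.seeother('/users')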
예제 #6
 def GET_CHANGE_PWD(username, **k):
     """Render the change-password page for ``username``.

     The record is looked up with ``username`` exactly as received; its
     ``username`` field is then replaced by the ``config.make_secure_val``
     form and the page is rendered with no error message.
     """
     # NOTE(review): ``username`` is not passed through check_secure_val
     # here; confirm the caller has already validated it.
     record = config.model.get_users(username)
     record.username = config.make_secure_val(str(record.username))
     return config.render.change_pwd(record, None)
예제 #7
 def GET_DELETE(username, **k):
     """Render the delete-confirmation page for the signed ``username``.

     The value is validated with ``config.check_secure_val``, the record is
     fetched, and its ``username`` is signed again before the page is
     rendered with no error message.
     """
     # NOTE(review): a failed validation (presumably ``None`` - confirm) is
     # not handled before the lookup.
     validated = config.check_secure_val(str(username))
     record = config.model.get_users(validated)
     record.username = config.make_secure_val(str(record.username))
     return config.render.delete(record, None)
예제 #8
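 def GET_ATSA(username, **k):
     """Render the two-step-authenticator page for ``username``.

     Looks up the record, passes ``username`` and the record's ``user_hash``
     to ``config.create_tsa``, signs the username with
     ``config.make_secure_val`` and renders the ``atsa`` template with no
     error message.
     """
     # NOTE(review): ``username`` is used as received, without a
     # check_secure_val call, and create_tsa() runs on a GET request. If
     # create_tsa() changes stored state (not visible here), this belongs
     # behind a POST with the usual request-forgery protection - confirm.
     record = config.model.get_users(username)

     # The debug print of user_hash was removed: the value is handed to
     # create_tsa() and should not be copied to stdout or server logs.
     config.create_tsa(username, str(record.user_hash))

     record.username = config.make_secure_val(str(record.username))
     return config.render.atsa(record, None)  # renders the atsa template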
예제 #9
 def GET(self, **k):
     """Dispatch a GET request to the profile view for a logged-in session.

     Sessions whose ``loggedin`` flag is not ``True`` are redirected to
     ``/login``. For privilege ``0`` and privilege ``1`` the signed session
     username is passed to ``self.GET_PROFILE``; any other privilege value
     falls through and returns ``None``.

     Raises:
         config.web.seeother: redirect to ``/login`` when not logged in.
     """
     if app.session.loggedin is not True:
         raise config.web.seeother('/login')

     current_user = app.session.username
     privilege = app.session.privilege
     signed_user = config.make_secure_val(current_user)

     # Both known privilege levels are served by the same profile view.
     if privilege == 0 or privilege == 1:
         return self.GET_PROFILE(signed_user)
     return None
예제 #10
 def POST_DELETE(user, **k):
     """Delete the user named in the submitted form.

     The ``user`` argument is overwritten by the form field of the same name
     after validation with ``config.check_secure_val``. The user of the
     current session is never deleted. On success the client is redirected to
     ``/users``; otherwise the delete page is rendered again with an error
     message.

     Raises:
         config.web.seeother: redirect to ``/users`` after a successful delete.
     """
     submitted = config.web.input()
     # NOTE(review): the result of check_secure_val is used without testing
     # for a failed validation (presumably ``None`` - confirm).
     user = config.check_secure_val(str(submitted['user']))
     print("User " + str(user))  # debug trace kept from the original

     if user != app.session.user:
         outcome = config.model.delete_users(user)
         print("Result delete " + str(outcome))  # debug trace kept as well
         if outcome is not None:
             raise config.web.seeother('/users')
         message = "The row can't be deleted!!"
     else:
         # Refuse to delete the account that is currently logged in.
         message = "The active user can't be deleted!!"

     # Both failure paths re-render the page with the signed key.
     record = config.model.get_users(user)
     record.user = config.make_secure_val(str(record.user))
     return config.render.delete(record, message)
예제 #11
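    def POST_ATSA(username, **k):
        """Store the submitted two-step-authenticator setting for ``username``.

        The ``two_step_authenticator`` form field is passed to
        ``config.model.update_two_step_authenticator``. On success the client
        is redirected to ``/users``; when the model returns ``None`` the
        ``atsa`` page is rendered again with an error message.

        Raises:
            config.web.seeother: redirect to ``/users`` after a successful
                update.
        """
        # NOTE(review): ``username`` is used as received (no check_secure_val
        # call, no comparison with the session user) and the form value is
        # stored unvalidated. Confirm the dispatcher authorises this request,
        # since it changes a second-factor setting.
        form = config.web.input()

        result = config.model.update_two_step_authenticator(
            username, form['two_step_authenticator'])
        if result is None:  # identity test instead of ``== None``
            record = config.model.get_users(username)
            record.username = config.make_secure_val(str(record.username))
            return config.render.atsa(
                record, "Error on two step authenticator")
        raise config.web.seeother('/users')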
예제 #12
 def GET_INDEX():
     """Render the index page with the full users table.

     Each row's ``user`` key is replaced by its ``config.make_secure_val``
     form before the list is handed to the template.
     """
     # NOTE(review): no session or privilege check is visible in this
     # function; confirm the caller restricts who can list all users.
     rows = config.model.get_all_users().list()
     for entry in rows:
         entry.user = config.make_secure_val(str(entry.user))
     return config.render.index(rows)
예제 #13
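    def POST_EDIT(user, **k):
        """Apply the submitted edit form to a user record.

        ``user`` (from the caller) and ``form.user`` (from the form) are each
        validated with ``config.check_secure_val``. When ``user`` is not the
        session user, privilege and status are taken from the form. When it
        is the session user, a request with status ``'0'`` or privilege
        ``'1'`` is refused, and otherwise the record is saved with privilege
        ``0`` and status ``1``. On success the client is redirected to
        ``/users``; on any refusal or model failure the edit page is rendered
        again with an error message.

        Raises:
            config.web.seeother: redirect to ``/users`` after a successful
                update.
        """
        form = config.web.input()
        # NOTE(review): a failed validation (presumably ``None`` - confirm) is
        # not handled for either signed value.
        user = config.check_secure_val(str(user))

        # NOTE(review): the digest is computed from form.user *before* it is
        # validated, i.e. from the submitted token string, and it is a plain
        # MD5 of that value plus the application-wide secret. If user_hash is
        # meant to be unpredictable per-user secret material, a random value
        # (os.urandom / the secrets module) would be the safer source.
        user_hash = hashlib.md5(form.user + config.secret_key).hexdigest()
        form.user = config.check_secure_val(str(form.user))

        def _render_edit(message):
            # Shared failure path: reload the record for ``user`` and sign
            # its key before rendering. ``user`` is already validated, so it
            # is not run through check_secure_val a second time here as the
            # previous version did on its error paths.
            record = config.model.get_users(user)
            record.user = config.make_secure_val(str(record.user))
            return config.render.edit(record, message)

        # NOTE(review): the self-edit rules below are decided on ``user``
        # while the update is keyed on form['user']; the two are validated
        # separately and never compared, so the rules only hold when both
        # name the same record.
        if user != app.session.user:
            privilege, status = form['privilege'], form['status']
        elif form['status'] == '0':
            return _render_edit("Can't change logged user to disabled user")
        elif form['privilege'] == '1':
            return _render_edit(
                "Can't change logged user to guess privilge user")
        else:
            # Editing the logged-in account: privilege and status are fixed
            # rather than taken from the form.
            privilege, status = 0, 1

        result = config.model.edit_users(form['user'], privilege, status,
                                         form['username'], form['email'],
                                         form['other_data'], user_hash)
        if result is None:  # identity test instead of ``== None``
            return _render_edit("Error in Update")
        raise config.web.seeother('/users')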