예제 #1
0
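def input_2():
    """Stage-2 ("中期检查", mid-term check) submission page for a regular user.

    Admins are sent to the admin page; users whose stage counter is already
    past 1 are sent back to the overview. On a valid submission the uploaded
    file is stored in the user's own directory, the form fields are recorded
    as ``post_2`` and the stage counter is set to 3.
    """
    if current_user.get_admin():
        return redirect(url_for('admin'))
    if current_user.get_post_num() > 1:
        return redirect(url_for('input_0'))
    form = MiddleForm()
    if form.validate_on_submit():
        # secure_filename strips path separators, so the stored name cannot
        # escape the user's directory. It also drops non-ASCII characters,
        # so a purely non-Latin filename collapses to just the form prefix.
        file = form.__class__.__name__ + '-' + secure_filename(
            form.upload.data.filename)
        file_path = current_user.path
        # exist_ok avoids the check-then-create race of the exists()/makedirs pair.
        os.makedirs(file_path, exist_ok=True)
        filedata = os.listdir(file_path)
        if file not in filedata:
            filedata.append(file)
            form.upload.data.save(os.path.join(file_path, file))

        post = {
            'schedule': form.schedule.data,
            'preview': form.preview.data,
            'post': form.post.data,
            'upload': filedata,
        }
        p = Post(current_user.name, post_2=post)
        p.submit()
        current_user.set_post_num(3)
        return redirect(url_for('input_0'))
    return render_template('MiddleForm.html', title='中期检查', form=form)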
예제 #2
0
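def targets_add_one():
    """Create a target from the posted form (admin only).

    The form must validate and name a location; otherwise the "new target"
    page is re-rendered with the collected messages. On success the browser
    is redirected to the new target's page.
    """
    if not current_user.get_admin():
        return render_template("index.html", msg=msg_only_admin)

    # Open question left by the original author: a target may need a link
    # to a location, and a target with no stored location either must not
    # be created or needs separate handling.
    form = TargetForm(request.form)
    messages = []
    if not request.form.get("location"):
        messages.append(msg_target_no_loc)
    if not form.validate() or messages:
        # The messages were collected but never handed to the template.
        return render_template("targets/new.html",
                               form=form,
                               locations=Location.query.all(),
                               messages=messages)

    new_target = Target(request.form.get("name"), request.form.get("location"))
    db.session().add(new_target)
    db.session().commit()

    return redirect(url_for("targets_get_one", id=new_target.id))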
예제 #3
0
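def input_3():
    """Stage-3 ("成果验收", final acceptance) submission page for a regular user.

    Admins are sent to the admin page; users whose stage counter is already
    past 3 are sent back to the overview. On a valid submission the uploaded
    file is stored in the user's own directory, the form fields are recorded
    as ``post_3`` and the stage counter is set to 7.
    """
    if current_user.get_admin():
        return redirect(url_for('admin'))
    if current_user.get_post_num() > 3:
        return redirect(url_for('input_0'))
    form = FinalForm()
    if form.validate_on_submit():
        # secure_filename strips path separators, so the stored name cannot
        # escape the user's directory. It also drops non-ASCII characters,
        # so a purely non-Latin filename collapses to just the form prefix.
        file = form.__class__.__name__ + '-' + secure_filename(
            form.upload.data.filename)
        file_path = current_user.path
        # exist_ok avoids the check-then-create race of the exists()/makedirs pair.
        os.makedirs(file_path, exist_ok=True)
        filedata = os.listdir(file_path)
        if file not in filedata:
            filedata.append(file)
            form.upload.data.save(os.path.join(file_path, file))
        post = {
            'change': form.change.data,
            'achievement': form.achievement.data,
            'post': form.post.data,
            'upload': filedata,
        }
        p = Post(current_user.name, post_3=post)
        p.submit()
        current_user.set_post_num(7)
        return redirect(url_for('input_0'))
    return render_template('FinalForm.html', title='成果验收', form=form)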
예제 #4
0
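def input_1():
    """Stage-1 ("项目申请", project application) submission page for a regular user.

    Admins are sent to the admin page; users whose stage counter is already
    above 0 are sent back to the overview. On a valid submission the uploaded
    file is stored in the user's own directory, the form fields are recorded
    as ``post_1`` and the stage counter is set to 1.
    """
    if current_user.get_admin():
        return redirect(url_for('admin'))
    if current_user.get_post_num() > 0:
        return redirect(url_for('input_0'))
    form = BeginForm()
    if form.validate_on_submit():
        # secure_filename strips path separators, so the stored name cannot
        # escape the user's directory. It also drops non-ASCII characters,
        # so a purely non-Latin filename collapses to just the form prefix.
        file = form.__class__.__name__ + '-' + secure_filename(
            form.upload.data.filename)
        file_path = current_user.path
        # exist_ok avoids the check-then-create race of the exists()/makedirs pair.
        os.makedirs(file_path, exist_ok=True)
        filedata = os.listdir(file_path)
        if file not in filedata:
            filedata.append(file)
            form.upload.data.save(os.path.join(file_path, file))

        post = {
            'project': form.project.data,
            'person': form.person.data,
            'money': form.money.data,
            'post': form.post.data,
            'upload': filedata,
        }
        p = Post(current_user.name, post_1=post)
        p.submit()
        current_user.set_post_num(1)
        return redirect(url_for('input_0'))
    return render_template('BeginForm.html', title='项目申请', form=form)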
예제 #5
0
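    def get(self):
        """Return the product catalogue as JSON.

        Admins get every product including selling price and stock; everyone
        else (including anonymous callers) gets only ``active`` products,
        without selling price and stock. The differing column sets are
        deliberate.
        """
        try:
            admin = current_user.get_admin()
        except Exception:  # anonymous users have no get_admin()
            admin = 'n'

        # Rows come back positionally from SELECT *; the indexes below assume
        # the column order name, image, description, selling price, cost
        # price, category, status, stock after index 0 — verify against the
        # products schema if it ever changes.
        def admin_row(product):
            return {
                "productName": product[1],
                "productImage": product[2],
                "productDescription": product[3],
                "productSellingPrice": product[4],
                "productCostPrice": product[5],
                "productCategory": product[6],
                "status": product[7],
                "productStock": product[8]
            }

        def public_row(product):
            return {
                "productName": product[1],
                "productImage": product[2],
                "productDescription": product[3],
                "productCostPrice": product[5],
                "productCategory": product[6],
                "status": product[7]
            }

        conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
        try:
            products = conn.execute("SELECT * FROM products ").fetchall()
        finally:
            # The original left the connection open on every request.
            conn.close()

        if admin == 'y':
            product_list = [admin_row(p) for p in products]
        else:
            product_list = [public_row(p) for p in products if p[7] == "active"]
        return jsonify(data=product_list)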
예제 #6
0
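def targets_modify_one(id):
    """Update target *id* from the posted form (admin only).

    The form must validate and name a location; otherwise the edit page is
    re-rendered with the collected messages. On success the browser is
    redirected to the target's page.
    """
    if not current_user.get_admin():
        return render_template("index.html", msg=msg_only_admin)

    target = Target.query.get(id)
    if target is None:
        # An unknown id previously fell through to an AttributeError.
        return render_template("index.html", msg="Kohdetta ei löytynyt")

    form = TargetForm(request.form)
    messages = []
    if not request.form.get("location"):
        messages.append(msg_target_no_loc)
    if not form.validate() or messages:
        return render_template("targets/edit.html",
                               target=target,
                               locations=Location.query.all(),
                               form=form,
                               messages=messages)

    target.name = request.form.get("name")
    # The location id is stored as posted; whether it must refer to an
    # existing Location is left to the database constraints, if any.
    target.location_id = request.form.get("location")
    db.session().commit()

    return redirect(url_for("targets_get_one", id=target.id))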
예제 #7
0
def locations_delete_one(id):
    """Delete location *id* and return to the location list (admin only).

    The delete is a filtered bulk delete, so an unknown id removes zero
    rows and still redirects. Whether targets referencing the location
    are cleaned up is not visible here — depends on the schema.
    """
    if not current_user.get_admin():
        return render_template("index.html", msg=msg_only_admin)

    matching = Location.query.filter_by(id=id)
    matching.delete()
    db.session().commit()

    return redirect(url_for("locations_get_all"))
예제 #8
0
def executors_edit(id):
    """Render the edit page for executor *id* (admin only).

    The form is pre-filled from the loaded executor. The commit after the
    read is kept from the original; it only closes the transaction.
    """
    if not current_user.get_admin():
        return render_template("index.html", msg=msg_only_admin)
    executor = Executor.query.get(id)
    db.session().commit()

    form = ExecutorForm(obj=executor)
    return render_template("executors/edit.html",
                           executor=executor,
                           form=form)
예제 #9
0
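def actions_delete_one(id):
    """Delete action *id* and return to the action list (admin only).

    Deleting an id that no longer exists is treated as already done and
    simply redirects; the original passed None to session.delete().
    """
    if not current_user.get_admin():
        return render_template("index.html", msg=msg_only_admin)

    to_be_deleted = Action.query.filter_by(id=id).first()
    if to_be_deleted is not None:
        db.session().delete(to_be_deleted)
        db.session().commit()

    return redirect(url_for('actions_get_all'))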
예제 #10
0
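def post():
    """Mark the user named in the submitted form as passed (admin only).

    Non-admins are redirected to the index. On a valid form the user's
    ``pass`` flag is set and the browser goes to that user's profile; an
    unknown username, or an invalid form, yields 404.
    """
    if not current_user.get_admin():
        return redirect(url_for('index'))
    form = ProfileForm()
    if form.validate_on_submit():
        users = mongo.db.users
        user = users.find_one({'name': form.username.data})
        if user is None:
            # find_one returns None for an unknown name; the original then
            # failed with TypeError on the subscript.
            abort(404)
        user['pass'] = True
        users.save(user)
        return redirect(url_for('profile', username=form.username.data))
    return abort(404)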
예제 #11
0
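def admin():
    """Let a logged-in user claim admin rights by entering the shared PIN.

    Users who are already admins go straight to the index. A correct PIN
    sets the user's admin flag and redirects; a wrong PIN re-renders the
    form with an error flash.
    """
    import hmac

    if current_user.get_admin():
        return redirect(url_for("index", title="Home"))
    form = AdminForm()
    if form.validate_on_submit():
        # Constant-time comparison: a plain == short-circuits on the first
        # differing character and leaks prefix matches through timing. Both
        # sides are stringified and encoded so the comparison cannot raise
        # on mismatched types or non-ASCII input.
        expected = str(ADMIN_PIN).encode()
        submitted = str(form.pin.data or "").encode()
        if hmac.compare_digest(expected, submitted):
            current_user.set_admin(True)
            flash("Congratulations you are now an admin", "success")
            return redirect(url_for("index"))
        # A single static PIN with no attempt limit can be brute-forced;
        # rate-limit this route and record failed attempts.
        flash("PIN incorrect", "errors")
    return render_template("admin.html", form=form, title="Admin")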
예제 #12
0
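def delete_poll(id):
    """Delete poll *id* if the caller is an admin or the poll's owner.

    Every path redirects to the index. An unauthorised caller is redirected
    without a message; the original fell off the end and returned None,
    which Flask reports as a server error.
    """
    user_id = int(current_user.id)
    admin = current_user.get_admin()
    poll = Poll.query.filter_by(id=id).first()
    if not poll:
        flash("Poll to delete not found")
        return redirect(url_for("index", title="Home"))
    poll_owner = int(poll.user_id)

    if admin or user_id == poll_owner:
        poll.delete()
        flash("Poll deleted forever", category="info")
    return redirect(url_for("index", title="Home"))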
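def add_voucher():
    """Render the admin "add voucher" page; non-admins get a 404.

    The 404 (rather than 403) keeps the admin area indistinguishable from
    a missing page for ordinary users and anonymous visitors alike.
    """
    try:
        is_admin = current_user.get_admin() == 'y'
    except Exception:  # anonymous users have no get_admin()
        is_admin = False
    if not is_admin:
        abort(404)

    return render_template("admin/Vouchers/Add_Voucher.html",
                           title="Add Voucher")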
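def show_product():
    """Render the admin product list page; non-admins get a 404.

    The 404 (rather than 403) keeps the admin area indistinguishable from
    a missing page for ordinary users and anonymous visitors alike.
    """
    try:
        is_admin = current_user.get_admin() == 'y'
    except Exception:  # anonymous users have no get_admin()
        is_admin = False
    if not is_admin:
        abort(404)

    return render_template("admin/Products/Show_Product.html",
                           title="Products")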
예제 #15
0
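def delete_user(id):
    """Delete user *id* if the caller is an admin or is deleting themself.

    Every path redirects to the index. An unknown id is reported with a
    flash instead of the AttributeError the original raised. Whether a
    self-deleting user's session is ended afterwards is not visible here.
    """
    admin = current_user.get_admin()
    id = int(id)
    user_id = int(current_user.id)
    deleting_self = (id == user_id)

    if not (admin or deleting_self):
        return redirect(url_for("index", title="Home"))

    user = User.query.filter_by(id=id).first()
    if user is None:
        flash("User to delete not found", category="info")
        return redirect(url_for("index", title="Home"))
    username = user.username
    user.delete()
    flash("User " + username + " is gone forever!", category="info")
    return redirect(url_for("index", title="Home"))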
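def admin():
    """Render the admin dashboard; non-admins get a 404.

    The raw ``Cookie`` request header is handed to the template as in the
    original. That header carries the session cookie, so anything that
    renders it exposes the credential to the page; drop the argument once
    the template no longer needs it.
    """
    try:
        is_admin = current_user.get_admin() == 'y'
    except Exception:  # anonymous users have no get_admin()
        is_admin = False
    if not is_admin:
        abort(404)

    # .get() instead of [] — a request without a Cookie header used to
    # fail here with a KeyError.
    return render_template("admin/Admin.html",
                           title="Dashboard",
                           cookie=request.headers.get('cookie', ''))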
예제 #17
0
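    def put(self):
        """Set a product's status (admin only).

        Expects a JSON body with ``product_name`` and ``product_status``
        (``"active"`` or ``"inactive"``). Responds 401 (and logs the attempt)
        for non-admins, 400 for a malformed body, unknown product or invalid
        status, and ``{"data": "Success"}`` after the update.
        """
        try:
            admin = current_user.get_admin()
            has_account = True
        except Exception:  # anonymous users have no get_admin()
            admin = 'n'
            has_account = False

        if admin != "y":
            # Record the refused attempt before answering.
            log_type = "Unauthorized Access"
            if has_account:
                log_details = f"A user with the username {current_user.get_username()} tried to change status of a product."
            else:
                log_details = "An unknown user tried to change status of a product."
            Logging(log_type, log_details)
            response = jsonify(
                data="You do not have authorized access to perform this action."
            )
            response.status_code = 401
            return response

        request_json_data = request.get_json(force=True)
        try:
            product_name = request_json_data['product_name']
            product_status = request_json_data['product_status'].lower()
        except (TypeError, KeyError, AttributeError):
            # A missing key or a non-object body is a client error, not a 500.
            response = jsonify("Invalid request body")
            response.status_code = 400
            return response

        conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
        try:
            c = conn.cursor()

            # validate product name, check if it is in database
            c.execute("SELECT * FROM products WHERE name = ?",
                      (product_name, ))
            if not c.fetchone():
                response = jsonify(
                    f"Invalid product name, product name {product_name} not found."
                )
                response.status_code = 400
                return response

            # validate product status
            if product_status not in ("inactive", "active"):
                response = jsonify("Invalid product status")
                response.status_code = 400
                return response

            c.execute("UPDATE products SET status = ? WHERE name = ?",
                      (product_status, product_name))
            conn.commit()
        finally:
            # The original left the connection open on every path.
            conn.close()

        return jsonify(data="Success")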
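    def put(self):
        """Set a voucher's status (admin only).

        Expects a JSON body with ``voucher_name`` (the voucher title) and
        ``voucher_status`` (``"active"`` or ``"inactive"``). Responds 401
        (and logs the attempt) for non-admins, 400 for a malformed body,
        unknown title or invalid status, and a success message after the
        update. The update matches on title, so every voucher sharing that
        title changes — confirm titles are unique if that matters.
        """
        try:
            identity = current_user.get_username()
            admin = current_user.get_admin()
            has_account = True
        except Exception:  # anonymous users have neither accessor
            identity = None
            admin = 'n'
            has_account = False

        if admin != "y":
            # Record the refused attempt before answering.
            log_type = "Unauthorized Access"
            if has_account:
                log_details = f"A user with the username {identity} tried to change status of voucher."
            else:
                log_details = "An unknown user tried to change status of a voucher."
            Logging(log_type, log_details)
            response = jsonify(data="Unauthorized access")
            response.status_code = 401
            return response

        request_json_data = request.get_json(force=True)
        try:
            voucher_name = request_json_data['voucher_name']
            voucher_status = request_json_data['voucher_status'].lower()
        except (TypeError, KeyError, AttributeError):
            # A missing key or a non-object body is a client error, not a 500.
            response = jsonify(data="Invalid request body.")
            response.status_code = 400
            return response

        conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
        try:
            c = conn.cursor()

            # validate voucher_name
            c.execute("SELECT * FROM vouchers WHERE title=?", (voucher_name, ))
            if not c.fetchone():
                response = jsonify(data="No such Voucher Title.")
                response.status_code = 400
                return response

            # validate voucher_status
            if voucher_status not in ("active", "inactive"):
                response = jsonify(data="Invalid voucher status.")
                response.status_code = 400
                return response

            # Parameter binding keeps the values out of the SQL text.
            c.execute("UPDATE vouchers SET status = ? WHERE title = ?", (
                voucher_status,
                voucher_name,
            ))
            conn.commit()
        finally:
            # The original left the connection open on every path.
            conn.close()

        return jsonify(data="Success. Voucher Status Updated.")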
예제 #19
0
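def executors_delete_one(id):
    """Delete executor *id* and return to the executor list (admin only).

    Admin accounts cannot be deleted for now; an unknown id is treated as
    already gone and redirects (the original raised AttributeError on it).
    """
    if not current_user.get_admin():
        return render_template("index.html", msg=msg_only_admin)

    user = Executor.query.get(id)
    if user is None:
        return redirect(url_for("executors_get_all"))
    # Deleting an ADMIN user is blocked entirely for the time being.
    if user.admin:
        db.session().commit()
        return render_template(
            "index.html",
            msg="Admin käyttäjien poistaminen ei ole mahdollista!")

    db.session().delete(user)
    db.session().commit()

    return redirect(url_for("executors_get_all"))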
예제 #20
0
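def locations_add_one():
    """Create a location from the posted form (admin only).

    On a failed validation the "new location" page is re-rendered with the
    form; on success the new location's page is rendered directly (note:
    not a redirect, so a browser refresh re-submits the POST).
    """
    if not current_user.get_admin():
        return render_template("index.html", msg=msg_only_admin)

    form = LocationForm(request.form)
    if not form.validate():
        return render_template("locations/new.html", form=form)

    location = Location(request.form.get("name"))
    db.session().add(location)
    db.session().commit()
    return render_template("locations/location.html", location=location)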
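def add_product():
    """Render the admin "add product" page; non-admins get a 404.

    The raw ``Cookie`` request header is handed to the template as in the
    original. That header carries the session cookie, so anything that
    renders it exposes the credential to the page; drop the argument once
    the template no longer needs it.
    """
    try:
        is_admin = current_user.get_admin() == 'y'
    except Exception:  # anonymous users have no get_admin()
        is_admin = False
    if not is_admin:
        abort(404)

    category_list = ['barbell', 'bench', 'racks', 'plates']
    # .get() instead of [] — a request without a Cookie header used to
    # fail here with a KeyError.
    return render_template("admin/Products/Add_Product.html",
                           title="Add Product",
                           category_list=category_list,
                           cookie=request.headers.get('cookie', ''))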
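def activities_logs():
    """Render every row of the ``logs`` table for admins; non-admins get a 404."""
    try:
        is_admin = current_user.get_admin() == 'y'
    except Exception:  # anonymous users have no get_admin()
        is_admin = False
    if not is_admin:
        abort(404)

    conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
    try:
        queries = conn.execute("Select * from logs").fetchall()
    finally:
        # Close on the error path too; the original only closed on success.
        conn.close()
    return render_template("admin/Logging/activities_logs.html",
                           title='Activities Logs',
                           data=queries)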
예제 #23
0
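def locations_modify_one(id):
    """Rename location *id* from the posted form (admin only).

    On a failed validation the edit page is re-rendered; an unknown id
    redirects to the location list (the original raised AttributeError).
    On success the browser is redirected to the location's page.
    """
    if not current_user.get_admin():
        return render_template("index.html", msg=msg_only_admin)

    loc = Location.query.get(id)
    if loc is None:
        return redirect(url_for('locations_get_all'))

    form = LocationForm(request.form)
    if not form.validate():
        return render_template("locations/edit.html",
                               form=form,
                               location=loc)

    loc.name = request.form.get("name")
    db.session().commit()

    return redirect(url_for('locations_get_one', id=id))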
예제 #24
0
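def profile(username):
    """Show an admin the submissions of the user named *username*.

    Non-admins are redirected to the index. Unknown users, and users who
    have not submitted anything yet, yield 404. A user document that has
    no ``pass`` flag yet is initialised to ``False`` and saved.
    """
    if not current_user.get_admin():
        return redirect(url_for('index'))
    form = ProfileForm()
    users = mongo.db.users
    user = users.find_one({'name': username})
    # Existence must be checked before the document is touched; the
    # original called .keys() on a possibly-None result first.
    if not user or user.get('post_num', 0) < 1:
        abort(404)
    if 'pass' not in user:
        # The flag read below is 'pass'; the original initialised the
        # misspelt key 'passed' and then failed with KeyError on 'pass'.
        user['pass'] = False
        users.save(user)
    post = user['pass']
    return render_template('Profile.html',
                           forms=user['posts'],
                           form=form,
                           post=post,
                           username=username,
                           admin=False)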
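def technical_logs():
    """Render the project's Sentry issue list for admins; non-admins get a 404.

    The Sentry API token is read from the environment. The original kept a
    literal token in this function body; a credential committed to source
    has to be treated as exposed — rotate it in Sentry and provide the
    replacement through the deployment's configuration.
    """
    import os

    try:
        is_admin = current_user.get_admin() == 'y'
    except Exception:  # anonymous users have no get_admin()
        is_admin = False
    if not is_admin:
        abort(404)

    # Placeholder variable name; use whichever name the deployment defines.
    token = os.environ.get("SENTRY_API_TOKEN")
    if not token:
        # Misconfiguration, not a client error.
        abort(503)
    url = "https://sentry.io/api/0/projects/indirect-bi/indirect-bi/issues/"
    header = {"Authorization": f"Bearer {token}"}
    # Without a timeout a stalled upstream call holds this worker forever.
    my_response = requests.get(url, headers=header, timeout=10)
    data = my_response.json()
    return render_template("admin/Logging/technical_log.html",
                           title="Technical Logs",
                           data=data)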
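    def post(self, user_id):
        """Create a voucher for *user_id* (admin only).

        Expects a JSON body with ``title``, ``description`` and ``amount``.
        A fresh 8-character code is drawn until one is not already in the
        ``vouchers`` table; the row is stored with status ``unused``.
        Responds 401 (and logs the attempt) for non-admins and 400 for a
        malformed body. ``amount`` is stored as received — no type or range
        check is visible here, confirm callers validate it.
        """
        try:
            admin = current_user.get_admin()
            has_account = True
        except Exception:  # anonymous users have no get_admin()
            admin = 'n'
            has_account = False

        if admin != 'y':
            # Record the refused attempt before answering. The original
            # messages spoke of "a product"; this endpoint creates vouchers.
            log_type = "Unauthorized Access"
            if has_account:
                log_details = f"A user with the username {current_user.get_username()} tried to add a new voucher."
            else:
                log_details = "An unknown user tried to add a new voucher."
            Logging(log_type, log_details)
            response = jsonify(data="You do not have authorized access to perform this action.")
            response.status_code = 401
            return response

        request_json_data = request.get_json(force=True)
        try:
            voucher_title = request_json_data["title"]
            voucher_description = request_json_data["description"]
            voucher_amount = request_json_data["amount"]
        except (TypeError, KeyError):
            # A missing key or a non-object body is a client error, not a 500.
            response = jsonify(data="Invalid request body.")
            response.status_code = 400
            return response

        conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
        try:
            c = conn.cursor()

            # Draw codes until one is unused. The check and the insert are
            # not atomic, so a UNIQUE constraint on vouchers.code is the real
            # guard — confirm the schema has one. Codes are bearer values;
            # confirm get_random_alphanumeric_string uses a CSPRNG.
            while True:
                voucher_code = get_random_alphanumeric_string(8)
                c.execute("SELECT * FROM vouchers WHERE code=?", (voucher_code,))
                if not c.fetchone():
                    break
            voucher_image = ""
            voucher_status = "unused"
            used_date = ""

            c.execute("INSERT INTO vouchers VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                      (voucher_title, voucher_code, voucher_description, voucher_image, voucher_amount, voucher_status,
                       used_date, user_id))
            conn.commit()
        finally:
            conn.close()

        return jsonify(data="Voucher created with user id of {}".format(user_id))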
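def manage_user():
    """Render the user-management page for admins; non-admins get a 404.

    Every column of ``users`` is selected and handed to the template. If
    that table holds credential columns they travel to the template too;
    selecting only the columns the page shows would be the safer query —
    the schema is not visible here, so the query is kept as is.
    """
    try:
        is_admin = current_user.get_admin() == 'y'
    except Exception:  # anonymous users have no get_admin()
        is_admin = False
    if not is_admin:
        abort(404)

    conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
    try:
        users = conn.execute("SELECT * FROM users").fetchall()
    finally:
        # Close on the error path too; the original only closed on success.
        conn.close()
    return render_template("admin/Manage_Users/manage_user.html",
                           title="users",
                           users=users)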
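def Queries():
    """Render every row of the ``query`` table (with rowid) for admins; non-admins get a 404."""
    try:
        is_admin = current_user.get_admin() == 'y'
    except Exception:  # anonymous users have no get_admin()
        is_admin = False
    if not is_admin:
        abort(404)

    conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
    try:
        query = conn.execute("SELECT rowid, * FROM query").fetchall()
    finally:
        # Close on the error path too; the original only closed on success.
        conn.close()
    return render_template("admin/Query/Queries.html",
                           title="query",
                           query=query)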
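def add_user_voucher():
    """Render the "add voucher to user" page for admins; non-admins get a 404.

    Lists the username and id of every non-admin user except id 0 so the
    page can offer them as voucher recipients.
    """
    try:
        is_admin = current_user.get_admin() == 'y'
    except Exception:  # anonymous users have no get_admin()
        is_admin = False
    if not is_admin:
        abort(404)

    conn = sqlite3.connect(os.path.join(file_directory, "storage.db"))
    try:
        users = conn.execute(
            "SELECT username, user_id FROM users WHERE admin <> 'y' and user_id <> 0"
        ).fetchall()
    finally:
        # The original never closed this connection.
        conn.close()
    return render_template("admin/Vouchers/Add_User_Voucher.html",
                           title="Add User Voucher",
                           users=users)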
예제 #30
0
def executors_add_one():
    """Create an executor (user) account from the posted form.

    Bootstrap rule: while the table is empty anyone may create the first
    account, and that account becomes an admin. Once any executor exists,
    only an authenticated admin may add more. A username already in use
    is rejected before the form is validated.
    """
    # The original author flagged this guard block for cleanup.
    if current_user.is_authenticated and not current_user.get_admin():
        return render_template("index.html", msg=msg_only_admin)

    executor_count = db.session.query(Executor).count()
    if executor_count != 0 and not current_user.is_authenticated:
        return render_template("index.html", msg=msg_only_admin)

    pword = request.form.get("pword")
    name = request.form.get("name")
    if Executor.query.filter_by(name=name).first():
        return render_template("executors/new.html",
                               msg="Käyttäjänimi on jo käytössä")

    form = ExecutorForm(request.form)
    if not form.validate():
        return render_template("executors/new.html", form=form)

    title = request.form.get("title")

    # NOTE(review): the original carried a "hash password here" marker at
    # this point; whether Executor() hashes pword itself is not visible —
    # confirm before relying on it.
    new = Executor(name, title, pword, False)
    # The very first account bootstraps the admin role.
    new.admin = executor_count == 0

    db.session().add(new)
    db.session().commit()

    return redirect(url_for('executors_get_one', id=new.id))