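def login():
    """Render the login form on GET; on POST check the credentials and start a session.

    Returns:
        The rendered ``auth/login.html`` template on GET; on POST either a
        plain-text error string or a redirect to ``topic.index`` whose
        response carries the freshly issued ``session_token`` cookie.
    """
    import hmac  # local import: constant-time comparison of the hash strings

    if request.method == "GET":
        return render_template("auth/login.html")
    elif request.method == "POST":
        username = request.form.get("username")
        password = request.form.get("password")
        # A missing field used to raise AttributeError on password.encode();
        # reject it explicitly instead of crashing.
        if not username or not password:
            return "Username and password are required"

        # NOTE(review): unsalted SHA-256 is a weak password hash; it is kept
        # because user.password_hash is stored with the same scheme, so a
        # migration to a salted KDF must change both sides together.
        password_hash = hashlib.sha256(password.encode()).hexdigest()

        user = db.query(User).filter_by(username=username).first()
        if not user:
            # Note that this message differs from the wrong-password one, so
            # the response reveals whether a username exists.
            return "This user does not exist"

        # Constant-time compare: response time no longer depends on how many
        # leading characters of the two hex digests agree.
        if not hmac.compare_digest(password_hash, user.password_hash or ""):
            return "Your password is incorrect!"

        # A new token on every login; the cookie is the only session carrier.
        user.session_token = str(uuid.uuid4())
        db.add(user)
        db.commit()

        response = make_response(redirect(url_for('topic.index')))
        # httponly keeps the token out of reach of page scripts; samesite
        # stops cross-site requests from carrying it.
        response.set_cookie("session_token", user.session_token,
                            httponly=True, samesite='Strict')
        return response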
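def comment_edit(comment_id):
    """Let a comment's author edit it: GET shows the form, POST saves the text.

    Args:
        comment_id: identifier handed to ``Comment.get_comment``.

    Returns:
        A redirect to ``auth.login`` when nobody is logged in, a 404 when the
        comment does not exist, a plain-text refusal when the user is not the
        author or the CSRF token does not validate, the edit form on GET, or a
        redirect to the comment's topic after a successful POST.
    """
    comment = Comment.get_comment(comment_id)
    user = user_from_session_token()
    if not user:
        return redirect(url_for('auth.login'))
    # A missing comment used to fail with AttributeError on comment.author.
    if comment is None:
        return "Comment not found", 404
    if comment.author.id != user.id:
        return "You can only edit your own comments!"

    if request.method == "GET":
        csrf_token = set_csrf_token(username=user.username)
        return render_template("comment/comment_edit.html",
                               comment=comment, csrf_token=csrf_token)
    elif request.method == "POST":
        csrf = request.form.get("csrf")
        # Validate the token before the form data is applied.
        if not is_valid_csrf(csrf, user.username):
            return "CSRF error: tokens don't match!"
        comment.text = request.form.get("text")
        db.add(comment)
        db.commit()
        return redirect(url_for('topic.topic_details',
                                topic_id=comment.topic.id))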
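def topic_edit(topic_id):
    """Edit a topic: GET renders the form, POST stores the new title and text.

    Args:
        topic_id: primary key of the topic, as a string from the URL.

    Returns:
        A 404 when the topic does not exist; the edit form on GET; on POST a
        redirect to the login page when nobody is logged in, a plain-text
        refusal when the user is not the author, or a redirect to
        ``topic.topic_details`` after saving.
    """
    topic = db.query(Topic).get(int(topic_id))
    # Guard against a missing row before anything dereferences it.
    if topic is None:
        return "Topic not found", 404

    if request.method == "GET":
        return render_template("topics/topic_edit.html", topic=topic)
    elif request.method == "POST":
        title = request.form.get("title")
        text = request.form.get("text")
        user = user_from_session_token()
        # Check that a user is logged in and that the user is the author.
        if not user:
            # The original built this redirect but never returned it, so an
            # anonymous POST fell through with no response at all.
            # NOTE(review): "auth/login" is kept as written — confirm it is
            # the registered endpoint name (other handlers use 'auth.login').
            return redirect(url_for("auth/login"))
        elif topic.author_id != user.id:
            return "You are not an author"
        else:
            topic.title = title
            topic.text = text
            db.add(topic)
            db.commit()
            return redirect(url_for('topic.topic_details', topic_id=topic_id))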
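def card_edit(card_id):
    """Edit a card: GET renders the form, POST stores the submitted fields.

    Args:
        card_id: primary key of the card, as a string from the URL.

    Returns:
        A 404 when the card does not exist; the edit form on GET; on POST a
        redirect to ``auth.login`` when nobody is logged in, a plain-text
        refusal when the user is not the author, or a redirect to the card's
        detail page after saving.
    """
    card = db.query(Card).get(int(card_id))  # get card from db by ID
    # A missing row used to crash on card.author during POST.
    if card is None:
        return "Card not found", 404

    if request.method == "GET":
        return render_template("card/card_edit.html", card=card)
    elif request.method == "POST":
        # The form field is "baujahr"; the local was misspelled "bauhjahr".
        baujahr = request.form.get("baujahr")
        maschinennummer = request.form.get("maschinennummer")
        standort = request.form.get("standort")

        # Resolve the current user from the session cookie.
        session_token = request.cookies.get("session_token")
        user = db.query(User).filter_by(session_token=session_token).first()

        # Only the card's author may edit it.
        if not user:
            return redirect(url_for('auth.login'))
        elif card.author.id != user.id:
            return "You are not the author!"
        else:
            card.baujahr = baujahr
            card.maschinennummer = maschinennummer
            card.standort = standort
            db.add(card)
            db.commit()
            return redirect(url_for('card/card.card_details', card_id=card_id))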
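def signup():
    """Register a new user: GET renders the form, POST creates the account.

    Returns:
        The rendered ``auth/signup.html`` on GET; on POST a plain-text error
        when the passwords are missing or differ, otherwise a redirect to
        ``card.index`` carrying the new ``session_token`` cookie.
    """
    if request.method == "GET":
        return render_template("auth/signup.html")
    elif request.method == "POST":
        vorname = request.form.get("vorname")
        nachname = request.form.get("nachname")
        email_adresse = request.form.get("email_adresse")
        unternehmen = request.form.get("unternehmen")
        position = request.form.get("position")
        passwort = request.form.get("passwort")
        passwort_wiederholen = request.form.get("passwort_wiederholen")

        # Two absent fields compare equal (None == None) and then crashed on
        # passwort.encode(); require a password explicitly.
        if not passwort:
            return "Password is required! Go back and try again."
        if passwort != passwort_wiederholen:
            return "Passwords do not match! Go back and try again."

        # NOTE(review): unsalted SHA-256 is a weak password hash; kept because
        # the login handler compares against the same scheme.
        user = User(vorname=vorname,
                    nachname=nachname,
                    email_adresse=email_adresse,
                    unternehmen=unternehmen,
                    position=position,
                    passwort_hash=hashlib.sha256(passwort.encode()).hexdigest(),
                    session_token=str(uuid.uuid4()))
        db.add(user)     # queue the insert in the current transaction
        db.commit()      # persist the new user

        # Hand the session token to the browser; httponly keeps it away from
        # page scripts and samesite stops cross-site requests carrying it.
        response = make_response(redirect(url_for('card.index')))
        response.set_cookie("session_token", user.session_token,
                            httponly=True, samesite='Strict')
        return response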
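def signup():
    """Register a new user: GET renders the form, POST creates the account.

    Returns:
        The rendered ``signup.html`` on GET; on POST a plain-text error when
        the password is missing or the repeat differs, otherwise a redirect
        to ``index`` carrying the new ``session_token`` cookie.
    """
    if request.method == "GET":
        return render_template("signup.html")
    elif request.method == "POST":
        username = request.form.get("username")
        email = request.form.get("email")
        password = request.form.get("password")
        password_repeat = request.form.get("password_repeat")

        # Two absent fields compare equal and then crashed on
        # password.encode(); require the password explicitly.
        if not password:
            return "Password is required"
        if password != password_repeat:
            return "Passwords don't match"

        # NOTE(review): unsalted SHA-512 is a weak password hash; kept because
        # the stored value and the login comparison use the same scheme.
        user = User(
            username=username,
            email=email,
            password=hashlib.sha512(password.encode()).hexdigest(),
            session_token=str(uuid.uuid4()),
        )
        db.add(user)
        db.commit()

        response = make_response(redirect(url_for("index")))
        # httponly + samesite: the token is unreadable to scripts and is not
        # sent on cross-site requests.
        response.set_cookie("session_token", user.session_token,
                            httponly=True, samesite="Strict")
        return response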
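def comment_delete(comment_id):
    """Delete a comment on behalf of its author after a CSRF check.

    Args:
        comment_id: primary key of the comment, as a string from the URL.

    Returns:
        A redirect to ``auth.login`` when no verified user is logged in, a
        404 when the comment does not exist, a plain-text refusal when the
        user is not the author or the CSRF token is invalid, otherwise a
        redirect to the topic the comment belonged to.
    """
    comment = db.query(Comment).get(int(comment_id))  # get comment from db by ID

    # Only verified users with a live session token may act.
    session_token = request.cookies.get("session_token")
    user = db.query(User).filter_by(session_token=session_token,
                                    verified=True).first()
    if not user:
        return redirect(url_for('auth.login'))
    # A missing row used to crash on comment.author.
    if comment is None:
        return "Comment not found", 404
    if comment.author.id != user.id:
        return "You can only delete your own comments!"

    csrf = request.form.get("csrf")
    if not validate_csrf(csrf, user.username):
        return "CSRF error: tokens don't match!"

    # Remember the topic before the comment (and its relationship) is gone.
    topic_id = comment.topic.id
    db.delete(comment)
    db.commit()
    return redirect(url_for('topic.topic_details', topic_id=topic_id))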
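def topic_edit(topic_id):
    """Edit a topic: GET renders the form, POST stores the new title and text.

    Args:
        topic_id: primary key of the topic, as a string from the URL.

    Returns:
        A 404 when the topic does not exist; the edit form on GET; on POST a
        redirect to ``login`` when nobody is logged in, a plain-text refusal
        when the user is not the author, or a redirect to ``topic_details``.
    """
    topic = db.query(Topic).get(int(topic_id))
    # A missing row used to crash on topic.author during POST.
    if topic is None:
        return "Topic not found", 404

    if request.method == "GET":
        return render_template("topic_edit.html", topic=topic)
    elif request.method == "POST":
        title = request.form.get("title")
        text = request.form.get("text")

        # Resolve the current user from the session cookie.
        session_token = request.cookies.get("session_token")
        user = db.query(User).filter_by(session_token=session_token).first()

        # Only the author may edit.
        if not user:
            return redirect(url_for('login'))
        elif topic.author.id != user.id:
            return "You are not the author!"
        else:
            topic.title = title
            topic.text = text
            db.add(topic)
            db.commit()
            return redirect(url_for('topic_details', topic_id=topic_id))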
def get_all_bitts(cls):
    """Return every bitt, newest first, seeding three sample rows when the table is empty.

    Args:
        cls: the model class being queried (used as a classmethod receiver).

    Returns:
        A list of ``cls`` instances ordered by ``created`` descending; on an
        empty table the three freshly inserted sample bitts instead.
    """
    bitts = db.query(cls).order_by(desc(cls.created)).all()
    if bitts:
        return bitts

    # Empty table: insert a few placeholder bitts so the page is not blank
    # (they can be deleted later).
    samples = [
        cls(username="******", text="I'm fine. Thanks for not asking."),
        cls(username="******",
            text="Sometimes you have to unfollow people in real life."),
        cls(username="******",
            text="I hope karma slaps you in the face before I do."),
    ]
    for sample in samples:
        db.add(sample)
    db.commit()
    bitts.extend(samples)
    return bitts
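def create(cls, title, text, author):
    """Create, persist and return a new topic.

    Args:
        cls: the model class to instantiate (classmethod receiver).
        title: topic title.
        text: topic body.
        author: the authoring user object.

    Returns:
        The committed ``cls`` instance.
    """
    # The body was passed as ``tect=text`` — a misspelled keyword that the
    # sibling ``update`` helper (which assigns ``topic.text``) does not use.
    topic = cls(title=title, text=text, author=author)
    db.add(topic)
    db.commit()
    return topic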
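def topic_edit(topic_id):
    """Edit a topic: GET renders the form, POST stores the new title and text.

    Args:
        topic_id: primary key of the topic, as a string from the URL.

    Returns:
        A 404 when the topic does not exist; the edit form on GET; on POST a
        redirect to ``auth.login`` when nobody is logged in, a plain-text
        refusal when the user is not the author, or a redirect to the topic's
        detail page after saving.
    """
    topic = db.query(Topic).get(int(topic_id))  # get topic from db by ID
    # A missing row used to crash on topic.author during POST.
    if topic is None:
        return "Topic not found", 404

    if request.method == "GET":
        return render_template("topic/topic_edit.html", topic=topic)
    elif request.method == "POST":
        title = request.form.get("title")
        text = request.form.get("text")

        # Resolve the current user from the session cookie.
        session_token = request.cookies.get("session_token")
        user = db.query(User).filter_by(session_token=session_token).first()

        # Only the author may edit.
        if not user:
            return redirect(url_for('auth.login'))
        elif topic.author.id != user.id:
            return "You are not the author!"
        else:
            topic.title = title
            topic.text = text
            db.add(topic)
            db.commit()

            # START test background tasks (TODO: delete this code later)
            # Kept as the author left it: fires a sample task only when a
            # Redis URL is configured.
            if os.getenv('REDIS_URL'):
                from tasks import get_random_num
                get_random_num()
            # END test background tasks

            return redirect(url_for('topic/topic.topic_details',
                                    topic_id=topic_id))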
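def login():
    """Render the login form on GET; on POST check the credentials and start a session.

    Returns:
        The rendered ``auth/login.html`` on GET; on POST a plain-text error
        string or a redirect to ``topic.index`` whose response carries the
        new ``session_token`` cookie.
    """
    import hmac  # local import: constant-time comparison of the hash strings

    if request.method == "GET":
        return render_template("auth/login.html")
    elif request.method == "POST":
        user_name = request.form.get("username")
        password = request.form.get("password")
        # A missing field used to raise AttributeError on password.encode().
        if not user_name or not password:
            return "Username and password are required"

        # NOTE(review): unsalted SHA-256 is a weak password hash; kept because
        # user.password_hash is stored with the same scheme.
        password_hash = hashlib.sha256(password.encode()).hexdigest()

        user = db.query(User).filter_by(username=user_name).first()
        if not user:
            # Differs from the wrong-password message, so the response reveals
            # whether a username exists.
            return "This user does not exist"

        # Constant-time compare of the two hex digests.
        if not hmac.compare_digest(password_hash, user.password_hash or ""):
            # Original text read "Your Passwrod isnt correct".
            return "Your password isn't correct"

        user.session_token = str(uuid.uuid4())
        db.add(user)
        db.commit()
        response = make_response(redirect(url_for('topic.index')))
        response.set_cookie("session_token", user.session_token,
                            httponly=True, samesite='Strict')
        return response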
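def signup():
    """Register a new user: GET renders the form, POST creates the account.

    Returns:
        The rendered ``auth/signup.html`` on GET; on POST a plain-text error
        when the password is missing or the repeat differs, otherwise a
        redirect to ``topic.index`` carrying the new ``session_token`` cookie.
    """
    if request.method == "GET":
        return render_template("auth/signup.html")
    elif request.method == "POST":
        username = request.form.get("username")
        password = request.form.get("password")
        repeat = request.form.get("repeat")

        # Two absent fields compare equal and then crashed on
        # password.encode(); require the password explicitly.
        if not password:
            return "Password is required! try again."
        if password != repeat:
            return "Passwords do not match! try again."

        # NOTE(review): unsalted SHA-256 is a weak password hash; kept because
        # the login handler compares against the same scheme.
        user = User(username=username,
                    password_hash=hashlib.sha256(password.encode()).hexdigest(),
                    session_token=str(uuid.uuid4()))
        db.add(user)
        db.commit()

        response = make_response(redirect(url_for('topic.index')))
        response.set_cookie("session_token", user.session_token,
                            httponly=True, samesite='Strict')
        return response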
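def comment_edit(comment_id):
    """Edit a comment: GET renders the form, POST stores the new text.

    Args:
        comment_id: primary key of the comment, as a string from the URL.

    Returns:
        A redirect to the login page when nobody is logged in, a 404 when the
        comment does not exist, a plain-text refusal when the user is not the
        author, the edit form on GET, or a redirect to the comment's topic
        after a successful POST.
    """
    comment = db.query(Comment).get(int(comment_id))  # get comment from db by ID

    # Resolve the current user from the session cookie.
    session_token = request.cookies.get("session_token")
    user = db.query(User).filter_by(session_token=session_token).first()

    if not user:
        # The original built this redirect but never returned it, so an
        # anonymous request fell through to the edit form.
        # NOTE(review): "auth/login" is kept as written — confirm it is the
        # registered endpoint name (other handlers use 'auth.login').
        return redirect(url_for("auth/login"))
    # A missing row used to crash on comment.author.
    if comment is None:
        return "Comment not found", 404
    if comment.author.id != user.id:
        return "You are not an author"

    if request.method == "GET":
        return render_template("topics/comment_edit.html", comment=comment)
    elif request.method == "POST":
        # NOTE(review): no CSRF token is checked here, unlike the sibling
        # handlers that validate one before writing.
        comment.text = request.form.get("text")
        db.add(comment)
        db.commit()
        return redirect(url_for('topic.topic_details',
                                topic_id=comment.topic.id))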
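def comment_edit(comment_id):
    """Edit a comment: GET renders the form with a CSRF token, POST validates it and saves.

    Args:
        comment_id: primary key of the comment, as a string from the URL.

    Returns:
        A redirect to ``auth.login`` when no verified user is logged in, a 404
        when the comment does not exist, a plain-text refusal when the user is
        not the author or the CSRF token is invalid, the edit form on GET, or
        a redirect to the comment's topic after a successful POST.
    """
    comment = db.query(Comment).get(int(comment_id))  # get comment from db by ID

    # Only verified users with a live session token may act.
    session_token = request.cookies.get("session_token")
    user = db.query(User).filter_by(session_token=session_token,
                                    verified=True).first()
    if not user:
        return redirect(url_for('auth.login'))
    # A missing row used to crash on comment.author.
    if comment is None:
        return "Comment not found", 404
    if comment.author.id != user.id:
        return "You can only edit your own comments!"

    if request.method == "GET":
        csrf_token = create_csrf_token(username=user.username)
        return render_template("comment/comment_edit.html",
                               comment=comment, csrf_token=csrf_token)
    elif request.method == "POST":
        csrf = request.form.get("csrf")
        # Validate the token before the form data is applied.
        if not validate_csrf(csrf, user.username):
            return "CSRF error: tokens don't match!"
        comment.text = request.form.get("text")
        db.add(comment)
        db.commit()
        return redirect(url_for('topic.topic_details',
                                topic_id=comment.topic.id))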
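def signup():
    """Register a new user: GET renders the form, POST creates the account.

    Returns:
        The rendered ``auth/signup.html`` on GET; on POST a plain-text error
        when the password is missing or the repeat differs, otherwise a
        redirect to ``topic.index`` carrying the new ``session_token`` cookie.
    """
    if request.method == "GET":
        return render_template("auth/signup.html")
    elif request.method == "POST":
        username = request.form.get("username")
        email_adress = request.form.get("email-adress")
        password = request.form.get("password")
        repeat = request.form.get("repeat")

        # Two absent fields compare equal and then crashed on
        # password.encode(); require the password explicitly.
        if not password:
            return "Password is required! Go back and try again."
        if password != repeat:
            return "Passwords do not match! Go back and try again."

        # NOTE(review): unsalted SHA-256 is a weak password hash; kept because
        # the login handler compares against the same scheme.
        user = User(username=username,
                    password_hash=hashlib.sha256(password.encode()).hexdigest(),
                    session_token=str(uuid.uuid4()),
                    email_adress=email_adress)
        db.add(user)     # queue the insert in the current transaction
        db.commit()      # persist the new user

        # Hand the session token to the browser; httponly keeps it away from
        # page scripts and samesite stops cross-site requests carrying it.
        response = make_response(redirect(url_for('topic.index')))
        response.set_cookie("session_token", user.session_token,
                            httponly=True, samesite='Strict')
        return response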
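def logout():
    """Invalidate the current session token and send the browser to ``topic.index``.

    Returns:
        A redirect to ``topic.index``; the response also clears the
        ``session_token`` cookie.
    """
    user = user_from_session_token()
    # An anonymous request used to crash on user.session_token; without a
    # user there is nothing to invalidate server-side.
    if user:
        user.session_token = ""
        db.add(user)
        db.commit()
    response = make_response(redirect(url_for('topic.index')))
    # Drop the client-side copy too, so the stale token stops being sent.
    response.delete_cookie("session_token")
    return response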
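def topic_delete(comment_id):
    """Delete a comment and redirect to ``index``.

    NOTE(review): despite its name this handler deletes a Comment, performs
    the deletion on a plain GET, and checks neither a logged-in user nor
    authorship — any link or image tag pointing at the URL removes the row.
    The sibling delete handlers require POST, an author match and a CSRF
    token; this one should be brought in line before it is exposed.

    Args:
        comment_id: primary key of the comment, as a string from the URL.

    Returns:
        A 404 when the comment does not exist, otherwise a redirect to
        ``index``.
    """
    comment = db.query(Comment).get(int(comment_id))
    # A missing row used to crash inside db.delete.
    if comment is None:
        return "Comment not found", 404

    if request.method == "GET":
        db.delete(comment)
        db.commit()
        # Kept as written: the deleted object is passed as a query argument.
        return redirect(url_for('index', comment=comment))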
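def logout():
    """Invalidate the current session token and send the browser to ``index``.

    Returns:
        A redirect to ``index``; the response also clears the
        ``session_token`` cookie.
    """
    session_token = request.cookies.get("session_token")
    user = db.query(User).filter_by(session_token=session_token).first()
    # No cookie or a stale token yields no user; that used to crash on
    # user.session_token.
    if user:
        user.session_token = ""
        db.add(user)
        db.commit()
    response = make_response(redirect(url_for('index')))
    # Drop the client-side copy too, so the stale token stops being sent.
    response.delete_cookie("session_token")
    return response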
def create(cls, name, baujahr, maschinennummer, standort, author):
    """Create, persist and return a new card.

    Args:
        cls: the model class to instantiate (classmethod receiver).
        name: card name.
        baujahr: year of construction.
        maschinennummer: machine number.
        standort: location.
        author: the authoring user object.

    Returns:
        The committed ``cls`` instance.
    """
    fields = {
        "name": name,
        "baujahr": baujahr,
        "maschinennummer": maschinennummer,
        "standort": standort,
        "author": author,
    }
    new_card = cls(**fields)
    db.add(new_card)
    db.commit()
    return new_card
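def verify_email(token):
    """Mark the user owning ``token`` as verified and render the result page.

    Args:
        token: the verification token from the emailed link.

    Returns:
        The rendered ``auth/email_verification_result.html`` with
        ``verified`` True when a matching user was found, False otherwise.
    """
    user = db.query(User).filter_by(verification_token=token).first()
    # An unknown token used to crash on user.verified while rendering.
    verified = user is not None
    if verified:
        user.verified = True
        db.add(user)
        db.commit()
    return render_template("auth/email_verification_result.html",
                           verified=verified)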
def update(cls, topic_id, title, text):
    """Overwrite a topic's title and text, commit, and return the topic.

    Args:
        cls: classmethod receiver (not used for the lookup, which goes
            through ``Topic``).
        topic_id: primary key of the topic; coerced with ``int``.
        title: new title.
        text: new body text.

    Returns:
        The updated ``Topic`` instance.
    """
    row = db.query(Topic).get(int(topic_id))
    for attr, value in (("title", title), ("text", text)):
        setattr(row, attr, value)
    db.add(row)
    db.commit()
    return row
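def logout():
    """Clear the current user's session token on GET and render the login page.

    Returns:
        The rendered ``login.html`` on GET.
    """
    if request.method == "GET":
        session_token = request.cookies.get("session_token")
        user = db.query(User).filter_by(session_token=session_token).first()
        # No cookie or a stale token yields no user; that used to crash on
        # user.session_token.
        if user:
            user.session_token = None
            db.commit()
        return render_template("login.html")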
def create(cls, username, password_hash, email):
    """Create, persist and return a new user with a fresh session token.

    Args:
        cls: the model class to instantiate (classmethod receiver).
        username: login name.
        password_hash: already-hashed password value to store.
        email: e-mail address.

    Returns:
        The committed ``cls`` instance.
    """
    new_user = cls(
        username=username,
        password_hash=password_hash,
        session_token=str(uuid.uuid4()),  # random token for the first session
        email=email,
    )
    db.add(new_user)
    db.commit()
    return new_user
def create(cls, text, author, topic):
    """Create and persist a comment, then notify the topic's author by e-mail.

    Args:
        cls: the model class to instantiate (classmethod receiver).
        text: comment body.
        author: the commenting user object.
        topic: the topic the comment belongs to.

    Returns:
        The committed ``cls`` instance.
    """
    new_comment = cls(text=text, author=author, topic=topic)
    db.add(new_comment)
    db.commit()

    # Notify only when the topic author has an e-mail on file.
    recipient = topic.author.email
    if recipient:
        send_email(
            receiver_email=recipient,
            subject="New comment for your topic!",
            text=f"Your topic {topic.title} has a new comment.",
        )
    return new_comment
def create(cls, text, author, topic):
    """Create and persist a comment, then notify the topic's author by e-mail.

    Args:
        cls: the model class to instantiate (classmethod receiver).
        text: comment body.
        author: the commenting user object.
        topic: the topic the comment belongs to.

    Returns:
        The committed ``cls`` instance.
    """
    new_comment = cls(text=text, author=author, topic=topic)
    db.add(new_comment)
    db.commit()

    # Notify only when the topic author has an e-mail address on file.
    recipient = topic.author.email_address
    if recipient:
        send_email(
            receiver_email=recipient,
            subject="New comment for your topic!",
            text=f"Your topic {topic.title} has a new comment.",
        )
    return new_comment
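def signup():
    """Register a new user, e-mail a verification link, and start a session.

    Returns:
        The rendered ``auth/signup.html`` on GET; on POST a plain-text error
        when the password is missing or the repeat differs, otherwise a
        redirect to ``topic.index`` carrying the new ``session_token`` cookie.
    """
    if request.method == "GET":
        return render_template("auth/signup.html")
    elif request.method == "POST":
        username = request.form.get("username")
        password = request.form.get("password")
        email_address = request.form.get("email-address")
        repeat = request.form.get("repeat")

        # Two absent fields compare equal and then crashed on
        # password.encode(); require the password explicitly.
        if not password:
            return "Password is required! Go back and try again."
        if password != repeat:
            return "Passwords do not match! Go back and try again."

        # NOTE(review): unsalted SHA-256 is a weak password hash; kept because
        # the login handler compares against the same scheme.
        user = User(username=username,
                    password_hash=hashlib.sha256(password.encode()).hexdigest(),
                    session_token=str(uuid.uuid4()),
                    email_address=email_address,
                    verification_token=str(uuid.uuid4()))
        db.add(user)     # queue the insert in the current transaction
        db.commit()      # persist the new user

        # Build the verification e-mail. The link carries the random
        # verification token; whoever receives it can verify the address.
        subject = "Verify your email address"
        # TODO: set HEROKU_APP_NAME config var on Heroku! When it is unset the
        # domain becomes the literal "None.herokuapp.com".
        domain = "{}.herokuapp.com".format(os.getenv("HEROKU_APP_NAME"))
        print("Domain: " + str(domain))
        text = ("Hi! Click on this link to verify your email address: "
                "{0}/verify-email/{1}").format(domain, user.verification_token)
        send_email(receiver_email=user.email_address, subject=subject, text=text)

        # Hand the session token to the browser; httponly keeps it away from
        # page scripts and samesite stops cross-site requests carrying it.
        response = make_response(redirect(url_for('topic.index')))
        response.set_cookie("session_token", user.session_token,
                            httponly=True, samesite='Strict')
        return response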
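def login():
    """Render the login form on GET; on POST check the credentials and start a session.

    Returns:
        The rendered ``login.html`` on GET; on POST a plain-text error string
        or a redirect to ``profile.profile`` whose response carries the new
        ``session_token`` cookie.
    """
    import hmac  # local import: constant-time comparison of the hash strings

    if request.method == "GET":
        return render_template("login.html")
    elif request.method == "POST":
        username = request.form.get("username")
        password = request.form.get("password")
        # A missing field used to raise AttributeError on password.encode().
        if not username or not password:
            return "Invalid Username or Password"

        # NOTE(review): unsalted SHA-256 is a weak password hash; kept because
        # user.password_hash is stored with the same scheme.
        password_hash = hashlib.sha256(password.encode()).hexdigest()

        user = db.query(User).filter_by(username=username).first()
        if not user:
            # Differs from the wrong-password message, so the response reveals
            # whether a username exists.
            return "User does not exist"

        # Constant-time compare of the two hex digests.
        if not hmac.compare_digest(password_hash, user.password_hash or ""):
            return "Invalid Username or Password"

        user.session_token = str(uuid.uuid4())
        db.add(user)
        db.commit()

        # NOTE(review): the redirect target is kept as written, but it puts
        # password_hash (and the stringified user object) into the URL query
        # string, where it lands in browser history, server logs and Referer
        # headers. profile.profile should read the session cookie instead.
        response = make_response(
            redirect(url_for('profile.profile', user=user,
                             username=user.username,
                             password_hash=password_hash)))
        response.set_cookie("session_token", user.session_token,
                            httponly=True, samesite='Strict')
        return response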
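def comment_delete(comment_id):
    """Delete a comment on behalf of its author after a CSRF check.

    Args:
        comment_id: identifier handed to ``Comment.get_comment``.

    Returns:
        A redirect to ``auth.login`` when nobody is logged in, a 404 when the
        comment does not exist, a plain-text refusal when the user is not the
        author or the CSRF token is invalid, otherwise a redirect to the topic
        the comment belonged to.
    """
    comment = Comment.get_comment(comment_id)
    user = user_from_session_token()
    if not user:
        return redirect(url_for('auth.login'))
    # A missing comment used to crash on comment.author.
    if comment is None:
        return "Comment not found", 404
    if comment.author.id != user.id:
        return "You can only delete your own comments!"

    csrf = request.form.get("csrf")
    if not is_valid_csrf(csrf, user.username):
        return "CSRF error: tokens don't match!"

    # Remember the topic before the comment (and its relationship) is gone.
    topic_id = comment.topic.id
    db.delete(comment)
    db.commit()
    return redirect(url_for('topic.topic_details', topic_id=topic_id))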
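def topic_delete(topic_id):
    """Delete a topic: GET shows a confirmation page, POST performs the deletion.

    Args:
        topic_id: primary key of the topic, as a string from the URL.

    Returns:
        A 404 when the topic does not exist; the confirmation page on GET; on
        POST a redirect to ``login`` when nobody is logged in, a plain-text
        refusal when the user is not the author, or a redirect to ``index``
        after deletion.
    """
    topic = db.query(Topic).get(int(topic_id))  # get topic from db by ID
    # A missing row used to crash on topic.author_id during POST.
    if topic is None:
        return "Topic not found", 404

    if request.method == "GET":
        return render_template("topic/delete.html", topic=topic)
    elif request.method == "POST":
        user = user_from_session_token()
        # Only the author may delete.
        if not user:
            return redirect(url_for('login'))
        elif topic.author_id != user.id:
            return "You are not the author!"
        else:
            # NOTE(review): unlike the comment delete handlers, no CSRF token
            # is validated here before the destructive write.
            db.delete(topic)
            db.commit()
            return redirect(url_for('index'))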