예제 #1
0
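def emptycart():
    """Remove every not-yet-checked-out line from the current user's cart.

    Only rows whose ``ticketid`` is NULL are touched, so lines already tied
    to an order (ticket) are never deleted.  Redirects back to the referring
    page, falling back to the shop index when the client sent no Referer.
    """
    db = get_db()
    # request.referrer is client-supplied and may be absent; redirect(None)
    # would fail, so always have a known in-app fallback.
    back = request.referrer or url_for('shop.index')

    # One matching row is enough to know the cart is not empty.
    pending = db.execute(
        'SELECT 1 FROM cart \
        INNER JOIN goods ON goods.id = cart.goodid    \
        WHERE cart.userid = ? AND cart.ticketid IS NULL LIMIT 1',
        (g.user['id'], )).fetchone()
    if pending is None:
        flash("Your cart is empty", category="error")
        return redirect(back)

    db.execute('DELETE FROM cart WHERE ticketid IS NULL AND userid = ?',
               (g.user['id'], ))
    db.commit()
    return redirect(back)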
예제 #2
0
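def load_logged_in_user():
    """Populate ``g.user``, ``g.shopuser`` and ``g.panuser`` from the session.

    All three are ``None`` when nobody is logged in.  If the session still
    names a user that no longer exists in the ``user`` table (deleted
    account), the stale session is cleared and the request proceeds as
    anonymous instead of raising ``TypeError`` on ``g.user['id']``.
    """
    g.user = None
    g.shopuser = None
    g.panuser = None

    user_id = session.get('user_id')
    if user_id is None:
        return

    db = get_db()
    user = db.execute('SELECT * FROM user WHERE id = ?',
                      (user_id, )).fetchone()
    if user is None:
        # Orphaned session: drop it rather than keep a dangling id around.
        session.clear()
        return

    g.user = user
    # Per-module profiles; either may legitimately be absent (None).
    g.shopuser = db.execute('SELECT * FROM shopuser WHERE userid = ?',
                            (user['id'], )).fetchone()
    g.panuser = db.execute('SELECT * FROM panuser WHERE userid = ?',
                           (user['id'], )).fetchone()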
예제 #3
0
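def delete_link():
    """Delete one of the current user's share links.

    The link id comes from ``request.values['link']`` (missing key -> HTTP
    400 via Flask).  An unknown link is a 404; a link owned by another user
    is rejected with a flash and a redirect.  The DELETE is additionally
    scoped to the owner, so the ownership check cannot be raced between the
    SELECT and the DELETE.
    """
    db = get_db()
    link = request.values['link']
    info = db.execute(
        'SELECT * FROM share_info WHERE link = ?',
        (link,)
    ).fetchone()
    if info is None:
        # Previously this fell through to info['userid'] and raised.
        abort(404)
    if info['userid'] != g.user['id']:
        flash("非法操作", category="error")
        # Referer is client-supplied and may be absent; never redirect(None).
        return redirect(request.referrer or url_for('pan.shares'))
    db.execute(
        'DELETE FROM share_info WHERE link = ? AND userid = ?',
        (link, g.user['id'])
    )
    db.commit()
    return redirect(url_for('pan.shares'))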
예제 #4
0
def index():
    """Render the shop front page.

    Lists goods that are on sale, optionally narrowed to the category given
    by the ``category`` query/form parameter.  The category value is bound
    as a query parameter, never interpolated into the SQL.  The category
    list is passed along for the filter menu.
    """
    db = get_db()
    base_sql = 'SELECT id, name, value, type, amount FROM goods where isOnsale=1'
    category = request.values.get('category')
    if category is None:
        goods = db.execute(base_sql).fetchall()
    else:
        goods = db.execute(base_sql + ' AND type = ?', (category, )).fetchall()
    categories = db.execute('SELECT name FROM category').fetchall()
    return render_template('shop/index.html',
                           goods=goods,
                           categories=categories,
                           search=False)
예제 #5
0
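def login():
    """Log a user in with username + password.

    POST: validate the username syntax, look the user up and verify the
    password with ``nacl.pwhash.verify``.  On success the session is reset
    (``session.clear()``) before the user id is stored, which defeats
    session fixation, and a success log row is written.  Every failure uses
    the same generic message so the response does not reveal whether the
    username exists; a wrong password is logged against the account.
    GET (or failed POST): render the login form, warning if the development
    SECRET_KEY is still configured.
    """
    if request.method == 'POST':
        username = request.form['username']
        if re.fullmatch('[0-9A-Za-z]+', username) is None:
            flash('The username must match [0-9A-Za-z]+', category='error')
            return render_template('auth/login.html')

        # secure_filename is a no-op for the alphanumeric names allowed
        # above; kept as belt-and-braces.
        username = secure_filename(request.form['username'])
        if username.strip() == "":
            abort(400)
        password = request.form['password']
        db = get_db()
        error = None
        user = db.execute('SELECT * FROM user WHERE username = ?',
                          (username, )).fetchone()

        if user is None:
            # Same message as a wrong password: no username enumeration.
            # NOTE(review): response time still differs (no hash computed
            # on this path); verify against a dummy hash if that matters.
            error = 'Incorrect username or password.'
        else:
            try:
                nacl.pwhash.verify(user['password'], password.encode('utf-8'))
            except nacl.exceptions.InvalidkeyError:
                error = 'Incorrect username or password.'
                db.execute(
                    'INSERT INTO logs (userid, title, body) VALUES (?, ?, ?)',
                    (user['id'], "auth.login.failed",
                     "Somebody failed to login your account."))
                db.commit()

        if error is None:
            # Fresh session on privilege change (anonymous -> authenticated).
            session.clear()
            session['user_id'] = user['id']
            db.execute(
                'INSERT INTO logs (userid, title, body) VALUES (?, ?, ?)',
                (user['id'], "auth.login.success",
                 "You logged in the system successfully."))
            db.commit()
            return redirect(url_for('index'))

        flash(error, category="error")

    if current_app.config['SECRET_KEY'] == 'dev':
        flash("You need to change your SECRET_KEY!", category='error')
    return render_template('auth/login.html')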
예제 #6
0
def changeuserinfo():
    """Show (GET) or update (POST) the current user's shop profile.

    POST reads ``address``, ``postalcode``, ``phone`` and ``email`` from the
    form with ``.get``, so a field that is absent is written as NULL.
    NOTE(review): no format or length validation is applied to any field
    here — confirm the template and downstream consumers tolerate arbitrary
    values.
    """
    if request.method == 'GET':
        return render_template('shop/userinfo.html', i=g.shopuser)

    form = request.form
    params = (
        form.get('phone'),
        form.get('email'),
        form.get('address'),
        form.get('postalcode'),
        g.user['id'],
    )
    db = get_db()
    db.execute(
        'UPDATE shopuser SET phone = ?, email = ?, address = ?, postalcode = ? WHERE userid = ?',
        params)
    db.commit()
    return redirect(url_for('shop.index'))
예제 #7
0
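def registerAdmin():
    """Promote the user named in ``request.form['username']`` to admin.

    Only an existing admin may call this; a non-admin caller — including one
    whose ``isadmin`` flag is NULL, which previously raised on ``int(None)``
    — is bounced to the settings page with no change (fail closed).  An
    unknown username is likewise a silent redirect.  The promotion is logged
    against both the promoted account and the acting admin so the audit
    trail shows who granted the privilege.
    """
    is_admin = g.user['isadmin']
    if is_admin is None or int(is_admin) == 0:
        return redirect(url_for('auth.settings'))

    db = get_db()
    username = request.form['username']
    user = db.execute('SELECT id FROM user WHERE username = ?',
                      (username, )).fetchone()
    if user is None:
        return redirect(url_for('auth.settings'))
    db.execute('UPDATE user SET isadmin = ? WHERE id = ?', (1, user['id']))
    db.execute('INSERT INTO logs (userid, title, body) VALUES (?, ?, ?)',
               (user['id'], "auth.registerAdmin",
                "You are registered as Admin in the cardinal system."))
    # Audit: record the actor as well as the target of a privileged action.
    db.execute('INSERT INTO logs (userid, title, body) VALUES (?, ?, ?)',
               (g.user['id'], "auth.registerAdmin",
                "You granted Admin to user {}.".format(username)))
    db.commit()
    return redirect(url_for('auth.settings'))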
예제 #8
0
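def safes():
    """Serve a password-protected shared file.

    Looks the share up by ``request.values['link']``: 404 when unknown, a
    flash + redirect when expired or when the share carries no password
    (this endpoint is only for protected shares).  The submitted password is
    checked with ``nacl.pwhash.verify``; a mismatch (or a missing password
    field) is a 403.  Only the verification is inside the ``try`` so that
    failures from ``send_file`` (e.g. a missing file on disk) are surfaced
    instead of being masked as 403 by a blanket ``except Exception``.
    """
    db = get_db()
    info = db.execute(
        'SELECT * FROM share_info WHERE link = ?',
        (request.values['link'],)
    ).fetchone()
    if info is None:
        abort(404)
    # NOTE(review): assumes expiretime comes back as a naive UTC datetime;
    # the comparison raises for a plain string — confirm against the schema.
    if info['expiretime'] is not None and datetime.datetime.utcnow() > info['expiretime']:
        flash("分享链接已过期", category="error")
        return redirect(url_for('index'))
    if info['password'] is None:
        flash("该文件无密码", category="error")
        return redirect(url_for('index'))
    # A missing password field is treated as a wrong password, not a 400.
    supplied = str(request.form.get('password', '')).encode('utf-8')
    try:
        nacl.pwhash.verify(info['password'], supplied)
    except nacl.exceptions.InvalidkeyError:
        abort(403)
    # NOTE(review): filename is taken from the DB as-is; it must have been
    # stored as a server-controlled path when the share was created.
    return send_file(info['filename'], as_attachment=True, conditional=True)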
예제 #9
0
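def delete(idnum):
    """Remove every pending (not yet checked out) cart line for good *idnum*.

    The DELETE is scoped to the current user and to rows whose ``ticketid``
    is NULL, so users cannot touch each other's carts or lines already
    attached to an order.  The cursor's ``rowcount`` says whether anything
    matched, replacing the previous SELECT-then-DELETE pair (no check/act
    race).  Redirects back to the referrer, or the shop index when the
    client sent none.
    """
    db = get_db()
    # Referer is client-supplied and may be absent; never redirect(None).
    back = request.referrer or url_for('shop.index')
    cur = db.execute(
        'DELETE FROM cart WHERE goodid = ? AND ticketid IS NULL AND userid = ?',
        (idnum, g.user['id']))
    if cur.rowcount == 0:
        flash("Illegal delete", category="error")
        return redirect(back)
    db.commit()
    flash("All goods have been remove from your cart")
    return redirect(back)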
예제 #10
0
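def delete(idnum):
    """Remove every pending (not yet checked out) cart line for good *idnum*.

    The DELETE is scoped to the current user and to rows whose ``ticketid``
    is NULL, so users cannot touch each other's carts or lines already
    attached to an order.  The cursor's ``rowcount`` says whether anything
    matched, replacing the previous SELECT-then-DELETE pair (no check/act
    race).  Redirects back to the referrer, or the shop index when the
    client sent none.
    """
    db = get_db()
    # Referer is client-supplied and may be absent; never redirect(None).
    back = request.referrer or url_for('shop.index')
    cur = db.execute(
        'DELETE FROM cart WHERE goodid = ? AND ticketid IS NULL AND userid = ?',
        (idnum, g.user['id']))
    if cur.rowcount == 0:
        flash("非法删除操作", category="error")
        return redirect(back)
    db.commit()
    flash("商品已从购物车移除")
    return redirect(back)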
예제 #11
0
def register():
    """Create a new account (GET renders the form, POST processes it).

    Validation order: username syntax ([0-9A-Za-z]+), non-empty fields,
    username not already taken, zxcvbn score >= 1.  The very first row in
    the ``user`` table is created as admin; every later one is not.
    Passwords are stored as ``nacl.pwhash.str`` hashes.

    NOTE(review): the "already taken" check and the "first user" check are
    separate statements from the INSERT, so two concurrent first
    registrations can both become admin unless the schema enforces
    uniqueness; a zxcvbn threshold of 1 rejects only the weakest passwords.
    """
    if request.method != 'POST':
        return render_template('auth/register.html')

    username = request.form['username']
    if re.fullmatch('[0-9A-Za-z]+', username) is None:
        flash('The username must match [0-9A-Za-z]+', category='error')
        return render_template('auth/register.html')

    username = secure_filename(request.form['username'])
    if username.strip() == "":
        abort(400)
    password = request.form['password']
    db = get_db()

    error = None
    if not username:
        error = '需要用户名。'
    elif not password:
        error = 'Password is required.'
    elif db.execute('SELECT id FROM user WHERE username = ?',
                    (username, )).fetchone() is not None:
        error = 'User {} is already registered.'.format(username)
    elif zxcvbn(str(password), user_inputs=[str(username)])['score'] < 1:
        error = "Insufficient password strength."

    if error is not None:
        flash(error, category="error")
        return render_template('auth/register.html')

    # The first account ever created becomes the admin.
    is_first_user = db.execute('SELECT * FROM user').fetchone() is None
    db.execute(
        'INSERT INTO user (username, password, isadmin) VALUES (?, ?, ?)',
        (username, nacl.pwhash.str(password.encode('utf-8')),
         1 if is_first_user else 0))
    db.commit()
    return redirect(url_for('auth.login'))
예제 #12
0
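def renamecategory(idnum):
    """Rename category *idnum* and re-label its goods.

    GET renders the category form; POST reads ``name`` from the form.  A
    missing or blank name is rejected with a flash (it would otherwise be
    written as NULL/'' into ``category.name`` and copied onto every good of
    that category).  ``goods.type`` stores the category name, so goods
    carrying the old name are updated in the same transaction.  Redirects
    use the referrer, falling back to the categories page when absent.
    """
    db = get_db()
    # Referer is client-supplied and may be absent; never redirect(None).
    back = request.referrer or url_for("shop.categories")
    info = db.execute('SELECT * FROM category WHERE id = ?',
                      (idnum, )).fetchone()
    if info is None:
        flash("The category doesn't exist")
        return redirect(back)
    if request.method == 'GET':
        return render_template("shop/createcategory.html")

    name = request.form.get('name', '').strip()
    if not name:
        flash("A category name is required", category="error")
        return redirect(back)
    # The row fetched above already holds the current name; no second query.
    oldname = info['name']
    db.execute('UPDATE category SET name = ? WHERE id = ?', (name, idnum))
    db.execute('UPDATE goods SET type = ? WHERE type = ?', (name, oldname))
    db.commit()
    return redirect(url_for("shop.categories"))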
예제 #13
0
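def registerPan():
    """Grant disk (pan) access to the user named in ``request.form['username']``.

    Only an existing admin may call this; a non-admin caller — including one
    whose ``isadmin`` flag is NULL, which previously raised on ``int(None)``
    — is bounced to the settings page with no change (fail closed).  An
    unknown username is a silent redirect; a user who already has a
    ``panuser`` row gets a flash instead of a duplicate row.  The grant is
    logged against both the target account and the acting admin.
    """
    is_admin = g.user['isadmin']
    if is_admin is None or int(is_admin) == 0:
        return redirect(url_for('auth.settings'))

    db = get_db()
    user = db.execute('SELECT * FROM user WHERE username = ?',
                      (request.form['username'], )).fetchone()
    if user is None:
        return redirect(url_for('auth.settings'))
    already = db.execute('SELECT * FROM panuser WHERE userid = ?',
                         (user['id'], )).fetchone()
    if already is not None:
        error = 'User {} is already granted disk access.'.format(
            user['username'])
        flash(error, category="error")
        return redirect(url_for('auth.settings'))
    db.execute('INSERT INTO panuser (userid) VALUES (?)', (user['id'], ))
    db.execute(
        'INSERT INTO logs (userid, title, body) VALUES (?, ?, ?)',
        (user['id'], "auth.registerPan", "You are granted disk access."))
    # Audit: record the actor as well as the target of a privileged action.
    db.execute(
        'INSERT INTO logs (userid, title, body) VALUES (?, ?, ?)',
        (g.user['id'], "auth.registerPan",
         "You granted disk access to user {}.".format(user['username'])))
    db.commit()
    return redirect(url_for('auth.settings'))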
예제 #14
0
def search():
    """Render the shop page filtered by a name substring and optional category.

    ``search_name`` (default '') is wrapped in ``%...%`` for a LIKE match and
    bound as a parameter, so it cannot inject SQL; note that ``%`` and ``_``
    typed by the user still act as LIKE wildcards because no ESCAPE clause
    is used.  ``category``, when present, must equal ``goods.type`` exactly.
    """
    db = get_db()
    search_name = request.values.get('search_name')
    if search_name is None:
        search_name = ''
    category = request.values.get('category')
    pattern = "%" + search_name + "%"

    if category is None:
        goods = db.execute(
            'SELECT id, name, value, type, amount FROM goods where isOnsale=1 AND name LIKE ?',
            (pattern, )).fetchall()
    else:
        goods = db.execute(
            'SELECT id, name, value, type, amount FROM goods where isOnsale=1 AND name LIKE ? AND type = ?',
            (pattern, category)).fetchall()

    categories = db.execute('SELECT name FROM category').fetchall()
    return render_template('shop/index.html',
                           goods=goods,
                           categories=categories,
                           search=True,
                           search_name=search_name)
예제 #15
0
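def calccart():
    """Check out the current user's pending cart into a new ticket.

    Steps:
      1. Refuse an empty cart.
      2. For every on-sale line, refuse the checkout when the cart amount
         exceeds the stock (``goods.amount``; NULL or '' means unlimited).
      3. Deduct stock, drop off-sale lines from the cart, and refuse the
         checkout if no on-sale line is left.
      4. Insert a ``ticket`` with the shop profile's address and the summed
         value, then attach the cart lines to it.

    NOTE(review): steps 2-3 are a check-then-act across requests; two
    concurrent checkouts of the same good can both pass the stock check.
    A conditional UPDATE (``... AND amount >= ?``) with a rowcount check
    would close that but changes the error flow, so it is left as is.
    """
    db = get_db()
    # Referer is client-supplied and may be absent; never redirect(None).
    back = request.referrer or url_for("shop.index")
    uid = g.user['id']

    goods = db.execute(
        'SELECT cart.amount, goods.* FROM cart \
        INNER JOIN goods ON goods.id = cart.goodid    \
        WHERE cart.userid = ? AND cart.ticketid IS NULL',
        (uid, )).fetchall()
    if goods == []:
        flash("Your cart is empty", category="error")
        return redirect(back)

    # The shop profile supplies the shipping address; without it the ticket
    # INSERT below would raise on g.shopuser['address'].
    if g.shopuser is None:
        flash("Please fill in your shipping information first", category="error")
        return redirect(back)

    existedgoods = db.execute(
        'SELECT cart.amount AS cartamount, goods.* FROM cart \
        INNER JOIN goods ON goods.id = cart.goodid    \
        WHERE cart.userid = ? AND cart.ticketid IS NULL AND goods.isOnsale=1',
        (uid, )).fetchall()

    def _stock(good):
        """Return the stock as int, or None when the good is not stock-limited."""
        raw = good['amount']
        if raw is None or raw == '':
            return None
        return int(raw)

    is_valid = True
    for good in existedgoods:
        limit = _stock(good)
        if limit is not None and int(good['cartamount']) > limit:
            is_valid = False
            # Previously concatenated without separators ("only53 - Fooin stock").
            flash("There are only {} of {} - {} in stock".format(
                limit, good['id'], good['name']), category="error")
    if not is_valid:
        return redirect(back)

    for good in existedgoods:
        limit = _stock(good)
        if limit is not None:
            db.execute('UPDATE goods SET amount = ? WHERE id = ?',
                       (limit - int(good['cartamount']), good['id']))

    # Off-sale goods silently drop out of the cart instead of blocking checkout.
    db.execute(
        'DELETE FROM cart WHERE userid = ? AND ticketid IS NULL AND goodid IN '
        '(SELECT id FROM goods WHERE isOnsale=0)',
        (uid, ))

    if existedgoods == []:
        # Nothing else has been written at this point (no stock deducted), so
        # commit the cleanup rather than let it be rolled back on teardown.
        db.commit()
        flash("It only contains off-shore goods", category="error")
        return redirect(back)

    amount = db.execute(
        'SELECT SUM(amount*value) AS VALUE \
        FROM (SELECT cart.amount, goods.* FROM cart INNER JOIN goods ON goods.id = cart.goodid \
        WHERE cart.userid = ? AND cart.ticketid IS NULL AND goods.isOnsale=1)',
        (uid, )).fetchone()['value']
    ticket = db.execute(
        'INSERT INTO ticket (address, postalcode, value, userid, status) VALUES (?, ?, ?, ?, ?)',
        (
            g.shopuser['address'],
            g.shopuser['postalcode'],
            amount,
            uid,
            "pending",
        ))
    db.execute(
        'UPDATE cart SET ticketid = ? WHERE userid = ? AND ticketid IS NULL',
        (ticket.lastrowid, uid))
    db.commit()
    flash("Checkout Succed!")
    return redirect(url_for("shop.tickets"))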
예제 #16
0
def settings():
    """Render the account settings page with the current user's log entries.

    Only rows whose ``userid`` matches ``g.user['id']`` are fetched, newest
    first, so users never see each other's audit trail.
    """
    uid = g.user['id']
    rows = get_db().execute(
        'SELECT * FROM logs WHERE userid = ? ORDER BY created DESC',
        (uid, )).fetchall()
    return render_template('auth/settings.html', logs=rows)
예제 #17
0
def categories():
    """Render the category management page with every category row."""
    rows = get_db().execute('SELECT * FROM category').fetchall()
    return render_template("shop/categories.html", info=rows)
예제 #18
0
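def emptycart():
    """Remove every not-yet-checked-out line from the current user's cart.

    Only rows whose ``ticketid`` is NULL are touched, so lines already tied
    to an order (ticket) are never deleted.  Redirects back to the referring
    page, falling back to the shop index when the client sent no Referer
    (``redirect(None)`` would otherwise fail).
    """
    db = get_db()
    db.execute('DELETE FROM cart WHERE ticketid IS NULL AND userid = ?',
               (g.user['id'], ))
    db.commit()
    # request.referrer is client-supplied and may be absent.
    return redirect(request.referrer or url_for('shop.index'))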