def login():
if request.method == 'GET':
return render_template("login.html")
username = request.form['username']
password = request.form['password']
user = g.db.users.find_one({'username': username})
errors = False
if not user:
flash(messages.INVALID_USERNAME_PASSWORD, 'error')
errors = True
else:
if utils.encrypt_password(password, app.config['SECRET_KEY']) == user['password']:
auth_token = str(uuid.uuid4())
g.db.users.update({'username': username}, {"$set": {'auth_token': auth_token} })
session['user_id'] = user['uuid']
session['user'] = username
session['role'] = user['role']
session['auth_token'] = auth_token
else:
flash(messages.INVALID_USERNAME_PASSWORD, 'error')
errors = True
if errors:
url = url_for('login')
else:
if request.args.has_key('next'):
url = request.args['next']
else:
url = url_for('index')
return redirect(url)
def register():
form = RegisterForm()
if form.validate_on_submit():
user = models.User.query.filter_by(username = \
str(form.username.data)).first()
if user is not None:
flash('Username %s already exists. Try another one.' \
% str(form.username.data))
return redirect(url_for('register'))
else:
user = models.User(username = str(form.username.data),
first_name = str(form.first_name.data),
last_name = str(form.last_name.data),
age = str(form.age.data),
gender = str(form.gender.data),
password = \
encrypt_password(str(form.password.data)))
db.session.add(user)
db.session.commit()
flash('Registration successful for username ' + form.username.data)
return redirect(url_for('index'))
return render_template('register.html',
title='Register',
form=form,
user=g.user)
async def join_channel(request):
data = await request.json()
channel = data.get('channel')
if channel is None or channel == '':
return web.json_response({'error': 'Channel cant be empty'})
async with aiosqlite.connect('../database.db') as db:
cursor = await db.execute('SELECT id, name, passwd FROM channels where id=?', (channel,))
row = await cursor.fetchone()
if row is None:
return web.json_response({'error': 'Channel does not exists'})
password = data.get('password')
sha256 = encrypt_password(password)
success = False
if row[2]:
if sha256 == row[2]:
success = True
else:
success = False
else:
success = True
if success:
resp = web.json_response({"status": "success"})
resp.set_cookie('channels', row[0])
return resp
else:
return web.json_response({'error': 'Invalid credentials.'})
def register():
form = RegistrationForm()
if form.validate_on_submit():
user = User()
form.populate_obj(user)
encrypted_password = encrypt_password(form.password.data)
user.passhash = encrypted_password
db.session.add(user)
db.session.commit()
form.dispose_password()
# http://flask.pocoo.org/snippets/50/
serialized_token = get_serialized_token(user, 'activate')
send_verification_mail(user, serialized_token)
flash(msgs['CREATE_ACCOUNT_SUCCESS'])
return redirect(url_for('.login'))
for field in form.errors:
flash('<strong>' + field.capitalize() + '</strong>' + ': ' + form.errors[field][0], 'error')
login_link = '<p>Already have an account? <a href="' + url_for('.login') + '">Click here to log in.</a></p>'
return render_template('register.html', form=form, login=login_link)
def reset_password(serialized_token):
expired, invalid, user = unserialize_token(serialized_token, 'reset')
if expired:
flash(msgs['LINK_EXPIRED'], 'error')
return redirect(url_for('.index'))
if invalid:
flash(msgs['LINK_INVALID'], 'error')
return redirect(url_for('.index'))
form = ResetPasswordForm()
form.login.data = user.login
if form.validate_on_submit():
encrypted_password = encrypt_password(form.password.data)
user.passhash = encrypted_password
db.session.add(user)
db.session.commit()
form.dispose_password()
flash(msgs['RESET_PASSWORD_SUCCESS'])
return redirect(url_for('.login'))
for field in form.errors:
flash('<strong>' + field.capitalize() + '</strong>' + ': ' + form.errors[field][0], 'error')
return render_template('reset_password.html', form=form, serialized_token=serialized_token)
def admin_profile(login):
user = User.query.filter_by(login=login).first()
if user == None:
flash('User ' + login + ' not found.', 'error')
return redirect(url_for('admin_index'))
form = EditForm()
if request.method == 'POST':
form.login.data = user.login;
if form.validate():
if form.password.data == '':
user.first_name = form.first_name.data
user.last_name = form.last_name.data
user.email = form.email.data
else:
form.populate_obj(user)
user.passhash = encrypt_password(form.password.data)
form.dispose_password()
db.session.add(user)
db.session.commit()
flash(msgs['EDIT_SUCCESS'])
return redirect(url_for('admin_profile', login=login))
for field in form.errors:
flash('<strong>' + field.capitalize() + '</strong>' + ': ' + form.errors[field][0], 'error')
return render_template('admin/profile.html', form=form, user=user)
def test_encrypt_password(self):
from utils import encrypt_password
p = encrypt_password('', log_rounds=1)
p2 = encrypt_password('', log_rounds=1)
self.assertNotEqual(p, p2)
self.assertTrue(isinstance(p, unicode))
self.assertTrue('$bcrypt$' in p)
# simulate what the User class's check_password does
import bcrypt
p = 'secret'
r = encrypt_password(p, log_rounds=2)
hashed = r.split('$bcrypt$')[-1].encode('utf8')
self.assertEqual(hashed, bcrypt.hashpw(p, hashed))
def signup():
an_error_has_ocurred = False
username = request.form.get('username')
password = request.form.get('password')
repeat_password = request.form.get('password-repeat')
errors = {}
if not username or not utils.validate_data(username, 'username'):
errors['username_error'] = 'Use alphanumeric characters (3 to 20) only'
an_error_has_ocurred = True
elif User.exist(username=username):
errors['username_error'] = 'This username is already on use'
an_error_has_ocurred = True
if not password or not utils.validate_data(password, 'password'):
errors['password_error'] = 'Use alphanumeric characters (3 to 20) only'
an_error_has_ocurred = True
elif not repeat_password or repeat_password != password:
errors['repeat_password_error'] = 'The passwords do not match'
an_error_has_ocurred = True
if not an_error_has_ocurred:
new_user = User(username=username, hashed_password=utils.encrypt_password(password))
new_user.save()
response = make_response(redirect('/'))
response.set_cookie('user-token', utils.gen_secure_cookie(new_user.id))
return response
return render_template('index.html', username=username, **errors)
def get_aac_token(self, email, password):
token_param = 'Token'
enc_password = utils.encrypt_password(email, password)
params = {
'Email': email,
'EncryptedPasswd': enc_password,
'add_account': '1',
'accountType': 'HOSTED_OR_GOOGLE',
'google_play_services_version': '11951438',
'has_permission': '1',
'source': 'android',
'device_country': 'de',
'lang': 'de',
'client_sig': '38918a453d07199354f8b19af05ec6562ced5788',
'callerSig': '38918a453d07199354f8b19af05ec6562ced5788',
'service': 'sj',
'callerPkg': 'com.google.android.gms'
}
raw_response = requests.post(constants.AUTH_URL, data=params)
if raw_response.status_code >= 400:
print(raw_response.text.split())
return None
if raw_response.status_code == 200:
response = raw_response.text.split()
for param in response:
if param.startswith(token_param):
return param[6:]
else:
return None
def register():
if request.method == 'GET':
return render_template('register.html', page='signup')
elif request.method == 'POST':
username = request.form.get('username', None)
nickname = request.form.get('nickname', None)
password = request.form.get('password', None)
password_again = request.form.get('password_again', None)
if username is None or nickname is None or password is None or password_again is None:
flash(u'请检查输入是否为空', 'danger')
return redirect(url_for('register'))
password, password_again, username, nickname = unicode(password), unicode(password_again), unicode(username), unicode(nickname)
# 1. 用户名是否存在
user = User.query.filter_by(username=username).first()
if user:
flash(u'该用户名已被注册', 'danger')
return redirect(url_for('register'))
# 2. 密码输入不一致
if password != password_again:
flash(u'两次密码输入不一致', 'danger')
return redirect(url_for('register'))
proc_password = utils.encrypt_password(password, salt=config.SALT)
User.add(User(username, proc_password, nickname))
flash(u'注册成功', 'success')
return redirect(url_for('login'))
def login():
if request.method == 'GET':
return render_template("login.html")
username = request.form['username']
password = request.form['password']
user = g.db.users.find_one({'username': username})
errors = False
if not user:
flash(messages.INVALID_USERNAME_PASSWORD, 'error')
errors = True
else:
if utils.encrypt_password(
password, app.config['SECRET_KEY']) == user['password']:
auth_token = str(uuid.uuid4())
g.db.users.update({'username': username},
{"$set": {
'auth_token': auth_token
}})
session['user_id'] = user['uuid']
session['user'] = username
session['role'] = user['role']
session['auth_token'] = auth_token
else:
flash(messages.INVALID_USERNAME_PASSWORD, 'error')
errors = True
if errors:
url = url_for('login')
else:
if request.args.has_key('next'):
url = request.args['next']
else:
url = url_for('index')
return redirect(url)
def register():
if request.method == 'GET':
return render_template('register.html', page='signup')
elif request.method == 'POST':
username = request.form.get('username', None)
nickname = request.form.get('nickname', None)
password = request.form.get('password', None)
password_again = request.form.get('password_again', None)
if username is None or nickname is None or password is None or password_again is None:
flash(u'请检查输入是否为空', 'danger')
return redirect(url_for('register'))
password, password_again, username, nickname = unicode(
password), unicode(password_again), unicode(username), unicode(
nickname)
# 1. 用户名是否存在
user = User.query.filter_by(username=username).first()
if user:
flash(u'该用户名已被注册', 'danger')
return redirect(url_for('register'))
# 2. 密码输入不一致
if password != password_again:
flash(u'两次密码输入不一致', 'danger')
return redirect(url_for('register'))
proc_password = utils.encrypt_password(password, salt=config.SALT)
User.add(User(username, proc_password, nickname))
flash(u'注册成功', 'success')
return redirect(url_for('login'))
def test_change_account(self):
user = self.db.User()
user.username = u"peter"
user.first_name = u"Ptr"
user.password = encrypt_password(u"secret")
user.save()
other_user = self.db.User()
other_user.username = u'peterbe'
other_user.save()
data = dict(username=user.username, password="******")
response = self.post('/auth/login/', data, follow_redirects=False)
self.assertEqual(response.code, 302)
user_cookie = self.decode_cookie_value('user', response.headers['Set-Cookie'])
guid = base64.b64decode(user_cookie.split('|')[0])
self.assertEqual(user.username, u'peter')
cookie = 'user=%s;' % user_cookie
response = self.get('/user/', headers={'Cookie':cookie})
self.assertEqual(response.code, 200)
self.assertTrue('value="Ptr"' in response.body)
# not logged in
response = self.post('/user/', {})
self.assertEqual(response.code, 403)
# no username supplied
response = self.post('/user/', {}, headers={'Cookie':cookie})
self.assertEqual(response.code, 404)
data = {'username':'******'}
response = self.post('/user/', data, headers={'Cookie':cookie})
self.assertEqual(response.code, 400)
#data = {'email':'*****@*****.**'}
#response = self.post('/user/account/', data, headers={'Cookie':cookie})
#self.assertEqual(response.code, 400)
data = {'username':'******', 'email':' [email protected] ', 'last_name': ' Last Name \n'}
response = self.post('/user/', data, headers={'Cookie':cookie},
follow_redirects=False)
self.assertEqual(response.code, 302)
user = self.db.User.one(dict(email='*****@*****.**'))
self.assertEqual(user.last_name, data['last_name'].strip())
user = self.db.User.one(dict(username='******'))
self.assertEqual(user.last_name, data['last_name'].strip())
self.assertEqual(user.first_name, u'')
# log out
response = self.get('/auth/logout/', headers={'Cookie':cookie},
follow_redirects=False)
self.assertEqual(response.code, 302)
self.assertTrue('user=;' in response.headers['Set-Cookie'])
def test_create_user(self):
user = self.db.User()
user.username = u'peterbe'
assert user.add_date
assert user.modify_date
user.save()
inst = self.db.users.User.one()
assert inst.username
from utils import encrypt_password
inst.password = encrypt_password('secret')
inst.save()
self.assertFalse(inst.check_password('Secret'))
self.assertTrue(inst.check_password('secret'))
def test_create_user(self):
user = self.db.User()
assert user.guid
assert user.add_date
assert user.modify_date
user.save()
inst = self.db.users.User.one()
assert inst.guid
from utils import encrypt_password
inst.password = encrypt_password('secret')
inst.save()
self.assertFalse(inst.check_password('Secret'))
self.assertTrue(inst.check_password('secret'))
def post(self):
if self.get_current_user():
raise tornado.web.HTTPError(403)
name = self.get_argument('name')
pwd = self.get_argument('password')
if name == '' or pwd == '':
self.write('用户名和密码不能为空!')
return
pwd = encrypt_password(pwd)
sql = "SELECT uid FROM user WHERE name=? AND password=? AND type>=10 LIMIT 1"
user = self.db.get(sql, name, pwd)
print user
if user:
self.set_secure_cookie("admin", str(user.uid))
self.redirect(self.get_argument('next', '/admin'))
else:
self.write('用户名或密码不正确!')
def login():
if request.method == 'POST':
name = request.form['name']
password = request.form['password']
if not name:
return redirect(url_for('login', error='no_name', goto=request.args.get('goto')))
if not password:
return redirect(url_for('login', error='no_password', name=name, goto=request.args.get('goto')))
user = model.User.query.filter_by(name=name).first()
if not user:
return redirect(url_for('login', error='bad_password', name=name, goto=request.args.get('goto')))
password_hash = utils.encrypt_password(password, name)
if user.password_hash != password_hash:
return redirect(url_for('login', error='bad_password', name=name, goto=request.args.get('goto')))
session['logged_in_user'] = request.form['name']
return redirect(urldecode(request.args.get('goto') or '') or url_for('main'), code=303)
else:
return render_template('login.html')
def login():
username = request.form['username']
password = request.form['password']
user_key = schema.USERS.format(username)
user = g.db.get(user_key)
if not user:
flash(messages.INVALID_USERNAME_PASSWORD, 'error')
else:
user_data = json.loads(user)
if utils.encrypt_password(password, app.config['SECRET_KEY']) == user_data['password']:
auth_token = str(uuid.uuid4())
user_data['auth_token'] = auth_token
g.db.set(user_key, json.dumps(user_data))
session['user'] = username
session['role'] = user_data['role']
session['auth_token'] = auth_token
else:
flash(messages.INVALID_USERNAME_PASSWORD, 'error')
return redirect(url_for('index'))
def user_authorize(self):
print(Color.BLUE, end='')
print('Выберите роль:')
print('1. Ученик')
print('2. Учитель')
print('3. Администратор')
print('0. Выход')
print(Color.RESET, end='')
self.user_role = None
while self.user_role not in ('0', '1', '2', '3'):
self.user_role = input('? ')
if self.user_role is '0':
exit(0)
self.user_role = Role.get_role(self.user_role)
user_login = input('Логин: ')
user_password = encrypt_password(getpass.getpass('Пароль: '))
if self.user_role is Role.STUDENT:
self.db_execute('SELECT user_id, student_id FROM users_students WHERE login = %s AND PASSWORD = %s;', user_login, user_password)
elif self.user_role is Role.TEACHER:
self.db_execute('SELECT user_id, teacher_id FROM users_teachers WHERE login = %s AND PASSWORD = %s;', user_login, user_password)
elif self.user_role is Role.ADMINISTRATOR:
self.db_execute('SELECT user_id FROM users_admins WHERE login = %s AND PASSWORD = %s;', user_login, user_password)
result = self.cursor.fetchall()
if not result:
print(Color.RED, end='')
print('Неправильная пара логин/пароль')
print(Color.RESET, end='')
exit(0)
self.authorization_success = True
self.user_id = result[0][0]
if self.user_role is Role.STUDENT:
self.student_id = result[0][1]
elif self.user_role is Role.TEACHER:
self.teacher_id = result[0][1]
self.hello_message()
def insert_superuser(username, password):
name = username
type = 1
accesstype = 2
comment = ''
encrypted_password = utils.encrypt_password(password)
print 'enc : %s' % encrypted_password
try:
defuser = DefUser.objects.get(name__iexact=name)
return
except DefUser.DoesNotExist:
pass
try:
defuser = DefUser.objects.create(name=name, type=type, accesstype=accesstype, comment=comment)
o = DefUserName.objects.create(id=defuser, displayname=name, password=encrypted_password)
except:
pass
def register():
error = None
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if username.strip() == '' or password.strip() == '':
error = 'username or password cannot be empty'
else:
cursor = g.db.execute('select * from user where username = ?',
[username])
if cursor.fetchone() != None:
error = 'This name has been used, please change another one :) '
else:
g.db.execute(
'insert into user (username,password) values (?,?)', [
username,
utils.encrypt_password(request.form['password'], None)
])
g.db.commit()
select_cur = g.db.execute(
'select * from user where username = ?', [username])
create_table(select_cur.fetchone()[0])
return render_template('login.html')
return render_template('register.html', error=error)
def edit_teacher(session):
print(Color.BLUE, end='')
print('### Редактирование учителя ###')
print(Color.RESET, end='')
teacher_id = input('Введите id учителя: ')
try:
teacher_id = int(teacher_id)
except ValueError:
print(Color.RED, end='')
print('Ожидалось число')
print(Color.RESET, end='')
return None
session.db_execute(
'SELECT teacher_id FROM teachers WHERE teacher_id = %s;', teacher_id)
if not session.cursor.fetchall():
print(Color.RED, end='')
print('Учитель с id ' + str(teacher_id) + ' не существует')
print(Color.RESET, end='')
return None
teacher = Teacher(session, teacher_id)
print('Фамилия:', str(teacher.get(Teacher.name_last)))
print('Имя:', str(teacher.get(Teacher.name_first)))
name_middle = teacher.get(Teacher.name_middle)
print('Отчество:', str(name_middle) if name_middle else '')
phone = teacher.get(Teacher.phone)
print('Телефон:', str(phone) if phone else '')
while True:
print(Color.BLUE, end='')
print('Выберите действие:')
print('1. Изменить телефон')
print('2. Создать аккаунт в системе')
print('3. Уволить учителя')
print('0. Назад')
print(Color.RESET, end='')
option = None
while option not in ('0', '1', '2', '3', '4'):
option = input('? ')
if option is '0':
return None
if option is '1':
phone = input('Новый телефон: ')
if len(phone) > 30:
print(Color.RED, end='')
print('Длина телефона не может быть более 30 символов')
print(Color.RESET, end='')
continue
teacher.set(Teacher.phone, phone if len(phone) else None)
session.connection.commit()
print(Color.GREEN, end='')
print('Телефон изменён')
print(Color.RESET, end='')
elif option is '2':
login = input('Введите логин нового аккаунта: ')
password = encrypt_password(
input('Введите пароль нового аккаунта: '))
if not password or not login:
print(Color.RED, end='')
print('Пароль/логин не могут быть пустыми')
print(Color.RESET, end='')
continue
try:
session.db_execute(
'INSERT INTO users_teachers (login, password, teacher_id) VALUES (%s, %s, %s);',
login, password, teacher.id)
except psycopg2.IntegrityError as err:
if err.pgcode == '23505': # unique_violation
if err.diag.constraint_name == 'users_teachers_teacher_id_key':
print(Color.RED, end='')
print('У данного учителя уже существует аккаунт')
print(Color.RESET, end='')
elif err.diag.constraint_name == 'users_teachers_login_key':
print(Color.RED, end='')
print('Этот логин уже занят')
print(Color.RESET, end='')
else:
raise err
session.connection.rollback()
continue
raise err
session.connection.commit()
print(Color.GREEN, end='')
print('Аккаунт с логином', login, 'создан')
print(Color.RESET, end='')
elif option is '3':
try:
session.db_execute(
'DELETE FROM users_teachers WHERE teacher_id = %s;',
teacher.id)
session.db_execute(
'DELETE FROM teachers WHERE teacher_id = %s;', teacher.id)
except psycopg2.IntegrityError as err:
if err.pgcode == '23503':
print(Color.RED, end='')
print(
'Удаление невозможно: учитель до сих пор является классным руководителем'
)
print(Color.RESET, end='')
session.connection.rollback()
continue
raise err
session.connection.commit()
print(Color.GREEN, end='')
print('Учитель уволен')
print(Color.RESET, end='')
return None
def edit_student(session):
print(Color.BLUE, end='')
print('### Редактирование ученика ###')
print(Color.RESET, end='')
student_id = input('Введите id ученика: ')
try:
student_id = int(student_id)
except ValueError:
print(Color.RED, end='')
print('Ожидалось число')
print(Color.RESET, end='')
return None
session.db_execute(
'SELECT student_id FROM students WHERE student_id = %s;', student_id)
if not session.cursor.fetchall():
print(Color.RED, end='')
print('Ученик с id ' + str(student_id) + ' не существует')
print(Color.RESET, end='')
return None
student = Student(session, student_id)
print('Фамилия:', str(student.get(Student.name_last)))
print('Имя:', str(student.get(Student.name_first)))
name_middle = student.get(Student.name_middle)
print('Отчество:', str(name_middle) if name_middle else '')
phone = student.get(Student.phone)
print('Телефон:', str(phone) if phone else '')
student_class = Class(session, int(student.get(Student.class_id)))
print(
'Класс:',
str(student_class.get(Class.class_number)) +
str(student_class.get(Class.class_letter)))
while True:
print(Color.BLUE, end='')
print('Выберите действие:')
print('1. Изменить телефон')
print('2. Изменить класс')
print('3. Создать аккаунт в системе')
print('4. Выгнать ученика')
print('0. Назад')
print(Color.RESET, end='')
option = None
while option not in ('0', '1', '2', '3', '4'):
option = input('? ')
if option is '0':
return None
if option is '1':
phone = input('Новый телефон: ')
if len(phone) > 30:
print(Color.RED, end='')
print('Длина телефона не может быть более 30 символов')
print(Color.RESET, end='')
continue
student.set(Student.phone, phone if len(phone) else None)
session.connection.commit()
print(Color.GREEN, end='')
print('Телефон изменён')
print(Color.RESET, end='')
elif option is '2':
class_id = input('Введите id класса: ')
try:
class_id = int(class_id)
except ValueError:
print(Color.RED, end='')
print('Ожидалось число')
print(Color.RESET, end='')
continue
try:
student.set(Student.class_id, class_id)
except psycopg2.IntegrityError as err:
if err.pgcode == '23503': # foreign_key_violation
print(Color.RED, end='')
print('Класс с id ' + str(class_id) + ' не существует')
print(Color.RESET, end='')
session.connection.rollback()
continue
raise err
session.connection.commit()
print(Color.GREEN, end='')
print('Класс изменен')
print(Color.RESET, end='')
elif option is '3':
login = input('Введите логин нового аккаунта: ')
password = encrypt_password(
input('Введите пароль нового аккаунта: '))
if not password or not login:
print(Color.RED, end='')
print('Пароль/логин не могут быть пустыми')
print(Color.RESET, end='')
continue
try:
session.db_execute(
'INSERT INTO users_students (login, password, student_id) VALUES (%s, %s, %s);',
login, password, student.id)
except psycopg2.IntegrityError as err:
if err.pgcode == '23505': # unique_violation
if err.diag.constraint_name == 'users_students_student_id_key':
print(Color.RED, end='')
print('У данного ученика уже существует аккаунт')
print(Color.RESET, end='')
elif err.diag.constraint_name == 'users_students_login_key':
print(Color.RED, end='')
print('Этот логин уже занят')
print(Color.RESET, end='')
else:
raise err
session.connection.rollback()
continue
raise err
session.connection.commit()
print(Color.GREEN, end='')
print('Аккаунт с логином', login, 'создан')
print(Color.RESET, end='')
elif option is '4':
session.db_execute(
'DELETE FROM users_students WHERE student_id = %s;',
student.id)
session.db_execute('DELETE FROM students WHERE student_id = %s;',
student.id)
session.connection.commit()
print(Color.GREEN, end='')
print('Ученик изгнан')
print(Color.RESET, end='')
return None
def set_password(self, raw_password):
if isinstance(raw_password, unicode):
raw_password = raw_password.encode('utf8')
self.password = encrypt_password(raw_password)
def __init__(self, name, password, create_time=None):
self.name = name
self.password_hash = utils.encrypt_password(password, name)
self.create_time = datetime.utcnow()
def set_password(self, raw_password):
if isinstance(raw_password, unicode):
raw_password = raw_password.encode('utf8')
self.password = encrypt_password(raw_password)
