Exemplo n.º 1
0
def add_manager(request):
    if request.method == 'POST':
        shop_name = request.POST.get('shop_name')
        target_id = request.POST.get('target_id')

        event = "ADD MANAGER"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            shop_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            target_id, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is not None:
            username = Consumer.loggedInUsers.get(login)

            store_manager = StoreManager(
                target_id, shop_name, request.POST.get('add_item_permission'),
                request.POST.get('remove_item_permission'),
                request.POST.get('edit_item_permission'),
                request.POST.get('reply_message_permission'),
                request.POST.get('get_all_message_permission'),
                request.POST.get('get_purchase_history_permission'),
                request.POST.get('get_discount_permission'),
                request.POST.get('set_policy_permission'))

            if username is not None:
                return HttpResponse(
                    UsersLogic.add_manager(username, store_manager))
        return HttpResponse('FAILED: You are not logged in')
Exemplo n.º 2
0
def register(request):
    if request.method == 'POST':
        username = request.POST.get('username')
        password = request.POST.get('password')
        state = request.POST.get('state')
        age = request.POST.get('age')
        sex = request.POST.get('sex')

        event = "REGISTER"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            username, event)
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            password, event)
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            state, event)
        suspect_sql_injection = LoggerLogic.identify_sql_injection(age, event)
        suspect_sql_injection = LoggerLogic.identify_sql_injection(sex, event)

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        return HttpResponse(
            UsersLogic.register_with_user_detail(
                RegisteredUser(username, password), state, age, sex))
Exemplo n.º 3
0
def update_details(request):
    if request.method == 'POST':
        state = request.POST.get('state')
        age = request.POST.get('age')
        sex = request.POST.get('sex')

        event = "UPDATE USER DETAILS"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            state, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            age, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            sex, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is not None:
            username = Consumer.loggedInUsers.get(login)
            return HttpResponse(
                UsersLogic.update_details(username, state, age, sex))

        return HttpResponse('FAILED: You are not logged in.')
Exemplo n.º 4
0
def edit_password(request):
    if request.method == 'POST':
        current_password = request.POST.get('current_password')
        new_password = request.POST.get('new_password')

        event = "EDIT PASSWORD"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            current_password, event)
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            new_password, event)

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is not None:
            username = Consumer.loggedInUsers.get(login)

            if UsersLogic.login(RegisteredUser(username, current_password)):
                return HttpResponse(
                    UsersLogic.edit_password(
                        RegisteredUser(username, new_password)))

        return HttpResponse('FAILED: You are not logged in.')
Exemplo n.º 5
0
def login(request):
    if request.method == 'POST':
        username = request.POST.get('username')
        password = request.POST.get('password')

        event = "LOGIN"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            username, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            password, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        user = RegisteredUser(username, password)
        result = UsersLogic.login(user)
        if result[:7] == 'SUCCESS':
            access_token = hashlib.md5(username.encode()).hexdigest()
            Consumer.loggedInUsers[access_token] = username
            Consumer.loggedInUsersShoppingCart[
                access_token] = ShoppingLogic.get_cart_items(username)
            return HttpResponse(access_token)
        else:
            return HttpResponse(result)
Exemplo n.º 6
0
def search_item_in_shop(request):
    if request.method == 'GET':
        login = request.COOKIES.get('login_hash')
        topbar = loader.render_to_string('components/Topbar.html',
                                         context=None)
        if login is not None:
            username = Consumer.loggedInUsers.get(login)
            if username is not None:
                # html of a logged in user
                topbar = loader.render_to_string(
                    'components/TopbarLoggedIn.html',
                    context={'username': username})

        name = request.GET.get('item_name')
        shop_name = request.GET.get('shop_name')

        event = "SEARCH ITEM IN SHOP"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            shop_name, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        item = SearchLogic.search_item_in_shop(name, shop_name)
        if item is not False:
            context = {'topbar': topbar, 'item': item}
            return render(request, 'SearchView.html', context)
Exemplo n.º 7
0
def add_review_on_shop(request):
    if request.method == 'POST':
        shop_name = request.POST.get('shop_name')
        description = request.POST.get('description')
        rank = int(request.POST.get('rank'))

        event = "ADD REVIEW ON SHOP"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            shop_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            description, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is not None:
            writer_id = Consumer.loggedInUsers.get(login)
            shop_review = ShopReview(writer_id, description, rank, shop_name)
            old_review = ShopLogic.get_shop_review_with_writer(
                shop_name, writer_id)
            if old_review is not False:
                return HttpResponse('has reviews')
            if ShopLogic.add_review_on_shop(shop_review):
                return HttpResponse('success')
        return HttpResponse('fail')
Exemplo n.º 8
0
def create_shop(request):
    if request.method == 'POST':
        # return HttpResponse('item added')
        shop_name = request.POST.get('name')
        shop_status = request.POST.get('status')

        event = "ADD SHOP"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            shop_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            shop_status, event) or suspect_sql_injection

        if suspect_sql_injection or shop_name == '':
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is None:
            login = request.POST.get('login_hash')
        if login is None:
            return HttpResponse('FAILED: You are not logged in')
        username = Consumer.loggedInUsers.get(login)
        if username is None:
            return HttpResponse('FAILED: You are not logged in')

        shop = Shop(shop_name, shop_status)
        return HttpResponse(ShopLogic.create_shop(shop, username))
Exemplo n.º 9
0
def add_review_on_item(request):
    if request.method == 'POST':
        item_id = request.POST.get('item_id')
        description = request.POST.get('description')
        rank = request.POST.get('rank')

        event = "ADD REVIEW"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            item_id, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            description, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            rank, event) or suspect_sql_injection
        if suspect_sql_injection:
            return HttpResponse(MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is not None:
            writer_name = Consumer.loggedInUsers.get(login)
            old_review = ItemsLogic.get_item_review_with_writer(
                item_id, writer_name)
            if old_review is not False:
                return HttpResponse('has reviews')
            review = ItemReview(writer_name, item_id, description, rank)
            if ItemsLogic.add_review_on_item(review):
                return HttpResponse('success')
        return HttpResponse('fail')
Exemplo n.º 10
0
def update_permissions(request):
    if request.method == 'POST':
        shop_name = request.POST.get('shop_name')
        target_id = request.POST.get('target_id')

        event = "UPDATE PERMISSIONS"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            shop_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            target_id, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is not None:
            username = Consumer.loggedInUsers.get(login)

            store_manager = StoreManager(
                target_id, shop_name, request.POST.get('add_item_permission'),
                request.POST.get('remove_item_permission'),
                request.POST.get('edit_item_permission'),
                request.POST.get('reply_message_permission'),
                request.POST.get('get_all_message_permission'),
                request.POST.get('get_purchase_history_permission'),
                request.POST.get('get_discount_permission'),
                request.POST.get('set_policy_permission'))

            if UsersLogic.update_permissions(username, store_manager):
                return HttpResponse('success')
        return HttpResponse('fail')
Exemplo n.º 11
0
def send_message_from_shop(request):
    if request.method == 'POST':
        content = request.POST.get('content')
        from_shop = request.POST.get('from')
        to = request.POST.get('to')

        event = "SEND MESSAGE FROM SHOP"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            content, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            from_shop, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            to, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is not None:
            username = Consumer.loggedInUsers.get(login)
            message = Message(None, from_shop, to, content)
            return HttpResponse(
                MessagingLogic.send_message_from_shop(username, message))

        return HttpResponse('FAILED: You are not logged in')
Exemplo n.º 12
0
 def test_get_all_security(self):
     LoggerLogic.identify_sql_injection("#", "event1")
     LoggerLogic.identify_sql_injection("'SELECT * FROM Items;--", "event2")
     logs = Logger.get_all_security_logs()
     self.assertTrue(len(logs) == 2)
     security_log = logs[1]
     self.assertEqual(security_log.event, "event1")
     security_log = logs[0]
     self.assertEqual(security_log.event, "event2")
Exemplo n.º 13
0
def edit_shop_item(request):
    if request.method == 'POST':
        login = request.COOKIES.get('login_hash')
        username = None
        if login is not None:
            username = Consumer.loggedInUsers.get(login)
            if username is None:
                return HttpResponse('fail')
        item_id = request.POST.get('item_id')

        fields = ['quantity', 'category', 'keywords', 'price', 'url']
        new_values = [
            request.POST.get('item_quantity'),
            request.POST.get('item_category'),
            request.POST.get('item_keywords'),
            request.POST.get('item_price'),
            request.POST.get('item_url')
        ]

        event = "EDIT ITEM"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            new_values[0], event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            new_values[1], event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            new_values[2], event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            new_values[3], event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            new_values[4], event) or suspect_sql_injection
        if suspect_sql_injection:
            return HttpResponse(MESSAGE_SQL_INJECTION)

        item = ItemsLogic.get_item(item_id)
        if item is False:
            return HttpResponse('fail')
        if not UsersLogic.is_owner_of_shop(username, item.shop_name):
            if UsersLogic.is_manager_of_shop(username, item.shop_name):
                manager = UsersLogic.get_manager(username, item.shop_name)
                if manager.permission_edit_item is not 1:  # no permission
                    return HttpResponse('no permission to edit item')
            else:
                return HttpResponse('fail')  # not manager not owner

        for i in range(0, len(fields)):
            status = ItemsLogic.edit_shop_item(username, item_id, fields[i],
                                               new_values[i])
            if status is False:
                return HttpResponse('fail')
        return HttpResponse('success')
Exemplo n.º 14
0
def add_lottery_item_to_shop(request):
    if request.method == 'POST':
        item_name = request.POST.get('item_name')
        item_category = request.POST.get('item_category')
        item_keywords = request.POST.get('item_keyWords')
        item_price = request.POST.get('item_price')
        ticket_name = request.POST.get('ticket_name')
        ticket_price = request.POST.get('ticket_price')
        shop_name = request.POST.get('item_shop_name')
        final_date = request.POST.get('final_date')
        item = Item(None, shop_name, item_name, item_category, item_keywords, 0, 1, 'prize')
        ticket = Item(None, shop_name, ticket_name, item_category, item_keywords, ticket_price, 1, 'ticket')
        username = request.POST.get('username')

        event = "ADD LOTTERY ITEM"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(item_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(item_category, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(item_keywords, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(item_price, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(ticket_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(ticket_price, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(shop_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(username, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(MESSAGE_SQL_INJECTION)

        LotteryLogic.add_lottery_and_items(item, ticket, item_price, final_date, username)
Exemplo n.º 15
0
def update_code_shopping_cart(request):
    if request.method == 'POST':
        code = request.POST.get("code")

        event = "UPDATE CODE SHOPPING CART"
        suspect_sql_injection = LoggerLogic.identify_sql_injection(code, event)

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        item = ItemsLogic.get_item_by_code(code)
        if item is False:
            return HttpResponse('fail')
        login = request.COOKIES.get('login_hash')
        if login is None or Consumer.loggedInUsers.get(login) is None:
            guest = request.COOKIES.get('guest_hash')
            if guest is None:
                return HttpResponse('fail')
            status = GuestShoppingCartLogic.update_code_shopping_cart_guest(
                guest, item.id, code)
        else:
            status = UserShoppingCartLogic.update_code_shopping_cart(
                login, item.id, code)
        if status is False:
            return HttpResponse('fail')
        else:
            return HttpResponse('OK')
Exemplo n.º 16
0
def search_shop(request):
    if request.method == 'GET':
        login = request.COOKIES.get('login_hash')
        topbar = loader.render_to_string('components/Topbar.html',
                                         context=None)
        words = []
        if login is not None:
            username = Consumer.loggedInUsers.get(login)
            if username is not None:
                # html of a logged in user
                topbar = loader.render_to_string(
                    'components/TopbarLoggedIn.html',
                    context={'username': username})
        name = request.GET.get('name')

        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            name, "SEARCH SHOP")
        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        shop = SearchLogic.search_shop(name)
        if shop is not False:
            context = {'topbar': topbar}
            return render(request, 'shop.html', context)
        else:
            words = SearchLogic.get_similar_words(name)
            words = words[:5]
            context = {'topbar': topbar, 'words': words}
            return render(request, 'ItemsNotFound.html', context)
Exemplo n.º 17
0
def add_owner(request):
    if request.method == 'POST':
        shop_name = request.POST.get('shop_name')
        target_id = request.POST.get('target_id')
        owner = Owner(target_id, shop_name, None)

        event = "ADD OWNER"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            shop_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            target_id, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        login = request.COOKIES.get('login_hash')
        if login is not None:
            username = Consumer.loggedInUsers.get(login)
            return HttpResponse(UsersLogic.add_owner(username, owner))
        return HttpResponse('FAILED: You are not logged in')
Exemplo n.º 18
0
def add_system_manager(request):
    if request.method == 'POST':
        username = request.POST.get('username')
        password = request.POST.get('password')

        event = "ADD VISIBLE DISCOUNT"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            username, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            password, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        added_successfully = UsersLogic.add_system_manager(
            SystemManager(username, password))
        if added_successfully:
            return HttpResponse('added')
    return HttpResponse(
        'failed - probably username exist in RegisteredUsers or SystemManagers'
    )
Exemplo n.º 19
0
def add_discount(request):
    global result
    if request.method == 'POST':
        shop_name = request.POST.get('shop_name')
        percent = int(request.POST.get('percent'))
        kind = request.POST.get('kind')

        event = "ADD DISCOUNT"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            shop_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            kind, event) or suspect_sql_injection

        if suspect_sql_injection:
            return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

        start_date = request.POST.get('start_date')
        end_date = request.POST.get('duration')
        end_date = end_date.split('-')
        end_date = end_date[0] + '-' + end_date[2] + '-' + end_date[1]
        start_date = start_date.split('-')
        start_date = start_date[0] + '-' + start_date[2] + '-' + start_date[1]

        if shop_name is None or ShopLogic.search_shop(shop_name) is False:
            return HttpResponse('invalid shop')
        login = request.COOKIES.get('login_hash')
        username = None
        if login is not None:
            username = Consumer.loggedInUsers.get(login)
            if username is None:
                return HttpResponse('user not logged in')
        if not UsersLogic.is_owner_of_shop(username, shop_name):
            if UsersLogic.is_manager_of_shop(username, shop_name):
                manager = UsersLogic.get_manager(username, shop_name)
                if manager.discount_permission is not 1:  # no permission
                    return HttpResponse('no permission to add discount')
            else:
                return HttpResponse('not owner or manager in this shop'
                                    )  # not manager not owner

        if kind == "visible_item":
            item_id = request.POST.get('item_id')

            if LoggerLogic.identify_sql_injection(item_id, event):
                return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

            item = ItemsLogic.get_item_without_lottery(item_id)
            if item is False or item.shop_name != shop_name:
                return HttpResponse("item with id=" + item_id +
                                    " doesnt exist in this shop or a ticket")
            discount = VisibleDiscount(item_id, shop_name, percent, start_date,
                                       end_date)
            result = DiscountLogic.add_visible_discount(discount, username)
        elif kind == "invisible_item":
            item_id = request.POST.get('item_id')
            code = request.POST.get('code')

            suspect_sql_injection = False
            suspect_sql_injection = LoggerLogic.identify_sql_injection(
                item_id, event) or suspect_sql_injection
            suspect_sql_injection = LoggerLogic.identify_sql_injection(
                code, event) or suspect_sql_injection

            if suspect_sql_injection:
                return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

            item = ItemsLogic.get_item_without_lottery(item_id)
            if item is False or item.shop_name != shop_name:
                return HttpResponse("item with id=" + item_id +
                                    " doesnt exist in this shop or a ticket")

            discount = InvisibleDiscount(code, item_id, shop_name, percent,
                                         start_date, end_date)
            result = DiscountLogic.add_invisible_discount(discount, username)
        elif kind == "visible_category":
            category = request.POST.get('category')

            if LoggerLogic.identify_sql_injection(category, event):
                return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

            discount = VisibleDiscountCategory(category, shop_name, percent,
                                               start_date, end_date)
            result = DiscountLogic.add_visible_discount_category(
                discount, username)
        elif kind == "invisible_category":
            category = request.POST.get('category')
            code = request.POST.get('code')

            suspect_sql_injection = False
            suspect_sql_injection = LoggerLogic.identify_sql_injection(
                category, event) or suspect_sql_injection
            suspect_sql_injection = LoggerLogic.identify_sql_injection(
                code, event) or suspect_sql_injection

            if suspect_sql_injection:
                return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

            discount = InvisibleDiscountCategory(code, category, shop_name,
                                                 percent, start_date, end_date)
            result = DiscountLogic.add_invisible_discount_category(
                discount, username)

        if result:
            return HttpResponse('success')
        else:
            return HttpResponse(
                'discount already exist for this item/category!')
    else:
        return HttpResponse('FAIL: not post request')
Exemplo n.º 20
0
def search_item(request):
    if request.method == 'GET':
        login = request.COOKIES.get('login_hash')
        guest = request.COOKIES.get('guest')
        topbar = Topbar_Navbar.get_top_bar(login)
        navbar = Topbar_Navbar.get_nav_bar(login, guest)
        search_by = request.GET.get('searchBy')
        items = []
        words = []
        event = "SEARCH ITEM"
        if search_by == 'name':
            name = request.GET.get('name')

            suspect_sql_injection = LoggerLogic.identify_sql_injection(
                name, event)
            if suspect_sql_injection:
                return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)

            items = SearchLogic.search_by_name(name)
            for item in items:
                shop_name = item.shop_name
                item.price = (round(
                    item.price * item_discount(item.id, shop_name) *
                    category_discount(item.category, shop_name), 2))
            if len(items) != 0:
                context = {
                    'topbar': topbar,
                    'items': items,
                    'navbar': navbar,
                    'len': len(items)
                }
                return render(request, 'SearchView.html', context)
            else:
                words = SearchLogic.get_similar_words(name)
                words = words[:5]
                items_names_that_exists = []
                for each_item in words:
                    item = SearchLogic.search_by_name(each_item)
                    if len(item) != 0:
                        items_names_that_exists.append(each_item)
                context = {
                    'topbar': topbar,
                    'items': items_names_that_exists,
                    'navbar': navbar,
                    'type': 'name'
                }
                if len(items_names_that_exists) != 0:
                    return render(request, 'ItemsNotFound.html', context)
                else:
                    return render(request, 'ItemNotFoundNoSuggestions.html',
                                  context)
        if search_by == 'category':
            category = request.GET.get('category')
            suspect_sql_injection = LoggerLogic.identify_sql_injection(
                category, event)
            if suspect_sql_injection:
                return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
            items = SearchLogic.search_by_category(request.GET.get('category'))
            for item in items:
                shop_name = item.shop_name
                item.price = (round(
                    item.price * item_discount(item.id, shop_name) *
                    category_discount(item.category, shop_name), 2))
                if len(items) != 0:
                    context = {
                        'topbar': topbar,
                        'items': items,
                        'navbar': navbar,
                        'len': len(items)
                    }
                    return render(request, 'SearchView.html', context)
            else:
                words = SearchLogic.get_similar_words(category)
                words = words[:5]
                items_names_that_exists = []
                for each_item in words:
                    item = SearchLogic.search_by_category(each_item)
                    if len(item) != 0:
                        items_names_that_exists.append(each_item)
                context = {
                    'topbar': topbar,
                    'items': items_names_that_exists,
                    'navbar': navbar,
                    'type': 'category'
                }
                if len(items_names_that_exists) != 0:
                    return render(request, 'ItemsNotFound.html', context)
                else:
                    return render(request, 'ItemNotFoundNoSuggestions.html',
                                  context)
        if search_by == 'keywords':
            keywords = request.GET.get('keywords')
            suspect_sql_injection = LoggerLogic.identify_sql_injection(
                keywords, event)
            if suspect_sql_injection:
                return HttpResponse(LoggerLogic.MESSAGE_SQL_INJECTION)
            items = SearchLogic.search_by_keywords(keywords)
            for item in items:
                shop_name = item.shop_name
                item.price = (round(
                    item.price * item_discount(item.id, shop_name) *
                    category_discount(item.category, shop_name), 2))
            if len(items) != 0:
                context = {
                    'topbar': topbar,
                    'items': items,
                    'navbar': navbar,
                    'len': len(items)
                }
                return render(request, 'SearchView.html', context)
            else:
                words = SearchLogic.get_similar_words(keywords)
                words = words[:5]
                items_names_that_exists = []
                for each_item in words:
                    item = SearchLogic.search_by_keywords(each_item)
                    if len(item) != 0:
                        items_names_that_exists.append(each_item)
                context = {
                    'topbar': topbar,
                    'items': items_names_that_exists,
                    'navbar': navbar,
                    'type': 'keywords'
                }
                if len(items_names_that_exists) != 0:
                    return render(request, 'ItemsNotFound.html', context)
                else:
                    return render(request, 'ItemNotFoundNoSuggestions.html',
                                  context)
Exemplo n.º 21
0
def add_item_to_shop(request):
    if request.method == 'POST':
        shop_name = request.POST.get('shop_name')
        item_name = request.POST.get('item_name')
        item_quantity = int(request.POST.get('item_quantity'))
        item_category = request.POST.get('item_category')
        item_keywords = request.POST.get('item_keywords')
        item_price = float(request.POST.get('item_price'))
        item_url = request.POST.get('item_url')
        item_kind = request.POST.get('item_kind')

        if item_name is None or item_name == '':
            return HttpResponse('invalid item name')

        if item_quantity < 0:
            return HttpResponse('invalid quantity')

        if item_category is None or item_category == '':
            return HttpResponse('invalid category')

        if item_keywords is None:
            return HttpResponse('invalid keywords')

        if item_price <= 0:
            return HttpResponse('invalid price')

        event = "ADD ITEM"
        suspect_sql_injection = False
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            shop_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            item_name, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            item_category, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            item_keywords, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            item_url, event) or suspect_sql_injection
        suspect_sql_injection = LoggerLogic.identify_sql_injection(
            item_kind, event) or suspect_sql_injection
        if suspect_sql_injection:
            return HttpResponse(MESSAGE_SQL_INJECTION)

        if shop_name is None or ShopLogic.search_shop(shop_name) is False:
            return HttpResponse('invalid shop')

        if item_url == '':
            item_url = None

        sale_date = None
        sale_hour = None
        sale_minutes = None
        if item_kind == 'prize':
            sale_date = request.POST.get('sale_date')
            sale_hour = request.POST.get('sale_hour')
            sale_minutes = request.POST.get('sale_minutes')

        login = request.COOKIES.get('login_hash')
        if login is None:
            login = request.POST.get('login_hash')
        username = None
        if login is not None:
            username = Consumer.loggedInUsers.get(login)
            if username is None:
                return HttpResponse('user not logged in')
        if not UsersLogic.is_owner_of_shop(username, shop_name):
            if UsersLogic.is_manager_of_shop(username, shop_name):
                manager = UsersLogic.get_manager(username, shop_name)
                if manager.permission_add_item is not 1:  # no permission
                    return HttpResponse('no permission to add item')
            else:
                return HttpResponse('not owner or manager in this shop'
                                    )  # not manager not owner

        status = False
        if item_kind == 'regular':
            regular_item = Item(None, shop_name, item_name, item_category,
                                item_keywords, item_price, item_quantity,
                                item_kind, item_url, 0, 0, 0)
            status = ItemsLogic.add_item_to_shop(regular_item, username)
        elif item_kind == 'prize':
            prize = Item(None, shop_name, item_name, item_category,
                         item_keywords, item_price, 1, item_kind, item_url, 0,
                         0, 0)
            ticket = Item(None, shop_name, 'Ticket for ' + item_name,
                          item_category, item_keywords, item_price,
                          item_quantity, 'ticket', item_url, 0, 0, 0)
            status = LotteryLogic.add_lottery_and_items_and_return_id(
                prize, ticket, ticket.price,
                sale_date + ' ' + sale_hour + ':' + sale_minutes, username)
        if status is False:
            return HttpResponse('could not add item')
        return HttpResponse('success')