def login():
    """Render the login page and authenticate a submitted username/e-mail + password.

    On a valid POST the user is looked up by e-mail or username, the password
    is verified and the account must be active. The ``next`` query parameter
    is then passed to ``is_safe_url`` (it receives None when absent, so it
    must tolerate that); a rejected value yields 400, otherwise the user is
    redirected to ``next`` or the admin dashboard. Any other outcome flashes a
    generic message and re-renders the form.
    """
    form = LoginForm(request.form)
    submitted = request.method == 'POST' and form.validate()
    if submitted:
        identifier = form.username_email.data
        secret = form.password.data

        # One field accepts either an e-mail address or a username.
        lookup = {'email': identifier} if is_email(identifier) else {'username': identifier}
        account = User.query.filter_by(**lookup).first()

        if account is not None and account.verify_password(secret) and account.active:
            login_user(account)

            next_url = request.args.get('next')
            # Reject redirect targets that is_safe_url does not accept (open redirect).
            if not is_safe_url(next_url):
                return abort(400)
            return redirect(next_url or url_for('admin.dashboard'))

        # Single generic message: does not reveal which of the checks failed.
        flash('Please check your credentials', 'danger')

    return render_template('auth/login.html', title='Login', form=form)
def user(id=None):
    """Admin-only edit page for a single user.

    Responds 404 without an ``id`` or for an unknown user, 403 for non-admins,
    and 400 when the ``next`` query parameter fails ``is_safe_url`` (which is
    also called with None when the parameter is absent). A valid submission
    writes the form onto the user, commits and redirects to ``next``, falling
    back to the user list.
    """
    if id is None:
        return abort(404)
    # Authorization is decided before any record is loaded.
    if not current_user.is_admin:
        return abort(403)

    target = User.query.get(id)
    if target is None:
        return abort(404)

    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    next_url = next_url or url_for("core.users")

    form = UserForm(obj=target)
    if form.validate_on_submit():
        form.populate_obj(target)
        db.session.commit()
        return redirect(next_url)

    # Emitted on every render, including a plain GET where form.errors is empty.
    current_app.logger.error(form.errors.values())

    return render_template(
        "core/user_edit.html",
        title="User - Admin",
        form=form,
        next=next_url,
        user=target,
    )
def edit_talk(id=None):
    """Create (no ``id``) or edit (with ``id``) a talk.

    404 for an unknown ``id``. Non-admins get 403 unless they may edit this
    talk (when one exists) and have at least one editable collection. 400
    when ``next`` fails ``is_safe_url``. Any non-empty ``copy`` query value
    (even ``"0"``) edits a copy of the talk with its id cleared instead. A
    valid submission records a HistoryItem, adds new talks to the session,
    commits and redirects to ``next`` (default: the talk list).
    """
    editing = id is not None
    talk = Talk.query.get(id) if editing else Talk()

    if editing and talk is None:
        return abort(404)
    if not current_user.is_admin:
        # Edit rights on the existing talk, or at least one editable collection.
        if (editing and not talk.can_edit(current_user)) \
                or len(current_user.edited_collections) == 0:
            return abort(403)

    if request.args.get("copy", False):
        talk = copy_row(talk, ["id"])

    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    next_url = next_url or url_for("core.talks")

    is_new = talk.id is None
    form = TalkForm(obj=talk)

    if form.validate_on_submit():
        form.populate_obj(talk)
        HistoryItem.build_for(talk)
        if is_new:
            db.session.add(talk)
        db.session.commit()
        return redirect(next_url)

    return render_template(
        "core/talk_edit.html",
        title="Talk",
        form=form,
        new=is_new,
        next=next_url,
        talk=talk,
    )
def handle_login(form):
	"""Authenticate *form* and log the user in; return a redirect or None.

	Returns None (after flashing a message) when the user is unknown, the
	password is wrong or the account is not active, so the caller can re-render
	the login form. On success an audit-log entry is committed, the session is
	created and the ``next`` query parameter is honoured only if ``is_safe_url``
	accepts it (400 otherwise), defaulting to the homepage.
	"""
	username = form.username.data.strip()

	def show_safe_err(err):
		# E-mail logins get one generic message; plain usernames get the
		# specific one, which does disclose whether that name exists.
		message = "Incorrect email or password" if "@" in username else err
		flash(message, "danger")

	by_name_or_email = or_(User.username == username, User.email == username)
	user = User.query.filter(by_name_or_email).first()
	if user is None:
		return show_safe_err("User {} does not exist".format(username))

	if not check_password_hash(user.password, form.password.data):
		return show_safe_err("Incorrect password. Did you set one?")

	if not user.is_active:
		flash("You need to confirm the registration email", "danger")
		return None

	addAuditLog(AuditSeverity.USER, user, "Logged in using password",
			url_for("users.profile", username=user.username))
	db.session.commit()

	login_user(user, remember=form.remember_me.data)
	flash("Logged in successfully.", "success")

	next_url = request.args.get("next")
	# abort() raises, so no return is needed on this path.
	if next_url and not is_safe_url(next_url):
		abort(400)

	return redirect(next_url or url_for("homepage.home"))
def user_signin():
    """Sign-in page: redirect authenticated users, otherwise show/handle the form.

    ``User.validate`` returning None means bad username/password: a
    BAD_USERNAME_OR_PWD message is flashed and the form re-rendered. After a
    successful ``login_user`` the ``next`` parameter is followed only when
    ``utils.is_safe_url`` accepts it; an absent or unsafe value is silently
    replaced by ``user_show`` (no 400 here).
    """
    if current_user.is_authenticated:
        return redirect(url_for('user_show'))

    form = LoginForm()

    def show_form():
        return render_template('signin.html',
                               form=form,
                               active_page='user_signin',
                               testing=app.testing)

    if not form.validate_on_submit():
        return show_form()

    account = User.validate(form.username.data, form.password.data)
    if account is None:
        crx_flash('BAD_USERNAME_OR_PWD')
        return show_form()

    login_user(account, remember=False)
    crx_flash('WELCOME_BACK', account.username)

    next_url = request.args.get('next')
    if next_url is not None and utils.is_safe_url(request, next_url):
        return redirect(next_url)
    return redirect(url_for('user_show'))
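def subscription(id):
    """Edit the current user's subscription to collection *id*.

    404 when no such subscription exists, 400 when the ``next`` query
    parameter fails ``is_safe_url``. A valid submission writes the form onto
    the subscription, commits and redirects to ``next`` (default: profile).
    """
    # A SQLAlchemy Query object defines neither __bool__ nor __len__ and is
    # therefore always truthy: the original ``if not query`` could never
    # produce the 404, and ``query[0]`` raised IndexError (a 500) when no row
    # matched. Fetch the single row explicitly instead.
    subscription = Subscription.query.filter(
        Subscription.user == current_user,
        Subscription.collection_id == id,
    ).first()
    if subscription is None:
        return abort(404)

    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    next_url = next_url or url_for("auth.profile")

    form = SubscriptionForm(obj=subscription)
    if form.validate_on_submit():
        form.populate_obj(subscription)
        db.session.commit()
        return redirect(next_url)
    return render_template(
        "auth/subscription.html",
        title=_l("Subscription to %(collection)s",
                 collection=subscription.collection.title),
        subscription=subscription,
        form=form,
        next=next_url,
    )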
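def subscribe(id):
    """Subscribe the current user to collection *id* and redirect.

    404 for an unknown collection, 400 when the ``next`` query parameter
    fails ``is_safe_url``; otherwise the subscription is committed and the
    user is redirected to ``next`` (default: the subscription page).
    """
    collection = Collection.query.get(id)
    if collection is None:
        return abort(404)

    # Validate the redirect target *before* writing: the original committed
    # the subscription first, so a rejected ``next`` still left a row behind.
    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)

    db.session.add(Subscription(user=current_user, collection=collection))
    db.session.commit()

    return redirect(next_url or url_for("auth.subscription", id=id))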
def post_login(user: User, next_url):
	"""Pick the landing page after a successful login and return a redirect.

	Priority: a ``next_url`` accepted by ``is_safe_url`` (an unsafe one is
	silently ignored, not rejected); otherwise the set-password page when the
	account has no password; otherwise the notification list when the user has
	any notifications (with a hint at 10 or more); otherwise the homepage.
	"""
	if next_url and is_safe_url(next_url):
		return redirect(next_url)

	# NOTE(review): this reads current_user rather than the ``user`` argument;
	# presumably both refer to the same account after login -- confirm.
	if not current_user.password:
		return redirect(url_for("users.set_password", optional=True))

	notif_count = len(user.notifications)
	if notif_count == 0:
		return redirect(url_for("homepage.home"))

	if notif_count >= 10:
		flash("You have a lot of notifications, you should either read or clear them", "info")
	return redirect(url_for("notifications.list_all"))
def login():
    """Login page; already-authenticated users are redirected straight away.

    For an authenticated user a present ``next`` parameter is followed only
    when ``is_safe_url`` accepts it (400 otherwise), defaulting to the
    homepage. Otherwise the form is validated and handed to ``handle_login``,
    whose truthy return (a redirect) is passed through; on any other outcome
    the login template is rendered.
    """
    if current_user.is_authenticated:
        next_url = request.args.get("next")
        if next_url and not is_safe_url(next_url):
            abort(400)  # raises; nothing below runs
        return redirect(next_url or url_for("homepage.home"))

    form = LoginForm(request.form)
    result = handle_login(form) if form.validate_on_submit() else None
    return result or render_template("users/login.html", form=form)
def login():
    """Owner login; role 0 lands on the cabinet, role 1 on the admin panel.

    ``next`` is validated with ``is_safe_url`` (400 on failure) but is only
    honoured for role 1; role 0 always goes to its own cabinet. Owners with
    any other role, unknown logins and bad passwords all fall through to
    re-rendering the form without a message.
    """
    form = Authorization()
    if not form.validate_on_submit():
        return render_template('auth/login.html', form=form)

    owner = (db.session.query(Owner)
             .filter(Owner.login == form.login.data)
             .first())
    if owner and owner.check_password_hash(form.password.data):
        next_url = request.args.get('next')
        if not is_safe_url(next_url):
            return abort(400)

        if owner.role == 0:
            login_user(owner, remember=False)
            return redirect(url_for('main.cabinet', id=owner.id))
        elif owner.role == 1:
            login_user(owner, remember=False)
            return redirect(next_url or url_for('admin_panel.admin_main'))
        # Any other role: no session is created, the form is shown again.

    return render_template('auth/login.html', form=form)
def login_process():
    """Handle the login form: authenticate by name and redirect.

    Unknown user or wrong password flashes a message and redirects back to
    the login page. On success the user is logged in and ``next`` is followed
    only when ``is_safe_url`` accepts it (400 otherwise), defaulting to index.
    """
    form = LoginForm()
    if not form.validate_on_submit():
        return render_template('login.html', form=form)

    account = User.query.filter(User.name == form.name.data).first()
    # NOTE(review): the two distinct messages below let a client tell a valid
    # name from an invalid one (account enumeration).
    if account is None:
        flash('User not found.')
        return redirect(url_for('login'))
    # SECURITY(review): the submitted password is compared directly with the
    # stored ``password`` attribute, so that attribute must hold the clear-text
    # password. Passwords should be stored as salted hashes and verified with
    # a constant-time comparison.
    if account.password != form.password.data:
        flash('Password is wrong.')
        return redirect(url_for('login'))

    login_user(account)
    next_url = request.args.get('next')
    if not is_safe_url(next_url):
        return abort(400)
    return redirect(next_url or url_for('index'))
def edit_collection(id=None):
    """Create (no ``id``) or edit (with ``id``) a collection.

    404 for an unknown ``id``. 403 when editing without ``can_edit`` rights,
    or creating without being an organizer or admin. 400 when ``next`` fails
    ``is_safe_url``. Any non-empty ``copy`` query value edits a copy with the
    id cleared. Users without full access (admin or the collection's
    organizer) get a form with the privileged fields removed. A valid
    submission records a HistoryItem, adds new collections to the session,
    commits and redirects to ``next`` (default: the collection list).
    """
    editing = id is not None
    collection = Collection.query.get(id) if editing else Collection()
    can_create = current_user.is_organizer or current_user.is_admin

    if editing and collection is None:
        return abort(404)
    allowed = collection.can_edit(current_user) if editing else can_create
    if not allowed:
        return abort(403)

    if request.args.get("copy", False):
        collection = copy_row(collection, ["id"])

    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    next_url = next_url or url_for("core.collections")

    is_new = collection.id is None
    if is_new:
        collection.organizer = current_user
    has_full_access = current_user.is_admin or collection.organizer == current_user
    form = CollectionForm(obj=collection)
    if not has_full_access:
        # Remove the privileged fields so a submitter cannot set them through
        # populate_obj below (mass-assignment guard).
        for privileged in ("editors", "organizer", "is_meta", "meta_collections"):
            del form[privileged]

    if form.validate_on_submit():
        form.populate_obj(collection)
        HistoryItem.build_for(collection)
        if is_new:
            db.session.add(collection)
        db.session.commit()
        return redirect(next_url)

    return render_template(
        "core/collection_edit.html",
        title="Collection - Admin",
        form=form,
        new=is_new,
        has_full_access=has_full_access,
        next=next_url,
        collection=collection,
    )
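def unsubscribe(id):
    """Remove the current user's subscription to collection *id* and redirect.

    404 when no such subscription exists, 400 when the ``next`` query
    parameter fails ``is_safe_url``; otherwise the row is deleted, committed
    and the user redirected to ``next`` (default: profile).
    """
    # A SQLAlchemy Query object defines neither __bool__ nor __len__ and is
    # therefore always truthy: the original ``if not query`` never produced
    # the 404, and ``query[0]`` raised IndexError (a 500) when nothing
    # matched. Fetch the single row explicitly instead.
    subscription = Subscription.query.filter(
        Subscription.collection_id == id,
        Subscription.user == current_user,
    ).first()
    if subscription is None:
        return abort(404)

    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    next_url = next_url or url_for("auth.profile")

    db.session.delete(subscription)
    db.session.commit()
    return redirect(next_url)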
def login():
    """Username/password login with optional "remember me".

    On success the user is logged in, a success message is flashed and the
    ``next`` parameter is followed only when it is present and passes
    ``is_safe_url``; an absent or unsafe ``next`` silently falls back to
    ``main.index`` (no 400). Bad credentials flash a warning and re-render
    the form.
    """
    form = LoginForm()
    if not form.validate_on_submit():
        return render_template('auth/login.html', form=form)

    account = User.query.filter_by(username=form.username.data).first()
    if not (account and account.check_password(form.password.data)):
        flash('用户名或密码不正确', 'warning')
        return render_template('auth/login.html', form=form)

    login_user(account, remember=form.remember_me.data)
    flash('登录成功!', 'success')
    next_url = request.args.get('next')
    # Only a present *and* safe ``next`` is used; otherwise go to the index.
    target = next_url if next_url and is_safe_url(next_url) else url_for('main.index')
    return redirect(target)
def delete_talk(id):
    """Delete talk *id* and redirect.

    404 for an unknown talk, 403 unless the user may edit it or is an admin,
    400 when ``next`` fails ``is_safe_url``. The deletion is recorded as a
    HistoryItem before the commit; the redirect defaults to the talk list.
    """
    talk = Talk.query.get(id)
    if talk is None:
        return abort(404)

    may_delete = talk.can_edit(current_user) or current_user.is_admin
    if not may_delete:
        return abort(403)

    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    next_url = next_url or url_for("core.talks")

    db.session.delete(talk)
    HistoryItem.build_for(talk)
    db.session.commit()
    return redirect(next_url)
def delete_collection(id):
    """Delete collection *id* and redirect.

    404 for an unknown collection, 403 unless the user is its organizer or an
    admin, 400 when ``next`` fails ``is_safe_url``. The deletion is recorded
    as a HistoryItem before the commit; the redirect defaults to the
    collection list.
    """
    collection = Collection.query.get(id)
    if collection is None:
        return abort(404)

    may_delete = collection.organizer == current_user or current_user.is_admin
    if not may_delete:
        return abort(403)

    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    next_url = next_url or url_for("core.collections")

    db.session.delete(collection)
    HistoryItem.build_for(collection)
    db.session.commit()
    return redirect(next_url)
def login():
    """Sign-in page; authenticated users go to their account page.

    Invalid credentials flash a warning and redirect back to the login page.
    On success the user is logged in, ``next`` is checked with ``is_safe_url``
    (400 on failure), admins trigger an ``identity_changed`` signal, and the
    user is redirected to ``next`` or ``main.index``.
    """
    if current_user.is_authenticated:
        return redirect(url_for('auth.account'))

    form = LoginForm()
    if not form.validate_on_submit():
        return render_template('auth/login.html', title='Sign In', form=form)

    account = User.query.filter_by(username=form.username.data).first()
    credentials_ok = account is not None and account.check_password(form.password.data)
    if not credentials_ok:
        flash('Invalid username or password', 'warning')
        return redirect(url_for('auth.login'))

    flash('Successful login.', 'info')
    login_user(account, remember=form.remember_me.data)

    # login_user has already run when an unsafe ``next`` is rejected below, so
    # the login may already have taken effect when the 400 is returned.
    next_url = request.args.get('next')
    if not is_safe_url(next_url):
        return abort(400)

    if account.role == 'admin':
        identity_changed.send(current_app._get_current_object(),
                              identity=Identity(account.id))
    return redirect(next_url or url_for('main.index'))
def login():
    """E-mail/password sign-in; authenticated users go to ``core.index``.

    Bad credentials flash a translated error and redirect back to the login
    page. On success the user is logged in (honouring "remember me"), a
    greeting is flashed, the login is logged at INFO, and ``next`` is followed
    only when ``is_safe_url`` accepts it (400 otherwise), defaulting to
    ``core.index``.
    """
    if current_user.is_authenticated:
        return redirect(url_for("core.index"))

    form = LoginForm(request.form)
    if not form.validate_on_submit():
        return render_template("auth/login.html", title="Sign In", form=form)

    account = User.query.filter_by(email=form.email.data).first()
    if account is None or not account.check_password(form.password.data):
        flash(_("Invalid email or password"), "danger")
        return redirect(url_for("auth.login"))

    login_user(account, remember=form.remember_me.data)
    greeting = _("Logged in as %(display_name)s.", display_name=account.display_name)
    flash(greeting, "info")
    current_app.logger.info(f"User logged in: {account}")

    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    return redirect(next_url or url_for("core.index"))
def login():
    """Login by username or e-mail.

    GET just renders the form. On a valid POST the user is looked up by
    username or e-mail and the password is checked (the submitted password is
    UTF-8 encoded before ``check_password``). Inactive users and bad
    credentials currently raise ValidationError (left as a todo in the
    original); on success ``next`` is followed only when ``is_safe_url``
    accepts it, an unsafe value being silently dropped in favour of
    ``main.index``.
    """
    form = LoginForm()
    if request.method == 'GET':
        return render_template('main/login.html', form=form)
    if not form.validate_on_submit():
        return render_template('main/login.html', form=form)

    matches_account = or_(User.username == form.account.data,
                          User.email == form.account.data)
    account = User.query.filter(matches_account).first()
    if not (account and account.check_password(form.password.data.encode('utf-8'))):
        # todo:
        raise ValidationError('User does not exist, or password is wrong.')
    if not account.is_active:
        # todo:
        raise ValidationError('User is not active.')

    login_user(account, form.remember_me.data)
    next_url = request.args.get('next')
    if not is_safe_url(next_url):
        next_url = None
    return redirect(next_url or url_for('main.index'))
def token_login(uuid):
    """Enable access token *uuid* for this session after a password check.

    404 for an unknown token; a wrong password flashes an error and redirects
    back to this page. On success the token id is appended to
    ``session["access_tokens"]`` (created on first use) and ``next`` is
    followed when ``is_safe_url`` accepts it (400 otherwise), defaulting to
    ``core.index``.
    """
    form = AccessTokenForm(request.form)
    if not form.validate_on_submit():
        return render_template("auth/token_login.html",
                               title="Enable token access",
                               uuid=uuid,
                               form=form)

    token = AccessToken.query.filter_by(uuid=uuid).first()
    if token is None:
        return abort(404)
    if not token.check_password(form.password.data):
        flash(_("Invalid password"), "error")
        return redirect(url_for("auth.token_login", uuid=uuid))

    enabled = session.setdefault("access_tokens", [])
    enabled.append(token.id)
    # The list was mutated in place; mark the session so it is re-serialized.
    session.modified = True
    flash(_("Enabled access token %(uuid)s.", uuid=uuid), "info")

    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    return redirect(next_url or url_for("core.index"))
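def reverify():
    """Re-send the e-mail verification code to the current user and redirect.

    400 when the ``next`` query parameter fails ``is_safe_url``; otherwise a
    verification mail is queued, the newly generated code committed, a
    reminder flashed, and the user redirected to ``next`` (default:
    ``core.index``).
    """
    # Check the redirect target first: the original queued the mail and
    # committed before rejecting ``next``, so a 400 response still sent mail.
    next_url = request.args.get("next")
    if not is_safe_url(next_url):
        return abort(400)
    next_url = next_url or url_for("core.index")

    send_mail.delay(
        recipient=current_user.email,
        subject="Mail Verification",
        template="messages/verification.html",
        context={
            "user": current_user.display_name,
            "verification_code": current_user.generate_verification_code(),
        },
    )
    db.session.commit()
    flash(
        _("Remember to verify your email address to make full use of Talks.Tue!"),
        "warning",
    )
    return redirect(next_url)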
 def test_is_safe_url(self):
     """is_safe_url rejects an external host and accepts same-host and relative URLs."""
     same_host = 'http://' + self.app.config['SERVER_NAME']
     with self.app.test_request_context():
         self.assertTrue(is_safe_url(same_host))
         self.assertTrue(is_safe_url('safe_internal_link'))
         self.assertFalse(is_safe_url('http://externalsite.com'))
    def redirect(self, endpoint='index', **values):
        """Redirect to the form's ``next`` field when ``is_safe_url`` accepts it.

        Otherwise fall back to ``get_redirect_target()`` and, failing that,
        to ``url_for(endpoint, **values)``.
        """
        candidate = self.next.data
        if not is_safe_url(candidate):
            candidate = get_redirect_target() or url_for(endpoint, **values)
        return redirect(candidate)