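def _safe_next_url(target, fallback):
    """Return *target* when it is an absolute path on this site, else *fallback*.

    ``target`` is the user-controlled ``next`` query parameter.  Anything
    carrying a scheme or a host (``https://evil``, ``//evil``, ``/\\evil``,
    ``javascript:...``) is refused so the login view cannot be used as an
    open redirector; only a path starting with a single ``/`` is accepted.
    """
    from urllib.parse import urlsplit  # local import: the file header is not in view

    if not target:
        return fallback
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return fallback
    # urlsplit() leaves backslashes alone, but browsers read "/\evil" as "//evil".
    if not target.startswith('/') or target.startswith(('//', '/\\')):
        return fallback
    return target


def login():
    """Authenticate a user from the login form and start a session.

    GET renders the form.  POST looks the username up, verifies the password
    against the stored hash and, on success, clears any pre-existing session
    (so a session id planted before login is not upgraded -- fixation),
    stores ``user_id`` and redirects to the validated ``next`` target or to
    the story list.  A failed attempt re-renders the form with HTTP 401.

    Returns:
        A Flask response: a redirect on success, ``(rendered template,
        status_code)`` otherwise.
    """
    status_code = 200
    # ``next`` comes straight from the query string; it is validated by
    # _safe_next_url() before being handed to redirect().
    referrer = request.args.get('next')
    if request.method == 'POST':
        username = escape(request.form['username'])
        # NOTE: the password is HTML-escaped before hashing to match what
        # register() stored; changing either side alone locks users out.
        password = escape(request.form['password'])
        db = get_db()
        error = None
        user = db.execute('SELECT * FROM user WHERE username = ?', (username, )).fetchone()
        if user is None:
            error = 'Incorrect username.'
        elif not check_password_hash(user['password'], password):
            error = 'Incorrect password.'
        # The distinct messages (and the skipped hash check) reveal whether a
        # username exists; register() already discloses that, so it is left
        # as is -- revisit together with rate limiting.
        if error is None:
            session.clear()
            session['user_id'] = user['id']
            url = _safe_next_url(referrer, url_for('story.story_list'))
            response = make_response(redirect(url))
            # A plain max_age avoids the naive datetime.now() that was being
            # passed as ``expires`` (naive datetimes are treated as UTC by the
            # cookie serializer, skewing expiry by the local offset).
            lifetime = int(timedelta(minutes=60).total_seconds())
            # The marker cookie carries no secret, but keep it out of script
            # reach and off cross-site requests anyway.  ``secure`` follows
            # the request scheme; behind a TLS-terminating proxy that needs
            # ProxyFix (or an explicit setting) to be True.
            response.set_cookie('pirate', value='shiver_me_timbers', max_age=lifetime,
                                httponly=True, samesite='Lax', secure=request.is_secure)
            return response
        if error:
            flash(error)
            status_code = 401
    return render_template('auth/login.html', form_groups=get_user_form('login')), status_code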
def register():
    """Create a new user from the registration form, then sign them in.

    On POST the username and password are validated (both required, the
    username not already taken), the password is hashed and stored, and
    control is handed to ``login()``, which re-reads the same form data.
    Any validation error is flashed and the form re-rendered.  GET simply
    renders the form.

    Returns:
        A Flask response: whatever ``login()`` returns on success, the
        rendered registration template otherwise.
    """
    if request.method != 'POST':
        return render_template('auth/register.html', form_groups=get_user_form('register'))

    username = escape(request.form['username'])
    # NOTE: the password is HTML-escaped before hashing; login() escapes the
    # same way, so the two must change together if this is ever dropped.
    password = escape(request.form['password'])
    db = get_db()

    # NOTE(review): no length or complexity policy is applied to the password,
    # and the existence check is a check-then-insert race -- only a UNIQUE
    # constraint on user.username actually guarantees uniqueness.
    error = None
    if not username:
        error = 'Username is required.'
    elif not password:
        error = 'Password is required.'
    else:
        clash = db.execute('SELECT id FROM user WHERE username = ?', (username, )).fetchone()
        if clash is not None:
            error = f'User {username} is already registered.'

    if error is not None:
        flash(error)
        return render_template('auth/register.html', form_groups=get_user_form('register'))

    db.execute('INSERT INTO user (username, password) VALUES (?, ?)',
               (username, generate_password_hash(password)))
    db.commit()
    # login() re-reads request.form, so the fresh account is signed in at once.
    return login()
def update_access_time():
    """Stamp ``user.last_access`` with the database's current time for the signed-in user.

    Does nothing when nobody is logged in (``g.user`` is None, as set by
    load_logged_in_user()).  The update is committed immediately.
    """
    if g.user is None:
        return
    conn = get_db()
    conn.execute('UPDATE user SET last_access = CURRENT_TIMESTAMP WHERE id = ?',
                 (g.user['id'], ))
    conn.commit()
def load_logged_in_user():
    """Resolve the session's ``user_id`` to a ``user`` row on ``g.user``.

    ``g.user`` ends up None when the session holds no user id *or* when the
    id no longer matches a row (the account was deleted after login) --
    ``fetchone()`` returns None then, so a stale session degrades to
    anonymous rather than erroring.
    """
    uid = session.get('user_id')
    g.user = None
    if uid is not None:
        g.user = get_db().execute('SELECT * FROM user WHERE id = ?', (uid, )).fetchone()
def story_list():
    """Render the story index: every story joined to its uploader, plus a chapter count.

    NOTE(review): ``SELECT *`` over the join hands every ``user`` column --
    including the password hash -- to the template context, and both tables
    contribute an ``id`` column, so ``row['id']`` is ambiguous.  Selecting
    ``story.*, user.username`` would be safer once list.html's needs are
    confirmed.  The INNER JOIN also hides stories whose uploader row has been
    deleted (the users delete() view does not cascade).
    """
    sql = (
        'SELECT *, ( SELECT COUNT(id) FROM chapter WHERE story_id = story.id ) chapter_count '
        'FROM story INNER JOIN user ON story.uploader_id=user.id'
    )
    rows = get_db().execute(sql).fetchall()
    return render_template('story/list.html', stories=rows)
def delete(story_id):
    """Remove a story and all of its chapters, then return to the story list.

    Chapters go first so no ``chapter.story_id`` dangles if the schema
    enforces the foreign key; both deletes are committed together at the end.

    NOTE(review): no ownership or privilege check is visible in this view --
    any caller that reaches it can delete any ``story_id``.  If a
    ``login_required``/admin decorator is meant to guard it, it is outside
    this listing; confirm.
    """
    conn = get_db()
    for statement in (
        'DELETE FROM chapter WHERE story_id = ?',
        'DELETE FROM story WHERE id = ?',
    ):
        conn.execute(statement, (story_id,))
    conn.commit()
    return redirect(url_for('story.story_list'))
def add():
    """Render the "add story" form and, on POST, ingest an uploaded story file.

    POST order: ``upload_file()`` stores the file (falsy on failure),
    ``add_story_to_db()`` creates the story row (falsy on failure), then
    ``add_chapters_to_db()`` splits the file into chapters using the
    HTML-escaped container/heading CSS selectors from the form.  On either
    failure the form is re-rendered with the submitted values preserved; on
    success the blank form is rendered again (no redirect, so a browser
    refresh would resubmit the upload).

    NOTE(review): no commit is visible after add_chapters_to_db(); it is
    presumably done inside that helper -- confirm.
    """
    db = get_db()
    form_groups = {
        'details': {
            'group_title': 'Details',
            'story_title': gen_form_item('title', placeholder='Title', required=True),
            'author': gen_form_item('author', placeholder='Author'),
        },
        'attributes': {
            'group_title': 'Attributes',
            'container': gen_form_item('container', placeholder='Container CSS', autocomplete='on'),
            'heading': gen_form_item('heading', placeholder='Chapter heading CSS', autocomplete='on'),
        },
        'upload': {
            'group_title': 'Location',
            'file': gen_form_item('file', placeholder='Story file', item_type='file'),
        },
        'submit': {
            'button': gen_form_item('btn-submit', item_type='submit', value='Add'),
        },
    }
    if request.method != 'POST':
        return render_template('story/add.html', form_groups=form_groups)

    filepath = upload_file()
    story = add_story_to_db(db) if filepath else None
    if not story:
        # Either the upload or the story insert failed: keep what the user typed.
        return render_template('story/add.html', form_groups=preserve_form_data(form_groups))
    add_chapters_to_db(db, filepath, story['id'],
                       escape(request.form['container']),
                       escape(request.form['heading']))
    return render_template('story/add.html', form_groups=form_groups)
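def display(story_id):
    """Render one story's chapters.

    Args:
        story_id: primary key of the ``story`` row (from the route).

    Returns:
        The rendered display template, or a redirect to the story list with a
        flashed message when the story does not exist or has no chapters.
        The original dereferenced ``fetchone()['title']`` unconditionally, so
        an unknown id raised TypeError (HTTP 500) instead of redirecting.
    """
    db = get_db()
    story = db.execute('SELECT title FROM story WHERE id = ?', (story_id,)).fetchone()
    if story is None:
        flash('No story found with that id')
        return redirect(url_for('story.story_list'))
    chapter_rows = db.execute(
        'SELECT chapter_title title, chapter_content content FROM chapter WHERE story_id = ?',
        (story_id,)
    ).fetchall()
    if not chapter_rows:
        flash('No chapters found for that story')
        return redirect(url_for('story.story_list'))
    chapters = [dict(row) for row in chapter_rows]
    return render_template('story/display.html', chapters=chapters, title=story['title'])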
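def edit(uid):
    """Admin form to change a user's name, admin level and access approval.

    GET renders the form for user ``uid``.  POST is honoured only when the
    current user holds the ``'read-write'`` admin level; each field is
    applied independently and the transaction is committed only when no
    field failed validation -- otherwise it is rolled back, so a partially
    applied update (e.g. a renamed user with a rejected admin level) is never
    left pending on the connection.

    Args:
        uid: primary key of the user being edited (from the route).

    Returns:
        The rendered edit template on GET or on a refused POST; a redirect to
        the user list after a POST by a read-write admin.
    """
    user = get_user(uid)
    admin_levels = g.privilege_levels
    # Anonymous visitors (g.user is None) used to raise TypeError on POST;
    # they are now refused like any other non-writer.
    can_write = g.user is not None and g.user['admin'] == 'read-write'

    if request.method == 'POST' and not can_write:
        flash('Write access required')
    elif request.method == 'POST':
        error = None
        username = escape(request.form['username'])
        admin = request.form['admin']
        # NOTE(review): stored into access_approved as an arbitrary escaped
        # string, whereas disallow() writes SQL ``false`` -- consider
        # validating against the values the column is meant to hold.
        access = escape(request.form['access'])
        db = get_db()

        if username != user['username']:
            taken = db.execute('SELECT id FROM user WHERE username = ?',
                               (username, )).fetchone() is not None
            if taken:
                error = 'Username exists'
            else:
                db.execute('UPDATE user SET username = ? WHERE id = ?', (username, uid))
        if admin in admin_levels:
            db.execute('UPDATE user SET admin = ? WHERE id = ?', (admin, uid))
        else:
            error = error + '\n' if error else ''
            error += f'{admin}\nAdmin Status must be one of:'
            error += ' {}'.format(', '.join(admin_levels))
        db.execute('UPDATE user SET access_approved = ? WHERE id = ?', (access, uid))

        if error:
            # Discard the statements already executed in this transaction.
            # Assumes get_db() returns a DB-API connection (sqlite3's has
            # rollback()) -- confirm.
            db.rollback()
            flash(error)
        else:
            db.commit()
        return redirect(url_for('users.list'))

    groups = generate_form_groups(user)
    return render_template('users/edit.html', form_groups=groups)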
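def change_password(uid):
    """Let a user change their own password, or a read-write admin change anyone's.

    Authorisation: the caller must be logged in and either be user ``uid``
    or hold the ``'read-write'`` admin level; otherwise a message is flashed
    and the caller is sent to the index.  (The original evaluated
    ``g.user['admin']`` even when ``g.user`` was None, so an anonymous
    request crashed with TypeError instead of being refused; an unknown
    ``uid`` likewise crashed on ``user['password']``.)

    POST requires ``new_pass`` to be non-empty and equal to ``confirm_pass``;
    non-admins must also supply the correct ``old_pass``.  A validation
    failure flashes the message and reloads this form.

    Args:
        uid: primary key of the user whose password changes (from the route).

    Returns:
        A redirect (index on success or refusal, this form on a validation
        error), or the rendered password form on GET.
    """
    user = get_user(uid)
    db = get_db()

    is_self = g.user is not None and g.user['id'] == uid
    is_writer = g.user is not None and g.user['admin'] == 'read-write'
    if user is None or not (is_self or is_writer):
        flash('Could not change password for the specified user.')
        return redirect(url_for('index'))

    if request.method != 'POST':
        return render_template('users/edit.html', form_groups=gen_pass_groups(user))

    # NOTE: passwords are HTML-escaped before hashing to match register()/login().
    old_pass = escape(request.form['old_pass'])
    new_pass = escape(request.form['new_pass'])
    confirm_pass = escape(request.form['confirm_pass'])

    error = None
    if not new_pass:
        # An empty password used to be accepted and stored.
        error = 'Password is required.'
    elif new_pass != confirm_pass:
        error = 'Passwords do not match.'
    # Read-write admins may reset a password without knowing the old one.
    if not is_writer and not check_password_hash(user['password'], old_pass):
        error = 'Existing password incorrect.'
    if error:
        flash(error)
        return redirect(url_for('users.change_password', uid=uid))

    db.execute('UPDATE user SET password = ? WHERE id = ?',
               (generate_password_hash(new_pass), uid))
    db.commit()
    # NOTE(review): other sessions of this user stay valid after the change;
    # consider invalidating them (e.g. by binding sessions to a password
    # generation counter).
    flash('Password updated.')
    return redirect(url_for('index'))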
def list():  # shadows the builtin, but the endpoint name 'users.list' is used by url_for() callers
    """Render the user list for administrators.

    NOTE(review): ``SELECT *`` passes every column -- including each user's
    password hash -- into the template context; select only the columns
    list.html renders once those are confirmed.  No privilege check is
    visible in this view.
    """
    rows = get_db().execute('SELECT * FROM user').fetchall()
    return render_template('users/list.html', users=rows)
def get_user(uid):
    """Return the ``user`` row with primary key ``uid``, or None when absent."""
    return get_db().execute('SELECT * FROM user WHERE id = ?', (uid, )).fetchone()
def disallow(uid):
    """Revoke user ``uid``'s access approval and return to the user list.

    NOTE(review): no privilege check is visible in this view.  The bare
    ``false`` literal relies on the SQL dialect accepting it as a boolean
    (SQLite does from 3.23.0 on); a bound parameter would be portable.
    """
    conn = get_db()
    conn.execute('UPDATE user SET access_approved = false WHERE id = ?', (uid, ))
    conn.commit()
    return redirect(url_for('users.list'))
def delete(uid):
    """Delete the ``user`` row ``uid`` and return to the user list.

    NOTE(review): no privilege check and no guard against deleting the
    current user are visible.  Stories keep their ``uploader_id``: the story
    list's INNER JOIN then hides them, or this statement fails if the schema
    enforces the foreign key.
    """
    conn = get_db()
    conn.execute('DELETE FROM user WHERE id = ?', (uid, ))
    conn.commit()
    return redirect(url_for('users.list'))