def register_post():
if g.redis.exists("register:" + request.headers["X-Forwarded-For"]):
return redirect(referer_or_home() + "?register_error=ip")
# Don't accept blank fields.
if request.form["username"] == "" or request.form["password"] == "":
return redirect(referer_or_home() + "?register_error=blank")
# Make sure the two passwords match.
if request.form["password"] != request.form["password_again"]:
return redirect(referer_or_home() + "?register_error=passwords_didnt_match")
# Check email address against email_validator.
# Silently truncate it because the only way it can be longer is if they've hacked the front end.
email_address = request.form["email_address"].strip()[:100]
if email_address != "" and email_validator.match(email_address) is None:
return redirect(referer_or_home() + "?register_error=invalid_email")
# Check username against username_validator.
# Silently truncate it because the only way it can be longer is if they've hacked the front end.
username = request.form["username"][:50]
if username_validator.match(username) is None:
return redirect(referer_or_home() + "?register_error=invalid_username")
# XXX DON'T ALLOW USERNAMES STARTING WITH GUEST_.
# Make sure this username hasn't been taken before.
# Also check against reserved usernames.
existing_username = g.db.query(User.id).filter(
func.lower(User.username) == username.lower()
).count()
if existing_username == 1 or username.lower() in reserved_usernames:
return redirect(referer_or_home() + "?register_error=username_taken")
new_user = User(
username=username,
email_address=email_address if email_address != "" else None,
# XXX uncomment this when we release it to the public.
#group="active",
last_ip=request.headers["X-Forwarded-For"],
)
new_user.set_password(request.form["password"])
g.db.add(new_user)
g.db.flush()
g.redis.set("session:" + g.session_id, new_user.id)
g.redis.setex("register:" + request.headers["X-Forwarded-For"], 86400, 1)
g.db.commit()
redirect_url = referer_or_home()
# Make sure we don't go back to the log in page.
if redirect_url == url_for("register", _external=True):
return redirect(url_for("home"))
return redirect(redirect_url)
def validate_character_form(form):
try:
search_character_id = int(form["search_character_id"])
g.db.query(SearchCharacter).filter(SearchCharacter.id == search_character_id).one()
except (KeyError, ValueError, NoResultFound):
# id 1 always exists so fall back to that.
search_character_id = 1
shortcut = form.get("shortcut", "").strip()
if shortcut and not username_validator.match(shortcut):
abort(400)
# Don't allow a blank name.
if form["name"] == "":
abort(400)
# Validate color.
# <input type="color"> always prefixes with a #.
if form["color"][0] == "#":
color = form["color"][1:]
else:
color = form["color"]
if not color_validator.match(color):
abort(400)
# Validate case.
if form["case"] not in case_options:
abort(400)
# XXX PUT LENGTH LIMIT ON REPLACEMENTS?
# Zip replacements.
replacements = zip(
form.getlist("quirk_from"),
form.getlist("quirk_to"),
)
# Strip out any rows where from is blank or the same as to.
replacements = [_ for _ in replacements if _[0] != "" and _[0] != _[1]]
# And encode as JSON.
json_replacements = json.dumps(replacements)
# XXX PUT LENGTH LIMIT ON REGEXES?
# Zip regexes.
regexes = zip(
form.getlist("regex_from"),
form.getlist("regex_to"),
)
# Strip out any rows where from is blank or the same as to.
regexes = [_ for _ in regexes if _[0] != "" and _[0] != _[1]]
# And encode as JSON.
json_regexes = json.dumps(regexes)
return {
# There are length limits on the front end so silently truncate these.
"title": form["title"][:50] if "title" in form else "",
"search_character_id": search_character_id,
"shortcut": shortcut if len(shortcut) != 0 else None,
"name": form["name"][:50],
"acronym": form["acronym"][:15],
"color": color,
"quirk_prefix": form["quirk_prefix"][:100],
"quirk_suffix": form["quirk_suffix"][:100],
"case": form["case"],
"replacements": json_replacements,
"regexes": json_regexes,
}
