def sudo(): user = check_permission() redis = get_redis_connection() failed_attempts = redis.get('sudo_fail_{}'.format(user)) failed_attempts = int(failed_attempts) if failed_attempts != None else 0 if failed_attempts >= 5: write_log("dashboard_access", user, { "success": False, "reason": "too many attemps" }) return render_template("dashboard/sudo.tmpl", error=True, chances=0) if flask.request.method == "GET": return render_template("dashboard/sudo.tmpl") password = flask.request.form.get("password") if password == None: flask.abort(400) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute("SELECT salt FROM users WHERE user_id = %s", (user, )) salt = cursor.fetchone()[0] finally: cnx.close() hashed_password = hashlib.sha256( (password + salt).encode()).hexdigest().upper() cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT * FROM users WHERE user_id = %s AND password = %s", (user, hashed_password)) result = cursor.fetchone() finally: cnx.close() if result == None: write_log("dashboard_access", user, {"success": False}) redis = get_redis_connection() failed_attemps = int(redis.incr('sudo_fail_{}'.format(user))) redis.expire('sudo_fail_{}'.format(user), 300) ret = render_template("dashboard/sudo.tmpl", error=True, chances=max(5 - failed_attemps, 0)) return ret else: ret = flask.make_response(flask.redirect("/dashboard/")) ret.set_cookie("sudo_mode", create_cookie(user)) redis = get_redis_connection() redis.delete('sudo_fail_{}'.format(user)) write_log("dashboard_access", user, {"success": True}) return ret
def search(): query_string = flask.request.args.get('q') if not query_string: return render_template('search.tmpl', title="Search", query_string="") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT query.floor, query.post_id, query.thread_id, query.title, " "pgroonga_snippet_html(query.content, pgroonga_query_extract_keywords(%s)) FROM " "(SELECT post.post_id AS post_id, post.thread AS thread_id, post_content.content AS content, " "rank() OVER (PARTITION BY post.thread ORDER BY post.datetime) AS floor, thread.title AS title " "FROM post, post_content, thread WHERE post_content.post = post.post_id " "AND post.thread = thread.thread_id " "AND post.hidden = FALSE AND thread.hidden = FALSE " "AND thread.draft = FALSE " ") AS query WHERE query.content &@~ %s", (query_string, query_string)) ret = render_template("search.tmpl", title=query_string, cursor=cursor, query_string=query_string) finally: cnx.close() return ret
def userinfo(userid): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT name, nick, email, admin FROM users WHERE user_id = %s", (userid, )) userinfo = cursor.fetchone() finally: cnx.close() if user == None: flask.abort(404) username, nick, email, admin = userinfo user_avatar = hashlib.md5( email.lower().strip().encode()).hexdigest().lower() return render_template("dashboard/userinfo.tmpl", username=username, nick=nick, email=email, user_avatar=user_avatar, user_is_admin=admin, userid=userid)
def operate(operation, type): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") target_id = flask.request.args.get("target") if not target_id: flask.abort(400) hidden = True if operation == "delete" else False cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "UPDATE {0} SET hidden = %s WHERE {0}_id = %s ".format(type), (hidden, target_id)) cnx.commit() finally: cnx.close() referrer = "/" if type == "thread" else flask.request.referrer write_log(operation, user, {"type": type, "id": target_id}) return flask.redirect(referrer)
def index(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT log.type, users.name, log.data FROM log, users " "WHERE users.user_id = log.operator ORDER BY log.datetime DESC LIMIT 10" ) recent_events = list(cursor) cursor.execute( "SELECT log.datetime, log.data FROM log, users " "WHERE users.user_id = log.operator AND log.operator = %s " "AND log.type = 'dashboard_access' ORDER by log.datetime DESC LIMIT 10", (user, )) recent_access = list(cursor) finally: cnx.close() return render_template("dashboard/index.tmpl", recent_events=recent_events, recent_access=recent_access, log_type_to_string=log_type_to_string, log_data_simple=log_data_simple)
def logout(): referrer = flask.request.referrer try: referrer.index("/logout") except ValueError: pass else: referrer = "/" cookie = flask.request.cookies.get("session") if cookie == None: return flask.redirect(referrer) user_id = read_cookie(cookie) if user_id == None: return flask.redirect(referrer) cnx = get_pg_connection() response = flask.make_response(flask.redirect(referrer)) response.set_cookie("session", "", expires=0) response.set_cookie("sudo_mode", "", expires=0) write_log("logout", user_id, {"success": True}) return response
def new(): cnx = get_pg_connection() try: cursor = cnx.cursor() finally: cnx.close() return render_template("edit.tmpl", title="New Thread", type="new_thread")
def write_log(type, operator, comment): cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "INSERT INTO log (type, operator, datetime, data) " "VALUES (%s, %s, NOW(), %s)", (type, operator, json_wrapper(comment))) cnx.commit() finally: cnx.close()
def new_thread(): now = datetime.datetime.now() try: userid = read_cookie(flask.request.cookies["session"]) except KeyError: flask.abort(401) if userid == None: flask.abort(401) try: title = flask.request.form["title"] category = flask.request.form["category"] renderer = flask.request.form["renderer"] content = flask.request.form["content"] is_draft = bool(int(flask.request.form["draft"])) except KeyError: flask.abort(400) thread_id = str(uuid.uuid4()).replace('-', '') post_id = str(uuid.uuid4()).replace('-', '') post_content_id = str(uuid.uuid4()).replace('-', '') cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "INSERT INTO thread VALUES (" "%s, %s, %s, %s, %s, FALSE, %s )", (thread_id, userid, category, now, title, bool(is_draft))) cursor.execute( "INSERT INTO post VALUES (" "%s, %s, %s, %s, FALSE, %s, %s)", (post_id, userid, thread_id, now, now, post_content_id)) cursor.execute( "INSERT INTO post_content VALUES (" "%s, %s, %s, %s, %s)", (post_content_id, post_id, renderer, content, now)) cnx.commit() write_log("new_thread", userid, { "success": True, "id": thread_id, "title": title }) finally: cnx.close() return flask.redirect("/thread/view/" + thread_id)
def registration(): if flask.request.method == "GET": referrer = flask.request.referrer return render_template("login.tmpl", title="注册", referrer=referrer, type="registration") try: username = flask.request.form["username"] password = flask.request.form["password"] email = flask.request.form["email"] referrer = flask.request.form["referrer"] except KeyError: flask.abort(400) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute("SELECT * FROM users WHERE name = %s", (username, )) if cursor.fetchone() != None: write_log( "registration", "", { "success": False, "username": username, "reason": "user already exists" }) return render_template("login.tmpl", title="注册", referrer=referrer, error="用户 {} 已经存在".format(username)) user_id = str(uuid.uuid4()).replace('-', '').upper() salt = crypt.mksalt(crypt.METHOD_SHA256) hashed_password = hashlib.sha256( (password + salt).encode()).hexdigest().upper() cursor.execute( "INSERT INTO users VALUES ( " "%s, %s, %s, %s, %s, FALSE, FALSE, %s)", (user_id, username, email, hashed_password, username, salt)) cnx.commit() write_log("registration", user_id, {"success": True}) finally: cnx.close() cookie = create_cookie(user_id) response = flask.make_response(flask.redirect(referrer)) response.set_cookie("session", cookie, expires=32503680000) return response
def userinfo_update(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") try: userid = flask.request.form["id"] nick = flask.request.form["nick"] email = flask.request.form["email"] superuser = flask.request.form["superuser"] except KeyError: flask.abort(400) superuser = (superuser == "true") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT nick, email, admin FROM users WHERE user_id = %s", (userid, )) oldnick, oldemail, oldadmin = cursor.fetchone() cursor.execute( "UPDATE users SET (nick, email, admin) = ( " "%s, %s, %s ) WHERE user_id = %s", (nick, email, superuser, userid)) cnx.commit() finally: cnx.close() log_data = { "operator": user, "original": { "nick": oldnick, "email": oldemail, "superuser": oldadmin }, "new": { "nick": nick, "email": email, "superuser": superuser } } write_log("update_profile", user, log_data) return flask.redirect("/dashboard/userinfo/{}".format(userid))
def categories(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute('SELECT category_id, name FROM category') categories = cursor.fetchall() finally: cnx.close() return render_template("dashboard/category.tmpl", categories=categories)
def render_template(template, **kwargs): args = { "title": "How do your end up here?", "body": "How do your end up here?" } try: cookie = read_cookie(flask.request.cookies["session"]) except KeyError: cookie = None try: sudo_mode = read_cookie(flask.request.cookies["sudo_mode"]) except KeyError: sudo_mode = None try: cnx = get_pg_connection() cursor = cnx.cursor() cursor.execute('SELECT name, category_id FROM category ORDER BY category_id') categories = list(cursor) cursor = cnx.cursor() cursor.execute('SELECT nick, email, admin FROM users WHERE user_id = %s', (cookie, )) result = cursor.fetchone() if result: user, avatar, admin = result avatar = hashlib.md5(avatar.strip().lower().encode("utf8")).hexdigest() else: user, avatar, admin = None, None, None finally: cnx.close() kwargs["categories"] = categories kwargs["user"] = user kwargs["avatar"] = avatar kwargs["user_id"] = cookie kwargs["admin"] = admin kwargs["sudo"] = sudo_mode return flask.render_template(template, **kwargs)
def category_merge(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") try: src_id = flask.request.form["src"] dst_id = flask.request.form["dst"] except KeyError: flask.abort(400) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute('SELECT name FROM category WHERE category_id = %s', (src_id, )) src_name, = cursor.fetchone() cursor.execute('SELECT name FROM category WHERE category_id = %s', (dst_id, )) dst_name, = cursor.fetchone() cursor.execute('UPDATE thread SET category = %s WHERE category = %s', (dst_id, src_id)) cursor.execute('DELETE FROM category WHERE category_id = %s', (src_id, )) cnx.commit() finally: cnx.close() log_data = { "src": { "id": src_id, "name": src_name }, "dst": { "id": dst_id, "name": dst_name } } write_log("category_merge", user, log_data) return flask.redirect("/dashboard/category")
def reply(): now = datetime.datetime.now() try: userid = read_cookie(flask.request.cookies["session"]) except KeyError: flask.abort(401) if userid == None: flask.abort(401) try: renderer = flask.request.form["renderer"] content = flask.request.form["content"] thread_id = flask.request.form["thread_id"] except KeyError: flask.abort(400) post_id = str(uuid.uuid4()).replace('-', '') post_content_id = str(uuid.uuid4()).replace('-', '') cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "INSERT INTO post VALUES (" "%s, %s, %s, %s, FALSE, %s, %s)", (post_id, userid, thread_id, now, now, post_content_id)) cursor.execute( "INSERT INTO post_content VALUES (" "%s, %s, %s, %s, %s)", (post_content_id, post_id, renderer, content, now)) cnx.commit() write_log("new_reply", userid, { "success": True, "post_id": post_id, "content_id": post_content_id }) finally: cnx.close() return flask.redirect(flask.request.referrer)
def thread_delete(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") thread_id = flask.request.args.get("id") if thread_id == None: flask.abort(400) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute("UPDATE thread SET hidden = TRUE WHERE thread_id = %s", (thread_id, )) cnx.commit() finally: cnx.close() return flask.redirect("/dashboard/threads")
def log(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT log.*, users.name FROM log, users WHERE users.user_id = log.operator ORDER BY log.datetime DESC" ) logs = cursor.fetchall() finally: cnx.close() return render_template("/dashboard/logs.tmpl", logs=logs, log_type_to_string=log_type_to_string, log_data_simple=log_data_simple)
def posts_restore(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") post_id = flask.request.args.get("/dashboard/sudo") if post_id == None: flask.abort(400) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute("UPDATE post SET hidden = FALSE WHERE post_id = %s", (post_id, )) cnx.commit() finally: cnx.close() return flask.redirect("/dashboard/posts")
def threads(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") query_string = flask.request.args.get("s") if query_string == None: return render_template("dashboard/threads.tmpl") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT title, hidden, thread_id FROM thread WHERE title &@~ %s", (query_string, )) threads = cursor.fetchall() finally: cnx.close() return render_template("dashboard/threads.tmpl", threads=threads)
def check_permission(): session = flask.request.cookies.get("session") if session == None or read_cookie(session) == None: write_log("dashboard_access", "", {"success": False}) flask.abort(401) user = read_cookie(session) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT * FROM users WHERE user_id = %s AND admin = TRUE", (user, )) result = (cursor.fetchone() != None) finally: cnx.close() if not result: write_log("dashboard_access", user, {"success": False}) flask.abort(401) return user
def users(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") query_string = flask.request.args.get("s") if query_string == None: return render_template("dashboard/user.tmpl") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT user_id, name, nick FROM users WHERE nick LIKE %s", ("%{}%".format(query_string), )) users = cursor.fetchall() finally: cnx.close() return render_template("dashboard/user.tmpl", users=users)
def log_detail(id): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") try: id = int(id) except: flask.abort(400) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT log.*, users.name FROM log, users WHERE users.user_id = log.operator AND log.log_id = %s", (id, )) details = cursor.fetchone() finally: cnx.close() return render_template("/dashboard/log_details.tmpl", details=details, log_type_to_string=log_type_to_string)
def deleted_post(post_id): user = flask.request.cookies.get("session") if user != None and read_cookie(user) != None: user = read_cookie(user) cnx = get_pg_connection() try: if user: cursor = cnx.cursor() cursor.execute("SELECT admin FROM users WHERE user_id = %s", (user, )) admin, = cursor.fetchone() else: admin = False if not admin: flask.abort(404) cursor = cnx.cursor() cursor.execute( "select post.post_id, users.nick, post.author, " "LOWER(MD5(TRIM(LOWER(users.email)))), " "post_content.content, post_content.datetime, post_content.renderer FROM post, users, post_content " "WHERE post.author = users.user_id " "AND post.content = post_content.content_id " "AND post.post_id = %s", (post_id, )) posts = cursor.fetchall() finally: cnx.close() return render_template("post.tmpl", posts=posts, page=1, post_per_page=1, total_pages=1, render_content=render_content, title="被删除的回复")
def categories_new(): user = check_permission() sudo = check_sudo(user) if not sudo: return flask.redirect("/dashboard/sudo") name = flask.request.form.get("name") if not name: flask.abort(400) category_id = str(uuid.uuid4()).replace('-', '').upper() cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute("INSERT INTO category VALUES (%s, %s)", (category_id, name)) cnx.commit() finally: cnx.close() write_log("category_new", user, {"success": True, "category": name}) return flask.redirect('/dashboard/category')
def edit(edit_type, target_id): try: user = read_cookie(flask.request.cookies["session"]) except: user = None if user == None: flask.abort(401) cnx = get_pg_connection() try: cursor = cnx.cursor() if edit_type == 'thread': cursor.execute( "SELECT thread.title, thread.category, thread.draft, users.admin FROM thread, users " "WHERE thread.thread_id = %s AND users.user_id = %s AND (thread.author = users.user_id OR users.admin = TRUE)", (target_id, user)) title, category, is_draft, _ = cursor.fetchone() cursor.execute( "SELECT post.post_id, users.admin FROM post, users " "WHERE post.thread = %s AND users.user_id = %s AND (post.author = users.user_id OR users.admin = TRUE) " "ORDER BY datetime LIMIT 1 OFFSET 0", (target_id, user)) post_id = cursor.fetchone() if not post_id: flask.abort(404) post_id = post_id[0] else: post_id = target_id except: cnx.close() raise try: cursor = cnx.cursor() cursor.execute( "SELECT content, renderer FROM post_content WHERE post = %s ORDER BY datetime DESC LIMIT 1 OFFSET 0", (post_id, )) content, renderer = cursor.fetchone() finally: cnx.close() kwargs = { "renderer": renderer, "referrer": flask.request.referrer, "content": content, "post_id": post_id } if edit_type == "thread": print(title) kwargs["type"] = "edit_thread" kwargs["title"] = "编辑主题:" + title kwargs["current_category_id"] = category kwargs["draft"] = is_draft kwargs["thread_id"] = target_id else: kwargs["type"] = "edit_post" kwargs["title"] = "编辑回复" return render_template("edit.tmpl", **kwargs)
def list_threads(order, page, category=None, author=None, draft=False): order_sql = { 'publish': 'publish_datetime', 'reply': 'reply_count', 'last_modified': 'last_modified', 'random': 'RAND()' } category_sql = "AND thread.category = %s" if category else '' author_sql = "AND thread.author = %s" if author else '' try: sudo_mode = read_cookie(flask.request.cookies["sudo_mode"]) except KeyError: sudo_mode = None hidden = bool(sudo_mode) query = ( "SELECT thread.thread_id, thread.title, thread.datetime AS publish_datetime, " "users.nick, MAX(post.last_modified) AS last_modified, " "(SELECT COUNT(*) FROM post WHERE post.thread = thread.thread_id) AS reply_count FROM thread, post, users " "WHERE thread.hidden = FALSE " "AND post.thread = thread.thread_id " "AND users.user_id = thread.author " "AND thread.draft = %s {} {} " "GROUP BY thread.thread_id, users.nick " "ORDER BY {} DESC " "LIMIT {} " "OFFSET %s ").format(category_sql, author_sql, order_sql[order], config["paginator"]["thread_per_page"]) page_query = "SELECT COUNT(*) FROM thread WHERE hidden = FALSE AND draft = %s {} {}".format( category_sql, author_sql) category_query = "SELECT name FROM category WHERE category_id = %s" cnx = get_pg_connection() try: cursor = cnx.cursor() page_cursor = cnx.cursor() if category: category_cursor = cnx.cursor() if author: cursor.execute( query, (draft, category, author, (page - 1) * config["paginator"]["thread_per_page"])) else: cursor.execute( query, (draft, category, (page - 1) * config["paginator"]["thread_per_page"])) if author: page_cursor.execute(page_query, (draft, category, author)) else: page_cursor.execute(page_query, ( draft, category, )) category_cursor.execute(category_query, (category, )) category_name, = category_cursor.fetchone() title = "分类: " + category_name else: if author: cursor.execute( query, (draft, author, (page - 1) * config["paginator"]["thread_per_page"])) else: cursor.execute( query, (draft, (page - 1) * config["paginator"]["thread_per_page"])) if author: page_cursor.execute(page_query, (draft, author)) else: page_cursor.execute(page_query, (draft, )) title = "主页" total_pages, = page_cursor.fetchone() total_pages = int((total_pages - 1) / config["paginator"]["thread_per_page"] + 1) if draft: baseurl = "/drafts" elif category: baseurl = "/category/{}/{}".format(category, order) else: baseurl = "/index/" + order ret = render_template('list.tmpl', cursor=cursor, title=title, page=page, total_pages=total_pages, order=order, baseurl=baseurl) finally: cnx.close() return ret
def post(thread, page): user = flask.request.cookies.get("session") if user != None and read_cookie(user) != None: user = read_cookie(user) cnx = get_pg_connection() try: if user: cursor = cnx.cursor() cursor.execute("SELECT admin FROM users WHERE user_id = %s", (user, )) admin, = cursor.fetchone() else: admin = False cursor = cnx.cursor() cursor.execute("SELECT title FROM thread WHERE thread_id = %s", (thread, )) title = cursor.fetchone()[0] cursor = cnx.cursor() cursor.execute("SELECT COUNT(*) FROM post WHERE thread = %s", (thread, )) post_count = cursor.fetchone()[0] cursor = cnx.cursor() cursor.execute("SELECT hidden FROM thread WHERE thread_id = %s", (thread, )) hidden, = cursor.fetchone() if hidden and not admin: flask.abort(404) query = ( "SELECT post.post_id, users.nick, post.author, " "LOWER(MD5(TRIM(LOWER(users.email)))), " "post_content.content, post_content.datetime, post_content.renderer FROM post, users, thread, post_content " "WHERE post.thread = %s AND post.hidden = FALSE " "AND post.thread = thread.thread_id " "AND post.author = users.user_id " "AND post.content = post_content.content_id " "ORDER BY post.datetime LIMIT {} OFFSET %s".format( config["paginator"]["post_per_page"])) cursor = cnx.cursor() cursor.execute( query, (thread, int( (int(page) - 1) * config["paginator"]["post_per_page"]))) posts = list(cursor) cursor = cnx.cursor() cursor.execute("SELECT thread.author FROM thread WHERE thread_id = %s", (thread, )) thread_author_id = cursor.fetchone()[0] finally: cnx.close() total_pages = int((post_count - 1) / config["paginator"]["post_per_page"] + 1) return render_template("post.tmpl", posts=posts, thread_hidden=hidden, page=int(page), total_pages=total_pages, thread_author_id=thread_author_id, baseurl="/thread/view/{}".format(thread), post_per_page=config["paginator"]["post_per_page"], render_content=render_content, title=title, thread_id=thread)
def userinfo(): try: user = read_cookie(flask.request.cookies["session"]) except KeyError: return flask.redirect("/") if not user: flask.redirect("/") cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( 'SELECT name, email, nick, salt FROM users WHERE user_id = %s', (user, )) name, email, nick, salt = cursor.fetchone() finally: cnx.close() if flask.request.method == "GET": return render_template("userinfo.tmpl", error=False, name=name, email=email, nick=nick, title="User Info") else: try: new_email = flask.request.form["email"] new_nick = flask.request.form["nick"] old_password = flask.request.form["old_password"] new_password = flask.request.form["new_password"] except: return flask.abort(400) if new_password != "": cnx = get_pg_connection() cursor = cnx.cursor() try: hashed_old_password = hashlib.sha256( (old_password + salt).encode()).hexdigest().upper() cursor.execute( "SELECT user_id FROM users WHERE user_id = %s AND password = %s", (user, hashed_old_password)) if not cursor.fetchone(): cnx.close() write_log("update_userinfo", user, { "success": False, "reason": "wrong password" }) return render_template("userinfo.tmpl", error=True, name=name, email=email, nick=nick, title="User Info") except: cnx.close() raise salt = crypt.mksalt(crypt.METHOD_SHA256) hashed_password = hashlib.sha256( (new_password + salt).encode()).hexdigest().upper() else: hashed_password = None cnx = get_pg_connection() try: cursor = cnx.cursor() if hashed_password: cursor.execute( "UPDATE users SET email = %s, nick = %s, password = %s, salt = %s WHERE user_id = %s", (new_email, new_nick, hashed_password, salt, user)) else: cursor.execute( "UPDATE users SET email = %s, nick = %s WHERE user_id = %s", (new_email, new_nick, user)) cnx.commit() finally: cnx.close() log_data = { "success": True, "nick": [nick, new_nick], "email": [email, new_email], "password_changed": new_password != "" } write_log("update_userinfo", user, log_data) return flask.redirect("/userinfo")
def edit(edit_type): try: renderer = flask.request.form["renderer"] content = flask.request.form["content"] referrer = flask.request.form["referrer"] post_id = flask.request.form["post_id"] except KeyError: flask.abort(400) user = read_cookie(flask.request.cookies["session"]) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT post.author, users.admin, post.content FROM post, users " "WHERE post.post_id = %s AND users.user_id = %s " "AND (post.author = users.user_id OR users.admin = TRUE)", (post_id, user)) post_ret = cursor.fetchone() if not post_ret: cnx.close() flask.abort(401) _, _, old_content_id = post_ret except: cnx.close() raise if edit_type == "thread": try: thread_id = flask.request.form["thread_id"] title = flask.request.form["title"] category = flask.request.form["category"] is_draft = bool(int(flask.request.form["draft"])) except KeyError: flask.abort(400) cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "SELECT title, category, draft FROM thread " "WHERE thread_id = %s", (thread_id, )) old_title, old_category, old_draft = cursor.fetchone() except TypeError: flask.abort(400) new_content_id = str(uuid.uuid4()).replace('-', '') cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute( "INSERT INTO post_content VALUES (" "%s, %s, %s, %s, NOW())", (new_content_id, post_id, renderer, content)) cursor.execute( "UPDATE post SET content = %s, last_modified = NOW() WHERE post_id = %s", (new_content_id, post_id)) if edit_type == "thread": cursor.execute( "UPDATE thread SET title = %s, category = %s, draft = %s " "WHERE thread_id = %s", (title, category, is_draft, thread_id)) cnx.commit() except: traceback.print_exc() finally: cnx.close() log_data = { "success": True, "post_id": post_id, "type": edit_type, "rev": [old_content_id, new_content_id] } if edit_type == "thread": log_data["thread"] = { "title": [old_title, title], "category": [old_category, category], "draft": [old_draft, is_draft] } write_log("edit", user, log_data) return flask.redirect(referrer)
def login(): if flask.request.method == "GET": referrer = flask.request.referrer else: referrer = flask.request.form["referrer"] try: referrer.index("/login") except ValueError: pass else: referrer = "/" if flask.request.method == "GET": return render_template("login.tmpl", title="登录", referrer=flask.request.referrer, error=None, type="login") else: username = flask.request.form["username"] password = flask.request.form["password"] cnx = get_pg_connection() try: cursor = cnx.cursor() cursor.execute("SELECT salt FROM users WHERE name = %s", (username, )) salt = cursor.fetchone() if salt: salt = salt[0] else: error = "用户名或密码错误" write_log( "login", "", { "success": False, "username": username, "reason": "user does not exist" }) return render_template("login.tmpl", referrer=referrer, error=error, title="Login", type="login") hashed_password = hashlib.sha256( (password + salt).encode()).hexdigest().upper() cursor.execute( "SELECT user_id AS uid FROM users WHERE name = %s AND password = %s", (username, hashed_password)) ret = cursor.fetchone() if not ret: cnx.close() error = "用户名或密码错误" write_log( "login", "", { "success": False, "username": username, "reason": "wrong password" }) return render_template("login.tmpl", referrer=referrer, error=error, title="Login", type="login") finally: cnx.close() userid = ret[0] cookie = create_cookie(userid) response = flask.make_response(flask.redirect(referrer)) response.set_cookie("session", cookie, expires=32503680000) write_log("login", userid, {"success": True, "username": username}) return response