def test_generate_csrf_token_length():
    """
    We still want at least 20 characters of Base64 as for 2016
    http://security.stackexchange.com/questions/6957/length-of-csrf-token
    """
    minimum_length = 20
    generated = security.generate_csrf_token()
    assert len(generated) >= minimum_length
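def item_add_route(category_id):
    """
    Route to add new item

    GET renders the add-item form with a CSRF token for the template.
    POST verifies the submitted token, adds the item and redirects to
    the owning category.  Unknown category id -> 404; missing or wrong
    token -> 403.
    """
    import hmac

    target_category = get_category(category_id)

    if target_category is None:
        abort(404)

    # adding some protection
    csrf = generate_csrf_token()

    if request.method == 'POST':
        # .get() so a form without the field is rejected as 403 below
        # instead of surfacing as a KeyError / 400.
        submitted = request.form.get('csrf_token', '')
        # Constant-time comparison so a mismatch leaks nothing through
        # timing; comparing bytes sidesteps compare_digest's ASCII-only
        # rule for str.  Assumes generate_csrf_token() returns str (the
        # tests measure its len() as Base64 text) - confirm.
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        add_item(category_id)
        flash('Item added')
        return redirect(
            url_for('category.category_route', category_id=category_id))

    if request.method == 'GET':
        return render_template('item_edit.html',
                               # was 'Add category' (copy-paste); matches
                               # the 'Edit item' title of item_edit_route
                               page={'title': 'Add item'},
                               user=user_info(),
                               content={
                                   'is_edit': False,
                                   'csrf_token': csrf,
                                   'category': target_category
                               })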
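def category_delete_route(category_id):
    """
    Deleting category from DB

    Unknown id -> 404.  Non-owner -> flash and redirect to the category
    list.  GET renders a confirmation page carrying the CSRF token; POST
    checks the token (403 on mismatch or missing field), deletes the
    category and redirects to the category list.
    """
    import hmac

    target_category = get_category(category_id)

    # The 404 check must run before the owner check: dereferencing a
    # None category raised AttributeError (a 500) for unknown ids.
    if target_category is None:
        abort(404)

    # checking access rights
    if target_category.owner != user_info()['id']:
        flash('Only owner can delete category')
        return redirect(url_for('category.categories_route'))

    # adding some protection
    csrf = generate_csrf_token()

    if request.method == 'POST':
        # .get() so a form without the field is rejected as 403 below
        # instead of surfacing as a KeyError / 400.
        submitted = request.form.get('csrf_token', '')
        # Constant-time comparison so a mismatch leaks nothing through
        # timing; comparing bytes sidesteps compare_digest's ASCII-only
        # rule for str.  Assumes generate_csrf_token() returns str (the
        # tests measure its len() as Base64 text) - confirm.
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        delete_category(category_id)
        flash('Category deleted')
        # sending user to list of categories after all he has done
        return redirect(url_for('category.categories_route'))

    # as polite people we will ask some confirmation first,
    # also we need it for CSRF check
    if request.method == 'GET':
        return render_template(
            'confirm.html',
            page={'title': 'Delete category'},
            user=user_info(),
            content={
                'csrf_token': csrf,
                'message': ('Do you really want delete category ' +
                            target_category.name + '?')
            })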
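def item_delete_route(item_id):
    """
    Route to delete item

    Unknown id -> 404.  Non-owner -> flash and redirect to the item page.
    GET renders a confirmation page carrying the CSRF token; POST checks
    the token (403 on mismatch or missing field), deletes the item and
    redirects to the category list.
    """
    import hmac

    target_item = get_item(item_id)

    # The 404 check must run before the owner check: dereferencing a
    # None item raised AttributeError (a 500) for unknown ids.
    if target_item is None:
        abort(404)

    # checking access rights
    if target_item.owner != user_info()['id']:
        flash('Only owner can delete item')
        return redirect(url_for('item.item_route', item_id=item_id))

    # some protection
    csrf = generate_csrf_token()

    if request.method == 'POST':
        # .get() so a form without the field is rejected as 403 below
        # instead of surfacing as a KeyError / 400.
        submitted = request.form.get('csrf_token', '')
        # Constant-time comparison so a mismatch leaks nothing through
        # timing; comparing bytes sidesteps compare_digest's ASCII-only
        # rule for str.  Assumes generate_csrf_token() returns str (the
        # tests measure its len() as Base64 text) - confirm.
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        delete_item(item_id)
        flash('Item deleted')
        # sending user to categories page for he has done
        return redirect(url_for('category.categories_route'))

    if request.method == 'GET':
        return render_template(
            'confirm.html',
            page={'title': 'Delete item'},
            user=user_info(),
            content={
                'csrf_token': csrf,
                'message': ('Do you really want delete item ' +
                            target_item.name + '?')
            })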
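def item_edit_route(item_id):
    """
    Route to edit item

    Unknown id -> 404.  Non-owner -> flash and redirect to the item page.
    GET renders the edit form with a CSRF token; POST checks the token
    (403 on mismatch or missing field), updates the item and redirects
    to the item page.
    """
    import hmac

    target_item = get_item(item_id)

    # The 404 check must run before the owner check: dereferencing a
    # None item raised AttributeError (a 500) for unknown ids.
    if target_item is None:
        abort(404)

    # checking access rights
    if target_item.owner != user_info()['id']:
        flash('Only owner can edit item')
        return redirect(url_for('item.item_route', item_id=item_id))

    # some protection
    csrf = generate_csrf_token()

    if request.method == 'POST':
        # .get() so a form without the field is rejected as 403 below
        # instead of surfacing as a KeyError / 400.
        submitted = request.form.get('csrf_token', '')
        # Constant-time comparison so a mismatch leaks nothing through
        # timing; comparing bytes sidesteps compare_digest's ASCII-only
        # rule for str.  Assumes generate_csrf_token() returns str (the
        # tests measure its len() as Base64 text) - confirm.
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        update_item(item_id)
        flash('Item updated')
        # sending user to item page after edit is done
        return redirect(url_for('item.item_route', item_id=item_id))

    if request.method == 'GET':
        return render_template('item_edit.html',
                               page={'title': 'Edit item'},
                               user=user_info(),
                               content={
                                   'is_edit': True,
                                   'csrf_token': csrf,
                                   'item': target_item
                               })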
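def category_edit_route(category_id):
    """
    Updating category info

    Unknown id -> 404.  Non-owner -> flash and redirect to the category
    list.  GET renders the edit form with a CSRF token; POST checks the
    token (403 on mismatch or missing field), updates the category and
    redirects to the category list.
    """
    import hmac

    target_category = get_category(category_id)

    # The 404 check must run before the owner check: dereferencing a
    # None category raised AttributeError (a 500) for unknown ids.
    if target_category is None:
        abort(404)

    # checking access rights
    if target_category.owner != user_info()['id']:
        flash('Only owner can edit category')
        return redirect(url_for('category.categories_route'))

    # adding some protection
    csrf = generate_csrf_token()

    if request.method == 'POST':
        # .get() so a form without the field is rejected as 403 below
        # instead of surfacing as a KeyError / 400.
        submitted = request.form.get('csrf_token', '')
        # Constant-time comparison so a mismatch leaks nothing through
        # timing; comparing bytes sidesteps compare_digest's ASCII-only
        # rule for str.  Assumes generate_csrf_token() returns str (the
        # tests measure its len() as Base64 text) - confirm.
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        update_category(category_id)
        flash('Category updated')
        return redirect(url_for('category.categories_route'))

    if request.method == 'GET':
        return render_template(
            'category_edit.html',
            # was 'Add category' (copy-paste from the add route); matches
            # the 'Edit item' title used by item_edit_route
            page={'title': 'Edit category'},
            user=user_info(),
            content={
                'is_edit':
                True,  # changing template appearance from add to edit
                'csrf_token': csrf,
                'category': target_category
            })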
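def category_add_route():
    """
    Add new category to data base

    GET renders the add form with a CSRF token for the template.  POST
    checks the submitted token (403 on mismatch or missing field), adds
    the category and redirects to the category list.
    """
    import hmac

    # adding some protection
    csrf = generate_csrf_token()

    if request.method == 'POST':
        # .get() so a form without the field is rejected as 403 below
        # instead of surfacing as a KeyError / 400.
        submitted = request.form.get('csrf_token', '')
        # Constant-time comparison so a mismatch leaks nothing through
        # timing; comparing bytes sidesteps compare_digest's ASCII-only
        # rule for str.  Assumes generate_csrf_token() returns str (the
        # tests measure its len() as Base64 text) - confirm.
        if not hmac.compare_digest(csrf.encode('utf-8'),
                                   submitted.encode('utf-8')):
            abort(403)
        add_category()
        flash('Category added')
        return redirect(url_for('category.categories_route'))

    if request.method == 'GET':
        return render_template('category_edit.html',
                               page={'title': 'Add category'},
                               user=user_info(),
                               content={
                                   'is_edit': False,
                                   'csrf_token': csrf
                               })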
def test_generate_csrf_token():
    """A freshly generated CSRF token is non-empty (truthy)."""
    generated = security.generate_csrf_token()
    assert bool(generated)
def new_csrf_token():
    """Create CSRF token for the session or return one (if already exists)."""
    key = '_csrf_token'
    try:
        # Reuse the token already bound to this session.
        return session[key]
    except KeyError:
        fresh = generate_csrf_token()
        session[key] = fresh
        return fresh