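def topic_create():
    """Flask view for creating a topic (GET shows the form, POST creates it).

    Only logged-in users may create a topic; anonymous visitors are redirected
    to the login page.  On POST the CSRF token submitted with the form must
    validate against the user's username before the Topic is created.

    Returns:
        A rendered template (GET), a redirect (anonymous user or successful
        POST), or a plain error string when the CSRF token does not validate.
    """
    # Identify the current user (the topic author) from the session cookie.
    session_token = request.cookies.get("session_token")
    # Refuse an absent cookie up front: filter_by(session_token=None) would
    # otherwise compare against NULL and could match a user row whose token
    # has been cleared, authenticating the request as that user.
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()

    # Only logged-in users can create a topic.
    if not user:
        return redirect(url_for('auth.login'))

    if request.method == "GET":
        # The token is rendered into the form and checked again on POST.
        csrf_token = create_csrf_token(user.username)
        return render_template("topic/topic_create.html", user=user, csrf_token=csrf_token)
    elif request.method == "POST":
        csrf = request.form.get("csrf")
        if not validate_csrf(csrf, user.username):
            return "CSRF token is not valid!"
        title = request.form.get("title")
        text = request.form.get("text")
        # Create and store the new Topic (Topic.create is defined elsewhere).
        topic = Topic.create(title=title, text=text, author=user)
        return redirect(url_for('topic.index'))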
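def comment_edit(comment_id):
    """Flask view for editing an existing comment (GET shows form, POST saves).

    Args:
        comment_id: The comment's primary key, taken from the URL.

    Returns:
        A rendered template (GET), a redirect (anonymous user or successful
        POST), a ("Comment not found", 404) response when the id is unknown,
        or a plain error string for non-authors and CSRF failures.
    """
    comment = db.query(Comment).get(int(comment_id))  # None when the id is unknown

    # Identify the current user from the session cookie.  An absent cookie is
    # rejected before querying: filter_by(session_token=None) would compare
    # against NULL and could match a user whose token has been cleared.
    session_token = request.cookies.get("session_token")
    if not session_token:
        return redirect(url_for('auth.login'))
    # Only verified users may edit (verified=True is part of the lookup).
    user = db.query(User).filter_by(session_token=session_token, verified=True).first()

    if not user:
        return redirect(url_for('auth.login'))
    if comment is None:
        # The original dereferenced comment.author here and raised AttributeError.
        return "Comment not found", 404
    # Ownership check: authors may only edit their own comments.
    if comment.author.id != user.id:
        return "You can only edit your own comments!"

    if request.method == "GET":
        csrf_token = create_csrf_token(username=user.username)
        return render_template("comment/comment_edit.html", comment=comment, csrf_token=csrf_token)
    elif request.method == "POST":
        text = request.form.get("text")
        csrf = request.form.get("csrf")
        # Nothing is written unless the CSRF token validates.
        if not validate_csrf(csrf, user.username):
            return "CSRF error: tokens don't match!"
        comment.text = text
        db.add(comment)
        db.commit()
        return redirect(url_for('topic.topic_details', topic_id=comment.topic.id))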
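def comment_create(topic_id):
    """Flask view that creates a comment on a topic from a POSTed form.

    Args:
        topic_id: The parent topic's primary key, taken from the URL.

    Returns:
        A redirect to the login page (anonymous user), a ("Topic not found",
        404) response when the id is unknown, a redirect to the topic page on
        success, or a plain error string when the CSRF token does not validate.
    """
    # Identify the comment author from the session cookie.  An absent cookie
    # is rejected before querying: filter_by(session_token=None) would compare
    # against NULL and could match a user whose token has been cleared.
    session_token = request.cookies.get("session_token")
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()
    if not user:
        return redirect(url_for('auth.login'))

    csrf = request.form.get("csrf")
    if not validate_csrf(csrf, user.username):
        return "CSRF Token is not valid"  # message typo ("ist") fixed

    text = request.form.get("text")
    topic = db.query(Topic).get(int(topic_id))
    if topic is None:
        # The original passed topic=None straight into Comment.create.
        return "Topic not found", 404
    comment = Comment.create(topic=topic, text=text, author=user)
    # NOTE(review): the redirect carries a fresh CSRF token in the query
    # string, where it lands in access logs and Referer headers; the target
    # view's signature does not take it, so consider dropping the kwarg.
    return redirect(
        url_for('topic.topic_details', topic_id=topic_id,
                csrf_token=create_csrf_token(user.username)))

# Handler comment_edit
# Handler comment_delete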
def topic_create():
    """Flask view for creating a topic (GET renders the form, POST submits it).

    Anonymous visitors are redirected to the login page.  On POST the CSRF
    token from the form must validate against the user's username before the
    Topic is created.

    Returns:
        A rendered template (GET), a redirect (anonymous user or successful
        POST), or a plain error string when the CSRF token does not validate.
    """
    user = user_from_session_token()  # helper defined elsewhere; None when not logged in

    # Only logged-in users can create a topic.
    # NOTE(review): the endpoint name 'auth/login' uses a slash where the
    # rest of the code base uses dotted endpoints ('auth.login'); confirm
    # it resolves with url_for.
    if user is None:
        return redirect(url_for('auth/login'))

    method = request.method
    if method == "GET":
        # Hand the token to the template so the form can send it back on POST.
        return render_template(
            "topics/topic_create.html",
            user=user,
            csrf_token=create_csrf_token(user.username))

    if method == "POST":
        submitted = request.form.get("csrf")  # token echoed back by the form
        if not validate_csrf(submitted, user.username):
            return "CSRF token is not valid"
        # Token matched: build the Topic from the form fields.
        Topic.create(
            title=request.form.get("title"),
            text=request.form.get("text"),
            author=user)
        return redirect(url_for('index'))
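def comment_create(topic_id):
    """Flask view that creates a comment on a topic from a POSTed form.

    Args:
        topic_id: The parent topic's primary key, taken from the URL.

    Returns:
        A redirect to the login page (anonymous user), a ("Topic not found",
        404) response when the id is unknown, a redirect to the topic page on
        success, or a plain error string when the CSRF token does not validate.
    """
    # Identify the comment author from the session cookie.  An absent cookie
    # is rejected before querying: filter_by(session_token=None) would compare
    # against NULL and could match a user whose token has been cleared.
    session_token = request.cookies.get("session_token")
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()
    if not user:
        return redirect(url_for('auth.login'))

    csrf = request.form.get("csrf")
    if not validate_csrf(csrf, user.username):
        return "CSRF Token is not valid"  # message typo ("ist") fixed

    text = request.form.get("text")
    topic = db.query(Topic).get(int(topic_id))
    if topic is None:
        # The original passed topic=None into Comment.create, which then
        # dereferences topic.author for the notification e-mail.
        return "Topic not found", 404
    comment = Comment.create(topic=topic, text=text, author=user)
    # NOTE(review): the redirect carries a fresh CSRF token in the query
    # string, where it lands in access logs and Referer headers; the target
    # view's signature does not take it, so consider dropping the kwarg.
    return redirect(url_for('topic.topic_details', topic_id=topic_id,
                            csrf_token=create_csrf_token(user.username)))


@classmethod
def create(cls, text, author, topic):
    """Create, persist and return a new comment, notifying the topic author.

    Args:
        text: The comment body.
        author: The User writing the comment.
        topic: The Topic being commented on.

    Returns:
        The newly committed comment instance.
    """
    comment = cls(text=text, author=author, topic=topic)
    db.add(comment)
    db.commit()
    # Only notify when the topic author has an e-mail address on record.
    # The title is interpolated into a plain-text body (send_email is defined
    # elsewhere; its escaping behaviour is not visible here).
    if topic.author.email_address:
        send_email(receiver_email=topic.author.email_address,
                   subject="New comment for your topic!",
                   text="Your topic {} has a new comment.".format(topic.title))
    return comment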
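def comment_create(topic_id):
    """Flask view that creates a comment on a topic from a POSTed form.

    Args:
        topic_id: The parent topic's primary key, taken from the URL.

    Returns:
        A redirect to the login page (anonymous user), a ("Topic not found",
        404) response when the id is unknown, a redirect to the topic page on
        success, or a plain error string when the CSRF token does not validate.
    """
    # Identify the comment author from the session cookie.  An absent cookie
    # is rejected before querying: filter_by(session_token=None) would compare
    # against NULL and could match a user whose token has been cleared.
    session_token = request.cookies.get("session_token")
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()

    # Only logged-in users can create a comment.
    if not user:
        return redirect(url_for('auth.login'))

    csrf = request.form.get("csrf")  # token echoed back by the form
    if not validate_csrf(csrf, user.username):
        return "CSRF token is not valid!"

    text = request.form.get("text")
    # Query the parent topic; guard the unknown-id case instead of handing
    # topic=None to Comment.create.
    topic = db.query(Topic).get(int(topic_id))
    if topic is None:
        return "Topic not found", 404
    comment = Comment.create(topic=topic, text=text, author=user)
    # NOTE(review): the redirect carries a fresh CSRF token in the query
    # string, where it lands in access logs and Referer headers; the target
    # view's signature does not take it, so consider dropping the kwarg.
    return redirect(
        url_for('topic.topic_details', topic_id=topic_id,
                csrf_token=create_csrf_token(user.username)))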
def test_topic_create(client_logged_in):
    """Exercise the create-topic view with a logged-in test client (GET, then POST)."""
    # Token for the fixture user "ramuta"; the POST must carry it to pass CSRF validation.
    token = create_csrf_token("ramuta")

    # The form page should render for a logged-in user.
    page = client_logged_in.get('/create-topic')
    assert b'Create a new topic' in page.data

    # Submitting the form creates the topic and redirects to the index, where
    # the new title is listed.
    form = {"csrf": token, "title": "My topic", "text": "Some text"}
    landing = client_logged_in.post('/create-topic', data=form, follow_redirects=True)
    assert b'My topic' in landing.data
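def topic_details(topic_id):
    """Flask view showing one topic together with its comments.

    The page is reachable without logging in; anonymous viewers get no CSRF
    token.

    Args:
        topic_id: The topic's primary key, taken from the URL.

    Returns:
        The rendered topic details template, or ("Topic not found", 404)
        when no topic has that id.
    """
    topic = db.query(Topic).get(int(topic_id))
    if topic is None:
        # Avoid rendering / querying against a missing row.
        return "Topic not found", 404

    # Current viewer, if any, from the session cookie.  An absent cookie is
    # treated as anonymous rather than queried as session_token IS NULL, which
    # could match a user whose token has been cleared.
    session_token = request.cookies.get("session_token")
    user = None
    if session_token:
        user = db.query(User).filter_by(session_token=session_token).first()

    comments = db.query(Comment).filter_by(topic=topic).all()
    # The original called create_csrf_token(user.username) unconditionally and
    # raised AttributeError for anonymous viewers.
    csrf_token = create_csrf_token(user.username) if user else None
    return render_template("topic/topic_details.html", topic=topic, user=user,
                           csrf_token=csrf_token, comments=comments)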
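def card_details(card_id):
    """Flask view showing one card and the machines associated with it.

    Args:
        card_id: The card's primary key, taken from the URL.

    Returns:
        The rendered card details template, or ("Card not found", 404) when
        no card has that id.
    """
    card = db.query(Card).get(int(card_id))
    if card is None:
        # Avoid dereferencing a missing row further down.
        return "Card not found", 404

    # Current viewer, if any, from the session cookie.  An absent cookie is
    # treated as anonymous rather than queried as session_token IS NULL.
    session_token = request.cookies.get("session_token")
    user = None
    if session_token:
        user = db.query(User).filter_by(session_token=session_token).first()

    # The original filtered on an undefined local `name` (NameError on every
    # request).  Matching on the card's own name is the most plausible reading
    # of the original comment ("link the machine and card tables") -- TODO
    # confirm against the Machine model; a foreign key to the card may be
    # what is intended.
    machine = db.query(Machine).filter_by(name=card.name).all()

    # Anonymous viewers get no CSRF token; the original raised AttributeError
    # on user.email_adresse for them.
    csrf_token = create_csrf_token(user.email_adresse) if user else None
    return render_template("card/card_details.html", card=card, user=user,
                           csrf_token=csrf_token, machine=machine)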
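def topic_details(topic_id):
    """Flask view showing one topic together with its comments.

    Args:
        topic_id: The topic's primary key, taken from the URL.

    Returns:
        The rendered topic details template, or ("Topic not found", 404)
        when no topic has that id.
    """
    topic = db.query(Topic).get(int(topic_id))
    if topic is None:
        return "Topic not found", 404

    # None for anonymous viewers (user_from_session_token is defined elsewhere).
    user = user_from_session_token()
    comments = db.query(Comment).filter_by(topic=topic).all()

    # START test background tasks (TODO: delete this code later)
    if os.getenv('REDIS_URL'):
        from task import get_random_num
        get_random_num()
    # END test background tasks

    # The original called create_csrf_token(user.username) unconditionally and
    # raised AttributeError for anonymous viewers.
    csrf_token = create_csrf_token(user.username) if user else None
    return render_template("topics/topic_details.html", topic=topic, user=user,
                           csrf_token=csrf_token, comments=comments)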
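def topic_details(topic_id):
    """Flask view showing one topic together with its comments.

    The page is reachable without logging in; anonymous viewers get no CSRF
    token.

    Args:
        topic_id: The topic's primary key, taken from the URL.

    Returns:
        The rendered topic details template, or ("Topic not found", 404)
        when no topic has that id.
    """
    topic = db.query(Topic).get(int(topic_id))
    if topic is None:
        return "Topic not found", 404

    # Current viewer, if any, from the session cookie.  An absent cookie is
    # treated as anonymous rather than queried as session_token IS NULL, which
    # could match a user whose token has been cleared.
    session_token = request.cookies.get("session_token")
    user = None
    if session_token:
        user = db.query(User).filter_by(session_token=session_token).first()

    # Comments belonging to this topic.
    comments = db.query(Comment).filter_by(topic=topic).all()

    # START test background tasks (TODO: delete this code later)
    if os.getenv('REDIS_URL'):
        from tasks import get_random_num
        get_random_num()
    # END test background tasks

    # The original called create_csrf_token(user.username) unconditionally and
    # raised AttributeError for anonymous viewers.
    csrf_token = create_csrf_token(user.username) if user else None
    return render_template("topic/topic_details.html", topic=topic, user=user,
                           csrf_token=csrf_token, comments=comments)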
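def card_create():
    """Flask view for creating a card (GET shows the form, POST creates it).

    Only logged-in users may create a card.  On POST the submitted CSRF token
    must validate against the user's e-mail address before the Card is created.

    Returns:
        A rendered template (GET), a redirect (anonymous user or successful
        POST), or a plain error string when the CSRF token does not validate.
    """
    # Identify the current user (the card author) from the session cookie.
    # An absent cookie is rejected before querying: filter_by(session_token=None)
    # would compare against NULL and could match a user whose token was cleared.
    session_token = request.cookies.get("session_token")
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()

    # Only logged-in users can create a card.
    if not user:
        return redirect(url_for('auth.login'))

    if request.method == "GET":
        csrf_token = create_csrf_token(user.email_adresse)
        return render_template("card/card_create.html", user=user, csrf_token=csrf_token)
    elif request.method == "POST":
        csrf = request.form.get("csrf")
        # The original print()ed the submitted CSRF token to stdout, which
        # copies a per-session secret into server logs and raised TypeError
        # when the field was missing (None); that debug line is dropped.
        if not validate_csrf(csrf, user.email_adresse):
            return "CSRF token is not valid"
        name = request.form.get("name")
        baujahr = request.form.get("baujahr")
        maschinennummer = request.form.get("maschinennummer")
        standort = request.form.get("standort")
        # Create and store the new Card (Card.create is defined elsewhere).
        card = Card.create(name=name, baujahr=baujahr, maschinennummer=maschinennummer,
                           standort=standort, author=user)
        return redirect(url_for('card.dashboard'))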