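def comment_create(topic_id):
    """Create a comment on topic ``topic_id`` for the logged-in user.

    The author is identified by the ``session_token`` cookie, the submitted
    form must carry a valid CSRF token, and the new comment is persisted via
    ``Comment.create`` before redirecting back to the topic page.

    Args:
        topic_id: Topic identifier taken from the URL; must parse as an int.

    Returns:
        A redirect to ``topic.topic_details`` on success, a redirect to
        ``auth.login`` when nobody is logged in, a ``400`` tuple when
        ``topic_id`` is not numeric, a ``404`` tuple when the topic does not
        exist, or an error string when the CSRF token does not validate.
    """
    session_token = request.cookies.get("session_token")
    # A missing cookie yields None, and filter_by(session_token=None) would
    # match any user row whose stored token is NULL (e.g. a logged-out
    # account) -- refuse before touching the database.
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()
    if not user:
        return redirect(url_for('auth.login'))

    csrf = request.form.get("csrf")
    if not validate_csrf(csrf, user.username):
        return "CSRF token is not valid"

    try:
        topic_pk = int(topic_id)
    except (TypeError, ValueError):
        return "Invalid topic id", 400
    topic = db.query(Topic).get(topic_pk)
    if topic is None:
        # Without this guard Comment.create would be handed topic=None.
        return "Topic not found", 404

    text = request.form.get("text")
    Comment.create(topic=topic, text=text, author=user)
    # NOTE(review): the fresh CSRF token travels in the redirect URL, where it
    # ends up in browser history and Referer headers; presumably topic_details
    # reads it from the query string, so it is kept -- confirm before moving it.
    return redirect(url_for('topic.topic_details', topic_id=topic_id,
                            csrf_token=create_csrf_token(user.username)))


# Handler comment_edit
# Handler comment_delete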
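def topic_create():
    """Show the topic-creation form (GET) or create a topic (POST).

    Only a logged-in user reaches either branch. The GET branch hands a
    CSRF token to the template; the POST branch accepts the form only when
    that token validates for the same user.

    Returns:
        GET: the rendered ``topic/topic_create.html`` template.
        POST: a redirect to ``topic.index`` on success, or an error string
        when the CSRF token does not validate.
        Other methods: a ``405`` tuple.
        No logged-in user: a redirect to ``auth.login``.
    """
    session_token = request.cookies.get("session_token")
    # A missing cookie yields None; filter_by(session_token=None) would match
    # any user whose stored token is NULL, so bail out before querying.
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()
    if not user:
        return redirect(url_for('auth.login'))

    if request.method == "GET":
        csrf_token = create_csrf_token(user.username)
        return render_template("topic/topic_create.html", user=user,
                               csrf_token=csrf_token)

    if request.method == "POST":
        csrf = request.form.get("csrf")
        if not validate_csrf(csrf, user.username):
            return "CSRF token is not valid!"
        title = request.form.get("title")
        text = request.form.get("text")
        Topic.create(title=title, text=text, author=user)
        return redirect(url_for('topic.index'))

    # Falling off the end would return None, which Flask turns into a 500.
    return "Method not allowed", 405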
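def comment_edit(comment_id):
    """Edit an existing comment; only its author may do so.

    GET renders the edit form with a fresh CSRF token, POST applies the new
    text once the submitted CSRF token validates.

    Args:
        comment_id: Comment identifier from the URL; must parse as an int.

    Returns:
        A redirect to ``auth.login`` when no verified user is logged in,
        a ``400`` tuple for a non-numeric id, a ``404`` tuple when the comment
        does not exist, an error string when the requester is not the author
        or the CSRF token fails, the rendered ``comment/comment_edit.html``
        template on GET, a redirect to the topic page on a successful POST,
        and a ``405`` tuple for any other method.
    """
    # Authenticate first so anonymous requests learn nothing about which
    # comment ids exist.
    session_token = request.cookies.get("session_token")
    # filter_by(session_token=None) would match rows with a NULL token.
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token,
                                    verified=True).first()
    if not user:
        return redirect(url_for('auth.login'))

    try:
        comment_pk = int(comment_id)
    except (TypeError, ValueError):
        return "Invalid comment id", 400
    comment = db.query(Comment).get(comment_pk)
    if comment is None:
        # Without this guard comment.author below raises AttributeError.
        return "Comment not found", 404

    # Authorisation: only the author may edit.
    if comment.author.id != user.id:
        return "You can only edit your own comments!"

    if request.method == "GET":
        csrf_token = create_csrf_token(username=user.username)
        return render_template("comment/comment_edit.html", comment=comment,
                               csrf_token=csrf_token)

    if request.method == "POST":
        csrf = request.form.get("csrf")
        if not validate_csrf(csrf, user.username):
            return "CSRF error: tokens don't match!"
        comment.text = request.form.get("text")
        db.add(comment)
        db.commit()
        return redirect(url_for('topic.topic_details',
                                topic_id=comment.topic.id))

    return "Method not allowed", 405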
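def comment_delete(comment_id):
    """Delete a comment; only its author may do so.

    The request must carry a valid CSRF token in the form, which also means
    a plain link (no form body) cannot trigger the deletion.

    Args:
        comment_id: Comment identifier from the URL; must parse as an int.

    Returns:
        A redirect to ``auth.login`` when no verified user is logged in,
        a ``400`` tuple for a non-numeric id, a ``404`` tuple when the comment
        does not exist, an error string when the requester is not the author
        or the CSRF token fails, otherwise a redirect to the comment's topic.
    """
    # Authenticate first so anonymous requests learn nothing about which
    # comment ids exist.
    session_token = request.cookies.get("session_token")
    # filter_by(session_token=None) would match rows with a NULL token.
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token,
                                    verified=True).first()
    if not user:
        return redirect(url_for('auth.login'))

    try:
        comment_pk = int(comment_id)
    except (TypeError, ValueError):
        return "Invalid comment id", 400
    comment = db.query(Comment).get(comment_pk)
    if comment is None:
        # Without this guard comment.author below raises AttributeError.
        return "Comment not found", 404

    # Authorisation: only the author may delete.
    if comment.author.id != user.id:
        return "You can only delete your own comments!"

    csrf = request.form.get("csrf")
    if not validate_csrf(csrf, user.username):
        return "CSRF error: tokens don't match!"

    # Remember the topic before the row is gone.
    topic_id = comment.topic.id
    db.delete(comment)
    db.commit()
    return redirect(url_for('topic.topic_details', topic_id=topic_id))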
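def topic_create():
    """Show the topic-creation form (GET) or create a topic (POST).

    The current user comes from ``user_from_session_token``; anonymous
    requests are sent to the login page. The POST branch is gated on the
    CSRF token issued to the template by the GET branch.

    Returns:
        GET: the rendered ``topics/topic_create.html`` template.
        POST: a redirect to ``index`` on success, or an error string when the
        CSRF token does not validate.
        Other methods: a ``405`` tuple.
        No logged-in user: a redirect to the login endpoint.
    """
    user = user_from_session_token()
    if not user:
        # NOTE(review): url_for() takes an endpoint name; the sibling handlers
        # use 'auth.login'. 'auth/login' only resolves if an endpoint is
        # literally registered under that name -- verify against the routes.
        return redirect(url_for('auth/login'))

    if request.method == "GET":
        csrf_token = create_csrf_token(user.username)
        # The template embeds the token in the form the POST branch checks.
        return render_template("topics/topic_create.html", user=user,
                               csrf_token=csrf_token)

    if request.method == "POST":
        csrf = request.form.get("csrf")
        if not validate_csrf(csrf, user.username):
            return "CSRF token is not valid"
        title = request.form.get("title")
        text = request.form.get("text")
        Topic.create(title=title, text=text, author=user)
        return redirect(url_for('index'))

    # Falling off the end would return None, which Flask turns into a 500.
    return "Method not allowed", 405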
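def comment_create(topic_id):
    """Create a comment on topic ``topic_id`` for the logged-in user.

    Identifies the author via the ``session_token`` cookie, requires a valid
    CSRF token in the form, persists the comment through ``Comment.create``
    and redirects back to the topic page.

    Args:
        topic_id: Topic identifier from the URL; must parse as an int.

    Returns:
        A redirect to ``topic.topic_details`` on success, a redirect to
        ``auth.login`` when nobody is logged in, a ``400`` tuple for a
        non-numeric id, a ``404`` tuple when the topic does not exist, or an
        error string when the CSRF token does not validate.
    """
    session_token = request.cookies.get("session_token")
    # A missing cookie yields None, and filter_by(session_token=None) would
    # match any user row whose stored token is NULL -- refuse early.
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()
    if not user:
        return redirect(url_for('auth.login'))

    csrf = request.form.get("csrf")
    if not validate_csrf(csrf, user.username):
        return "CSRF token is not valid"

    try:
        topic_pk = int(topic_id)
    except (TypeError, ValueError):
        return "Invalid topic id", 400
    topic = db.query(Topic).get(topic_pk)
    if topic is None:
        # Comment.create dereferences topic.author, so None must not reach it.
        return "Topic not found", 404

    text = request.form.get("text")
    Comment.create(topic=topic, text=text, author=user)
    # NOTE(review): the fresh CSRF token is carried in the redirect URL
    # (visible in history and Referer headers); presumably topic_details
    # expects it there, so it is kept -- confirm before moving it.
    return redirect(url_for('topic.topic_details', topic_id=topic_id,
                            csrf_token=create_csrf_token(user.username)))


# Model-side helper; in the original file this is a method of the Comment
# class (the class header is not part of this listing).
@classmethod
def create(cls, text, author, topic):
    """Persist a new comment and notify the topic author by e-mail.

    Args:
        text: Comment body as submitted by the author.
        author: The User writing the comment.
        topic: The Topic the comment belongs to; must not be None, since
            ``topic.author`` and ``topic.title`` are read below.

    Returns:
        The newly created, already committed comment instance.
    """
    comment = cls(text=text, author=author, topic=topic)
    db.add(comment)
    db.commit()
    # Only notify if the topic author has an e-mail address on file.
    # The comment is already committed at this point, so a failure inside
    # send_email leaves the comment saved but the author unnotified.
    if topic.author.email_address:
        send_email(receiver_email=topic.author.email_address,
                   subject="New comment for your topic!",
                   text="Your topic {} has a new comment.".format(topic.title))
    return comment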
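def comment_create(topic_id):
    """Create a comment on topic ``topic_id`` for the logged-in user.

    The comment author is resolved from the ``session_token`` cookie; the
    form must carry a valid CSRF token; the comment is stored via
    ``Comment.create`` and the user is redirected to the topic page.

    Args:
        topic_id: Topic identifier from the URL; must parse as an int.

    Returns:
        A redirect to ``topic.topic_details`` on success, a redirect to
        ``auth.login`` when nobody is logged in, a ``400`` tuple for a
        non-numeric id, a ``404`` tuple when the topic does not exist, or an
        error string when the CSRF token does not validate.
    """
    # get current user (comment author)
    session_token = request.cookies.get("session_token")
    # A missing cookie yields None; filter_by(session_token=None) would match
    # any user whose stored token is NULL, so refuse before querying.
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()
    # only logged in users can create a comment
    if not user:
        return redirect(url_for('auth.login'))

    csrf = request.form.get("csrf")  # csrf from HTML
    if not validate_csrf(csrf, user.username):
        return "CSRF token is not valid!"

    # query the topic object from the database
    try:
        topic_pk = int(topic_id)
    except (TypeError, ValueError):
        return "Invalid topic id", 400
    topic = db.query(Topic).get(topic_pk)
    if topic is None:
        # Without this guard Comment.create would be handed topic=None.
        return "Topic not found", 404

    text = request.form.get("text")
    # create a Comment object
    Comment.create(topic=topic, text=text, author=user)
    # NOTE(review): the fresh CSRF token rides in the redirect URL (history,
    # Referer); presumably topic_details reads it from the query string, so
    # it is kept -- confirm before moving it.
    return redirect(url_for('topic.topic_details', topic_id=topic_id,
                            csrf_token=create_csrf_token(user.username)))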
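def comment_create(topic_id):
    """Create a comment on topic ``topic_id`` for the logged-in user.

    Uses ``user_from_session_token`` to resolve the author, requires a valid
    CSRF token in the form, looks the topic up with ``Topic.read`` and stores
    the comment through ``Comment.create``.

    Args:
        topic_id: Topic identifier from the URL, passed to ``Topic.read``.

    Returns:
        A redirect to ``auth.login`` when nobody is logged in, an error
        string when the CSRF token does not validate, a ``404`` tuple when
        no topic is found, otherwise a redirect to ``topic.topic_details``.
    """
    user = user_from_session_token()
    if not user:
        return redirect(url_for('auth.login'))

    csrf = request.form.get("csrf")
    if not validate_csrf(csrf, user.username):
        return "CSRF token is not valid!"

    topic = Topic.read(topic_id)
    # Guard in case Topic.read signals "unknown id" with None rather than
    # raising -- Comment.create must not receive topic=None.
    if topic is None:
        return "Topic not found", 404

    text = request.form.get("text")
    Comment.create(topic=topic, text=text, author=user)
    return redirect(url_for('topic.topic_details', topic_id=topic_id))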
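def card_create():
    """Show the card-creation form (GET) or create a card (POST).

    Only a logged-in user reaches either branch. CSRF tokens here are bound
    to ``user.email_adresse`` (the User model's attribute name) rather than
    to a username.

    Returns:
        GET: the rendered ``card/card_create.html`` template.
        POST: a redirect to ``card.dashboard`` on success, or an error string
        when the CSRF token does not validate.
        Other methods: a ``405`` tuple.
        No logged-in user: a redirect to ``auth.login``.
    """
    # get current user (author)
    session_token = request.cookies.get("session_token")
    # A missing cookie yields None; filter_by(session_token=None) would match
    # any user whose stored token is NULL, so refuse before querying.
    if not session_token:
        return redirect(url_for('auth.login'))
    user = db.query(User).filter_by(session_token=session_token).first()
    # only logged in users can create a card
    if not user:
        return redirect(url_for('auth.login'))

    if request.method == "GET":
        csrf_token = create_csrf_token(user.email_adresse)
        return render_template("card/card_create.html", user=user,
                               csrf_token=csrf_token)

    if request.method == "POST":
        csrf = request.form.get("csrf")
        # The former debug print of the raw token was removed: it wrote a
        # secret into the server log and raised TypeError when the form had
        # no "csrf" field (str + None).
        if not validate_csrf(csrf, user.email_adresse):
            return "CSRF token is not valid"
        name = request.form.get("name")
        baujahr = request.form.get("baujahr")
        maschinennummer = request.form.get("maschinennummer")
        standort = request.form.get("standort")
        # create a Card object
        Card.create(name=name, baujahr=baujahr,
                    maschinennummer=maschinennummer, standort=standort,
                    author=user)
        return redirect(url_for('card.dashboard'))

    # Falling off the end would return None, which Flask turns into a 500.
    return "Method not allowed", 405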