示例#1
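def log_in():
    """Handle the login form: look the user up, compare the password, log in.

    Already-authenticated users are sent straight to ``index``.  On a valid
    submission the username is checked with ``db.valid_username`` and the
    stored password is compared with the submitted one; on success the user
    is logged in and redirected to the ``next`` query parameter (only when it
    is a local path) or to ``index``.  Every other outcome re-renders
    ``log_in.html`` with a flashed message.
    """
    if current_user.is_authenticated:
        return redirect(url_for('index'))
    form = LoginForm()
    if form.validate_on_submit():
        username = request.form.get('username')
        password = request.form.get('password')
        db.valid_username(username)
        username_count = db.fetch_one()
        if not username_count or not username_count[0]:
            flash('Login Unsuccessful. Username does not exist.', 'danger')
            return render_template('log_in.html', title='Login', form=form)

        db.get_password_from_username(username)
        check_password = db.fetch_one()
        # NOTE(review): the stored value is compared directly with the
        # submitted password, i.e. credentials appear to be kept in clear
        # text.  Hashing them would have to change create_user and this
        # comparison together, so it is only flagged here.
        if check_password is not None and password == check_password[0]:
            user = User()
            user.id = username
            login_user(user)
            flash('You have been logged in!', 'success')
            next_page = request.args.get('next')
            # Follow ``next`` only when it is a same-site path; an absolute
            # URL or a scheme-relative '//host' value would make this an
            # open redirect.
            if next_page and _is_local_path(next_page):
                return redirect(next_page)
            return redirect(url_for('index'))
        flash('Login Unsuccessful. Please check username and password',
              'danger')
    return render_template('log_in.html', title='Login', form=form)


def _is_local_path(target):
    """Return True when *target* is a path on this site, safe to redirect to.

    Accepts only values that start with a single '/', carry no scheme or
    network location, and contain no backslash (which some browsers treat
    like a forward slash).
    """
    from urllib.parse import urlparse
    if not target.startswith('/') or target.startswith('//') or '\\' in target:
        return False
    parsed = urlparse(target)
    return not parsed.scheme and not parsed.netloc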
示例#2
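def assign_employee_to_property():
    """Let a branch manager assign one of their employees to a property.

    Only users whose ``title`` is ``"Branch Manager"`` may use this view;
    everyone else gets a 404.  The employee and the property must both belong
    to the manager's own country (branch), otherwise the request is rejected
    with a flashed error.  Always renders ``assign_employee_to_property.html``.
    """
    # The authorization check lives outside the try block on purpose:
    # abort() raises an HTTPException, which ``except Exception`` below
    # would otherwise swallow and turn into a template render with ``form``
    # still unbound.
    if getattr(current_user, 'title', None) != "Branch Manager":
        abort(404)

    form = AssignEmployeeToProperty()
    if not form.validate_on_submit():
        return render_template('assign_employee_to_property.html', form=form)

    employee_username = request.form.get('employeeusername')
    property_name = request.form.get('propertyname')
    try:
        # Ensure the employee and the property are both from this branch
        # manager's branch (country).
        db.get_property_country(property_name)
        property_country = db.fetch_one()
        db.get_employee_country(employee_username)
        employee_country = db.fetch_one()

        if employee_country is None:
            raise Exception("This user is not an employee!")
        if property_country is None:
            raise Exception("This property is not part of your branch")

        if current_user.country != property_country[0]:
            raise Exception("This property is not part of your branch!")
        if current_user.country != employee_country[0]:
            raise Exception("This employee is not part of your branch!")

        db.assign_employee_to_property(employee_username, property_name)
        db.commit()
    except Exception as e:
        # Reset the connection so a failed statement does not poison the
        # next request; the message is shown to the user as before.
        db.close()
        db.new_connection()
        print(e)
        flash('Error: ' + str(e), 'danger')
        return render_template('assign_employee_to_property.html', form=form)

    flash(
        'Success! ' + employee_username +
        ' has been assigned to the property ' + property_name, 'success')
    return render_template('assign_employee_to_property.html', form=form)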
示例#3
def inject_stats():
    """Context-processor data: site-wide totals for the templates.

    Runs four count queries through ``db`` and returns them keyed as
    ``total_users``, ``total_properties``, ``total_completed_stays`` and
    ``total_countrys`` (the names the templates use).
    """
    stats = {}
    for key, run_query in (
        ('total_users', db.get_total_users),
        ('total_properties', db.get_total_properties),
        ('total_completed_stays', db.get_total_completed_stays),
        ('total_countrys', db.get_total_countrys),
    ):
        run_query()
        # Each query yields a single-column row holding the count.
        stats[key] = db.fetch_one()[0]
    return stats
示例#4
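def user_properties(username):
    """Render every property hosted by *username* with the host's picture.

    Each row from ``db.get_users_properties`` is turned into a dict keyed by
    ``property_columns`` (positionally, so the order must match the query).
    Responds 404 when ``db.get_picture`` yields no row for the username.
    """
    property_columns = [
        'propertyname', 'street_number', 'street_name', 'apt_number',
        'province', 'postal_code', 'rent_rate', 'type', 'max_guests',
        'number_beds', 'number_baths', 'accesible', 'pets_allowed', 'country',
        'hostusername', 'picture'
    ]
    db.get_users_properties(username)
    property_rows = db.fetch_all()
    # dict(zip(...)) pairs each column name with the value at the same index.
    properties = [dict(zip(property_columns, row)) for row in property_rows]

    db.get_picture(username)
    picture_row = db.fetch_one()
    if picture_row is None:
        # No picture row: treat as an unknown host rather than failing on
        # ``None[0]`` with a 500.
        abort(404)
    host_picture = picture_row[0]

    return render_template('user_properties.html',
                           properties=properties,
                           host_picture=host_picture,
                           username=username)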
示例#5
 def validate_employeeusername(self, employeeusername):
     """WTForms validator: the employee username must exist and have no spaces.

     Raises ``ValidationError`` when ``db.valid_username`` reports a zero
     count for the submitted value, or when the value contains a space.
     """
     value = employeeusername.data
     db.valid_username(value)
     count_row = db.fetch_one()
     if not count_row[0]:
         raise ValidationError("That employeeusername does not exist.")
     if " " in value:
         raise ValidationError("No whitespace in employeeusernames.")
示例#6
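def register():
    """Handle the registration form and create a new account.

    Authenticated users are redirected to ``index``.  On a valid submission
    the form fields are collected (optional ``middle_name`` / ``apt_number``
    fall back to the ``'NULL'`` / ``'NaN'`` sentinels when missing or empty),
    the country is checked with ``db.valid_country``, and ``db.create_user``
    is called and committed before the success message is flashed.  Any
    exception resets the database connection and is shown to the user as a
    flashed error on the re-rendered ``register.html``.
    """
    if current_user.is_authenticated:
        return redirect(url_for('index'))

    form = RegistrationForm()
    try:
        if form.validate_on_submit():
            account_details = _read_registration_form()
            db.valid_country(account_details['country'])
            country_count = db.fetch_one()
            if not country_count[0]:
                raise Exception(
                    'Sorry, we are not operating in that country yet!')
            # "-1" is the sentinel the country field submits when nothing
            # was chosen; the province must be filled in as well.
            if account_details['country'] == "-1" or not account_details['province']:
                raise Exception('Please enter a country or province')
            # NOTE(review): the password is passed on exactly as submitted
            # and log_in compares the stored value directly, so credentials
            # appear to be stored in clear text; hashing has to change both
            # create_user and the login comparison.
            db.create_user(
                account_details['first_name'], account_details['middle_name'],
                account_details['last_name'], account_details['username'],
                account_details['password'], account_details['street_number'],
                account_details['street_name'], account_details['apt_number'],
                account_details['postal_code'],
                account_details['date_of_birth'], account_details['country'],
                account_details['province'], account_details['email'],
                account_details['phone_number'])
            # Commit before announcing success so a failed commit is reported
            # as an error instead of a stale "Account created" message.
            db.commit()
            flash(f'Account created for {form.username.data}!', 'success')
            return redirect(url_for('index'))
    except Exception as e:
        db.close()
        db.new_connection()
        print(e)
        flash('Error: ' + str(e), 'danger')
        return render_template('register.html', title='Register', form=form)
    return render_template('register.html', title='Register', form=form)


def _read_registration_form():
    """Collect the registration fields from ``request.form`` into a dict.

    ``middle_name`` and ``apt_number`` are optional: a missing or empty value
    becomes the ``'NULL'`` / ``'NaN'`` sentinel that is passed on to
    ``db.create_user``.
    """
    details = {
        name: request.form.get(name)
        for name in (
            'first_name', 'last_name', 'username', 'password',
            'street_number', 'street_name', 'postal_code', 'date_of_birth',
            'country', 'province', 'email', 'phone_number',
        )
    }
    details['middle_name'] = (
        request.form.get('middle_name', default='NULL') or 'NULL')
    details['apt_number'] = (
        request.form.get('apt_number', default='NaN') or 'NaN')
    return details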
示例#7
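 def validate_branch_propertyname(self, propertyname):
     """WTForms validator: the property must exist and its name have no spaces.

     Raises ``ValidationError`` when ``db.valid_propertyname`` reports a zero
     count for the submitted name, or when the name contains a space.
     """
     name = propertyname.data
     db.valid_propertyname(name)
     propertyname_count = db.fetch_one()
     if not propertyname_count[0]:
         raise ValidationError(
             "That property does not exist, please choose another.")
     # The whitespace check must use the validator's own field argument
     # (``propertyname``); there is no ``property_name`` in this scope.
     if " " in name:
         raise ValidationError("No whitespace in property names.")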
示例#8
 def validate_username(self, username):
     """WTForms validator: the username must be unused and contain no spaces.

     Raises ``ValidationError`` when ``db.valid_username`` reports a non-zero
     count (the name is taken), or when the value contains a space.
     """
     value = username.data
     db.valid_username(value)
     taken = db.fetch_one()[0]
     if taken:
         raise ValidationError(
             "That username is taken. Please choose another username.")
     if " " in value:
         raise ValidationError("No whitespace in usernames.")
示例#9
 def validate_property_name(self, property_name):
     """WTForms validator: the property name must be unused and have no spaces.

     Raises ``ValidationError`` when ``db.valid_propertyname`` reports a
     non-zero count (the name is taken), or when the value contains a space.
     """
     value = property_name.data
     db.valid_propertyname(value)
     taken = db.fetch_one()[0]
     if taken:
         raise ValidationError(
             "That property name is taken. Please choose another propertyname."
         )
     if " " in value:
         raise ValidationError("No whitespace in property names.")
示例#10
	def analyze(self, callback):
		"""Report every distinct visitor IP whose requests match a shellshock pattern.

		For each entry of ``self.list_patterns`` the request table is searched
		with ``REGEXP(pattern.pattern, HEX(pattern.field))`` and each matching
		IP is passed to ``callback(ip, self.action, description)``.
		"""
		query = (
			"SELECT DISTINCT ip FROM %s JOIN %s WHERE %s.id = %s.visitor_id "
			"AND REGEXP(?, HEX(%s)) == 1"
		)
		for pattern in self.list_patterns:
			# Table names and the column name are formatted into the SQL text
			# (presumably module constants / pattern metadata — confirm they never
			# come from user input); the regex itself is bound as a parameter.
			db.query(query % (tbl_visitor, tbl_request, tbl_visitor, tbl_request, pattern.field), [pattern.pattern])
			row = db.fetch_one()
			while row:
				callback(row[0], self.action, "Shell_shock attack detected")
				row = db.fetch_one()
示例#11
	def analyze(self, callback):
		"""Report each visitor IP (grouped) whose requests match one of the patterns.

		For each entry of ``self.list_patterns`` the request table is searched
		with ``REGEXP(pattern.pattern, HEX(pattern.field))``; every matching IP
		is handed to ``callback(ip, self.action, pattern.description)``.
		"""
		query = (
			"SELECT ip, count(*) FROM %s JOIN %s WHERE %s.id = %s.visitor_id "
			"AND REGEXP(?, HEX(%s)) == 1 GROUP BY %s.ip"
		)
		for pattern in self.list_patterns:
			# Only identifiers are formatted into the SQL text (presumably module
			# constants / pattern metadata — confirm they never come from user
			# input); the regex is bound as a parameter.
			db.query(query % (tbl_visitor, tbl_request, tbl_visitor, tbl_request, pattern.field, tbl_visitor), [pattern.pattern])
			row = db.fetch_one()
			while row:
				callback(row[0], self.action, pattern.description)
				row = db.fetch_one()
示例#12
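def user_profile(username):
    """Render the public profile page of *username*; 404 when unknown.

    The single row from ``db.get_user`` is mapped onto ``user_columns``
    positionally, so the column order of that query must match the list.
    """
    user_columns = [
        'username', 'join_date', 'verified', 'about', 'languages', 'work',
        'profile_picture'
    ]
    db.get_user(username)
    user_row = db.fetch_one()
    if user_row is None:
        # abort() raises, so nothing after it runs.
        abort(404)

    user_map = dict(zip(user_columns, user_row))
    return render_template('user_profile.html', user_map=user_map)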
示例#13
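	def analyze(self, callback):
		"""Report visitors whose requests look like local-file-inclusion attempts.

		For each entry of ``self.list_patterns`` the request table is searched
		with ``REGEXP(pattern.pattern, HEX(pattern.field))`` and ``(ip, path)``
		rows are fetched.  For the directory-traversal pattern the offending
		path fragment is extracted for the description; any other pattern is
		reported as use of a php filter.  Each hit goes to
		``callback(ip, self.action, description)``.
		"""
		# Raw strings: the original literals relied on "\." not being a valid
		# escape, which newer Pythons warn about.
		traversal_pattern = r"\.\./"
		fragment_re = re.compile(r"[^&=]*\.\./[^&]*")
		query = (
			"SELECT ip, path FROM %s JOIN %s WHERE %s.id = %s.visitor_id "
			"AND REGEXP(?, HEX(%s)) == 1"
		)
		for pattern in self.list_patterns:
			# Identifiers are formatted into the SQL text (presumably module
			# constants / pattern metadata — confirm they never come from user
			# input); the regex is bound as a parameter.
			db.query(query % (tbl_visitor, tbl_request, tbl_visitor, tbl_request, pattern.field), [pattern.pattern])
			row = db.fetch_one()
			while row:
				if pattern.pattern == traversal_pattern:
					# re.search returns None when the decoded path holds no "../"
					# (e.g. the DB matched a different encoding); fall back to
					# the whole path instead of failing on ``None.group``.
					path = row[1] or ""
					match = fragment_re.search(path)
					lfi_file = match.group(0) if match else path
					description = "LFI attack detected: Trying to read '%s'" % lfi_file
				else:
					description = "LFI attack detected: Using php filter"
				callback(row[0], self.action, description)
				row = db.fetch_one()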
示例#14
	def analyze(self, callback):
		"""Default analyze method for ATTACK modules.

		It only searches each pattern in its field: for every entry of
		``self.list_patterns`` the request table is queried with
		``REGEXP(pattern.pattern, HEX(pattern.field))`` and each matching IP is
		passed to ``callback(ip, self.action, pattern.description)``.

		Modules should override this method when they need more.
		"""
		query = (
			"SELECT ip, count(*) FROM %s JOIN %s WHERE %s.id = %s.visitor_id "
			"AND REGEXP(?, HEX(%s)) == 1 GROUP BY %s.ip"
		)
		for pattern in self.list_patterns:
			# Only identifiers are formatted into the SQL text (presumably module
			# constants / pattern metadata — confirm they never come from user
			# input); the regex is bound as a parameter.
			db.query(query % (tbl_visitor, tbl_request, tbl_visitor, tbl_request, pattern.field, tbl_visitor), [pattern.pattern])
			row = db.fetch_one()
			while row:
				callback(row[0], self.action, pattern.description)
				row = db.fetch_one()
示例#15
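    def _init_filter(self):
        """Reset the filter widgets to span the whole log file.

        Reads MIN/MAX ``timestamp`` from the request table, seeds the
        start/stop date-time widgets with them (when present), pushes the
        same bounds through ``update_filter`` and clears the ip and path
        text filters.

        Raises:
            DBError: when the query or the fetch fails; the original
                exception is chained as the cause.
        """
        try:
            db.query("SELECT MIN(timestamp), MAX(timestamp) FROM %s;" % tbl_request)
            log_start_time, log_stop_time = db.fetch_one()
        except Exception as exc:
            # Chain the cause so the failure stays diagnosable; a bare
            # ``except:`` would also have swallowed KeyboardInterrupt.
            raise DBError from exc

        if log_start_time is not None:
            start_time = QtCore.QDateTime()
            start_time.setTime_t(log_start_time)
            self.filter_start_time.setDateTime(start_time)
        if log_stop_time is not None:
            stop_time = QtCore.QDateTime()
            stop_time.setTime_t(log_stop_time)
            self.filter_stop_time.setDateTime(stop_time)

        self.update_filter(start=log_start_time, stop=log_stop_time)

        self.filter_ip.setText("")
        self.filter_path.setText("")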
示例#16
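def index():
    """Render the home page: the homepage properties plus each host's picture.

    Each row from ``db.get_homepage_properties`` is mapped onto
    ``property_columns`` positionally (the query's column order must match);
    the host's picture is then looked up per property and attached under
    ``'profile_picture'``.
    """
    property_columns = [
        'propertyname', 'street_number', 'street_name', 'apt_number',
        'province', 'postal_code', 'rent_rate', 'type', 'max_guests',
        'number_beds', 'number_baths', 'accesible', 'pets_allowed', 'country',
        'hostusername', 'picture'
    ]
    db.get_homepage_properties()
    property_rows = db.fetch_all()
    # dict(zip(...)) pairs each column name with the value at the same index.
    properties = [dict(zip(property_columns, row)) for row in property_rows]

    # One picture lookup per property (N+1 queries, as before).
    for prop in properties:
        db.get_picture(prop['hostusername'])
        prop['profile_picture'] = db.fetch_one()[0]

    return render_template("homepage.html", properties=properties)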
示例#17
def user_loader(username):
    """Build the ``User`` object for *username* from the database.

    Returns ``None`` when ``db.valid_username`` reports no such user.
    Otherwise the person, users, admin and employee tables are read one field
    at a time (one query each) and copied onto the ``User`` as attributes.
    """
    db.valid_username(username)
    exists_row = db.fetch_one()
    user = User()
    if not exists_row[0]:
        return None

    user.id = username

    # person table: one query per column, in this order.
    # NOTE(review): this also copies the stored password onto the session
    # user object; nothing visible here needs it there.
    person_fields = (
        'first_name', 'middle_name', 'last_name', 'password',
        'street_number', 'street_name', 'apt_number', 'postal_code',
        'date_of_birth', 'country', 'province',
    )
    for field in person_fields:
        db.select_from_person(username, field)
        setattr(user, field, db.fetch_one()[0])
    db.select_from_person_email(username)
    user.email = db.fetch_all()
    db.select_from_person_phone(username)
    user.phone_number = db.fetch_all()

    # users table
    for attr, run_query in (
        ('join_date', db.get_join_date),
        ('verified', db.get_verified),
        ('about', db.get_about),
        ('languages', db.get_languages),
        ('work', db.get_work),
        ('picture', db.get_picture),
    ):
        run_query(username)
        setattr(user, attr, db.fetch_one()[0])

    # admin flag
    db.check_admin(username)
    user.admin = bool(db.fetch_one()[0])

    # employee flag, plus title and manager for employees only
    db.check_employee(username)
    user.employee = bool(db.fetch_one()[0])
    if user.employee:
        db.get_title(username)
        user.title = db.fetch_one()[0]
        db.get_manager(username)
        user.manager = db.fetch_one()[0]
    return user
示例#18
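def search():
    """Handle the property search form and render the matching properties.

    On a valid submission every search field is read from ``request.form``
    (with a sentinel default); unset fields are replaced by the column's own
    name and set ones are wrapped in single quotes before being handed to
    ``db.get_search_properties``.  Result rows are mapped onto
    ``property_columns`` positionally and each host's picture is attached
    under ``'profile_picture'``.  Any exception resets the connection and
    re-renders the search form with a flashed error.
    """
    property_columns = [
        'propertyname', 'street_number', 'street_name', 'apt_number',
        'province', 'postal_code', 'rent_rate', 'type', 'max_guests',
        'number_beds', 'number_baths', 'accesible', 'pets_allowed', 'country',
        'hostusername', 'propertyname'
    ] if False else [
        'propertyname', 'street_number', 'street_name', 'apt_number',
        'province', 'postal_code', 'rent_rate', 'type', 'max_guests',
        'number_beds', 'number_baths', 'accesible', 'pets_allowed', 'country',
        'hostusername', 'picture'
    ]
    form = SearchProperty()

    if form.validate_on_submit():
        try:
            # Field name -> default used when the field is absent.
            field_defaults = (
                ('hostusername', 'null'), ('propertyname', 'null'),
                ('rent_rate', '-1'), ('country', 'null'), ('province', 'null'),
                ('property_type', 'null'), ('max_guests', '-1'),
                ('number_beds', '-1'), ('number_baths', '-1'),
                ('accessible', 'null'), ('pets_allowed', 'null'),
            )
            property_details = {
                name: request.form.get(name, default=default)
                for name, default in field_defaults
            }
            property_details['property_type'] = property_details['property_type'].lower()

            # Unset filters become the column's own name (a condition that is
            # always true); set ones are wrapped in single quotes.
            # NOTE(review): this manual quoting strongly suggests that
            # db.get_search_properties (not visible here) splices the values
            # into the SQL text instead of binding them, so a value containing
            # a quote breaks or alters the query — a SQL injection risk. The
            # fix belongs in the db layer: bind the values as parameters and
            # build the "unset" conditions from a fixed whitelist of columns.
            for key, value in property_details.items():
                if value in ('null', '-1', 'None', ""):
                    property_details[key] = key
                else:
                    property_details[key] = "'" + str(value) + "'"

            db.get_search_properties(property_details['hostusername'],
                                     property_details['propertyname'],
                                     property_details['rent_rate'],
                                     property_details['country'],
                                     property_details['province'],
                                     property_details['property_type'],
                                     property_details['max_guests'],
                                     property_details['number_beds'],
                                     property_details['number_baths'],
                                     property_details['accessible'],
                                     property_details['pets_allowed'])
            property_rows = db.fetch_all()
            # dict(zip(...)) pairs each column name with the value at the same index.
            properties = [dict(zip(property_columns, row)) for row in property_rows]

            for prop in properties:
                db.get_picture(prop['hostusername'])
                prop['profile_picture'] = db.fetch_one()[0]

            flash('Successful search. Here are your results:', 'success')
            return render_template("search_results.html",
                                   properties=properties)

        except Exception as e:
            db.close()
            db.new_connection()
            print(e)
            flash('Opps, something went wrong. Try again.', 'danger')

    return render_template("search.html", form=form)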
示例#19
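def individual_property(propertyname):
    """Render one property's page and, on POST, check its availability.

    Responds 404 when ``db.get_property`` yields no row.  A POST carries
    ``start_date`` / ``end_date`` as ``M/D/YYYY`` strings; the range must be
    ordered and span at most 14 calendar days (end - start <= 13), and every
    day in it is checked with ``db.check_dates``.  Problems are reported to
    the user as flashed messages, never raised.
    """
    property_columns = [
        'propertyname', 'street_number', 'street_name', 'apt_number',
        'province', 'postal_code', 'rent_rate', 'type', 'max_guests',
        'number_beds', 'number_baths', 'accesible', 'pets_allowed', 'country',
        'hostusername', 'picture'
    ]
    db.get_property(propertyname)
    property_row = db.fetch_one()
    if property_row is None:
        # abort() raises, so nothing after it runs.
        abort(404)
    property_map = dict(zip(property_columns, property_row))

    db.get_picture(property_map['hostusername'])
    host_picture = db.fetch_one()[0]
    form = AvailableDates()
    if request.method == 'POST':
        try:
            start_raw = request.form.get('start_date')
            end_raw = request.form.get('end_date')
            if start_raw in (None, ""):
                raise Exception("Please choose a Start Date")
            if end_raw in (None, ""):
                raise Exception("Please choose an End Date")

            start_date = _parse_mdy(start_raw)
            end_date = _parse_mdy(end_raw)

            if start_date > end_date:
                raise Exception("Start date cannot be greater than end date!")

            span_days = (end_date - start_date).days
            if span_days > 13:
                raise Exception(
                    "You can only stay at one property for a maximum of 14 days!"
                )

            # Every calendar day of the stay, both ends inclusive.
            dates = [start_date + datetime.timedelta(days=offset)
                     for offset in range(span_days + 1)]
            taken_dates = db.check_dates(property_map['propertyname'], dates)

            if not taken_dates:
                flash('The property is available during those dates!',
                      'success')
            else:
                error_message = "".join(
                    date.strftime('%Y-%m-%d') + ", " for date in taken_dates)
                flash(
                    'Sorry, the property is not available on the following dates: '
                    + error_message, 'danger')

        except Exception as e:
            db.close()
            db.new_connection()
            flash('Error: ' + str(e), 'danger')

    return render_template('property.html',
                           property_map=property_map,
                           host_picture=host_picture,
                           form=form)


def _parse_mdy(value):
    """Parse a ``M/D/YYYY`` string into a ``datetime.date``.

    Raises ``ValueError`` on malformed input (wrong number of fields,
    non-numeric parts, or an impossible calendar date); the caller reports
    the message to the user.
    """
    month, day, year = (int(part) for part in str(value).split('/'))
    return datetime.date(year, month, day)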