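def _client_ip():
    """Return the client address used for the per-IP registration cooldown and ``last_ip``.

    A reverse proxy appends the address it saw to ``X-Forwarded-For``, so the
    *rightmost* entry is the one written by the nearest hop; everything to its
    left arrived from the client and is spoofable.  The previous code used the
    whole header verbatim, which let a client mint a fresh rate-limit key on
    every request simply by varying the header, and stored an unbounded string
    in ``last_ip``.  The result is capped at 45 characters, the longest textual
    IPv6 form (IPv4-mapped included).

    NOTE(review): if this app is ever served without a trusted proxy in front,
    the header is entirely attacker-controlled; in that deployment use
    werkzeug's ProxyFix (or plain ``request.remote_addr``) instead.
    """
    forwarded = request.headers.get("X-Forwarded-For")
    if forwarded:
        candidate = forwarded.rsplit(",", 1)[-1].strip()
        if candidate:
            return candidate[:45]
    return request.remote_addr


def register_post():
    """Handle the registration form: validate, create the user, log them in.

    Every failure redirects back to the referring page (or home) with a
    ``register_error`` query parameter naming the problem.  Success stores a
    30-day session in Redis, starts a 24h per-IP cooldown, sends the welcome
    mail and redirects to the referer (or home if the referer was the register
    page itself).

    NOTE(review): the cooldown is check-then-set (``exists`` here, ``setex``
    after commit), so two concurrent requests from one address can both
    register; tightening that to an atomic ``set(nx=True)`` would also consume
    the slot on failed attempts, which is a policy change left to the owner.
    """
    client_ip = _client_ip()
    if g.redis.exists("register:" + client_ip):
        return redirect(referer_or_home() + "?register_error=ip")

    username_raw = request.form["username"]
    password = request.form["password"]

    # Don't accept blank fields.
    if username_raw == "" or password == "":
        return redirect(referer_or_home() + "?register_error=blank")

    # Make sure the two passwords match.
    if password != request.form["password_again"]:
        return redirect(referer_or_home() + "?register_error=passwords_didnt_match")

    # Check email address against email_validator.
    # Truncate silently: the front end enforces the limit, so a longer value
    # only comes from a hand-crafted request.  Default to "" so a request that
    # omits the field gets the blank_email redirect instead of a 500 from
    # calling .strip() on None.
    email_address = request.form.get("email_address", "").strip()[:100]
    if not email_address:
        return redirect(referer_or_home() + "?register_error=blank_email")
    if email_validator.match(email_address) is None:
        return redirect(referer_or_home() + "?register_error=invalid_email")

    # Check username against username_validator (same truncation rationale).
    username = username_raw[:50]
    if username_validator.match(username) is None:
        return redirect(referer_or_home() + "?register_error=invalid_username")

    # Reject reserved names and names already taken.  All three checks are now
    # case-insensitive: the "guest_" prefix was previously compared
    # case-sensitively, so "Guest_x" slipped past it if username_validator
    # permits uppercase.  The existence test is "any rows" rather than
    # "exactly one row" so a pre-existing case collision in the table cannot
    # let yet another registration through.
    lowered = username.lower()
    if (
        lowered.startswith("guest_")
        or lowered in reserved_usernames
        or g.db.query(User.id).filter(func.lower(User.username) == lowered).first() is not None
    ):
        return redirect(referer_or_home() + "?register_error=username_taken")

    new_user = User(
        username=username,
        email_address=email_address,
        group="new",
        last_ip=client_ip,
    )
    new_user.set_password(password)
    g.db.add(new_user)
    g.db.flush()  # assigns the primary key
    user_id = new_user.id
    # Commit before handing out a session or sending mail, so a failed commit
    # (or a failure in send_email) cannot leave a Redis session pointing at a
    # user row that was never persisted.
    g.db.commit()

    # Log the new user in (30-day session) and start the 24h per-IP cooldown.
    g.redis.set("session:" + g.session_id, user_id, 2592000)
    g.redis.setex("register:" + client_ip, 86400, 1)
    g.user = new_user

    send_email("welcome", email_address)

    redirect_url = referer_or_home()
    # Don't bounce the freshly logged-in user back to the register page.
    if redirect_url == url_for("register", _external=True):
        return redirect(url_for("home"))
    return redirect(redirect_url)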
def validate_character_form(form): try: search_character_id = int(form["search_character_id"]) g.db.query(SearchCharacter).filter(SearchCharacter.id == search_character_id).one() except (KeyError, ValueError, NoResultFound): # id 1 always exists so fall back to that. search_character_id = 1 shortcut = form.get("shortcut", "").strip() if shortcut and not username_validator.match(shortcut): abort(400) # Don't allow a blank name. if form["name"] == "": abort(400) # Validate color. # <input type="color"> always prefixes with a #. color = form.get("color", "000000") if color and color[0] == "#": color = color[1:] if not color_validator.match(color): abort(400) # Validate case. case = form.get("case", "normal") if case not in case_options: abort(400) # XXX PUT LENGTH LIMIT ON REPLACEMENTS? # Zip replacements. replacements = list(zip( form.getlist("quirk_from"), form.getlist("quirk_to"), )) # Strip out any rows where from is blank or the same as to. replacements = [_ for _ in replacements if _[0] != "" and _[0] != _[1]] # And encode as JSON. json_replacements = json.dumps(replacements) # XXX PUT LENGTH LIMIT ON REGEXES? # Zip regexes. regexes = list(zip( form.getlist("regex_from"), form.getlist("regex_to"), )) # Strip out any rows where from is blank or the same as to. regexes = [_ for _ in regexes if _[0] != "" and _[0] != _[1]] # And encode as JSON. json_regexes = json.dumps(regexes) return { # There are length limits on the front end so silently truncate these. "title": form["title"][:50] if "title" in form else "", "search_character_id": search_character_id, "shortcut": shortcut if len(shortcut) != 0 else None, "name": form["name"][:50], "acronym": form["acronym"][:15], "color": color, "quirk_prefix": form.get("quirk_prefix", "")[:2000], "quirk_suffix": form.get("quirk_suffix", "")[:2000], "case": case, "replacements": json_replacements, "regexes": json_regexes, }