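def topic_create():
    """Show the new-topic form (GET) or create a topic from it (POST).

    The current user is resolved from the session token. Anonymous
    visitors are redirected to the login page for both methods. A POST is
    only accepted when its ``csrf`` form field validates for that user.

    Returns:
        Rendered ``topic/create.html`` (GET), a redirect (anonymous visitor
        or successful creation), or a plain error string when the CSRF
        token does not validate.
    """
    # get current user (author)
    user = user_from_session_token()

    # Only logged-in users may view the form or submit it. The check has to
    # precede the GET branch, which reads user.username to mint the CSRF
    # token; checking only in the POST branch left GET to fail on an
    # anonymous session.
    if not user:
        # NOTE(review): sibling views redirect to 'auth.login'; confirm
        # which endpoint name is registered for this app.
        return redirect(url_for('login'))

    if request.method == "GET":
        # create CSRF token bound to this user and embed it in the form
        csrf_token = set_csrf_token(username=user.username)
        return render_template("topic/create.html", csrf_token=csrf_token)

    if request.method == "POST":
        csrf = request.form.get("csrf")  # csrf from HTML
        # Reject the submission before any database write.
        if not is_valid_csrf(csrf=csrf, username=user.username):
            # NOTE(review): this is served with HTTP 200; a 403 status
            # would let clients and logs distinguish the rejection.
            return "CSRF token is not valid!"
        title = request.form.get("title")
        text = request.form.get("text")
        # create a Topic object
        Topic.create(title=title, text=text, author=user)
        return redirect(url_for('index'))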
def comment_edit(comment_id):
    """Edit a comment: GET renders the form, POST stores the new text.

    Only the comment's author, identified through the session token, may
    edit it. The POST path additionally requires a CSRF token that
    validates for that user.

    Args:
        comment_id: Identifier handed to ``Comment.get_comment``.

    Returns:
        The rendered edit form (GET), a redirect to the login page or to
        the parent topic's details page, or a plain error string when the
        caller is not the author or the CSRF token does not validate.
    """
    target = Comment.get_comment(comment_id)
    current_user = user_from_session_token()

    if not current_user:
        return redirect(url_for('auth.login'))
    # Ownership check: the session user's id must match the author's id.
    # NOTE(review): if get_comment can return None for an unknown id this
    # attribute access raises AttributeError — confirm its contract.
    if target.author.id != current_user.id:
        return "You can only edit your own comments!"

    method = request.method
    if method == "GET":
        token = set_csrf_token(username=current_user.username)
        return render_template(
            "comment/comment_edit.html", comment=target, csrf_token=token
        )
    if method == "POST":
        form = request.form
        new_text = form.get("text")
        submitted_token = form.get("csrf")
        if not is_valid_csrf(submitted_token, current_user.username):
            return "CSRF error: tokens don't match!"
        target.text = new_text
        db.add(target)
        db.commit()
        return redirect(
            url_for('topic.topic_details', topic_id=target.topic.id)
        )
def comment_create(topic_id):
    """Create a comment on a topic from the submitted form.

    Requires a logged-in user (from the session token) and a ``csrf`` form
    field that validates for that user; the comment body comes from the
    ``text`` form field.

    Args:
        topic_id: Identifier handed to ``Topic.read`` and used for the
            redirect afterwards.

    Returns:
        A redirect to the login page (anonymous caller) or to the topic's
        details page (success), or a plain error string when the CSRF token
        does not validate.
    """
    author = user_from_session_token()
    if not author:
        return redirect(url_for('auth.login'))

    submitted_token = request.form.get("csrf")
    if not is_valid_csrf(submitted_token, author.username):
        return "CSRF token is not valid!"

    body = request.form.get("text")
    parent_topic = Topic.read(topic_id)
    Comment.create(topic=parent_topic, text=body, author=author)
    return redirect(url_for('topic.topic_details', topic_id=topic_id))
def comment_create(topic_id):
    """Handle the comment form for a topic and redirect back to it.

    The session user becomes the comment's author. The request is rejected
    with a redirect when no user is logged in, and with an error string
    when the ``csrf`` form field does not validate for that user.

    Args:
        topic_id: Identifier of the topic being commented on.

    Returns:
        A redirect or a plain error string, as described above.
    """
    # only logged in users can create a comment
    current_user = user_from_session_token()
    if not current_user:
        return redirect(url_for('auth.login'))

    form = request.form
    if not is_valid_csrf(form.get("csrf"), current_user.username):
        return "CSRF token is not valid!"

    # query the topic object from the database, then create the Comment
    # object attached to it
    comment_text = form.get("text")
    topic = Topic.read(topic_id)
    Comment.create(topic=topic, text=comment_text, author=current_user)

    return redirect(url_for('topic.topic_details', topic_id=topic_id))
def comment_delete(comment_id):
    """Delete a comment owned by the session user.

    The caller must be logged in and be the comment's author, and the
    ``csrf`` form field must validate for that user before the row is
    removed.

    Args:
        comment_id: Identifier handed to ``Comment.get_comment``.

    Returns:
        A redirect to the login page or to the parent topic's details page,
        or a plain error string when the caller is not the author or the
        CSRF token does not validate.
    """
    target = Comment.get_comment(comment_id)
    actor = user_from_session_token()

    if not actor:
        return redirect(url_for('auth.login'))
    # NOTE(review): if get_comment can return None for an unknown id this
    # attribute access raises AttributeError — confirm its contract.
    if target.author.id != actor.id:
        return "You can only delete your own comments!"

    submitted_token = request.form.get("csrf")
    if not is_valid_csrf(submitted_token, actor.username):
        return "CSRF error: tokens don't match!"

    # Remember the parent topic before the comment row is gone.
    parent_topic_id = target.topic.id
    db.delete(target)
    db.commit()
    return redirect(url_for('topic.topic_details', topic_id=parent_topic_id))
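def topic_create():
    """Render the new-topic form on GET; create the topic on POST.

    The user is taken from the session token and must be present for both
    methods; anonymous visitors are redirected to the login page. A POST
    is accepted only when its ``csrf`` form field validates for that user.

    Returns:
        Rendered ``topic/create.html`` (GET), a redirect (anonymous visitor
        or successful creation), or a plain error string when the CSRF
        token does not validate. Other methods fall through and return
        ``None``, as before.
    """
    user = user_from_session_token()

    # The login check must run before the GET branch: that branch reads
    # user.username to mint the CSRF token, so guarding only the POST
    # branch left an anonymous GET to raise AttributeError.
    if not user:
        # NOTE(review): sibling views redirect to 'auth.login'; confirm
        # which endpoint name is registered for this app.
        return redirect(url_for('login'))

    method = request.method

    if method == "GET":
        # A fresh token bound to this user is embedded in the form.
        csrf_token = set_csrf_token(username=user.username)
        return render_template("topic/create.html", csrf_token=csrf_token)

    if method == "POST":
        form = request.form
        # Validate the token before reading the rest of the submission or
        # touching the database.
        if not is_valid_csrf(csrf=form.get("csrf"), username=user.username):
            # NOTE(review): served with HTTP 200; a 403 status would make
            # the rejection visible to clients and logs.
            return "CSRF token is not valid!"
        Topic.create(title=form.get("title"), text=form.get("text"), author=user)
        return redirect(url_for('index'))

    return None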