def topic_create():
# get current user (author)
user = user_from_session_token()
if request.method == "GET":
csrf_token = set_csrf_token(
username=user.username) # create CSRF token
return render_template("topic/create.html", csrf_token=csrf_token)
elif request.method == "POST":
title = request.form.get("title")
text = request.form.get("text")
csrf = request.form.get("csrf") # csrf from HTML
# only logged in users can create a topic
if not user:
return redirect(url_for('login'))
if not is_valid_csrf(csrf=csrf, username=user.username):
return "CSRF token is not valid!"
# create a Topic object
Topic.create(title=title, text=text, author=user)
return redirect(url_for('index'))
def comment_edit(comment_id):
comment = Comment.get_comment(comment_id)
user = user_from_session_token()
if not user:
return redirect(url_for('auth.login'))
elif comment.author.id != user.id:
return "You can only edit your own comments!"
if request.method == "GET":
csrf_token = set_csrf_token(username=user.username)
return render_template("comment/comment_edit.html",
comment=comment,
csrf_token=csrf_token)
elif request.method == "POST":
text = request.form.get("text")
csrf = request.form.get("csrf")
if is_valid_csrf(csrf, user.username):
comment.text = text
db.add(comment)
db.commit()
return redirect(
url_for('topic.topic_details', topic_id=comment.topic.id))
else:
return "CSRF error: tokens don't match!"
def comment_create(topic_id):
user = user_from_session_token()
if not user:
return redirect(url_for('auth.login'))
csrf = request.form.get("csrf")
if not is_valid_csrf(csrf, user.username):
return "CSRF token is not valid!"
text = request.form.get("text")
topic = Topic.read(topic_id)
Comment.create(topic=topic, text=text, author=user)
return redirect(url_for('topic.topic_details', topic_id=topic_id))
def comment_create(topic_id):
user = user_from_session_token()
# only logged in users can create a comment
if not user:
return redirect(url_for('auth.login'))
csrf = request.form.get("csrf")
if not is_valid_csrf(csrf, user.username):
return "CSRF token is not valid!"
text = request.form.get("text")
# query the topic object from the database
topic = Topic.read(topic_id)
# create a Comment object
Comment.create(topic=topic, text=text, author=user)
return redirect(url_for('topic.topic_details', topic_id=topic_id))
def comment_delete(comment_id):
comment = Comment.get_comment(comment_id)
user = user_from_session_token()
if not user:
return redirect(url_for('auth.login'))
elif comment.author.id != user.id:
return "You can only delete your own comments!"
csrf = request.form.get("csrf")
if is_valid_csrf(csrf, user.username):
topic_id = comment.topic.id
db.delete(comment)
db.commit()
return redirect(url_for('topic.topic_details', topic_id=topic_id))
else:
return "CSRF error: tokens don't match!"
def topic_create():
user = user_from_session_token()
if request.method == "GET":
csrf_token = set_csrf_token(username=user.username)
return render_template("topic/create.html", csrf_token=csrf_token)
elif request.method == "POST":
title = request.form.get("title")
text = request.form.get("text")
csrf = request.form.get("csrf")
if not user:
return redirect(url_for('login'))
if not is_valid_csrf(csrf=csrf, username=user.username):
return "CSRF token is not valid!"
Topic.create(title=title, text=text, author=user)
return redirect(url_for('index'))