Fix: admin functions were accessible for regular users

2015-10-13 18:07:17 +02:00 · 2015-10-13 18:07:17 +02:00 · 6b4ddbe946
commit 6b4ddbe946
parent 0f7c129495
3 changed files with 80 additions and 29 deletions
--- a/cps/templates/register.html
+++ b/cps/templates/register.html
@ -3,17 +3,17 @@
 <div class="well col-sm-6 col-sm-offset-2">
  <h2 style="margin-top: 0">Register a new account</h2>
  <form method="POST" role="form">
-    <div class="form-group">
+    <div class="form-group required">
      <label for="nickname">Username</label>
-      <input type="text" class="form-control" id="nickname" name="nickname" placeholder="Choose a username">
+      <input type="text" class="form-control" id="nickname" name="nickname" placeholder="Choose a username" required>
    </div>
-    <div class="form-group">
+    <div class="form-group required">
      <label for="password">Password</label>
-      <input type="password" class="form-control" id="password" name="password" placeholder="Choose a password">
+      <input type="password" class="form-control" id="password" name="password" placeholder="Choose a password" required>
    </div>
-    <div class="form-group">
+    <div class="form-group required">
      <label for="email">Email address</label>
-      <input type="email" class="form-control" id="email" name="email" placeholder="Your email address">
+      <input type="email" class="form-control" id="email" name="email" placeholder="Your email address" required>
    </div>
    <button type="submit" class="btn btn-primary">Register</button>
  </form>
--- a/cps/templates/user_edit.html
+++ b/cps/templates/user_edit.html
@ -3,27 +3,31 @@
 <div class="discover">
  <h1>{{title}}</h1>
  <form role="form" method="POST">
+    {% if g.user and g.user.role and new_user %}
+    <div class="form-group required">
+      <label for="nickname">Username</label>
+      <input type="text" class="form-control" name="nickname" id="nickname" value="{{ content.nickname if content.nickname != None }}">
+    </div>
+    {% endif %}
    <div class="form-group">
-      <label for="email">e-mail</label>
-      <input type="email" class="form-control" name="email" id="email" value="{{ content.email if content.email != None }}"> 
+      <label for="email">Email address</label>
+      <input type="email" class="form-control" name="email" id="email" value="{{ content.email if content.email != None }}" required> 
    </div>
    <div class="form-group">
-      <label for="password">password</label>
+      <label for="password">Password</label>
      <input type="password" class="form-control" name="password" id="password" value="">
    </div>
    <div class="form-group">
      <label for="kindle_mail">Kindle E-Mail</label>
      <input type="text" class="form-control" name="kindle_mail" id="kindle_mail" value="{{ content.kindle_mail if content.kindle_mail != None }}">
    </div>
-    {% if g.user and g.user.role %}
+    {% if g.user and g.user.role and not profile %}
    <div class="form-group">
-      <label for="user_role">Admin user? 0 or 1</label>
-      <input type="text" class="form-control" name="user_role" id="user_role" value="{{ content.role if content.role != None }}">
-    </div>
-    <div class="form-group">
-      <label for="nickname">nickname</label>
-      <input type="text" class="form-control" name="nickname" id="nickname" value="{{ content.nickname if content.nickname != None }}">
+      <label for="user_role">Admin user</label>
+      <input type="checkbox" name="admin_user" id="admin_user" {% if content.role %}checked{% endif %}>
    </div>
+    {% endif %}
+    {% if g.user and g.user.role and not profile and not new_user %}
    <div class="checkbox">
      <label>
        <input type="checkbox" name="delete"> Delete this user
--- a/cps/web.py
+++ b/cps/web.py
@ -7,11 +7,13 @@ from flask import Flask, render_template, session, request, redirect, url_for, s
 from cps import db, config, ub, helper
 import os
 from sqlalchemy.sql.expression import func
+from sqlalchemy.exc import IntegrityError
 from math import ceil
 from flask.ext.login import LoginManager, login_user, logout_user, login_required, current_user
 from flask.ext.principal import Principal, Identity, AnonymousIdentity, identity_changed
 import requests, zipfile
 from werkzeug.security import generate_password_hash, check_password_hash
+from functools import wraps

 app = (Flask(__name__))

@ -82,6 +84,17 @@ def url_for_other_page(page):

 app.jinja_env.globals['url_for_other_page'] = url_for_other_page

+def admin_required(f):
+    """
+    Checks if current_user.role == 1
+    """
+    @wraps(f)
+    def inner(*args, **kwargs):
+        if int(current_user.role) == 1:
+            return f(*args, **kwargs)
+        abort(403)
+    return inner
+
@app.before_request
 def before_request():
    g.user = current_user
@ -236,7 +249,8 @@ def series(name):

@app.route("/admin/")
 def admin():
-    return "Admin ONLY!"
+    #return "Admin ONLY!"
+    abort(403)


@app.route("/search", methods=["GET"])
@ -462,13 +476,20 @@ def profile():
            content.password = generate_password_hash(to_save["password"])
        if to_save["kindle_mail"] and to_save["kindle_mail"] != content.kindle_mail:
            content.kindle_mail = to_save["kindle_mail"]
-        if to_save["user_role"]:
-            content.role = int(to_save["user_role"])
-        ub.session.commit()
-    return render_template("user_edit.html", content=content, downloads=downloads, title="%s's profile" % current_user.nickname)
+        if to_save["email"] and to_save["email"] != content.email:
+            content.email = to_save["email"]
+        try:
+            ub.session.commit()
+        except IntegrityError:
+            ub.session.rollback()
+            flash("Found an existing account for this email address.", category="error")
+            return render_template("user_edit.html", content=content, downloads=downloads, title="%s's profile" % current_user.nickname)
+        flash("Profile updated", category="success")
+    return render_template("user_edit.html", profile=1, content=content, downloads=downloads, title="%s's profile" % current_user.nickname)

@app.route("/admin/user")
@login_required
+@admin_required
 def user_list():
    content = ub.session.query(ub.User).all()
    settings = ub.session.query(ub.Settings).first()
@ -476,24 +497,34 @@ def user_list():

@app.route("/admin/user/new", methods = ["GET", "POST"])
@login_required
+@admin_required
 def new_user():
    content = ub.User()
    if request.method == "POST":
        to_save = request.form.to_dict()
+        if not to_save["nickname"] or not to_save["email"] or not to_save["password"]:
+            flash("Please fill out all fields!", category="error")
+            return render_template("user_edit.html", new_user=1, content=content, title="Add new user")
        content.password = generate_password_hash(to_save["password"])
        content.nickname = to_save["nickname"]
        content.email = to_save["email"]
-        content.role = int(to_save["user_role"])
+        if "admin_user" in to_save:
+            content.role = 1
+        else:
+            content.role = 0
        try:
            ub.session.add(content)
            ub.session.commit()
-            flash("User created", category="success")
-        except (e):
-            flash(e, category="error")
-    return render_template("user_edit.html", content=content, title="User list")
+            flash("User '%s' created" % content.nickname, category="success")
+            return redirect(url_for('user_list'))
+        except IntegrityError:
+            ub.session.rollback()
+            flash("Found an existing account for this email address or nickname.", category="error")
+    return render_template("user_edit.html", new_user=1, content=content, title="Add new user")

@app.route("/admin/user/mailsettings", methods = ["GET", "POST"])
@login_required
+@admin_required
 def edit_mailsettings():
    content = ub.session.query(ub.Settings).first()
    if request.method == "POST":
@ -512,6 +543,7 @@ def edit_mailsettings():

@app.route("/admin/user/<int:user_id>", methods = ["GET", "POST"])
@login_required
+@admin_required
 def edit_user(user_id):
    content = ub.session.query(ub.User).filter(ub.User.id == int(user_id)).first()
    downloads = list()
@ -521,15 +553,30 @@ def edit_user(user_id):
        to_save = request.form.to_dict()
        if "delete" in to_save:
            ub.session.delete(content)
+            flash("User '%s' deleted" % content.nickname, category="success")
            return redirect(url_for('user_list'))
        else:
-            if "password" in to_save:
+            if to_save["password"]:
                content.password == generate_password_hash(to_save["password"])
-        ub.session.commit()
-    return render_template("user_edit.html", content=content, downloads=downloads, title="Edit User %s" % current_user.nickname)
+            if "admin_user" in to_save and content.role != 1:
+                content.role = 1
+            elif not "admin_user" in to_save and content.role == 1:
+                content.role = 0
+            if to_save["email"] and to_save["email"] != content.email:
+                content.email = to_save["email"]
+            if to_save["kindle_mail"] and to_save["kindle_mail"] != content.kindle_mail:
+                content.kindle_mail = to_save["kindle_mail"]
+        try:
+            ub.session.commit()
+            flash("User '%s' updated" % content.nickname, category="success")
+        except IntegrityError:
+            ub.session.rollback()
+            flash("An unknown error occured.", category="error")
+    return render_template("user_edit.html", new_user=0, content=content, downloads=downloads, title="Edit User %s" % content.nickname)

@app.route("/admin/book/<int:book_id>", methods=['GET', 'POST'])
@login_required
+@admin_required
 def edit_book(book_id):
    ## create the function for sorting...
    db.session.connection().connection.connection.create_function("title_sort",1,db.title_sort)