NunoSempere/calibre-web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Migrated some routes to POST

Browse Source 
- delete shelf, import ldap users
- delete_kobo token, kobo force full sync
- shutdown, reconnect, shutdown
This commit is contained in:
Ozzieisaacs 2021-12-25 10:09:11 +01:00
parent ec73558b03
commit 785726deee
7 changed files with 43 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cps/admin.py
View File

@ -129,11 +129,11 @@ def admin_forbidden():
abort(403) abort(403)
@admi.route("/shutdown") @admi.route("/shutdown", methods=["POST"])
@login_required @login_required
@admin_required @admin_required
def shutdown(): def shutdown():
task = int(request.args.get("parameter").strip()) task = request.get_json().get('parameter', -1)
showtext = {} showtext = {}
if task in (0, 1): # valid commandos received if task in (0, 1): # valid commandos received
# close all database connections # close all database connections
@ -906,7 +906,7 @@ def list_restriction(res_type, user_id):
response.headers["Content-Type"] = "application/json; charset=utf-8" response.headers["Content-Type"] = "application/json; charset=utf-8"
return response return response
@admi.route("/ajax/fullsync") @admi.route("/ajax/fullsync", methods=["POST"])
@login_required @login_required
def ajax_fullsync(): def ajax_fullsync():
count = ub.session.query(ub.KoboSyncedBooks).filter(current_user.id == ub.KoboSyncedBooks.user_id).delete() count = ub.session.query(ub.KoboSyncedBooks).filter(current_user.id == ub.KoboSyncedBooks.user_id).delete()
@ -1626,7 +1626,7 @@ def edit_user(user_id):
page="edituser") page="edituser")
@admi.route("/admin/resetpassword/<int:user_id>") @admi.route("/admin/resetpassword/<int:user_id>", methods=["POST"])
@login_required @login_required
@admin_required @admin_required
def reset_user_password(user_id): def reset_user_password(user_id):
@ -1802,7 +1802,7 @@ def ldap_import_create_user(user, user_data):
return 0, message return 0, message
@admi.route('/import_ldap_users') @admi.route('/import_ldap_users', methods=["POST"])
@login_required @login_required
@admin_required @admin_required
def import_ldap_users(): def import_ldap_users():

17
cps/editbooks.py
View File

@ -26,6 +26,8 @@ import json
from shutil import copyfile from shutil import copyfile
from uuid import uuid4 from uuid import uuid4
from markupsafe import escape from markupsafe import escape
from functools import wraps
try: try:
from lxml.html.clean import clean_html from lxml.html.clean import clean_html
except ImportError: except ImportError:
@ -51,13 +53,6 @@ from .tasks.upload import TaskUpload
from .render_template import render_title_template from .render_template import render_title_template
from .usermanagement import login_required_if_no_ano from .usermanagement import login_required_if_no_ano
try:
from functools import wraps
except ImportError:
pass # We're not using Python 3
editbook = Blueprint('editbook', __name__) editbook = Blueprint('editbook', __name__)
log = logger.create() log = logger.create()
@ -237,14 +232,14 @@ def modify_identifiers(input_identifiers, db_identifiers, db_session):
changed = True changed = True
return changed, error return changed, error
@editbook.route("/ajax/delete/<int:book_id>") @editbook.route("/ajax/delete/<int:book_id>", methods=["POST"])
@login_required @login_required
def delete_book_from_details(book_id): def delete_book_from_details(book_id):
return Response(delete_book_from_table(book_id, "", True), mimetype='application/json') return Response(delete_book_from_table(book_id, "", True), mimetype='application/json')
@editbook.route("/delete/<int:book_id>", defaults={'book_format': ""}) @editbook.route("/delete/<int:book_id>", defaults={'book_format': ""}, methods=["POST"])
@editbook.route("/delete/<int:book_id>/<string:book_format>") @editbook.route("/delete/<int:book_id>/<string:book_format>", methods=["POST"])
@login_required @login_required
def delete_book_ajax(book_id, book_format): def delete_book_ajax(book_id, book_format):
return delete_book_from_table(book_id, book_format, False) return delete_book_from_table(book_id, book_format, False)
@ -1014,7 +1009,7 @@ def move_coverfile(meta, db_book):
category="error") category="error")
@editbook.route("/upload", methods=["GET", "POST"]) @editbook.route("/upload", methods=["POST"])
@login_required_if_no_ano @login_required_if_no_ano
@upload_required @upload_required
def upload(): def upload():

8
cps/kobo_auth.py
View File

@ -62,6 +62,7 @@ particular calls to non-Kobo specific endpoints such as the CalibreWeb book down
from binascii import hexlify from binascii import hexlify
from datetime import datetime from datetime import datetime
from os import urandom from os import urandom
from functools import wraps
from flask import g, Blueprint, url_for, abort, request from flask import g, Blueprint, url_for, abort, request
from flask_login import login_user, current_user, login_required from flask_login import login_user, current_user, login_required
@ -70,11 +71,6 @@ from flask_babel import gettext as _
from . import logger, config, calibre_db, db, helper, ub, lm from . import logger, config, calibre_db, db, helper, ub, lm
from .render_template import render_title_template from .render_template import render_title_template
try:
from functools import wraps
except ImportError:
pass # We're not using Python 3
log = logger.create() log = logger.create()
@ -167,7 +163,7 @@ def generate_auth_token(user_id):
) )
@kobo_auth.route("/deleteauthtoken/<int:user_id>") @kobo_auth.route("/deleteauthtoken/<int:user_id>", methods=["POST"])
@login_required @login_required
def delete_auth_token(user_id): def delete_auth_token(user_id):
# Invalidate any prevously generated Kobo Auth token for this user. # Invalidate any prevously generated Kobo Auth token for this user.

9
cps/shelf.py
View File

@ -56,7 +56,7 @@ def check_shelf_view_permissions(cur_shelf):
return True return True
@shelf.route("/shelf/add/<int:shelf_id>/<int:book_id>") @shelf.route("/shelf/add/<int:shelf_id>/<int:book_id>", methods=["POST"])
@login_required @login_required
def add_to_shelf(shelf_id, book_id): def add_to_shelf(shelf_id, book_id):
xhr = request.headers.get('X-Requested-With') == 'XMLHttpRequest' xhr = request.headers.get('X-Requested-With') == 'XMLHttpRequest'
@ -112,7 +112,7 @@ def add_to_shelf(shelf_id, book_id):
return "", 204 return "", 204
@shelf.route("/shelf/massadd/<int:shelf_id>") @shelf.route("/shelf/massadd/<int:shelf_id>", methods=["POST"])
@login_required @login_required
def search_to_shelf(shelf_id): def search_to_shelf(shelf_id):
shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
@ -164,7 +164,7 @@ def search_to_shelf(shelf_id):
return redirect(url_for('web.index')) return redirect(url_for('web.index'))
@shelf.route("/shelf/remove/<int:shelf_id>/<int:book_id>") @shelf.route("/shelf/remove/<int:shelf_id>/<int:book_id>", methods=["POST"])
@login_required @login_required
def remove_from_shelf(shelf_id, book_id): def remove_from_shelf(shelf_id, book_id):
xhr = request.headers.get('X-Requested-With') == 'XMLHttpRequest' xhr = request.headers.get('X-Requested-With') == 'XMLHttpRequest'
@ -323,12 +323,13 @@ def delete_shelf_helper(cur_shelf):
ub.session_commit("successfully deleted Shelf {}".format(cur_shelf.name)) ub.session_commit("successfully deleted Shelf {}".format(cur_shelf.name))
@shelf.route("/shelf/delete/<int:shelf_id>") @shelf.route("/shelf/delete/<int:shelf_id>", methods=["POST"])
@login_required @login_required
def delete_shelf(shelf_id): def delete_shelf(shelf_id):
cur_shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() cur_shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
try: try:
delete_shelf_helper(cur_shelf) delete_shelf_helper(cur_shelf)
flash(_("Shelf successfully deleted"), category="success")
except InvalidRequestError: except InvalidRequestError:
ub.session.rollback() ub.session.rollback()
log.error("Settings DB is not Writeable") log.error("Settings DB is not Writeable")

27
cps/static/js/main.js
View File

@ -179,7 +179,7 @@ $("#delete_confirm").click(function() {
if (ajaxResponse) { if (ajaxResponse) {
path = getPath() + "/ajax/delete/" + deleteId; path = getPath() + "/ajax/delete/" + deleteId;
$.ajax({ $.ajax({
method:"get", method:"post",
url: path, url: path,
timeout: 900, timeout: 900,
success:function(data) { success:function(data) {
@ -376,9 +376,11 @@ $(function() {
$("#restart").click(function() { $("#restart").click(function() {
$.ajax({ $.ajax({
method:"post",
contentType: "application/json; charset=utf-8",
dataType: "json", dataType: "json",
url: window.location.pathname + "/../../shutdown", url: getPath() + "/shutdown",
data: {"parameter":0}, data: JSON.stringify({"parameter":0}),
success: function success() { success: function success() {
$("#spinner").show(); $("#spinner").show();
setTimeout(restartTimer, 3000); setTimeout(restartTimer, 3000);
@ -387,9 +389,11 @@ $(function() {
}); });
$("#shutdown").click(function() { $("#shutdown").click(function() {
$.ajax({ $.ajax({
method:"post",
contentType: "application/json; charset=utf-8",
dataType: "json", dataType: "json",
url: window.location.pathname + "/../../shutdown", url: getPath() + "/shutdown",
data: {"parameter":1}, data: JSON.stringify({"parameter":1}),
success: function success(data) { success: function success(data) {
return alert(data.text); return alert(data.text);
} }
@ -447,9 +451,11 @@ $(function() {
$("#DialogContent").html(""); $("#DialogContent").html("");
$("#spinner2").show(); $("#spinner2").show();
$.ajax({ $.ajax({
method:"post",
contentType: "application/json; charset=utf-8",
dataType: "json", dataType: "json",
url: getPath() + "/shutdown", url: getPath() + "/shutdown",
data: {"parameter":2}, data: JSON.stringify({"parameter":2}),
success: function success(data) { success: function success(data) {
$("#spinner2").hide(); $("#spinner2").hide();
$("#DialogContent").html(data.text); $("#DialogContent").html(data.text);
@ -527,7 +533,7 @@ $(function() {
$(this).data('value'), $(this).data('value'),
function (value) { function (value) {
$.ajax({ $.ajax({
method: "get", method: "post",
url: getPath() + "/kobo_auth/deleteauthtoken/" + value, url: getPath() + "/kobo_auth/deleteauthtoken/" + value,
}); });
$("#config_delete_kobo_token").hide(); $("#config_delete_kobo_token").hide();
@ -574,7 +580,7 @@ $(function() {
function(value){ function(value){
path = getPath() + "/ajax/fullsync" path = getPath() + "/ajax/fullsync"
$.ajax({ $.ajax({
method:"get", method:"post",
url: path, url: path,
timeout: 900, timeout: 900,
success:function(data) { success:function(data) {
@ -685,7 +691,7 @@ $(function() {
"GeneralDeleteModal", "GeneralDeleteModal",
$(this).data('value'), $(this).data('value'),
function(value){ function(value){
window.location.href = window.location.pathname + "/../../shelf/delete/" + value $("#delete_shelf").closest("form").submit()
} }
); );
@ -734,7 +740,8 @@ $(function() {
$("#DialogContent").html(""); $("#DialogContent").html("");
$("#spinner2").show(); $("#spinner2").show();
$.ajax({ $.ajax({
method:"get", method:"post",
contentType: "application/json; charset=utf-8",
dataType: "json", dataType: "json",
url: getPath() + "/import_ldap_users", url: getPath() + "/import_ldap_users",
success: function success(data) { success: function success(data) {

22
cps/templates/shelf.html
View File

@ -2,14 +2,16 @@
{% block body %} {% block body %}
<div class="discover"> <div class="discover">
<h2>{{title}}</h2> <h2>{{title}}</h2>
<form action="{{url_for('shelf.delete_shelf', shelf_id=shelf.id)}}" method="post">
{% if g.user.role_download() %} {% if g.user.role_download() %}
<a id="shelf_down" href="{{ url_for('shelf.show_simpleshelf', shelf_id=shelf.id) }}" class="btn btn-primary">{{ _('Download') }} </a> <a id="shelf_down" href="{{ url_for('shelf.show_simpleshelf', shelf_id=shelf.id) }}" class="btn btn-primary">{{ _('Download') }} </a>
{% endif %} {% endif %}
{% if g.user.is_authenticated %} {% if g.user.is_authenticated %}
{% if (g.user.role_edit_shelfs() and shelf.is_public ) or not shelf.is_public %} {% if (g.user.role_edit_shelfs() and shelf.is_public ) or not shelf.is_public %}
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"> <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="btn btn-danger" id="delete_shelf" data-value="{{ shelf.id }}">{{ _('Delete this Shelf') }}</div> <div class="btn btn-danger" id="delete_shelf" data-value="{{ shelf.id }}">{{ _('Delete this Shelf') }}</div>
<a id="edit_shelf" href="{{ url_for('shelf.edit_shelf', shelf_id=shelf.id) }}" class="btn btn-primary">{{ _('Edit Shelf Properties') }} </a> <a id="edit_shelf" href="{{ url_for('shelf.edit_shelf', shelf_id=shelf.id) }}" class="btn btn-primary">{{ _('Edit Shelf Properties') }} </a>
</form>
{% if entries.__len__() %} {% if entries.__len__() %}
<a id="order_shelf" href="{{ url_for('shelf.order_shelf', shelf_id=shelf.id) }}" class="btn btn-primary">{{ _('Arrange books manually') }} </a> <a id="order_shelf" href="{{ url_for('shelf.order_shelf', shelf_id=shelf.id) }}" class="btn btn-primary">{{ _('Arrange books manually') }} </a>
<button id="toggle_order_shelf" type="button" data-alt-text="{{ _('Disable Change order') }}" class="btn btn-primary">{{ _('Enable Change order') }}</button> <button id="toggle_order_shelf" type="button" data-alt-text="{{ _('Disable Change order') }}" class="btn btn-primary">{{ _('Enable Change order') }}</button>
@ -84,22 +86,6 @@
{% endfor %} {% endfor %}
</div> </div>
</div> </div>
<!--div id="DeleteShelfDialog" class="modal fade" role="dialog">
<div class="modal-dialog modal-sm">
<div class="modal-content">
<div class="modal-header bg-danger text-center">
<span>{{_('Are you sure you want to delete this shelf?')}}</span>
</div>
<div class="modal-body text-center">
<span>{{_('Shelf will be deleted for all users')}}</span>
<p></p>
<a id="confirm" href="{{ url_for('shelf.delete_shelf', shelf_id=shelf.id) }}" class="btn btn-danger">{{_('OK')}}</a>
<button type="button" class="btn btn-default" data-dismiss="modal">{{_('Cancel')}}</button>
</div>
</div>
</div>
</div-->
{% endblock %} {% endblock %}
{% block modal %} {% block modal %}
{{ delete_confirm_modal() }} {{ delete_confirm_modal() }}

5
cps/web.py
View File

@ -1055,7 +1055,8 @@ def get_tasks_status():
return render_title_template('tasks.html', entries=answer, title=_(u"Tasks"), page="tasks") return render_title_template('tasks.html', entries=answer, title=_(u"Tasks"), page="tasks")
@app.route("/reconnect") # method is available without login and not protected by CSRF to make it easy reachable
@app.route("/reconnect", methods=['GET'])
def reconnect(): def reconnect():
calibre_db.reconnect_db(config, ub.app_DB_path) calibre_db.reconnect_db(config, ub.app_DB_path)
return json.dumps({}) return json.dumps({})
@ -1435,7 +1436,7 @@ def download_link(book_id, book_format, anyname):
return get_download_link(book_id, book_format, client) return get_download_link(book_id, book_format, client)
@web.route('/send/<int:book_id>/<book_format>/<int:convert>') @web.route('/send/<int:book_id>/<book_format>/<int:convert>', methods=["POST"])
@login_required @login_required
@download_required @download_required
def send_to_kindle(book_id, book_format, convert): def send_to_kindle(book_id, book_format, convert):