diasporadiaries

a platform for writing stories with personal accounts and messages

commit c6d2a2f9c38a9ae3fe4a55711fc5cd6b2da59902
parent 209e719c8e922f9d333c76fa1e4e5ea84622b7eb
Author: parazyd <parazyd@dyne.org>
Date:   Tue, 22 Jan 2019 17:15:48 +0100

Add some wishful security and lint.

Diffstat:
Mdiaspora.py | 71++++++++++++++++++++++++++++++++++++++---------------------------------
Mutils.py | 10+++++++---
2 files changed, 45 insertions(+), 36 deletions(-)

diff --git a/diaspora.py b/diaspora.py
@@ -97,7 +97,7 @@ def login():
 User login route.
 """
 if request.method == 'POST':
- if request.form['42']:
+ if request.form.get('42'):
 return render_template('fail.html', msg='You robot!')
 username = request.form['username']
@@ -126,6 +126,9 @@ def login():
 @app.route('/changepass', methods=['GET', 'POST'])
 @login_required
 def changepass():
+ """
+ Route for changing passwords.
+ """
 user = find_user_by_email(current_user.username)
 if request.method != 'POST':
@@ -135,11 +138,11 @@ def changepass():
 return render_template('fail.html', msg='You robot!')
 old_in_db = user['password']
- old_in_pg = request.form['oldpassword']
- new_in_pg = request.form['newpassword']
+ old_in_pg = request.form.get('oldpassword')
+ new_in_pg = request.form.get('newpassword')
 if not old_in_pg or not new_in_pg:
 return render_template('fail.html',
- 'Please input both old and new passwords!')
+ msg='Please input both old and new passwords!')
 old_hashed = hashpw(old_in_pg.encode(), old_in_db)
 if old_hashed == old_in_db:
@@ -184,9 +187,9 @@ def sendmsg():
 """
 Route for sending a single message.
 """
- send_message(request.form['Id'], request.form['Message'],
- request.form['Us'])
- return redirect('/messages?from=%s' % request.form['Id'])
+ send_message(request.form.get('Id'), request.form.get('Message'),
+ request.form.get('Us'))
+ return redirect('/messages?from=%s' % request.form.get('Id'))
 @app.route('/write', methods=['GET', 'POST'])
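Review bot: In the changepass hunk the password check that follows the new `.get()` lines still recomputes the hash and compares it with `==` (`old_hashed = hashpw(old_in_pg.encode(), old_in_db)` / `if old_hashed == old_in_db:`), a plain non-constant-time comparison of secret material. The bcrypt package already provides the right primitive: `if checkpw(old_in_pg.encode(), old_in_db):` replaces both lines (it needs `checkpw` added to the existing `from bcrypt import ...` line). The commit does not touch that comparison, so this is a follow-up rather than a regression; changepass's body continues outside the hunk, and whether `old_in_db` comes back from the database as bytes, which both hashpw and checkpw require, cannot be confirmed from here.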
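Review bot: In the sendmsg hunk the last added line still %-formats `request.form.get('Id')` straight into the redirect URL, so a missing field now produces `/messages?from=None` and any other value lands in the query string unescaped; combined with the new early return in `send_message` (utils.py hunk, `if not id_to or not msg or not id_us: return`), a dropped message is reported to the user as a successful redirect. I'd reject the missing field up front, `if not request.form.get('Id'): return render_template('fail.html', msg='Missing recipient id')`, and build the target with flask's `url_for` or `urllib.parse.urlencode` so the value is percent-encoded. sendmsg's decorator and route start above the hunk.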
@@ -197,18 +200,18 @@ def write():
 if request.method != 'POST':
 return render_template('write.html')
- if request.form['42']:
+ if request.form.get('42'):
 return render_template('fail.html', msg='Are you a robot?')
 delkey = randomstring(32)
 storyargs = [
 None,
- request.form['Name'],
- request.form['Embark'],
- request.form['Disembark'],
- request.form['Email'],
- request.form['City'],
- request.form['Story'],
+ request.form.get('Name', 'Anonymous writer'),
+ request.form.get('Embark', 'nn'),
+ request.form.get('Disembark', 'nn'),
+ request.form.get('Email'),
+ request.form.get('City'),
+ request.form.get('Story', 'foobar'),
 int(time()),
 0,
 delkey,
@@ -218,10 +221,12 @@ def write():
 sql_insert(storyargs)
 new_account = False
- if request.form['Email']:
- new_account = make_profile(request.form['Name'], request.form['Email'])
+ if request.form.get('Email'):
+ new_account = make_profile(request.form.get('Name', 'Anonymous user'),
+ request.form.get('Email'))
- return render_template('success_write.html', delkey=delkey, new=new_account)
+ return render_template('success_write.html', delkey=delkey,
+ new=new_account)
 @app.route('/edit', methods=['GET', 'POST'])
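Review bot: The fallbacks on the new `.get()` lines in the first write() hunk only apply when a field is absent from the form, not when it is submitted empty, so an empty `Name` is still stored as `''` while a missing one becomes `'Anonymous writer'`; the second hunk then passes `'Anonymous user'` to `make_profile` for the same missing field, so the story row and the profile end up with different names. Placeholders such as `'foobar'` for `Story` also mean a malformed submission silently inserts a dummy story instead of being rejected. I'd read the required fields once, reject when any is empty, and reuse the same value in both places, e.g. `name = request.form.get('Name', '').strip() or 'Anonymous writer'` followed by `make_profile(name, request.form.get('Email'))`. write()'s body continues before and after both hunks.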
@@ -240,15 +245,16 @@ def edit():
 return render_template('fail.html', msg='No story with this story id.')
 vals = [
- ('name', request.form['Name']),
- ('embark', request.form['Embark']),
- ('disembark', request.form['Disembark']),
- ('email', request.form['Email']),
- ('city', request.form['City']),
- ('story', request.form['Story']),
- ('abstract', request.form['Abstract']),
+ ('name', request.form.get('Name', 'Anonymous user')),
+ ('embark', request.form.get('Embark', 'nn')),
+ ('disembark', request.form('Disembark', 'nn')),
+ ('email', request.form.get('Email')),
+ ('city', request.form.get('City')),
+ ('story', request.form.get('Story', 'foo')),
+ ('abstract', request.form.get('Abstract', 'foo')),
 ]
- sql_update_row_where(vals, 'id', request.form['Id'])
+ if request.form.get('Id'):
+ sql_update_row_where(vals, 'id', request.form.get('Id'))
 return render_template('success.html', msg='Story redacted!')
@@ -393,17 +399,16 @@ def users():
 if request.method == 'POST':
 vals = []
- if request.form['password']:
+ if request.form.get('password'):
 vals.append(('password',
- hashpw(request.form['password'].encode(),
+ hashpw(request.form.get('password').encode(),
 gensalt())))
- if request.form['cap']:
- vals.append(('cap', request.form['cap']))
-
- if vals:
- sql_update_row_where(vals, 'id', request.form['id'], table='users')
+ if request.form.get('cap'):
+ vals.append(('cap', request.form.get('cap')))
- print(vals)
+ if vals and request.form.get('id'):
+ sql_update_row_where(vals, 'id', request.form.get('id'),
+ table='users')
 if request.args.get('delid'):
 delete_user(request.args.get('delid'))
diff --git a/utils.py b/utils.py
@@ -28,8 +28,7 @@ from time import gmtime, strftime, time
 from bcrypt import gensalt, hashpw
 from flask import Markup
-from db import (sql_select_col_where, sql_insert, sql_delete_row_where,
- sql_select_col)
+from db import (sql_select_col_where, sql_insert, sql_delete_row_where)
 COUNTRYMAP = {}
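Review bot: The added `('disembark', request.form('Disembark', 'nn')),` line in the edit() hunk calls `request.form` itself instead of `request.form.get`, so every POST to /edit raises TypeError (a 500) before the update runs; it should read `('disembark', request.form.get('Disembark', 'nn')),`. Separately, the new `if request.form.get('Id'):` guard skips the update when `Id` is missing but the route still renders `'Story redacted!'`, reporting success for an edit that never happened; returning the fail template in that branch would be more honest. The users() hunk below has the same silent-success shape after `if vals and request.form.get('id'):`, and edit()'s body starts above the hunk.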
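Review bot: In the users() hunk the trailing context lines call `delete_user(request.args.get('delid'))` from a query-string parameter; the indentation is lost in this rendering, but if that sits outside the POST branch, a user deletion is triggered by a plain GET, which any link or embedded resource can cause a logged-in admin's browser to issue. Moving the deletion under the POST branch and reading `delid` from `request.form` (with the form's anti-automation token, as the other routes do) would close that. The commit does not change these lines, so this is a follow-up; users() continues outside the hunk.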
@@ -225,7 +224,7 @@ def make_profile(name, email):
 Helper function to generate and insert a profile into the database.
 """
 if sql_select_col_where('email', 'email', email, table='users'):
- return
+ return None
 plain_pw = randomstring(24)
@@ -316,6 +315,8 @@ def send_message(id_to, msg, id_us):
 """
 Function for sending/recieving a message.
 """
+ if not id_to or not msg or not id_us:
+ return
 ours = find_user_by_id(id_us)
 if not ours:
 return
@@ -359,6 +360,9 @@ def send_message(id_to, msg, id_us):
 def delete_user(user_id):
+ """
+ Deletes a user and their messages directory.
+ """
 user = find_user_by_id(user_id)
 rmtree(join('messages', user['email']), ignore_errors=True)
 sql_delete_row_where('id', user_id, table='users')
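Review bot: In the delete_user hunk the line after the new docstring indexes `user['email']` straight off `find_user_by_id(user_id)`, while `send_message` in the previous hunk guards the same call with `if not ours: return`; if the lookup can return None, an unknown or already-deleted id (which users() now passes through unchecked from `delid`) raises TypeError before the row is removed. The `rmtree` path is also assembled from the stored email, a value the write() route accepts from the form without validation, so I'd add `if not user: return` after the lookup and either sanity-check that the email contains no path separators or key the messages directory on the numeric id instead. The docstring could then also state that an unknown id is ignored.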