1
0
mirror of https://github.com/janeczku/calibre-web synced 2024-11-28 04:19:59 +00:00

Fix: admin functions were accessible for regular users

This commit is contained in:
Jan Broer 2015-10-13 18:07:17 +02:00
parent 0f7c129495
commit 6b4ddbe946
3 changed files with 80 additions and 29 deletions

View File

@ -3,17 +3,17 @@
<div class="well col-sm-6 col-sm-offset-2">
<h2 style="margin-top: 0">Register a new account</h2>
<form method="POST" role="form">
<div class="form-group">
<div class="form-group required">
<label for="nickname">Username</label>
<input type="text" class="form-control" id="nickname" name="nickname" placeholder="Choose a username">
<input type="text" class="form-control" id="nickname" name="nickname" placeholder="Choose a username" required>
</div>
<div class="form-group">
<div class="form-group required">
<label for="password">Password</label>
<input type="password" class="form-control" id="password" name="password" placeholder="Choose a password">
<input type="password" class="form-control" id="password" name="password" placeholder="Choose a password" required>
</div>
<div class="form-group">
<div class="form-group required">
<label for="email">Email address</label>
<input type="email" class="form-control" id="email" name="email" placeholder="Your email address">
<input type="email" class="form-control" id="email" name="email" placeholder="Your email address" required>
</div>
<button type="submit" class="btn btn-primary">Register</button>
</form>

View File

@ -3,27 +3,31 @@
<div class="discover">
<h1>{{title}}</h1>
<form role="form" method="POST">
{% if g.user and g.user.role and new_user %}
<div class="form-group required">
<label for="nickname">Username</label>
<input type="text" class="form-control" name="nickname" id="nickname" value="{{ content.nickname if content.nickname != None }}">
</div>
{% endif %}
<div class="form-group">
<label for="email">e-mail</label>
<input type="email" class="form-control" name="email" id="email" value="{{ content.email if content.email != None }}">
<label for="email">Email address</label>
<input type="email" class="form-control" name="email" id="email" value="{{ content.email if content.email != None }}" required>
</div>
<div class="form-group">
<label for="password">password</label>
<label for="password">Password</label>
<input type="password" class="form-control" name="password" id="password" value="">
</div>
<div class="form-group">
<label for="kindle_mail">Kindle E-Mail</label>
<input type="text" class="form-control" name="kindle_mail" id="kindle_mail" value="{{ content.kindle_mail if content.kindle_mail != None }}">
</div>
{% if g.user and g.user.role %}
{% if g.user and g.user.role and not profile %}
<div class="form-group">
<label for="user_role">Admin user? 0 or 1</label>
<input type="text" class="form-control" name="user_role" id="user_role" value="{{ content.role if content.role != None }}">
</div>
<div class="form-group">
<label for="nickname">nickname</label>
<input type="text" class="form-control" name="nickname" id="nickname" value="{{ content.nickname if content.nickname != None }}">
<label for="user_role">Admin user</label>
<input type="checkbox" name="admin_user" id="admin_user" {% if content.role %}checked{% endif %}>
</div>
{% endif %}
{% if g.user and g.user.role and not profile and not new_user %}
<div class="checkbox">
<label>
<input type="checkbox" name="delete"> Delete this user

View File

@ -7,11 +7,13 @@ from flask import Flask, render_template, session, request, redirect, url_for, s
from cps import db, config, ub, helper
import os
from sqlalchemy.sql.expression import func
from sqlalchemy.exc import IntegrityError
from math import ceil
from flask.ext.login import LoginManager, login_user, logout_user, login_required, current_user
from flask.ext.principal import Principal, Identity, AnonymousIdentity, identity_changed
import requests, zipfile
from werkzeug.security import generate_password_hash, check_password_hash
from functools import wraps
app = (Flask(__name__))
@ -82,6 +84,17 @@ def url_for_other_page(page):
app.jinja_env.globals['url_for_other_page'] = url_for_other_page
def admin_required(f):
"""
Checks if current_user.role == 1
"""
@wraps(f)
def inner(*args, **kwargs):
if int(current_user.role) == 1:
return f(*args, **kwargs)
abort(403)
return inner
@app.before_request
def before_request():
g.user = current_user
@ -236,7 +249,8 @@ def series(name):
@app.route("/admin/")
def admin():
return "Admin ONLY!"
#return "Admin ONLY!"
abort(403)
@app.route("/search", methods=["GET"])
@ -462,13 +476,20 @@ def profile():
content.password = generate_password_hash(to_save["password"])
if to_save["kindle_mail"] and to_save["kindle_mail"] != content.kindle_mail:
content.kindle_mail = to_save["kindle_mail"]
if to_save["user_role"]:
content.role = int(to_save["user_role"])
if to_save["email"] and to_save["email"] != content.email:
content.email = to_save["email"]
try:
ub.session.commit()
except IntegrityError:
ub.session.rollback()
flash("Found an existing account for this email address.", category="error")
return render_template("user_edit.html", content=content, downloads=downloads, title="%s's profile" % current_user.nickname)
flash("Profile updated", category="success")
return render_template("user_edit.html", profile=1, content=content, downloads=downloads, title="%s's profile" % current_user.nickname)
@app.route("/admin/user")
@login_required
@admin_required
def user_list():
content = ub.session.query(ub.User).all()
settings = ub.session.query(ub.Settings).first()
@ -476,24 +497,34 @@ def user_list():
@app.route("/admin/user/new", methods = ["GET", "POST"])
@login_required
@admin_required
def new_user():
content = ub.User()
if request.method == "POST":
to_save = request.form.to_dict()
if not to_save["nickname"] or not to_save["email"] or not to_save["password"]:
flash("Please fill out all fields!", category="error")
return render_template("user_edit.html", new_user=1, content=content, title="Add new user")
content.password = generate_password_hash(to_save["password"])
content.nickname = to_save["nickname"]
content.email = to_save["email"]
content.role = int(to_save["user_role"])
if "admin_user" in to_save:
content.role = 1
else:
content.role = 0
try:
ub.session.add(content)
ub.session.commit()
flash("User created", category="success")
except (e):
flash(e, category="error")
return render_template("user_edit.html", content=content, title="User list")
flash("User '%s' created" % content.nickname, category="success")
return redirect(url_for('user_list'))
except IntegrityError:
ub.session.rollback()
flash("Found an existing account for this email address or nickname.", category="error")
return render_template("user_edit.html", new_user=1, content=content, title="Add new user")
@app.route("/admin/user/mailsettings", methods = ["GET", "POST"])
@login_required
@admin_required
def edit_mailsettings():
content = ub.session.query(ub.Settings).first()
if request.method == "POST":
@ -512,6 +543,7 @@ def edit_mailsettings():
@app.route("/admin/user/<int:user_id>", methods = ["GET", "POST"])
@login_required
@admin_required
def edit_user(user_id):
content = ub.session.query(ub.User).filter(ub.User.id == int(user_id)).first()
downloads = list()
@ -521,15 +553,30 @@ def edit_user(user_id):
to_save = request.form.to_dict()
if "delete" in to_save:
ub.session.delete(content)
flash("User '%s' deleted" % content.nickname, category="success")
return redirect(url_for('user_list'))
else:
if "password" in to_save:
if to_save["password"]:
content.password == generate_password_hash(to_save["password"])
if "admin_user" in to_save and content.role != 1:
content.role = 1
elif not "admin_user" in to_save and content.role == 1:
content.role = 0
if to_save["email"] and to_save["email"] != content.email:
content.email = to_save["email"]
if to_save["kindle_mail"] and to_save["kindle_mail"] != content.kindle_mail:
content.kindle_mail = to_save["kindle_mail"]
try:
ub.session.commit()
return render_template("user_edit.html", content=content, downloads=downloads, title="Edit User %s" % current_user.nickname)
flash("User '%s' updated" % content.nickname, category="success")
except IntegrityError:
ub.session.rollback()
flash("An unknown error occured.", category="error")
return render_template("user_edit.html", new_user=0, content=content, downloads=downloads, title="Edit User %s" % content.nickname)
@app.route("/admin/book/<int:book_id>", methods=['GET', 'POST'])
@login_required
@admin_required
def edit_book(book_id):
## create the function for sorting...
db.session.connection().connection.connection.create_function("title_sort",1,db.title_sort)