From f06cc9e4a49b3a2ba3cc2dde3e74eab0335f4ed4 Mon Sep 17 00:00:00 2001
From: simon
Date: Wed, 25 Apr 2018 13:30:54 -0400
Subject: [PATCH] Unauthorised pages are blocked

---
 crawler.py | 1 -
 run.py | 262 ++++++++++++++++++++++++---------------
 templates/dashboard.html | 2 +-
 templates/user.html | 2 +-
 4 files changed, 161 insertions(+), 106 deletions(-)

diff --git a/crawler.py b/crawler.py
index ff425d8..d182043 100644
--- a/crawler.py
+++ b/crawler.py
@@ -12,7 +12,6 @@ from thumbnail import ThumbnailGenerator
 from storage import Directory
 import shutil
 import config
-from ctypes import c_char_p
 class RunningTask:

diff --git a/run.py b/run.py
index 4bfa00f..aa5a4ef 100644
--- a/run.py
+++ b/run.py
@@ -57,7 +57,6 @@ def login():
 session["username"] = username
 session["admin"] = storage.users()[username].admin
- print(session["admin"])
 flash("Successfully logged in", "success")
 else:
 flash("Invalid username or password", "danger")
 
@@ -68,23 +67,31 @@ def login():
 @app.route("/user")
 def user_page():
- return render_template("user.html", users=storage.users())
+ if "admin" in session and session["admin"]:
+ return render_template("user.html", users=storage.users())
+ else:
+ flash("You are not authorized to access this page")
+ return redirect("/")
 @app.route("/user/add", methods=['POST'])
 def user_add():
- username = request.form["username"]
- password = bcrypt.hashpw(request.form["password"].encode("utf-8"), bcrypt.gensalt(config.bcrypt_rounds))
- is_admin = True if "is_admin" in request.form else False
+ if "admin" in session and session["admin"]:
+ username = request.form["username"]
+ password = bcrypt.hashpw(request.form["password"].encode("utf-8"), bcrypt.gensalt(config.bcrypt_rounds))
+ is_admin = True if "is_admin" in request.form else False
- try:
- storage.save_user(User(username, password, is_admin))
- flash("Created new user", "success")
- except DuplicateUserException:
- flash("Couldn't create user Make sure that the username is unique", "danger")
+ try:
+ storage.save_user(User(username, password, is_admin))
+ flash("Created new user", "success")
+ except DuplicateUserException:
+ flash("Couldn't create user Make sure that the username is unique", "danger")
- return redirect("/user")
+ return redirect("/user")
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/suggest")
 
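Review bot: The admin check in user_page and user_add is an inline `if "admin" in session and session["admin"]:` that this commit repeats by hand in every protected handler (the same pattern runs through the /directory, /task, /reset_es and /dashboard hunk below), which re-indents whole bodies and leaves any handler added later public by default if the copy is forgotten; a small decorator applied under `@app.route` gives one place to change the rule and keeps the handler bodies as they were. user_page's denial is also the odd one out: `flash("You are not authorized to access this page")` passes no category, while every other branch in the commit passes `"warning"`. Sketch below (`functools.wraps` needs importing; `session.get("admin")` is the same truth test as the inline form).
```python
def admin_required(view):
    """Send non-admin sessions to "/" with a warning instead of running the view."""
    @functools.wraps(view)
    def wrapper(*args, **kwargs):
        if not session.get("admin"):
            flash("You are not authorized to access this page", "warning")
            return redirect("/")
        return view(*args, **kwargs)
    return wrapper


@app.route("/user")
@admin_required
def user_page():
    return render_template("user.html", users=storage.users())
# … unchanged: user_add, decorated the same way with its body at its original indentation …
```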
@@ -220,183 +227,232 @@ def scroll_route():
 @app.route("/directory")
 def dir_list():
- return render_template("directory.html", directories=storage.dirs())
+ if "admin" in session and session["admin"]:
+ return render_template("directory.html", directories=storage.dirs())
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/directory/add")
 def directory_add():
- path = request.args.get("path")
- name = request.args.get("name")
+ if "admin" in session and session["admin"]:
+ path = request.args.get("path")
+ name = request.args.get("name")
- if path is not None and name is not None:
- d = Directory(path, True, [], name)
+ if path is not None and name is not None:
+ d = Directory(path, True, [], name)
- try:
- d.set_default_options()
- storage.save_directory(d)
- flash("Created directory", "success")
- except DuplicateDirectoryException:
- flash("Couldn't create directory Make sure that the path is unique", "danger")
+ try:
+ d.set_default_options()
+ storage.save_directory(d)
+ flash("Created directory", "success")
+ except DuplicateDirectoryException:
+ flash("Couldn't create directory Make sure that the path is unique", "danger")
- return redirect("/directory")
+ return redirect("/directory")
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/directory/")
 def directory_manage(dir_id):
- directory = storage.dirs()[dir_id]
- tn_size = get_dir_size("static/thumbnails/" + str(dir_id))
- tn_size_formatted = humanfriendly.format_size(tn_size)
+ if "admin" in session and session["admin"]:
+ directory = storage.dirs()[dir_id]
+ tn_size = get_dir_size("static/thumbnails/" + str(dir_id))
+ tn_size_formatted = humanfriendly.format_size(tn_size)
- return render_template("directory_manage.html", directory=directory, tn_size=tn_size,
- tn_size_formatted=tn_size_formatted)
+ return render_template("directory_manage.html", directory=directory, tn_size=tn_size,
+ tn_size_formatted=tn_size_formatted)
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/directory//update")
 def directory_update(dir_id):
- directory = storage.dirs()[dir_id]
+ if "admin" in session and session["admin"]:
+ directory = storage.dirs()[dir_id]
- name = request.args.get("name")
- name = directory.name if name is None else name
+ name = request.args.get("name")
+ name = directory.name if name is None else name
- enabled = request.args.get("enabled")
- enabled = directory.enabled if enabled is None else int(enabled)
+ enabled = request.args.get("enabled")
+ enabled = directory.enabled if enabled is None else int(enabled)
- path = request.args.get("path")
- path = directory.path if path is None else path
+ path = request.args.get("path")
+ path = directory.path if path is None else path
- # Only name and enabled status can be updated
- updated_dir = Directory(path, enabled, directory.options, name)
- updated_dir.id = dir_id
+ # Only name and enabled status can be updated
+ updated_dir = Directory(path, enabled, directory.options, name)
+ updated_dir.id = dir_id
- try:
- storage.update_directory(updated_dir)
- flash("Updated directory", "success")
+ try:
+ storage.update_directory(updated_dir)
+ flash("Updated directory", "success")
- except DuplicateDirectoryException:
- flash("Couldn't update directory Make sure that the path is unique", "danger")
+ except DuplicateDirectoryException:
+ flash("Couldn't update directory Make sure that the path is unique", "danger")
- return redirect("/directory/" + str(dir_id))
+ return redirect("/directory/" + str(dir_id))
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/directory//update_opt")
 def directory_update_opt(dir_id):
- opt_id = request.args.get("id")
- opt_key = request.args.get("key")
- opt_value = request.args.get("value")
+ if "admin" in session and session["admin"]:
+ opt_id = request.args.get("id")
+ opt_key = request.args.get("key")
+ opt_value = request.args.get("value")
- storage.update_option(Option(opt_key, opt_value, dir_id, opt_id))
+ storage.update_option(Option(opt_key, opt_value, dir_id, opt_id))
- return redirect("/directory/" + str(dir_id))
+ return redirect("/directory/" + str(dir_id))
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/directory//del")
 def directory_del(dir_id):
+ if "admin" in session and session["admin"]:
+ search.delete_directory(dir_id)
+ if os.path.exists("static/thumbnails/" + str(dir_id)):
+ shutil.rmtree("static/thumbnails/" + str(dir_id))
- search.delete_directory(dir_id)
- if os.path.exists("static/thumbnails/" + str(dir_id)):
- shutil.rmtree("static/thumbnails/" + str(dir_id))
+ storage.remove_directory(dir_id)
+ flash("Deleted directory", "success")
- storage.remove_directory(dir_id)
- flash("Deleted directory", "success")
-
- return redirect("/directory")
+ return redirect("/directory")
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/directory//reset")
 def directory_reset(dir_id):
- directory = storage.dirs()[dir_id]
- for opt in directory.options:
- storage.del_option(opt.id)
+ if "admin" in session and session["admin"]:
+ directory = storage.dirs()[dir_id]
- directory.set_default_options()
+ for opt in directory.options:
+ storage.del_option(opt.id)
- for opt in directory.options:
- opt.dir_id = dir_id
- storage.save_option(opt)
+ directory.set_default_options()
- storage.dir_cache_outdated = True
+ for opt in directory.options:
+ opt.dir_id = dir_id
+ storage.save_option(opt)
- search.delete_directory(dir_id)
+ storage.dir_cache_outdated = True
- flash("Reset directory options to default settings", "success")
- return redirect("directory/" + str(dir_id))
+ search.delete_directory(dir_id)
+
+ flash("Reset directory options to default settings", "success")
+ return redirect("directory/" + str(dir_id))
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/task")
 def task():
-
- return render_template("task.html", tasks=storage.tasks(), directories=storage.dirs(),
- task_list=json.dumps(list(storage.tasks().keys())))
- # return render_template("task.html", tasks=storage.tasks(), directories=storage.dirs())
+ if "admin" in session and session["admin"]:
+ return render_template("task.html", tasks=storage.tasks(), directories=storage.dirs(),
+ task_list=json.dumps(list(storage.tasks().keys())))
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/task/current")
 def get_current_task():
+ if "admin" in session and session["admin"]:
- if tm and tm.current_task:
- return tm.current_task.to_json()
+ if tm and tm.current_task:
+ return tm.current_task.to_json()
+ else:
+ return ""
 else:
- return ""
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/task/add")
 def task_add():
- type = request.args.get("type")
- directory = request.args.get("directory")
+ if "admin" in session and session["admin"]:
+ task_type = request.args.get("type")
+ directory = request.args.get("directory")
- storage.save_task(Task(type, directory))
+ storage.save_task(Task(task_type, directory))
- return redirect("/task")
+ return redirect("/task")
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/task//del")
 def task_del(task_id):
- storage.del_task(task_id)
+ if "admin" in session and session["admin"]:
+ storage.del_task(task_id)
- if tm.current_task is not None and task_id == tm.current_task.task.id:
- tm.cancel_task()
+ if tm.current_task is not None and task_id == tm.current_task.task.id:
+ tm.cancel_task()
- return redirect("/task")
+ return redirect("/task")
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/reset_es")
 def reset_es():
+ if "admin" in session and session["admin"]:
+ flash("Elasticsearch index has been reset. Modifications made in config.py have been applied.", "success")
- flash("Elasticsearch index has been reset. Modifications made in config.py have been applied.", "success")
+ tm.indexer.init()
+ if os.path.exists("static/thumbnails"):
+ shutil.rmtree("static/thumbnails")
- tm.indexer.init()
- if os.path.exists("static/thumbnails"):
- shutil.rmtree("static/thumbnails")
-
- return redirect("/dashboard")
+ return redirect("/dashboard")
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 @app.route("/dashboard")
 def dashboard():
+ if "admin" in session and session["admin"]:
+ tn_sizes = {}
+ tn_size_total = 0
+ for directory in storage.dirs():
+ tn_size = get_dir_size("static/thumbnails/" + str(directory))
+ tn_size_formatted = humanfriendly.format_size(tn_size)
- tn_sizes = {}
- tn_size_total = 0
- for directory in storage.dirs():
- tn_size = get_dir_size("static/thumbnails/" + str(directory))
- tn_size_formatted = humanfriendly.format_size(tn_size)
+ tn_sizes[directory] = tn_size_formatted
+ tn_size_total += tn_size
- tn_sizes[directory] = tn_size_formatted
- tn_size_total += tn_size
+ tn_size_total_formatted = humanfriendly.format_size(tn_size_total)
- tn_size_total_formatted = humanfriendly.format_size(tn_size_total)
+ return render_template("dashboard.html", version=config.VERSION, tn_sizes=tn_sizes,
+ tn_size_total=tn_size_total_formatted,
+ doc_size=humanfriendly.format_size(search.get_doc_size()),
+ doc_count=search.get_doc_count(),
+ db_path=config.db_path,
+ elasticsearch_url=config.elasticsearch_url,
+ index_size=humanfriendly.format_size(search.get_index_size()))
- return render_template("dashboard.html", version=config.VERSION, tn_sizes=tn_sizes,
- tn_size_total=tn_size_total_formatted,
- doc_size=humanfriendly.format_size(search.get_doc_size()),
- doc_count=search.get_doc_count(),
- db_path=config.db_path,
- elasticsearch_url=config.elasticsearch_url,
- index_size=humanfriendly.format_size(search.get_index_size()))
+ else:
+ flash("You are not authorized to access this page", "warning")
+ return redirect("/")
 if __name__ == "__main__":

diff --git a/templates/dashboard.html b/templates/dashboard.html
index 5716451..74cb443 100644
--- a/templates/dashboard.html
+++ b/templates/dashboard.html
@@ -5,7 +5,7 @@
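Review bot: The state-changing routes in this hunk — `/directory/add`, the `/directory/…/update`, `update_opt`, `del` and `reset` handlers, `/task/add`, `/task/…/del` and `/reset_es` — remain GET handlers with no `methods=` on their `@app.route` (only `/user/add` in the earlier hunk is POST-only), so the new session guard proves that an admin session is present, not that the admin chose the action: a request issued by any page or image the admin's browser happens to load carries the session cookie and passes the check. Moving them to `methods=['POST']`, driving them from forms, and tying the forms to a per-session CSRF token would close that gap, with the templates that currently link to these URLs changed to match. Separately, get_current_task returns `tm.current_task.to_json()` and so looks like a JSON endpoint polled by script; answering an unauthorised call with `flash(...)` plus `redirect("/")` hands that caller an HTML page, where `abort(403)` would be the clearer answer. The `<dir_id>`/`<task_id>` placeholders in the route strings appear to have been lost in this rendering, so the paths above are read from the handler signatures.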
-
FSE Information
+
Global Information
diff --git a/templates/user.html b/templates/user.html index ee92f40..4ff73d6 100644 --- a/templates/user.html +++ b/templates/user.html @@ -44,7 +44,7 @@ {% for user in users %} - +
{{ user }}{{ user }} Manage