diff --git a/Website/__init__.py b/Website/__init__.py index e0978d3..fce7d9f 100644 --- a/Website/__init__.py +++ b/Website/__init__.py @@ -3,7 +3,8 @@ from flask import Flask, render_template, render_template_string, request, make_ from flask_socketio import SocketIO, join_room, leave_room from flask_session import Session from markupsafe import escape -from .db import get_db, change_db +from Website.db import get_db +import Website.db as db from datetime import datetime finished = None preis = 150 #Ein Getraenk @@ -63,7 +64,7 @@ def create_app(test_config=None): c = db.cursor() c.execute("SELECT * FROM users") users = c.fetchall() - return render_template("list.html", users=users, preis=preis/100) + return render_template("list.html", users=escape(users), preis=escape(preis/100)) @app.route("/transactionlist") def transactionlist(): @@ -123,7 +124,7 @@ def create_app(test_config=None): if user != None : c.execute(f"SELECT * FROM tags WHERE userid={user[0]}") tags = c.fetchall() - return render_template("user.html", user=user, tags=tags) + return render_template("user.html", user=escape(user), tags=escape(tags)) else: return render_template("error.html", error_code="043") @@ -141,9 +142,9 @@ def create_app(test_config=None): user = c.fetchone() if user != None: user_name = user[1] - change_db("removeuser", user_id=user_id, before=user_name) + db.remove_user(user_id) socketio.emit("update", "update") - return render_template("removeuser.html", user_name=user_name) + return render_template("removeuser.html", user_name=escape(user_name)) else: return render_template("error.html", error_code="043") @@ -156,7 +157,7 @@ def create_app(test_config=None): return render_template("error.html", error_code="418") c.execute("SELECT * FROM users WHERE username=?", [username]) if c.fetchall() == []: - change_db("adduser", after=username) + db.add_user(username) socketio.emit("update", "update") c.execute(f"SELECT * FROM users WHERE username=?", [username]) user = c.fetchone() @@ -178,7 +179,7 @@ def create_app(test_config=None): users = c.fetchall() if users != []: balance_old = users[0][2] - change_db("balance", change=change, user_id=user_id) + db.change_balance(user_id, change) socketio.emit("update", "update") return render_template("redirect.html") else: @@ -193,7 +194,7 @@ def create_app(test_config=None): session_id = uuid.uuid4() session[id] = session_id user_queue.put([user_id, "add", session_id]) - return render_template("addtag.html", user=user_id) + return render_template("addtag.html", user=escape(user_id)) @socketio.on('addtag') def request_addtag(data): @@ -234,16 +235,14 @@ def create_app(test_config=None): session_id = uuid.uuid4() session[id] = session_id user_queue.put([user_id, "remove", session_id]) - return render_template("removetag.html", user=user_id) + return render_template("removetag.html", user=escape(user_id)) else: db = get_db() c = db.cursor() c.execute(f"SELECT * FROM tags WHERE (tagid = ? AND userid = ?)", [tag_id, user_id]) if c.fetchall != []: - c.execute(f"DELETE FROM tags WHERE (tagid = ? AND userid = ?)", [tag_id, user_id]) - db.commit() + db.remove_tag(tag_id) message = f"Removed {tag_id} from user {user_id}" - log(type="removetag", userid=user_id, before=tag_id) return render_template("redirect.html") else: return render_template("error.html", error_code="054") @@ -288,8 +287,8 @@ def create_app(test_config=None): try: change = int(request.args.get("change")) except: - change = preis - change_db("balance", user_id=userid, change=change) + change = preis + db.change_balance(user_id, change) socketio.emit("update", "update") return make_response(json.dumps({"mode":"balance", "username":user[1], "balance":user_new[2]})) else: @@ -337,7 +336,7 @@ def create_app(test_config=None): finished = queue_item return make_response(json.dumps({"mode":"error","error":"170"})) else: - change_db("addtag", after=tag_id, user_id=user_id) + db.add_tag(user_id, tag_id) message = f"Added {tag_id} to {username}" finished = queue_item return make_response(json.dumps({"mode":"message","username":"{}".format(username),"message":"A tag was added"})) @@ -364,7 +363,7 @@ def create_app(test_config=None): if user_list != []: balance_old = user_list[0][2] if user_queue.qsize() == 0: - change_db("balance", user_id=tag[1], change=preis) + db.change_balance(tag[1], preis) c.execute(f"SELECT * FROM users WHERE id={tag[1]}") user = c.fetchone() socketio.emit("update", "update") @@ -382,7 +381,20 @@ def create_app(test_config=None): before = request.form["before"] after = request.form["after"] change = request.form["change"] - change_db(statement, user_id, before, after, change) + + if statement == "adduser": + db.add_user(after) + elif statement == "removeuser": + db.remove_user(user_id) + elif statement == "addtag": + db.add_tag(user_id, after) + elif statement == "removetag": + db.remove_tag(befor) + elif statement == "balance": + db.change_balance(user_id, change) + else: + return make_response(json.dumps({"mode":"error", "error":"418"})) #Error code + socketio.emit("update", "update") return render_template("index.html") @@ -391,4 +403,5 @@ def create_app(test_config=None): def documentation(): return render_template("documentation.html") + return {"app":app,"socketio":socketio} diff --git a/Website/db.py b/Website/db.py index 9ad03a3..f586494 100644 --- a/Website/db.py +++ b/Website/db.py @@ -10,24 +10,47 @@ def log(statement, user_id, before, after, change): c.execute("INSERT INTO transaction_log (timestamp, type, user_id, before, after, change) VALUES (?, ?, ?, ?, ?, ?)", [datetime.now(), statement, user_id, before, after, change]) db.commit() -def change_db(statement, user_id=None, before=None, after=None, change=None): +def add_user(after): db = get_db() c = db.cursor() - if statement == "adduser" and after != None: - c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after]) - user_id = c.lastrowid - elif statement == "removeuser" and user_id != None and before != None: - c.execute("DELETE FROM tags WHERE userid=?", [user_id]) - c.execute("DELETE FROM users WHERE id=?", [user_id]) - elif statement == "addtag" and after != None and user_id != None: - c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [after, user_id]) - elif statement == "removetag" and before != None and user_id != None: - c.execute("DELETE FROM tags WHERE (tagid = ? AND userid = ?)", [before, user_id]) - elif statement == "balance" and change != None and user_id != None: - c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id]) - else: - raise Exception("wrong or missing argument for change_db") - log(statement, user_id, before, after, change) + c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after]) + user_id = c.lastrowid + log("add_user", user_id=user_id, after=after) + db.commit() + +def remove_user(user_id): + db = get_db() + c = db.cursor() + c.execute("SELECT * FROM users WHERE id = ?", [user_id]) + user_name = c.fetchone()[1] + c.execute("SELECT * FROM tags WHERE userid = ?", [user_id]) + for tag in c.fetchall(): + remove_tag(tag[0]) + c.execute("DELETE FROM users WHERE id = ?", [user_id]) + log("remove_user", user_id=user_id, before=user_name) + db.commit() + +def add_tag(user_id, tag_id): + db = get_db() + c = db.cursor() + c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id]) + db.commit() + log("addtag", after=tag_id, user_id=user_id) + +def remove_tag(tag_id): + db = get_db() + c = db.cursor() + c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id]) + user_id = c.fetchone()[1] + c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id]) + log("removetag", before=tag_id, user_id=user_id) + db.commit() + +def change_balance(user_id, change): + db = get_db() + c = db.cursor() + c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id]) + log("balance", user_id=user_id, change=change) db.commit() def get_db(): diff --git a/tests/test_website.py b/tests/test_website.py index a8359a4..4f985b3 100644 --- a/tests/test_website.py +++ b/tests/test_website.py @@ -23,14 +23,14 @@ def test_index(client): #/adduser def test_adduser(client): - response = client.get('/adduser/user') + response = client.post('/adduser/user', data={}) assert "418" in response.data.decode('utf-8') def test_adduser_new(app, client): with app.app_context(): db = get_db() assert db is get_db() - response = client.get('/adduser/user?username=test') + response = client.post('/adduser/user', data={user_name:"test"}) c = db.cursor() c.execute("SELECT * FROM users WHERE username = ?", ["test"]) data = c.fetchone() @@ -40,7 +40,7 @@ def test_adduser_new(app, client): assert data[2] == 0 def test_adduser_allreadyexists(client): - response = client.get('/adduser/user?username=test') + response = client.post('/adduser/user', data={username:"test"}) assert "Error: 757" in response.data.decode('utf-8') #/addtag @@ -49,7 +49,7 @@ def test_addtag(client): assert response.data.decode('utf-8') == "Error: 095" def test_addtag_userid_nan(client): - response = client.get('/addtag?id=test') + response = client.post('/addtag', data={id:1}) assert response.data.decode('utf-8') == "Error: 095" def test_add_tag_direktli(app): @@ -166,4 +166,4 @@ def test_sqlinjektion_adduser(app, client): assert data[1] == i assert data[2] == 0 assert "tag was sucsesfully added" in response.data.decode('utf-8') - count += 1 \ No newline at end of file + count += 1