


f4181ade07 Was Commite ich hier? 2024-03-06 20:43:48 +01:00
f691e7534d AHHH escape 2024-03-06 20:41:45 +01:00
ce009a278b new db system 2024-03-01 21:59:30 +01:00
3 changed files with 74 additions and 38 deletions


@ -3,7 +3,8 @@ from flask import Flask, render_template, render_template_string, request, make_
from flask_socketio import SocketIO, join_room, leave_room from flask_socketio import SocketIO, join_room, leave_room
from flask_session import Session from flask_session import Session
from markupsafe import escape from markupsafe import escape
from .db import get_db, change_db from Website.db import get_db
import Website.db as db
from datetime import datetime from datetime import datetime
finished = None finished = None
preis = 150 #Ein Getraenk preis = 150 #Ein Getraenk
@ -63,7 +64,7 @@ def create_app(test_config=None):
c = db.cursor() c = db.cursor()
c.execute("SELECT * FROM users") c.execute("SELECT * FROM users")
users = c.fetchall() users = c.fetchall()
return render_template("list.html", users=users, preis=preis/100) return render_template("list.html", users=escape(users), preis=escape(preis/100))
@app.route("/transactionlist") @app.route("/transactionlist")
def transactionlist(): def transactionlist():
@ -123,7 +124,7 @@ def create_app(test_config=None):
if user != None : if user != None :
c.execute(f"SELECT * FROM tags WHERE userid={user[0]}") c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
tags = c.fetchall() tags = c.fetchall()
return render_template("user.html", user=user, tags=tags) return render_template("user.html", user=escape(user), tags=escape(tags))
else: else:
return render_template("error.html", error_code="043") return render_template("error.html", error_code="043")
@ -141,9 +142,9 @@ def create_app(test_config=None):
user = c.fetchone() user = c.fetchone()
if user != None: if user != None:
user_name = user[1] user_name = user[1]
change_db("removeuser", user_id=user_id, before=user_name) db.remove_user(user_id)
socketio.emit("update", "update") socketio.emit("update", "update")
return render_template("removeuser.html", user_name=user_name) return render_template("removeuser.html", user_name=escape(user_name))
else: else:
return render_template("error.html", error_code="043") return render_template("error.html", error_code="043")
@ -156,7 +157,7 @@ def create_app(test_config=None):
return render_template("error.html", error_code="418") return render_template("error.html", error_code="418")
c.execute("SELECT * FROM users WHERE username=?", [username]) c.execute("SELECT * FROM users WHERE username=?", [username])
if c.fetchall() == []: if c.fetchall() == []:
change_db("adduser", after=username) db.add_user(username)
socketio.emit("update", "update") socketio.emit("update", "update")
c.execute(f"SELECT * FROM users WHERE username=?", [username]) c.execute(f"SELECT * FROM users WHERE username=?", [username])
user = c.fetchone() user = c.fetchone()
@ -178,7 +179,7 @@ def create_app(test_config=None):
users = c.fetchall() users = c.fetchall()
if users != []: if users != []:
balance_old = users[0][2] balance_old = users[0][2]
change_db("balance", change=change, user_id=user_id) db.change_balance(user_id, change)
socketio.emit("update", "update") socketio.emit("update", "update")
return render_template("redirect.html") return render_template("redirect.html")
else: else:
@ -193,7 +194,7 @@ def create_app(test_config=None):
session_id = uuid.uuid4() session_id = uuid.uuid4()
session[id] = session_id session[id] = session_id
user_queue.put([user_id, "add", session_id]) user_queue.put([user_id, "add", session_id])
return render_template("addtag.html", user=user_id) return render_template("addtag.html", user=escape(user_id))
@socketio.on('addtag') @socketio.on('addtag')
def request_addtag(data): def request_addtag(data):
@ -234,16 +235,14 @@ def create_app(test_config=None):
session_id = uuid.uuid4() session_id = uuid.uuid4()
session[id] = session_id session[id] = session_id
user_queue.put([user_id, "remove", session_id]) user_queue.put([user_id, "remove", session_id])
return render_template("removetag.html", user=user_id) return render_template("removetag.html", user=escape(user_id))
else: else:
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute(f"SELECT * FROM tags WHERE (tagid = ? AND userid = ?)", [tag_id, user_id]) c.execute(f"SELECT * FROM tags WHERE (tagid = ? AND userid = ?)", [tag_id, user_id])
if c.fetchall != []: if c.fetchall != []:
c.execute(f"DELETE FROM tags WHERE (tagid = ? AND userid = ?)", [tag_id, user_id]) db.remove_tag(tag_id)
db.commit()
message = f"Removed {tag_id} from user {user_id}" message = f"Removed {tag_id} from user {user_id}"
log(type="removetag", userid=user_id, before=tag_id)
return render_template("redirect.html") return render_template("redirect.html")
else: else:
return render_template("error.html", error_code="054") return render_template("error.html", error_code="054")
@ -288,8 +287,8 @@ def create_app(test_config=None):
try: try:
change = int(request.args.get("change")) change = int(request.args.get("change"))
except: except:
change = preis change = preis
change_db("balance", user_id=userid, change=change) db.change_balance(user_id, change)
socketio.emit("update", "update") socketio.emit("update", "update")
return make_response(json.dumps({"mode":"balance", "username":user[1], "balance":user_new[2]})) return make_response(json.dumps({"mode":"balance", "username":user[1], "balance":user_new[2]}))
else: else:
@ -337,7 +336,7 @@ def create_app(test_config=None):
finished = queue_item finished = queue_item
return make_response(json.dumps({"mode":"error","error":"170"})) return make_response(json.dumps({"mode":"error","error":"170"}))
else: else:
change_db("addtag", after=tag_id, user_id=user_id) db.add_tag(user_id, tag_id)
message = f"Added {tag_id} to {username}" message = f"Added {tag_id} to {username}"
finished = queue_item finished = queue_item
return make_response(json.dumps({"mode":"message","username":"{}".format(username),"message":"A tag was added"})) return make_response(json.dumps({"mode":"message","username":"{}".format(username),"message":"A tag was added"}))
@ -364,7 +363,7 @@ def create_app(test_config=None):
if user_list != []: if user_list != []:
balance_old = user_list[0][2] balance_old = user_list[0][2]
if user_queue.qsize() == 0: if user_queue.qsize() == 0:
change_db("balance", user_id=tag[1], change=preis) db.change_balance(tag[1], preis)
c.execute(f"SELECT * FROM users WHERE id={tag[1]}") c.execute(f"SELECT * FROM users WHERE id={tag[1]}")
user = c.fetchone() user = c.fetchone()
socketio.emit("update", "update") socketio.emit("update", "update")
@ -382,7 +381,20 @@ def create_app(test_config=None):
before = request.form["before"] before = request.form["before"]
after = request.form["after"] after = request.form["after"]
change = request.form["change"] change = request.form["change"]
change_db(statement, user_id, before, after, change)
if statement == "adduser":
db.add_user(after)
elif statement == "removeuser":
db.remove_user(user_id)
elif statement == "addtag":
db.add_tag(user_id, after)
elif statement == "removetag":
db.remove_tag(befor)
elif statement == "balance":
db.change_balance(user_id, change)
else:
return make_response(json.dumps({"mode":"error", "error":"418"})) #Error code
socketio.emit("update", "update") socketio.emit("update", "update")
return render_template("index.html") return render_template("index.html")
@ -391,4 +403,5 @@ def create_app(test_config=None):
def documentation(): def documentation():
return render_template("documentation.html") return render_template("documentation.html")
return {"app":app,"socketio":socketio} return {"app":app,"socketio":socketio}
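Review bot: `db.remove_tag(tag_id)` in the removetag branch is called on the local `db` that `db = get_db()` binds a few lines earlier, so it resolves to the sqlite connection rather than the `Website.db` module imported as `db`, and will raise AttributeError; the same shadowing presumably affects `db.add_user`, `db.remove_user` and `db.change_balance` in the other routes, where `c = db.cursor()` shows `db` is the connection there too. Import the module under a distinct name, e.g. `import Website.db as store`, and call `store.remove_tag(...)`. That call also drops the `userid = ?` condition of the old DELETE, so the route now removes a tag by id regardless of which user owns it; pass `user_id` through or keep an ownership check (note `c.fetchall != []` compares the bound method, not its result, and is always true). `db.remove_tag(befor)` in the manual-statement dispatch misspells `before` and raises NameError on that path. The enclosing view functions start outside these hunks.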


@ -10,24 +10,47 @@ def log(statement, user_id, before, after, change):
c.execute("INSERT INTO transaction_log (timestamp, type, user_id, before, after, change) VALUES (?, ?, ?, ?, ?, ?)", [datetime.now(), statement, user_id, before, after, change]) c.execute("INSERT INTO transaction_log (timestamp, type, user_id, before, after, change) VALUES (?, ?, ?, ?, ?, ?)", [datetime.now(), statement, user_id, before, after, change])
db.commit() db.commit()
def change_db(statement, user_id=None, before=None, after=None, change=None): def add_user(after):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
if statement == "adduser" and after != None: c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after])
c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after]) user_id = c.lastrowid
user_id = c.lastrowid log("add_user", user_id=user_id, after=after)
elif statement == "removeuser" and user_id != None and before != None: db.commit()
c.execute("DELETE FROM tags WHERE userid=?", [user_id])
c.execute("DELETE FROM users WHERE id=?", [user_id]) def remove_user(user_id):
elif statement == "addtag" and after != None and user_id != None: db = get_db()
c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [after, user_id]) c = db.cursor()
elif statement == "removetag" and before != None and user_id != None: c.execute("SELECT * FROM users WHERE id = ?", [user_id])
c.execute("DELETE FROM tags WHERE (tagid = ? AND userid = ?)", [before, user_id]) user_name = c.fetchone()[1]
elif statement == "balance" and change != None and user_id != None: c.execute("SELECT * FROM tags WHERE userid = ?", [user_id])
c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id]) for tag in c.fetchall():
else: remove_tag(tag[0])
raise Exception("wrong or missing argument for change_db") c.execute("DELETE FROM users WHERE id = ?", [user_id])
log(statement, user_id, before, after, change) log("remove_user", user_id=user_id, before=user_name)
db.commit()
def add_tag(user_id, tag_id):
db = get_db()
c = db.cursor()
c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id])
db.commit()
log("addtag", after=tag_id, user_id=user_id)
def remove_tag(tag_id):
db = get_db()
c = db.cursor()
c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id])
user_id = c.fetchone()[1]
c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id])
log("removetag", before=tag_id, user_id=user_id)
db.commit()
def change_balance(user_id, change):
db = get_db()
c = db.cursor()
c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])
log("balance", user_id=user_id, change=change)
db.commit() db.commit()
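Review bot: Every new helper calls `log` with only a subset of keyword arguments (e.g. `log("add_user", user_id=user_id, after=after)`), but `log` is declared as `log(statement, user_id, before, after, change)` with no defaults, so each call raises TypeError for the missing positionals; give them defaults, `def log(statement, user_id=None, before=None, after=None, change=None):`, as the old `change_db` signature did. The INSERT in `add_tag` is still missing the opening parenthesis of its value list and should read `VALUES (?, ?)`. The audit `type` values are now inconsistent — `add_user`/`remove_user` with underscores while `addtag`/`removetag`/`balance` keep the old spelling — so anything reading transaction_log by the old names silently misses user events. `remove_user` and `remove_tag` index `c.fetchone()[1]` without checking for None, turning an unknown id into a TypeError instead of a clean error, and `remove_tag` deletes by tagid alone, so callers that previously scoped the delete to a user lose that constraint.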
def get_db(): def get_db():


@ -23,14 +23,14 @@ def test_index(client):
#/adduser #/adduser
def test_adduser(client): def test_adduser(client):
response = client.get('/adduser/user') response = client.post('/adduser/user', data={})
assert "418" in response.data.decode('utf-8') assert "418" in response.data.decode('utf-8')
def test_adduser_new(app, client): def test_adduser_new(app, client):
with app.app_context(): with app.app_context():
db = get_db() db = get_db()
assert db is get_db() assert db is get_db()
response = client.get('/adduser/user?username=test') response = client.post('/adduser/user', data={user_name:"test"})
c = db.cursor() c = db.cursor()
c.execute("SELECT * FROM users WHERE username = ?", ["test"]) c.execute("SELECT * FROM users WHERE username = ?", ["test"])
data = c.fetchone() data = c.fetchone()
@ -40,7 +40,7 @@ def test_adduser_new(app, client):
assert data[2] == 0 assert data[2] == 0
def test_adduser_allreadyexists(client): def test_adduser_allreadyexists(client):
response = client.get('/adduser/user?username=test') response = client.post('/adduser/user', data={username:"test"})
assert "Error: 757" in response.data.decode('utf-8') assert "Error: 757" in response.data.decode('utf-8')
#/addtag #/addtag
@ -49,7 +49,7 @@ def test_addtag(client):
assert response.data.decode('utf-8') == "Error: 095" assert response.data.decode('utf-8') == "Error: 095"
def test_addtag_userid_nan(client): def test_addtag_userid_nan(client):
response = client.get('/addtag?id=test') response = client.post('/addtag', data={id:1})
assert response.data.decode('utf-8') == "Error: 095" assert response.data.decode('utf-8') == "Error: 095"
def test_add_tag_direktli(app): def test_add_tag_direktli(app):
@ -166,4 +166,4 @@ def test_sqlinjektion_adduser(app, client):
assert data[1] == i assert data[1] == i
assert data[2] == 0 assert data[2] == 0
assert "tag was sucsesfully added" in response.data.decode('utf-8') assert "tag was sucsesfully added" in response.data.decode('utf-8')
count += 1 count += 1
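Review bot: The form dicts in the rewritten tests use bare names as keys — `{user_name:"test"}` and `{username:"test"}` raise NameError, and `{id:1}` uses the `id` builtin as the key — so these tests cannot run; the keys must be strings, `data={"username": "test"}`. `test_addtag_userid_nan` now posts `1` instead of the non-numeric `"test"` the old query string sent, so it no longer exercises the non-integer id path that its name and the `Error: 095` assertion describe; send `data={"id": "test"}`. These sit alongside the SQL-injection regression tests, so keeping them green is what guards the parameterised queries.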