Compare commits

..

3 commits

Author SHA1 Message Date
f4181ade07 Was Commite ich hier? 2024-03-06 20:43:48 +01:00
f691e7534d AHHH escape 2024-03-06 20:41:45 +01:00
ce009a278b new db system 2024-03-01 21:59:30 +01:00
3 changed files with 74 additions and 38 deletions

View file

@ -3,7 +3,8 @@ from flask import Flask, render_template, render_template_string, request, make_
from flask_socketio import SocketIO, join_room, leave_room
from flask_session import Session
from markupsafe import escape
from .db import get_db, change_db
from Website.db import get_db
import Website.db as db
from datetime import datetime
finished = None
preis = 150 #Ein Getraenk
@ -63,7 +64,7 @@ def create_app(test_config=None):
c = db.cursor()
c.execute("SELECT * FROM users")
users = c.fetchall()
return render_template("list.html", users=users, preis=preis/100)
return render_template("list.html", users=escape(users), preis=escape(preis/100))
@app.route("/transactionlist")
def transactionlist():
@ -123,7 +124,7 @@ def create_app(test_config=None):
if user != None :
c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
tags = c.fetchall()
return render_template("user.html", user=user, tags=tags)
return render_template("user.html", user=escape(user), tags=escape(tags))
else:
return render_template("error.html", error_code="043")
@ -141,9 +142,9 @@ def create_app(test_config=None):
user = c.fetchone()
if user != None:
user_name = user[1]
change_db("removeuser", user_id=user_id, before=user_name)
db.remove_user(user_id)
socketio.emit("update", "update")
return render_template("removeuser.html", user_name=user_name)
return render_template("removeuser.html", user_name=escape(user_name))
else:
return render_template("error.html", error_code="043")
@ -156,7 +157,7 @@ def create_app(test_config=None):
return render_template("error.html", error_code="418")
c.execute("SELECT * FROM users WHERE username=?", [username])
if c.fetchall() == []:
change_db("adduser", after=username)
db.add_user(username)
socketio.emit("update", "update")
c.execute(f"SELECT * FROM users WHERE username=?", [username])
user = c.fetchone()
@ -178,7 +179,7 @@ def create_app(test_config=None):
users = c.fetchall()
if users != []:
balance_old = users[0][2]
change_db("balance", change=change, user_id=user_id)
db.change_balance(user_id, change)
socketio.emit("update", "update")
return render_template("redirect.html")
else:
@ -193,7 +194,7 @@ def create_app(test_config=None):
session_id = uuid.uuid4()
session[id] = session_id
user_queue.put([user_id, "add", session_id])
return render_template("addtag.html", user=user_id)
return render_template("addtag.html", user=escape(user_id))
@socketio.on('addtag')
def request_addtag(data):
@ -234,16 +235,14 @@ def create_app(test_config=None):
session_id = uuid.uuid4()
session[id] = session_id
user_queue.put([user_id, "remove", session_id])
return render_template("removetag.html", user=user_id)
return render_template("removetag.html", user=escape(user_id))
else:
db = get_db()
c = db.cursor()
c.execute(f"SELECT * FROM tags WHERE (tagid = ? AND userid = ?)", [tag_id, user_id])
if c.fetchall != []:
c.execute(f"DELETE FROM tags WHERE (tagid = ? AND userid = ?)", [tag_id, user_id])
db.commit()
db.remove_tag(tag_id)
message = f"Removed {tag_id} from user {user_id}"
log(type="removetag", userid=user_id, before=tag_id)
return render_template("redirect.html")
else:
return render_template("error.html", error_code="054")
@ -288,8 +287,8 @@ def create_app(test_config=None):
try:
change = int(request.args.get("change"))
except:
change = preis
change_db("balance", user_id=userid, change=change)
change = preis
db.change_balance(user_id, change)
socketio.emit("update", "update")
return make_response(json.dumps({"mode":"balance", "username":user[1], "balance":user_new[2]}))
else:
@ -337,7 +336,7 @@ def create_app(test_config=None):
finished = queue_item
return make_response(json.dumps({"mode":"error","error":"170"}))
else:
change_db("addtag", after=tag_id, user_id=user_id)
db.add_tag(user_id, tag_id)
message = f"Added {tag_id} to {username}"
finished = queue_item
return make_response(json.dumps({"mode":"message","username":"{}".format(username),"message":"A tag was added"}))
@ -364,7 +363,7 @@ def create_app(test_config=None):
if user_list != []:
balance_old = user_list[0][2]
if user_queue.qsize() == 0:
change_db("balance", user_id=tag[1], change=preis)
db.change_balance(tag[1], preis)
c.execute(f"SELECT * FROM users WHERE id={tag[1]}")
user = c.fetchone()
socketio.emit("update", "update")
@ -382,7 +381,20 @@ def create_app(test_config=None):
before = request.form["before"]
after = request.form["after"]
change = request.form["change"]
change_db(statement, user_id, before, after, change)
if statement == "adduser":
db.add_user(after)
elif statement == "removeuser":
db.remove_user(user_id)
elif statement == "addtag":
db.add_tag(user_id, after)
elif statement == "removetag":
db.remove_tag(befor)
elif statement == "balance":
db.change_balance(user_id, change)
else:
return make_response(json.dumps({"mode":"error", "error":"418"})) #Error code
socketio.emit("update", "update")
return render_template("index.html")
@ -391,4 +403,5 @@ def create_app(test_config=None):
def documentation():
return render_template("documentation.html")
return {"app":app,"socketio":socketio}

View file

@ -10,24 +10,47 @@ def log(statement, user_id, before, after, change):
c.execute("INSERT INTO transaction_log (timestamp, type, user_id, before, after, change) VALUES (?, ?, ?, ?, ?, ?)", [datetime.now(), statement, user_id, before, after, change])
db.commit()
def change_db(statement, user_id=None, before=None, after=None, change=None):
def add_user(after):
db = get_db()
c = db.cursor()
if statement == "adduser" and after != None:
c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after])
user_id = c.lastrowid
elif statement == "removeuser" and user_id != None and before != None:
c.execute("DELETE FROM tags WHERE userid=?", [user_id])
c.execute("DELETE FROM users WHERE id=?", [user_id])
elif statement == "addtag" and after != None and user_id != None:
c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [after, user_id])
elif statement == "removetag" and before != None and user_id != None:
c.execute("DELETE FROM tags WHERE (tagid = ? AND userid = ?)", [before, user_id])
elif statement == "balance" and change != None and user_id != None:
c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])
else:
raise Exception("wrong or missing argument for change_db")
log(statement, user_id, before, after, change)
c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after])
user_id = c.lastrowid
log("add_user", user_id=user_id, after=after)
db.commit()
def remove_user(user_id):
db = get_db()
c = db.cursor()
c.execute("SELECT * FROM users WHERE id = ?", [user_id])
user_name = c.fetchone()[1]
c.execute("SELECT * FROM tags WHERE userid = ?", [user_id])
for tag in c.fetchall():
remove_tag(tag[0])
c.execute("DELETE FROM users WHERE id = ?", [user_id])
log("remove_user", user_id=user_id, before=user_name)
db.commit()
def add_tag(user_id, tag_id):
db = get_db()
c = db.cursor()
c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id])
db.commit()
log("addtag", after=tag_id, user_id=user_id)
def remove_tag(tag_id):
db = get_db()
c = db.cursor()
c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id])
user_id = c.fetchone()[1]
c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id])
log("removetag", before=tag_id, user_id=user_id)
db.commit()
def change_balance(user_id, change):
db = get_db()
c = db.cursor()
c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])
log("balance", user_id=user_id, change=change)
db.commit()
def get_db():

View file

@ -23,14 +23,14 @@ def test_index(client):
#/adduser
def test_adduser(client):
response = client.get('/adduser/user')
response = client.post('/adduser/user', data={})
assert "418" in response.data.decode('utf-8')
def test_adduser_new(app, client):
with app.app_context():
db = get_db()
assert db is get_db()
response = client.get('/adduser/user?username=test')
response = client.post('/adduser/user', data={user_name:"test"})
c = db.cursor()
c.execute("SELECT * FROM users WHERE username = ?", ["test"])
data = c.fetchone()
@ -40,7 +40,7 @@ def test_adduser_new(app, client):
assert data[2] == 0
def test_adduser_allreadyexists(client):
response = client.get('/adduser/user?username=test')
response = client.post('/adduser/user', data={username:"test"})
assert "Error: 757" in response.data.decode('utf-8')
#/addtag
@ -49,7 +49,7 @@ def test_addtag(client):
assert response.data.decode('utf-8') == "Error: 095"
def test_addtag_userid_nan(client):
response = client.get('/addtag?id=test')
response = client.post('/addtag', data={id:1})
assert response.data.decode('utf-8') == "Error: 095"
def test_add_tag_direktli(app):
@ -166,4 +166,4 @@ def test_sqlinjektion_adduser(app, client):
assert data[1] == i
assert data[2] == 0
assert "tag was sucsesfully added" in response.data.decode('utf-8')
count += 1
count += 1