diff --git a/Website/__init__.py b/Website/__init__.py
index fce7d9f..e0978d3 100644
--- a/Website/__init__.py
+++ b/Website/__init__.py
@@ -3,8 +3,7 @@ from flask import Flask, render_template, render_template_string, request, make_
 from flask_socketio import SocketIO, join_room, leave_room
 from flask_session import Session
 from markupsafe import escape
-from Website.db import get_db
-import Website.db as db
+from .db import get_db, change_db
 from datetime import datetime
 finished = None
 preis = 150 #Ein Getraenk
@@ -64,7 +63,7 @@ def create_app(test_config=None):
 c = db.cursor()
 c.execute("SELECT * FROM users")
 users = c.fetchall()
- return render_template("list.html", users=escape(users), preis=escape(preis/100))
+ return render_template("list.html", users=users, preis=preis/100)
 @app.route("/transactionlist")
 def transactionlist():
@@ -124,7 +123,7 @@ def create_app(test_config=None):
 if user != None :
 c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
 tags = c.fetchall()
- return render_template("user.html", user=escape(user), tags=escape(tags))
+ return render_template("user.html", user=user, tags=tags)
 else:
 return render_template("error.html", error_code="043")
@@ -142,9 +141,9 @@ def create_app(test_config=None):
 user = c.fetchone()
 if user != None:
 user_name = user[1]
- db.remove_user(user_id)
+ change_db("removeuser", user_id=user_id, before=user_name)
 socketio.emit("update", "update")
- return render_template("removeuser.html", user_name=escape(user_name))
+ return render_template("removeuser.html", user_name=user_name)
 else:
 return render_template("error.html", error_code="043")
@@ -157,7 +156,7 @@ def create_app(test_config=None):
 return render_template("error.html", error_code="418")
 c.execute("SELECT * FROM users WHERE username=?", [username])
 if c.fetchall() == []:
- db.add_user(username)
+ change_db("adduser", after=username)
 socketio.emit("update", "update")
 c.execute(f"SELECT * FROM users WHERE username=?", [username])
 user = c.fetchone()
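Review bot: The new `from .db import get_db, change_db` line does not import `log`, yet the hunk at old line 235 of this same file adds a direct `log(...)` call; unless `log` is defined elsewhere in `__init__.py` (not visible here), that call raises NameError. Either extend the import to `from .db import get_db, change_db, log` or, better, route that handler through `change_db` like the others so `log` stays private to `db.py`. `escape` remains imported although every `escape(...)` call is removed in this commit; drop the import or keep it deliberately with a comment saying why.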
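Review bot: Removing `escape()` around `users` and `preis` on the new `render_template("list.html", users=users, preis=preis/100)` line is right in itself — escaping a list of rows would have turned it into one string — but it now relies entirely on Jinja2 autoescaping of `list.html` for the usernames in `users`, which appear to come straight from the `username` query parameter (see the rewritten `/adduser/user?username=` tests). Confirm the template does not render those fields with `|safe` or inside an `{% autoescape false %}` block, and mark the reliance at the call site: `# rows are passed raw; list.html relies on Jinja autoescaping for username`. The same applies to the `user.html`, `removeuser.html`, `addtag.html` and `removetag.html` calls changed further down; the enclosing route starts above this hunk.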
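Review bot: The new `change_db("removeuser", user_id=user_id, before=user_name)` call loses audit entries: the removed `db.remove_user` called `remove_tag` for every tag of the user and so logged one `removetag` row per tag, whereas the `removeuser` branch of `change_db` in `db.py` issues a single `DELETE FROM tags WHERE userid=?` and logs only the `removeuser` row. If `transaction_log` is meant as an audit trail, the tag ids that vanish with a user are no longer recorded anywhere; either iterate the user's tags through the `removetag` branch first, or store them in the `before` column alongside `user_name`. `user_id` appears to come from the request (its origin is above the hunk); if this route is reachable with a plain GET, as the rewritten tests show for `/adduser/user`, removing a user is one cross-site `<img>` away, so confirm the method and CSRF protection.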
@@ -179,7 +178,7 @@ def create_app(test_config=None):
 users = c.fetchall()
 if users != []:
 balance_old = users[0][2]
- db.change_balance(user_id, change)
+ change_db("balance", change=change, user_id=user_id)
 socketio.emit("update", "update")
 return render_template("redirect.html")
 else:
@@ -194,7 +193,7 @@ def create_app(test_config=None):
 session_id = uuid.uuid4()
 session[id] = session_id
 user_queue.put([user_id, "add", session_id])
- return render_template("addtag.html", user=escape(user_id))
+ return render_template("addtag.html", user=user_id)
 @socketio.on('addtag')
 def request_addtag(data):
@@ -235,14 +234,16 @@ def create_app(test_config=None):
 session_id = uuid.uuid4()
 session[id] = session_id
 user_queue.put([user_id, "remove", session_id])
- return render_template("removetag.html", user=escape(user_id))
+ return render_template("removetag.html", user=user_id)
 else:
 db = get_db()
 c = db.cursor()
 c.execute(f"SELECT * FROM tags WHERE (tagid = ? AND userid = ?)", [tag_id, user_id])
 if c.fetchall != []:
- db.remove_tag(tag_id)
+ c.execute(f"DELETE FROM tags WHERE (tagid = ? AND userid = ?)", [tag_id, user_id])
+ db.commit()
 message = f"Removed {tag_id} from user {user_id}"
+ log(type="removetag", userid=user_id, before=tag_id)
 return render_template("redirect.html")
 else:
 return render_template("error.html", error_code="054")
@@ -287,8 +288,8 @@ def create_app(test_config=None):
 try:
 change = int(request.args.get("change"))
 except:
- change = preis
- db.change_balance(user_id, change)
+ change = preis
+ change_db("balance", user_id=userid, change=change)
 socketio.emit("update", "update")
 return make_response(json.dumps({"mode":"balance", "username":user[1], "balance":user_new[2]}))
 else:
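Review bot: The added `log(type="removetag", userid=user_id, before=tag_id)` cannot succeed against the `log` in `Website/db.py`, whose signature is `log(statement, user_id, before, after, change)` with no `type` or `userid` keyword and no defaults, so this raises TypeError — and NameError before that, since the new import line brings in only `get_db` and `change_db`. The guard above it, `if c.fetchall != []:`, compares the bound method rather than its result and is therefore always true, so the 054 error branch is unreachable and removing a tag the user does not own still logs `removetag` and redirects as if it succeeded (the scoped DELETE itself deletes nothing). Replace the three added lines with the helper this commit introduces, `change_db("removetag", before=tag_id, user_id=user_id)`, which performs the same `tagid AND userid` DELETE, logs and commits in a single transaction, and change the guard to `if c.fetchall():`. The enclosing route starts above this hunk.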
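Review bot: The added `change_db("balance", user_id=userid, change=change)` uses `userid`, while the removed line and the rest of this handler use `user_id`; unless `userid` is assigned above the hunk, this raises NameError on every balance change through this endpoint, and the line should read `change_db("balance", user_id=user_id, change=change)`. The value passed in is `int(request.args.get("change"))` guarded only by a bare `except:` that falls back to `preis`, so any client can credit or debit an arbitrary amount, negative included; narrow the handler to `except (TypeError, ValueError):` and bound or sign-check `change` before it reaches `change_db` if this endpoint is not restricted to trusted callers. The function continues outside the hunk, where `user_new` used in the response is presumably looked up.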
@@ -336,7 +337,7 @@ def create_app(test_config=None):
 finished = queue_item
 return make_response(json.dumps({"mode":"error","error":"170"}))
 else:
- db.add_tag(user_id, tag_id)
+ change_db("addtag", after=tag_id, user_id=user_id)
 message = f"Added {tag_id} to {username}"
 finished = queue_item
 return make_response(json.dumps({"mode":"message","username":"{}".format(username),"message":"A tag was added"}))
@@ -363,7 +364,7 @@ def create_app(test_config=None):
 if user_list != []:
 balance_old = user_list[0][2]
 if user_queue.qsize() == 0:
- db.change_balance(tag[1], preis)
+ change_db("balance", user_id=tag[1], change=preis)
 c.execute(f"SELECT * FROM users WHERE id={tag[1]}")
 user = c.fetchone()
 socketio.emit("update", "update")
@@ -381,20 +382,7 @@ def create_app(test_config=None):
 before = request.form["before"]
 after = request.form["after"]
 change = request.form["change"]
-
- if statement == "adduser":
- db.add_user(after)
- elif statement == "removeuser":
- db.remove_user(user_id)
- elif statement == "addtag":
- db.add_tag(user_id, after)
- elif statement == "removetag":
- db.remove_tag(befor)
- elif statement == "balance":
- db.change_balance(user_id, change)
- else:
- return make_response(json.dumps({"mode":"error", "error":"418"})) #Error code
-
+ change_db(statement, user_id, before, after, change)
 socketio.emit("update", "update")
 return render_template("index.html")
@@ -403,5 +391,4 @@ def create_app(test_config=None):
 def documentation():
 return render_template("documentation.html")
- return {"app":app,"socketio":socketio}
diff --git a/Website/db.py b/Website/db.py
index f586494..9ad03a3 100644
--- a/Website/db.py
+++ b/Website/db.py
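Review bot: `change_db(statement, user_id, before, after, change)` drops the 418 JSON error the old `else` branch returned for an unknown `statement`, because the helper raises a bare `Exception` instead, so a bad form value now surfaces as an unhandled 500; wrap the call — `try: change_db(statement, user_id, before, after, change)` / `except ValueError: return make_response(json.dumps({"mode":"error", "error":"418"}))` — with the helper raising `ValueError`. The helper's `!= None` guards also accept the empty strings a form sends, so `adduser` with a blank `after` creates a user with an empty name, and `change` arrives as text rather than an int; validate and coerce the four `request.form` fields here before the call. Nothing in the hunk shows authentication on this endpoint, which removes users and edits balances, so confirm it is protected. The following hunk appears to remove `return {"app":app,"socketio":socketio}` from `create_app` with no replacement in view; if so, confirm the factory still returns the app, otherwise the tests' `app` fixture receives None.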
@@ -10,47 +10,24 @@ def log(statement, user_id, before, after, change):
 c.execute("INSERT INTO transaction_log (timestamp, type, user_id, before, after, change) VALUES (?, ?, ?, ?, ?, ?)", [datetime.now(), statement, user_id, before, after, change])
 db.commit()
-def add_user(after):
+def change_db(statement, user_id=None, before=None, after=None, change=None):
 db = get_db()
 c = db.cursor()
- c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after])
- user_id = c.lastrowid
- log("add_user", user_id=user_id, after=after)
- db.commit()
-
-def remove_user(user_id):
- db = get_db()
- c = db.cursor()
- c.execute("SELECT * FROM users WHERE id = ?", [user_id])
- user_name = c.fetchone()[1]
- c.execute("SELECT * FROM tags WHERE userid = ?", [user_id])
- for tag in c.fetchall():
- remove_tag(tag[0])
- c.execute("DELETE FROM users WHERE id = ?", [user_id])
- log("remove_user", user_id=user_id, before=user_name)
- db.commit()
-
-def add_tag(user_id, tag_id):
- db = get_db()
- c = db.cursor()
- c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id])
- db.commit()
- log("addtag", after=tag_id, user_id=user_id)
-
-def remove_tag(tag_id):
- db = get_db()
- c = db.cursor()
- c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id])
- user_id = c.fetchone()[1]
- c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id])
- log("removetag", before=tag_id, user_id=user_id)
- db.commit()
-
-def change_balance(user_id, change):
- db = get_db()
- c = db.cursor()
- c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])
- log("balance", user_id=user_id, change=change)
+ if statement == "adduser" and after != None:
+ c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after])
+ user_id = c.lastrowid
+ elif statement == "removeuser" and user_id != None and before != None:
+ c.execute("DELETE FROM tags WHERE userid=?", [user_id])
+ c.execute("DELETE FROM users WHERE id=?", [user_id])
+ elif statement == "addtag" and after != None and user_id != None:
+ c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [after, user_id])
+ elif statement == "removetag" and before != None and user_id != None:
+ c.execute("DELETE FROM tags WHERE (tagid = ? AND userid = ?)", [before, user_id])
+ elif statement == "balance" and change != None and user_id != None:
+ c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])
+ else:
+ raise Exception("wrong or missing argument for change_db")
+ log(statement, user_id, before, after, change)
 db.commit()
 def get_db():
diff --git a/tests/test_website.py b/tests/test_website.py
index 4f985b3..a8359a4 100644
--- a/tests/test_website.py
+++ b/tests/test_website.py
@@ -23,14 +23,14 @@ def test_index(client):
 #/adduser
 def test_adduser(client):
- response = client.post('/adduser/user', data={})
+ response = client.get('/adduser/user')
 assert "418" in response.data.decode('utf-8')
 def test_adduser_new(app, client):
 with app.app_context():
 db = get_db()
 assert db is get_db()
- response = client.post('/adduser/user', data={user_name:"test"})
+ response = client.get('/adduser/user?username=test')
 c = db.cursor()
 c.execute("SELECT * FROM users WHERE username = ?", ["test"])
 data = c.fetchone()
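Review bot: The `addtag` branch keeps the SQL syntax error from the old `add_tag`: `VALUES ?, ?)` lacks its opening parenthesis, so sqlite3 raises OperationalError and no tag can ever be added through `change_db`; the line should be `c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES (?, ?)", [after, user_id])`. In the `adduser` branch, `c.lastrowid` after an `INSERT or IGNORE` that was ignored does not identify the existing user (it reflects the connection's last successful insert), so a duplicate username is logged with a misleading `user_id`; select the id by username instead. The fallback `raise Exception("wrong or missing argument for change_db")` should be a `ValueError` so callers can distinguish bad arguments from database failures, and the `!= None` guards should be `is not None` — noting that an empty string passes either form, so callers feeding form data must validate it first. A docstring naming the five statements and which of `user_id`/`before`/`after`/`change` each requires would make the contract explicit; committing the mutation and the log row together is a genuine improvement over the old per-function commits.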
@@ -40,7 +40,7 @@ def test_adduser_new(app, client):
 assert data[2] == 0
 def test_adduser_allreadyexists(client):
- response = client.post('/adduser/user', data={username:"test"})
+ response = client.get('/adduser/user?username=test')
 assert "Error: 757" in response.data.decode('utf-8')
 #/addtag
@@ -49,7 +49,7 @@ def test_addtag(client):
 assert response.data.decode('utf-8') == "Error: 095"
 def test_addtag_userid_nan(client):
- response = client.post('/addtag', data={id:1})
+ response = client.get('/addtag?id=test')
 assert response.data.decode('utf-8') == "Error: 095"
 def test_add_tag_direktli(app):
@@ -166,4 +166,4 @@ def test_sqlinjektion_adduser(app, client):
 assert data[1] == i
 assert data[2] == 0
 assert "tag was sucsesfully added" in response.data.decode('utf-8')
- count += 1
+ count += 1
\ No newline at end of file
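Review bot: The rewritten `client.get('/adduser/user?username=test')` documents that creating a user is a state-changing request served over GET with the payload in the query string, which makes the endpoint trivially CSRF-able (an `<img src>` on any page can create users) and leaks usernames into access logs and Referer headers; if the handler is meant to stay GET, that should be a deliberate, documented decision rather than an incidental one. Whichever method it is, the tests should pin the status code alongside the body, e.g. `assert response.status_code == 200`, because `assert "418" in response.data.decode('utf-8')` also matches a balance or id that happens to contain those digits.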
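Review bot: `test_adduser_allreadyexists` expects `Error: 757` for `username=test`, but only `test_adduser_new` in the previous hunk creates that user, so this test passes only when run after it against the same database; create the user inside the test (or in a fixture) so it is order-independent and survives `pytest -k` or randomized ordering. The repeated `client.get('/adduser/user?username=test')` would also read better behind a small helper such as `add_user(client, "test")`.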