From 5ea77aaf9066f858c20d987ecd3bf9db8fd75478 Mon Sep 17 00:00:00 2001
From: Prinex
Date: Tue, 29 Nov 2022 18:06:50 +0000
Subject: [PATCH] Implemented a decorator function for protecting URL path routes and wrote some other if-statement for validating users when making different HTTP requests with the help of cookie sessions.

---
 app/views.py | 79 +++++++++++++++++++++++++++++-----------------------
 1 file changed, 44 insertions(+), 35 deletions(-)

diff --git a/app/views.py b/app/views.py
index 4aaabd2..7b7971b 100644
--- a/app/views.py
+++ b/app/views.py
@@ -1,3 +1,5 @@
+import functools
+from urllib import request
 from .meta import *
 import datetime
@@ -5,14 +7,29 @@ import datetime
 import bcrypt
 #--*
+#--*
+# decorator function for protecting different routes
+def login_required(view):
+ # accept and wrap a given view
+ @functools.wraps(view)
+ # can have 0 or >=1 arguments
+ def wrapped_view(*args, **kwargs):
+ # check if user has logged in the current session
+ if "user" not in flask.session:
+ flask.flash("You need to be logged in for this feature.")
+ return flask.redirect(flask.url_for("login"))
+ # return to the view function if yes
+ return view(*args, **kwargs)
+ # call the wrapped function
+ return wrapped_view
+#--*
+
 @app.route("/")
 def index():
 """
 Main Page.
 """
- #Get data from the DB using meta function
-
 rows = query_db("SELECT * FROM product")
 app.logger.info(rows)
@@ -29,11 +46,9 @@ def products():
 if theItem:
 #We Do A Query for It
- #itemQry = query_db(f"SELECT * FROM product WHERE id = ?",[theItem], one=True)
- #--
 theQry = "SELECT * FROM product WHERE id = ?"
- args = (theItem)
+ args = (theItem,)
 itemQry = query_db(theQry, args, True)
 theQry1 = "SELECT * FROM review INNER JOIN user ON review.userID = user.id WHERE review.productID = ?;"
@@ -166,6 +181,7 @@ def create():
 return flask.redirect(flask.url_for("login"))
 @app.route("/user//settings")
+@login_required
 def settings(userId):
 """ Update a users settings,
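Review bot: `from urllib import request` on the second added line of the first hunk is not referenced by any code this patch adds, and the views in the later hunks reach the request through `flask.request`; if the rest of the file does not use it either, drop the import rather than leave an unused name next to the wildcard `from .meta import *`. `import functools` is used by `login_required` and should stay.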
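Review bot: The comment `# call the wrapped function` above `return wrapped_view` in `login_required` is inaccurate: that line returns the wrapper uncalled, and Flask invokes it per request, so change it to `# hand the wrapper back; Flask calls it on each request`. The comment `# can have 0 or >=1 arguments` sits between `@functools.wraps(view)` and the `def`, which is legal but reads as if it described the decorator; move it above `@functools.wraps`. A short docstring on `login_required` saying that it redirects to the `login` view with a flash message whenever the session has no `"user"` key, and that it must be placed below `@app.route` so the route registers the wrapper, would make the `@login_required` lines in the later hunks self-explanatory.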
@@ -175,9 +191,13 @@ def settings(userId):
 theQry = "Select * FROM User WHERE id = ?"
 args = (userId,)
 thisUser = query_db(theQry, args, one=True)
- #--
- if not thisUser:
+ # the user shouldn't be able to access other accounts' settings
+ if thisUser['id'] != flask.session['user']:
+ flask.flash("Access denied: Unauthorized access to another account")
+ return flask.redirect(flask.url_for("settings", userId=flask.session['user']))
+ #--
+ elif not thisUser:
 flask.flash("No Such User")
 return flask.redirect(flask.url_for("index"))
@@ -220,12 +240,11 @@ def updateUser(userId):
 #--
 theQry = "Select * FROM User WHERE id = ?"
 args = (userId,)
- thisUser = query_db(theQry, one=True)
+ thisUser = query_db(theQry, args, one=True)
 #--
-
 if not thisUser:
 flask.flash("No Such User")
- return flask.redirect(flask_url_for("index"))
+ return flask.redirect(flask.flask_url_for("index"))
 #otherwise we want to do the checks
 if flask.request.method == "POST":
@@ -249,10 +268,7 @@ def updateUser(userId):
 app.logger.info("Mismatch")
 flask.flash("Current Password is incorrect")
 return flask.redirect(flask.url_for("settings",
- userId = thisUser['id']))
-
-
-
+ userId = thisUser['id']))
 flask.flash("Update Error")
 return flask.redirect(flask.url_for("settings", userId=userId))
@@ -264,9 +280,17 @@ def updateUser(userId):
 # ------------------------------------------
 @app.route("/review//", methods=["GET", "POST"])
+@login_required
 def reviewItem(userId, itemId):
 """Add a Review"""
-
+ #--
+ theQry = "Select * FROM User WHERE id = ?"
+ args = (userId,)
+ thisUser = query_db(theQry, args, one=True)
+ if thisUser['id'] != flask.session['user']:
+ flask.flash("Access denied: Unauthorized access to another account")
+ return flask.redirect(flask.url_for("settings", userId=flask.session['user']))
+ #--
 #Handle input
 if flask.request.method == "POST":
 reviewStars = flask.request.form.get("rating")
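Review bot: In the `settings` hunk the new ownership check subscripts `thisUser['id']` before the `elif not thisUser:` branch is reached, so when `query_db` returns no row (the case that branch exists for) the handler raises a TypeError instead of flashing "No Such User"; the `elif` can no longer reach its intended case. Compare the route argument against the session before the query, `if userId != flask.session['user']:`, and keep `if not thisUser:` as its own check after the query, as the old code had it. The check added to `reviewItem` in the `@@ -264,9 +280,17 @@` hunk has the same ordering problem. Both checks also assume the session's `user` value has the same type as the id column returned for the row, which is set by the login view outside this patch and worth confirming. `settings` starts and ends outside the hunk.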
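Review bot: `flask.flask_url_for("index")` on the rewritten return line in `updateUser` is still not a real attribute of the flask module, so the "No Such User" branch now raises an AttributeError instead of redirecting; every other redirect in these hunks uses `flask.url_for`, and the line should read `return flask.redirect(flask.url_for("index"))`. Separately, nothing in this hunk applies the session ownership check the patch adds to `settings`; the route decorators of `updateUser` are outside the hunk, but if this handler is the one that writes an account's settings, the same `userId != flask.session['user']` guard and `@login_required` belong here as well. The enclosing function starts and ends outside the hunk.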
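Review bot: The user-row query added at the top of `reviewItem` is used only to compare `thisUser['id']` with the session, and the route parameter `userId` already carries that value, so `if userId != flask.session['user']:` gives the same decision without a database round-trip. On a mismatch the handler redirects to the session user's `settings` page, which is an odd destination for a review route; redirecting to `index`, as the other failure branches in this file do, would be more consistent. `reviewItem` continues outside the hunk.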
@@ -284,12 +308,7 @@ def reviewItem(userId, itemId):
 app.logger.info("Update Existing")
 #--
- theSQL = """
- UPDATE review
- SET stars = ?
- review = ?
- WHERE
- id = ?"""
+ theSQL = "UPDATE review SET stars = ?, review = ? WHERE id = ?"
 args = (reviewStars, reviewComment, reviewId)
 app.logger.debug("%s", theSQL)
 write_db(theSQL, args)
@@ -315,7 +334,7 @@ def reviewItem(userId, itemId):
 #--
 theQry = "SELECT * FROM product WHERE id = ?;"
 args = (itemId,)
- item = query_db(theQry, one=True)
+ item = query_db(theQry, args, one=True)
 theQry = "SELECT * FROM review WHERE userID = ? AND productID = ?;"
 args = (userId, itemId)
@@ -337,14 +356,8 @@ def basket():
 @app.route("/basket", methods=["GET","POST"])
+@login_required
 def basket():
-
- #Check for user
- if not flask.session["user"]:
- flask.flash("You need to be logged in")
- return flask.redirect(flask.url_for("index"))
-
-
 theBasket = []
 #Otherwise we need to work out the Basket
 #Get it from the session
@@ -371,17 +384,13 @@ def basket():
 total=totalPrice)
 @app.route("/basket/payment", methods=["GET", "POST"])
+@login_required
 def pay():
 """
 Fake paymeent.
 YOU DO NOT NEED TO IMPLEMENT PAYMENT
 """
-
- if not flask.session["user"]:
- flask.flash("You need to be logged in")
- return flask.redirect(flask.url_for("index"))
-
 #Get the total cost
 cost = flask.request.form.get("total")
@@ -405,7 +414,7 @@ def pay():
 theQry = "INSERT INTO PURCHASE (userID, productID, date) VALUES (?, ?, ?)"
 args = (theUser['id'], key, theDate)
 app.logger.debug(theQry)
- write_db(theQry, args, theDate)
+ write_db(theQry, args)
 #--
 #Clear the Session