from functools import wraps
from flask import Flask, request, redirect, url_for, session, render_template, flash
from flask_wtf import CSRFProtect
from flask_wtf.csrf import CSRFError
from db import Database
import os
from dotenv import load_dotenv
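load_dotenv()

app = Flask(__name__)

# Fail fast: without SECRET_KEY Flask cannot sign the session cookie, and the
# first session access would otherwise raise at request time rather than at
# startup, long after the process looks healthy.
app.secret_key = os.getenv("SECRET_KEY")
if not app.secret_key:
    raise RuntimeError("SECRET_KEY environment variable must be set")

app.config.update(
    # Defaults to False so local HTTP development keeps working; set
    # SESSION_COOKIE_SECURE=1 in the environment of any deployment served over
    # HTTPS so the browser never sends the session cookie in clear text.
    SESSION_COOKIE_SECURE=os.getenv("SESSION_COOKIE_SECURE", "0") == "1",
    # Keep the cookie out of reach of page scripts and off cross-site
    # navigations (CSRFProtect still validates the token on every POST).
    SESSION_COOKIE_HTTPONLY=True,
    SESSION_COOKIE_SAMESITE="Lax",
    # Seconds. Flask only stamps this expiry on the cookie when a session is
    # marked permanent (session.permanent = True); other sessions are
    # browser-session cookies.
    PERMANENT_SESSION_LIFETIME=1800,
    WTF_CSRF_ENABLED=True,
)
csrf = CSRFProtect(app)

dsn = os.getenv("DATABASE_URL")
db = Database(dsn)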
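@app.errorhandler(CSRFError)
def handle_csrf_error(e):
    """Return a plain 400 response when Flask-WTF rejects a request's CSRF token.

    The session's CSRF token is deliberately not printed or logged: it is a
    per-session secret, and writing it to stdout would copy it into whatever
    log pipeline captures the process output.  ``e.description`` only carries
    Flask-WTF's reason text for the rejection, which is safe to echo.
    """
    return f"CSRF error: {e.description}", 400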
def login_required(f):
    """Decorate a view so that anonymous requests are sent to the login page.

    A request counts as authenticated when the signed session carries a
    ``user_id``; anything else is redirected to ``login`` before the wrapped
    view runs.  ``wraps`` keeps the view's name so Flask's endpoint naming
    and ``url_for`` continue to work.
    """
    @wraps(f)
    def wrapper(*args, **kwargs):
        authenticated = 'user_id' in session
        if authenticated:
            return f(*args, **kwargs)
        return redirect(url_for('login'))
    return wrapper
@app.route('/')
def index():
    """Render the public landing page (no authentication required)."""
    page = 'index.html'
    return render_template(page)
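@app.route('/register', methods=['GET', 'POST'])
def register():
    """Show the registration form and create an account on POST.

    A missing form field raises ``BadRequestKeyError`` (HTTP 400) from the
    ``request.form[...]`` lookup.  Blank or whitespace-only values are
    rejected here with a flash message instead of being handed to the
    database, so an account cannot be created with an empty username or
    password.  NOTE(review): password hashing is expected to happen inside
    ``db.register_user`` — this view forwards the raw form value; confirm in
    db.py.
    """
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        if not username.strip() or not password:
            flash("Username and password are required.")
        elif db.register_user(username, password):
            flash("Registration successful. Please log in.")
            return redirect(url_for('login'))
        else:
            flash("Username already exists, please choose another one.")
    return render_template('register.html')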
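@app.route('/login', methods=['GET', 'POST'])
def login():
    """Show the login form and start an authenticated session on POST.

    ``db.login_user`` returns ``None`` on bad credentials; otherwise only
    index 0 (user id) and index 2 (role) of the returned row are used —
    TODO(review): confirm the column order against db.py.
    """
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        user = db.login_user(username, password)
        if user is not None:
            # Start from an empty session so nothing set before
            # authentication (a previous user's identity, stale keys) carries
            # over into the authenticated session.
            session.clear()
            # Mark the session permanent so PERMANENT_SESSION_LIFETIME is
            # applied as the cookie expiry; otherwise Flask issues a
            # browser-session cookie regardless of that setting.
            session.permanent = True
            session['user_id'] = user[0]
            session['role'] = user[2]
            return redirect(url_for('dashboard'))
        flash("Invalid credentials. Please try again.")
    return render_template('login.html')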
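@app.route('/dashboard', methods=['GET', 'POST'])
@login_required
def dashboard():
    """List the current user's notes; on POST store a note, then redirect.

    Redirecting after a POST (post/redirect/get) keeps a browser refresh from
    re-submitting the form and duplicating the note.  Whitespace-only content
    is rejected with a flash message rather than stored.  ``user_role`` is only
    passed through to the template.
    """
    user_id = session['user_id']
    user_role = session.get('role', 'user')
    if request.method == 'POST':
        content = request.form['content']
        if content.strip():
            db.add_note(user_id, content)
        else:
            flash("Note content cannot be empty.")
        return redirect(url_for('dashboard'))
    notes = db.get_user_notes(user_id)
    return render_template('dashboard.html', notes=notes, user_role=user_role)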
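@app.route('/posts', methods=['GET', 'POST'])
@login_required
def posts():
    """List posts; on POST create one for the current user, then redirect.

    Hidden posts are included only when the session role is ``admin``.
    Redirecting after a POST (post/redirect/get) keeps a browser refresh
    from re-creating the post.  Blank title or content is rejected with a
    flash message instead of being stored.
    """
    user_id = session['user_id']
    user_role = session.get('role', 'user')
    if request.method == 'POST':
        title = request.form['title']
        content = request.form['content']
        if title.strip() and content.strip():
            db.add_post(user_id, title, content)
        else:
            flash("Title and content are required.")
        return redirect(url_for('posts'))
    all_posts = db.get_all_posts(include_hidden=(user_role == 'admin'))
    return render_template('post.html', posts=all_posts)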
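@app.route('/admin/posts', methods=['GET', 'POST'])
@login_required
def admin_posts():
    """Admin-only listing of every post, including hidden ones.

    The role comes from the signed session cookie, so a client cannot change
    it without the secret key.  On POST the visibility of one post is set;
    the role is also passed to ``db.set_post_visibility`` so the database
    layer can enforce the same rule.

    Responses: 403 for non-admins, 403 when the database layer raises
    ``PermissionError``, 500 with a generic body (the traceback is logged
    server-side, never returned) for any other failure, otherwise a redirect
    back to this page after a POST.
    """
    user_role = session.get('role')
    if user_role != 'admin':
        return "Unauthorized", 403
    if request.method == 'POST':
        post_id = request.form['post_id']
        visibility = request.form['visibility'] == '1'
        try:
            db.set_post_visibility(post_id, visibility, user_role)
        except PermissionError as e:
            return str(e), 403
        except Exception:
            # Record the cause for operators; the client only sees the
            # generic message so internal details are not disclosed.
            app.logger.exception("Failed to update visibility of post %s", post_id)
            return "An error occurred while updating post visibility.", 500
        return redirect(url_for('admin_posts'))
    all_posts = db.get_all_posts(include_hidden=True)
    return render_template('admin_posts.html', posts=all_posts)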
@app.route('/delete_post/<int:post_id>', methods=['POST'])
@login_required
def delete_post(post_id):
    """Delete a post after checking the caller may do so.

    Ownership (or an admin role, as decided by ``db.is_post_owner``) is
    verified before deletion; a failed check answers 403 without touching
    the database further.  ``post_id`` is already an int thanks to the
    route converter.
    """
    current_user = session['user_id']
    role = session.get('role', 'user')
    allowed = db.is_post_owner(current_user, post_id, role)
    if allowed:
        db.delete_post(post_id)
        return redirect(url_for('posts'))
    return "Unauthorized", 403
@app.route('/delete_note/<int:note_id>', methods=['POST'])
@login_required
def delete_note(note_id):
    """Delete one of the current user's notes.

    ``db.is_note_owner`` decides whether the session user owns the note;
    anyone else receives 403 and nothing is deleted.
    """
    current_user = session['user_id']
    allowed = db.is_note_owner(current_user, note_id)
    if allowed:
        db.delete_note(note_id)
        return redirect(url_for('dashboard'))
    return "Unauthorized", 403
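@app.route('/logout')
def logout():
    """End the session and send the browser to the login page.

    ``session.clear()`` discards every key, not just ``user_id`` and
    ``role``, so no per-user state survives into the next anonymous session
    on the same browser.
    """
    session.clear()
    return redirect(url_for('login'))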
@app.errorhandler(400)
def bad_request(error):
    """Render a plain-text body for HTTP 400 responses.

    ``error`` is the exception Flask raised (for example a missing form
    field); its string form is included in the body.
    """
    body = f"Bad Request: {error}"
    return body, 400
if __name__ == '__main__':
    # Development entry point: Werkzeug's built-in server on the default
    # loopback host, debug mode left off.
    dev_port = 5000
    app.run(port=dev_port)