yusur/coriplus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

change credential access for /admin/, style changes, fix and deprecate get_current_user()

Browse source
This commit is contained in:
Yusur 2025-11-12 10:34:57 +01:00
parent c834424836
commit 9071f5ff7a
6 changed files with 24 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/coriplus/__init__.py
View file

@ -24,7 +24,7 @@ from flask_wtf import CSRFProtect
import dotenv import dotenv
import logging import logging
__version__ = '0.10.0-dev44' __version__ = '0.10.0-dev45'
# we want to support Python 3.10+ only. # we want to support Python 3.10+ only.
# Python 2 has too many caveats. # Python 2 has too many caveats.

7
src/coriplus/admin.py
View file

@ -13,17 +13,16 @@ from functools import wraps
bp = Blueprint('admin', __name__, url_prefix='/admin') bp = Blueprint('admin', __name__, url_prefix='/admin')
def _check_auth(username, password) -> bool: def _check_auth(username) -> bool:
try: try:
return User.select().where((User.username == username) & (User.password == pwdhash(password)) & (User.is_admin) return User.get((User.username == username)).is_admin
).exists()
except User.DoesNotExist: except User.DoesNotExist:
return False return False
def admin_required(f): def admin_required(f):
@wraps(f) @wraps(f)
def wrapped_view(**kwargs): def wrapped_view(**kwargs):
if not _check_auth(current_user.username, current_user.password): if not _check_auth(current_user.username):
abort(403) abort(403)
return f(**kwargs) return f(**kwargs)
return wrapped_view return wrapped_view

11
src/coriplus/static/style.css
View file

@ -2,6 +2,9 @@
--accent: #f0372e; --accent: #f0372e;
--link: #3399ff; --link: #3399ff;
} }
* {
box-sizing: border-box;
}
body, button, input, select, textarea { body, button, input, select, textarea {
font-family: Inter, Roboto, sans-serif; font-family: Inter, Roboto, sans-serif;
line-height: 1.6; line-height: 1.6;
@ -38,13 +41,13 @@ a:hover{text-decoration:underline}
#site-name {text-align: center;flex: 1} #site-name {text-align: center;flex: 1}
.header h1{margin:0;display:inline-block} .header h1{margin:0;display:inline-block}
.flash{background-color:#ff9;border:yellow 1px solid} .flash{background-color:#ff9;border:yellow 1px solid}
.infobox{padding:12px;border:#ccc 1px solid} .infobox{width: 50%; float: right;}
@media (min-width:640px) { @media (max-width:639px) {
.infobox{float:right;width:320px} .infobox{width: 100%;}
} }
.weak{opacity:.5} .weak{opacity:.5}
.field_desc{display:block} .field_desc{display:block}
ul.timeline{padding:0;margin:auto;max-width:960px} ul.timeline{padding:0;margin:auto;max-width:960px;clear: both}
ul.timeline > li{list-style:none;} ul.timeline > li{list-style:none;}
.message-visual img{max-width:100%;margin:auto} .message-visual img{max-width:100%;margin:auto}
.message-options-showhide::before{content:'\2026'} .message-options-showhide::before{content:'\2026'}

16
src/coriplus/templates/includes/infobox_profile.html
View file

@ -1,27 +1,15 @@
{% set profile = user.profile %} {% set profile = user.profile %}
<div class="infobox"> <div class="card infobox">
<h3>{{ profile.full_name }}</h3> <h3>{{ profile.full_name }}</h3>
<p>{{ profile.biography|enrich }}</p> <p>{{ profile.biography|enrich }}</p>
{% if profile.location %} {% if profile.location %}
<p><span class="weak">Location:</span> {{ profile.location|locationdata }}</p> <p><span class="weak">Location:</span> {{ profile.location|locationdata }}</p>
{% endif %} {% endif %}
{% if profile.year %}
<p><span class="weak">Year:</span> {{ profile.year }}</p>
{% endif %}
{% if profile.website %} {% if profile.website %}
{% set website = profile.website %} {% set website = profile.website %}
{% set website = website if website.startswith(('http://', 'https://')) else 'http://' + website %} {% set website = website if website.startswith(('http://', 'https://')) else 'http://' + website %}
<p><span class="weak">Website:</span> {{ profile.website|urlize }}</p> <p><span class="weak">Website:</span> {{ profile.website|urlize }}</p>
{% endif %} {% endif %}
{% if profile.instagram %}
<p><span class="weak">Instagram:</span> <a href="https://www.instagram.com/{{ profile.instagram }}">{{ profile.instagram }}</a></p>
{% endif %}
{% if profile.facebook %}
<p><span class="weak">Facebook:</span> <a href="https://facebook.com/{{ profile.facebook }}">{{ profile.facebook }}</a></p>
{% endif %}
{% if profile.telegram %}
<p><span class="weak">Telegram:</span> <a href="https://t.me/{{ profile.facebook }}">{{ profile.telegram }}</a></p>
{% endif %}
<p> <p>
<strong>{{ user.messages|count }}</strong> messages <strong>{{ user.messages|count }}</strong> messages
- -
@ -30,6 +18,6 @@
<a href="{{ url_for('website.user_following', username=user.username) }}"><strong>{{ user.following()|count }}</strong></a> following <a href="{{ url_for('website.user_following', username=user.username) }}"><strong>{{ user.following()|count }}</strong></a> following
</p> </p>
{% if user == current_user %} {% if user == current_user %}
<p><a href="/edit_profile/">{{ inline_svg('edit', 18) }} Edit profile</a></p> <p><a href="/edit_profile/">{{ inline_svg('edit') }} Edit profile</a></p>
{% endif %} {% endif %}
</div> </div>

9
src/coriplus/utils.py
View file

@ -3,6 +3,8 @@ A list of utilities used across modules.
''' '''
import datetime, re, base64, hashlib, string, sys, json import datetime, re, base64, hashlib, string, sys, json
from flask_login import current_user
from .models import User, Message, Notification, MSGPRV_PUBLIC, MSGPRV_UNLISTED, \ from .models import User, Message, Notification, MSGPRV_PUBLIC, MSGPRV_UNLISTED, \
MSGPRV_FRIENDS, MSGPRV_ONLYME MSGPRV_FRIENDS, MSGPRV_ONLYME
from flask import abort, render_template, request, session from flask import abort, render_template, request, session
@ -102,15 +104,14 @@ except OSError:
# get the user from the session # get the user from the session
# changed in 0.5 to comply with flask_login # changed in 0.5 to comply with flask_login
# DEPRECATED in 0.10; use current_user instead
def get_current_user(): def get_current_user():
# new in 0.7; need a different method to get current user id # new in 0.7; need a different method to get current user id
if request.path.startswith('/api/'): if request.path.startswith('/api/'):
# assume token validation is already done # assume token validation is already done
return User[request.args['access_token'].split(':')[0]] return User[request.args['access_token'].split(':')[0]]
else: elif current_user.is_authenticated:
user_id = session.get('user_id') return current_user
if user_id:
return User[user_id]
def push_notification(type, target, **kwargs): def push_notification(type, target, **kwargs):
try: try:

9
src/coriplus/website.py
View file

@ -7,7 +7,7 @@ from .models import *
from . import __version__ as app_version from . import __version__ as app_version
from sys import version as python_version from sys import version as python_version
from flask import Blueprint, abort, flash, redirect, render_template, request, url_for, __version__ as flask_version from flask import Blueprint, abort, flash, redirect, render_template, request, url_for, __version__ as flask_version
from flask_login import login_required, login_user, logout_user from flask_login import current_user, login_required, login_user, logout_user
import json import json
import logging import logging
@ -17,7 +17,7 @@ bp = Blueprint('website', __name__)
@bp.route('/') @bp.route('/')
def homepage(): def homepage():
if get_current_user(): if current_user and current_user.is_authenticated:
return private_timeline() return private_timeline()
else: else:
return render_template('homepage.html') return render_template('homepage.html')
@ -26,7 +26,7 @@ def private_timeline():
# the private timeline (aka feed) exemplifies the use of a subquery -- we are asking for # the private timeline (aka feed) exemplifies the use of a subquery -- we are asking for
# messages where the person who created the message is someone the current # messages where the person who created the message is someone the current
# user is following. these messages are then ordered newest-first. # user is following. these messages are then ordered newest-first.
user = get_current_user() user = current_user
messages = Visibility(Message messages = Visibility(Message
.select() .select()
.where((Message.user << user.following()) .where((Message.user << user.following())
@ -83,6 +83,9 @@ def register():
@bp.route('/login/', methods=['GET', 'POST']) @bp.route('/login/', methods=['GET', 'POST'])
def login(): def login():
if current_user and current_user.is_authenticated:
flash('You are already logged in')
return redirect(request.args.get('next', '/'))
if request.method == 'POST' and request.form['username']: if request.method == 'POST' and request.form['username']:
try: try:
username = request.form['username'] username = request.form['username']