From 3caf17c861b6df6e02fd92cb3346347fb812eda9 Mon Sep 17 00:00:00 2001 From: Simon Pirkelmann Date: Sun, 30 Jan 2022 23:08:18 +0100 Subject: [PATCH] removed use of session cookie for token creation and modification --- imaginaerraum_door_admin/webapp.py | 93 ++++++++++++++---------------- 1 file changed, 44 insertions(+), 49 deletions(-) diff --git a/imaginaerraum_door_admin/webapp.py b/imaginaerraum_door_admin/webapp.py index 271b593..ba9facd 100644 --- a/imaginaerraum_door_admin/webapp.py +++ b/imaginaerraum_door_admin/webapp.py @@ -163,6 +163,7 @@ def promote_admin(username): db.session.commit() return redirect('/manage_admins') + @door_app.route('/demote_admin/') @roles_required('super_admin') def demote_admin(username): @@ -281,6 +282,26 @@ def token_log(): return redirect('/') +def store_token(token_data): + """Store token to the token file on disk. + + This will use the token id and the associated data and create/modify a + token and store the new token file to disk. + """ + token = token_data['token'] + tokens = current_app.door.get_tokens() + tokens[token] = {'name': token_data['name'], + 'email': token_data['email'], + 'valid_thru': token_data['valid_thru'], + 'inactive': token_data['inactive'], + 'organization': token_data['organization']} + try: + current_app.door.store_tokens(tokens) + current_app.logger.info(f"Token {token} stored in database by admin user {current_user.username}") + except Exception as e: + flash(f"Error during store_tokens. Exception: {e}") + + # routes for registering, editing and deleting tokens @door_app.route('/register-token', methods=['GET', 'POST']) @roles_required('admin') @@ -298,7 +319,7 @@ def register(): recent_token = {} if {'token', 'timestamp'}.issubset(set(token.keys())): dt = datetime.utcnow() - token['timestamp'] - if dt < timedelta(minutes=10): + if dt < timedelta(minutes=10): recent_token = token recent_token['timedelta_minutes'] = int(dt.total_seconds() / 60.0) 
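Review bot: In the new store_token helper the except branch flashes the raw exception text to the browser and then returns normally, so both callers (register and edit_token in the later hunks) go on to redirect to /tokens as if the write had succeeded, and nothing about the failure reaches the server log. The exception detail belongs in the log rather than on the page, and the helper should report whether the write happened so callers can re-render the form instead of redirecting. The helper also performs a whole-table read-modify-write (get_tokens, then store_tokens) with no serialisation visible here, so two concurrent admin requests could silently overwrite each other's change — worth confirming whether store_tokens guards against that. The docstring should additionally list the keys token_data must carry (token, name, email, valid_thru, inactive, organization), since a missing key now raises KeyError inside the request rather than being reported.
```python
def store_token(token_data):
    # … unchanged: docstring and assembly of tokens[token] …
    try:
        current_app.door.store_tokens(tokens)
    except Exception:
        # full detail goes to the server log only; the page gets a generic message
        current_app.logger.exception("store_tokens failed for token %s", token)
        flash("Error during store_tokens.")
        return False
    current_app.logger.info(f"Token {token} stored in database by admin user {current_user.username}")
    return True
```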
@@ -307,22 +328,19 @@ def register(): # set default valid thru date to today to make sure form validity check passes # (will not be used if limited validity is disabled) form.valid_thru.data = date.today() - - return render_template('register.html', token=recent_token, form=form) elif request.method == 'POST' and form.validate(): - # store data in session cookie - session['token'] = current_app.door.get_most_recent_token()['token'] - session['name'] = form.name.data - session['email'] = form.email.data - session['organization'] = form.organization.data - if form.limit_validity.data: - session['valid_thru'] = form.valid_thru.data.isoformat() - else: - session['valid_thru'] = '' - session['inactive'] = not form.active.data - return redirect('/store-token') + token_data = { + 'token': current_app.door.get_most_recent_token()['token'], + 'name': form.name.data, 'email': form.email.data, + 'organization': form.organization.data, + 'inactive': not form.active.data, + 'valid_thru': form.valid_thru.data.isoformat() if form.limit_validity.data else '' + } + store_token(token_data) + return redirect('/tokens') else: - return render_template('register.html', token=recent_token, form=form) + flash(f'Token konnte nicht registiert werden. Fehler: {form.errors}') + return render_template('register.html', token=recent_token, form=form) @door_app.route('/edit-token/', methods=['GET', 'POST']) 
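Review bot: The POST branch indexes `current_app.door.get_most_recent_token()['token']` with no guard, while the GET branch of the same function only trusts that dict after checking that both 'token' and 'timestamp' are present, so a submit when no token has been seen yet (or a lookup returning None) raises inside the request instead of flashing an error. The form also never carries the token id the admin saw on the GET page: the POST binds the submitted name and email to whatever token is most recent at submit time, so a card presented at the reader between the two requests would be registered under the wrong person. A cheap fix is to fetch the record once, `recent = current_app.door.get_most_recent_token() or {}`, return the form with a flash when `'token' not in recent`, and either echo the id back in a hidden form field and compare it on POST or re-apply the same ten-minute age check the GET branch uses. The flash text `registiert` looks like a typo for `registriert`. register() begins before this hunk.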
@@ -366,44 +384,21 @@ def edit_token(token): return redirect('/tokens') elif request.method == 'POST': if form.validate(): - # store data in session cookie - session['token'] = token - session['name'] = form.name.data - session['organization'] = form.organization.data - session['email'] = form.email.data - if form.limit_validity.data: - session['valid_thru'] = form.valid_thru.data.isoformat() - else: - session['valid_thru'] = '' - session['inactive'] = not form.active.data - return redirect(f'/store-token') + # store data in token_data cookie + token_data = {'token': token, + 'name': form.name.data, + 'organization': form.organization.data, + 'email': form.email.data, + 'inactive': not form.active.data, + 'valid_thru': form.valid_thru.data.isoformat() if form.limit_validity.data else '' + } + store_token(token_data) + return redirect('/tokens') else: + flash(f'Token konnte nicht editiert werden. Fehler: {form.errors}') return render_template('edit.html', token=token, form=form) -@door_app.route('/store-token') -@roles_required('admin') -def store_token(): - """Store token to the token file on disk. - - This will use the token id and the associated data stored in the session cookie (filled by register_token() or - edit_token()) and create/modify a token and store the new token file to disk. - """ - token = session['token'] - tokens = current_app.door.get_tokens() - tokens[token] = {'name': session['name'], - 'email': session['email'], - 'valid_thru': session['valid_thru'], - 'inactive': session['inactive'], - 'organization': session['organization']} - try: - current_app.door.store_tokens(tokens) - current_app.logger.info(f"Token {token} stored in database by admin user {current_user.username}") - except Exception as e: - flash(f"Error during store_tokens. Exception: {e}") - return redirect('/tokens') - - @door_app.route('/delete-token/', methods=['GET', 'POST']) @roles_required('admin') def delete_token(token):
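Review bot: The comment `# store data in token_data cookie` on the new side is stale — the values are collected into a local dict and handed to store_token, and nothing is written to a cookie any more — so it should read `# collect the form data and write the token entry directly`. As in register, the outcome of store_token is ignored and the handler redirects to /tokens even when the write failed (store_token currently returns nothing and only flashes), so the success path should depend on the helper reporting that the file was actually written, re-rendering `edit.html` otherwise. edit_token begins before this hunk.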