hotfix: unauthorized access to admin dashboard
This commit is contained in:
parent
0a644cf9de
commit
c9e4f02454
4 changed files with 21 additions and 22 deletions
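--- a/app.py
+++ b/app.py
@@ -13,6 +13,7 @@ db = client.flask_db
 posts_collection = db.posts_collection
 users_collection = db.users_collection
 nuke_counter = db.nuke_counter
+isAdmin = False
 
 #app routes
 @app.route('/', methods=['GET'])
@@ -35,12 +36,10 @@ def board(board_name):
 
 posts = posts_collection.find({'board_name': board_name}).sort('timestamp', -1)
 display_name = next((link['display_name'] for link in links if link['name'] == board_name), board_name)
-admin_user = users_collection.find_one({'username': 'admin'})
-if admin_user and session.get('user_id') == str(admin_user['_id']):
-return render_template('board.html', title=board_name, header=display_name, links=links, posts=posts, admin=True)
+if isAdmin == True or ('username' in session and session['username'] == 'admin'):
+return render_template('board.html', title=board_name, header=display_name, links=links, posts=posts, admin=admin)
 else:
-admin=False
-return render_template('board.html', title=board_name, header=display_name, links=links, posts=posts, admin=admin)
+return render_template('board.html', title=board_name, header=display_name, links=links, posts=posts, admin=None)
 #posting API
 @app.route('/post', methods=['POST'])
 def post():
@@ -95,8 +94,9 @@ def login_post():
 return redirect(url_for('index'))
 elif user == 'admin' and check_password_hash(user['password'], password):
 session['user_id'] = str(user['_id'])
-session['username'] = username
-return redirect(url_for('admin'))
+session['username'] = 'admin'
+isAdmin = True
+return redirect(url_for('admin', isAdmin=isAdmin))
 else:
 return redirect(url_for('login'))
 
@@ -126,7 +126,6 @@ def register_post():
 #admin dashboard
 @app.route('/admin', methods=['GET'])
 def admin():
-admin_user = users_collection.find_one({'username': 'admin'})
 users = users_collection.find({})
 success1 = request.args.get('success1', '')
 success2 = request.args.get('success2', '')
@@ -134,44 +133,42 @@ def admin():
 total_users = users_collection.count_documents({})
 total_posts = posts_collection.count_documents({})
 nuke_count = nuke_counter.count_documents({})
-if admin_user or session['user_id'] != str(admin_user['_id']):
+isAdmin = request.args.get('isAdmin', False)
+if isAdmin == True or ('username' in session and session['username'] == 'admin'):
 return render_template('admin.html', success1=success1, success2=success2, success3=success3, total_users=total_users, total_posts=total_posts, nuke_count=nuke_count, users=users)
 else:
 return url_for('index')
 #admin functions
 @app.route('/deletepost', methods=['POST'])
 def deletepost():
-admin_user = users_collection.find_one({'username': 'admin'})
-if not admin_user or session['user_id'] != str(admin_user['_id']):
-return redirect(url_for('index'))
-else:
+if isAdmin == True or ('username' in session and session['username'] == 'admin'):
 post_id = request.form['post_id']
 posts_collection.delete_one({'_id': ObjectId(post_id)})
 success = 'post deleted!'
 return redirect(url_for('admin', success1=success))
+else:
+return redirect(url_for('index'))
 
 @app.route('/deleteuser', methods=['POST'])
 def deleteuser():
-admin_user = users_collection.find_one({'username': 'admin'})
-if not admin_user or session['user_id'] != str(admin_user['_id']):
-return redirect(url_for('index'))
-else:
+if isAdmin == True or ('username' in session and session['username'] == 'admin'):
 user_id = request.form['user_id']
 users_collection.delete_one({'_id': ObjectId(user_id)})
 success = 'user deleted!'
 return redirect(url_for('admin', success2=success))
+else:
+return redirect(url_for('index'))
 
 @app.route('/nukeboard', methods=['POST'])
 def nukeboard():
-admin_user = users_collection.find_one({'username': 'admin'})
-if not admin_user or session['user_id'] != str(admin_user['_id']):
-return redirect(url_for('index'))
-else:
+if isAdmin == True or ('username' in session and session['username'] == 'admin'):
 board_name = request.form['board_name']
 posts_collection.delete_many({'board_name': board_name})
 success = 'board nuked!'
 nuke_counter.insert_one({'board_name': board_name}, {'date': datetime.now()})
 return redirect(url_for('admin', success3=success))
+else:
+return redirect(url_for('index'))
 
 #logout API
 @app.route('/logout')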
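Review bot: The new authorization path takes its admin decision from client-controlled and process-wide state: `admin()` reads `isAdmin = request.args.get('isAdmin', False)` from the query string and `login_post` advertises it via `url_for('admin', isAdmin=isAdmin)`, while `board()`, `deletepost()`, `deleteuser()` and `nukeboard()` test the module-level `isAdmin`. Both paths happen to be inert today — the query value is a str so `'True' == True` is False, and `isAdmin = True` in `login_post` rebinds a local (there is no `global isAdmin`), so the module flag stays False — but that makes the check accidental: a later `bool(isAdmin)` or `global isAdmin` "fix" would respectively let anyone open `/admin?isAdmin=True` or make every visitor an admin after a single admin login. The only condition doing real work is `session['username'] == 'admin'`, so I would delete `isAdmin` everywhere, gate on the signed session through one helper (below), and in `admin()` use `return redirect(url_for('index'))` instead of `return url_for('index')`, which sends the path string as a 200 body. Separately, `admin=admin` in `board()`'s new true branch now passes the `admin` view function itself (the local `admin=False` was removed), which only works because a function object is truthy — `admin=True` is what was meant. This assumes nothing outside the diff (e.g. `register_post`) can create a second account whose username is `'admin'`.
```python
def _is_admin():
    # Sole source of truth for admin checks: the server-signed session,
    # never a query parameter or a module-level flag shared across requests.
    return session.get('username') == 'admin'

@app.route('/admin', methods=['GET'])
def admin():
    if not _is_admin():
        return redirect(url_for('index'))
    # … unchanged: users/success*/total_* lookups and render_template('admin.html', …) …

@app.route('/deletepost', methods=['POST'])
def deletepost():
    if not _is_admin():
        return redirect(url_for('index'))
    # … unchanged: post_id lookup, delete_one, redirect to admin …
# … same guard replaces the `if isAdmin == True or …` line in deleteuser() and nukeboard() …
```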
@ -1,3 +1,4 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
<html lang="en">
|
<html lang="en">
|
||||||
<head>
|
<head>
|
||||||
<meta charset="UTF-8">
|
<meta charset="UTF-8">
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
<html lang="en">
|
<html lang="en">
|
||||||
<head>
|
<head>
|
||||||
<meta charset="UTF-8">
|
<meta charset="UTF-8">
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,4 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
<title>wirechan</title>
|
<title>wirechan</title>
|
||||||
|
|
|
||||||