hotfix: unauthorized access to admin dashboard

app.py

@@ -13,6 +13,7 @@ db = client.flask_db
 posts_collection = db.posts_collection
 users_collection = db.users_collection
 nuke_counter = db.nuke_counter
+isAdmin = False
 
 #app routes
 @app.route('/', methods=['GET'])
@@ -35,12 +36,10 @@ def board(board_name):
     
     posts = posts_collection.find({'board_name': board_name}).sort('timestamp', -1)
     display_name = next((link['display_name'] for link in links if link['name'] == board_name), board_name)
-    admin_user = users_collection.find_one({'username': 'admin'})
-    if admin_user and session.get('user_id') == str(admin_user['_id']):
-        return render_template('board.html', title=board_name, header=display_name, links=links, posts=posts, admin=True)
+    if isAdmin == True or ('username' in session and session['username'] == 'admin'):
+        return render_template('board.html', title=board_name, header=display_name, links=links, posts=posts, admin=admin)
     else:
-        admin=False
-    return render_template('board.html', title=board_name, header=display_name, links=links, posts=posts, admin=admin)
+        return render_template('board.html', title=board_name, header=display_name, links=links, posts=posts, admin=None)
 #posting API
 @app.route('/post', methods=['POST'])
 def post():
@@ -95,8 +94,9 @@ def login_post():
         return redirect(url_for('index'))
     elif user == 'admin' and check_password_hash(user['password'], password):
         session['user_id'] = str(user['_id'])
-        session['username'] = username
-        return redirect(url_for('admin'))
+        session['username'] = 'admin'
+        isAdmin = True
+        return redirect(url_for('admin', isAdmin=isAdmin))
     else:
         return redirect(url_for('login'))
     
@@ -126,7 +126,6 @@ def register_post():
 #admin dashboard
 @app.route('/admin', methods=['GET'])
 def admin():
-    admin_user = users_collection.find_one({'username': 'admin'})
     users = users_collection.find({})
     success1 = request.args.get('success1', '')
     success2 = request.args.get('success2', '')
@@ -134,44 +133,42 @@ def admin():
     total_users = users_collection.count_documents({})
     total_posts = posts_collection.count_documents({})
     nuke_count = nuke_counter.count_documents({})
-    if admin_user or session['user_id'] != str(admin_user['_id']):
+    isAdmin = request.args.get('isAdmin', False)
+    if isAdmin == True or ('username' in session and session['username'] == 'admin'):
         return render_template('admin.html', success1=success1, success2=success2, success3=success3, total_users=total_users, total_posts=total_posts, nuke_count=nuke_count, users=users)
     else:
         return url_for('index')
 #admin functions
 @app.route('/deletepost', methods=['POST'])
 def deletepost():
-    admin_user = users_collection.find_one({'username': 'admin'})
-    if not admin_user or session['user_id'] != str(admin_user['_id']):
-        return redirect(url_for('index'))
-    else:
+    if isAdmin == True or ('username' in session and session['username'] == 'admin'):
         post_id = request.form['post_id']
         posts_collection.delete_one({'_id': ObjectId(post_id)})
         success = 'post deleted!'
         return redirect(url_for('admin', success1=success))
+    else:
+        return redirect(url_for('index'))
     
 @app.route('/deleteuser', methods=['POST'])
 def deleteuser():
-    admin_user = users_collection.find_one({'username': 'admin'})
-    if not admin_user or session['user_id'] != str(admin_user['_id']):
-        return redirect(url_for('index'))
-    else:
+    if isAdmin == True or ('username' in session and session['username'] == 'admin'):
         user_id = request.form['user_id']
         users_collection.delete_one({'_id': ObjectId(user_id)})
         success = 'user deleted!'
         return redirect(url_for('admin', success2=success))
+    else:
+        return redirect(url_for('index'))
     
 @app.route('/nukeboard', methods=['POST'])
 def nukeboard():
-    admin_user = users_collection.find_one({'username': 'admin'})
-    if not admin_user or session['user_id'] != str(admin_user['_id']):
-        return redirect(url_for('index'))
-    else:
+    if isAdmin == True or ('username' in session and session['username'] == 'admin'):
         board_name = request.form['board_name']
         posts_collection.delete_many({'board_name': board_name})
         success = 'board nuked!'
         nuke_counter.insert_one({'board_name': board_name}, {'date': datetime.now()})
         return redirect(url_for('admin', success3=success))
+    else:
+        return redirect(url_for('index'))
 
 #logout API
 @app.route('/logout')

templates/admin.html

@@ -1,3 +1,4 @@
+<!DOCTYPE html>
 <html lang="en">
     <head>
         <meta charset="UTF-8">

templates/board.html

@@ -1,4 +1,4 @@
-
+<!DOCTYPE html>
 <html lang="en">
 <head>
     <meta charset="UTF-8">

templates/index.html

@@ -1,3 +1,4 @@
+<!DOCTYPE html>
 <html>
   <head>
     <title>wirechan</title>