better structure

2020-04-30 22:38:33 +02:00 · 2020-04-30 22:38:33 +02:00 · 033ccda95f
commit 033ccda95f
parent 0d8946bf56
2 changed files with 92 additions and 73 deletions
--- a/list.tpl
+++ b/list.tpl
@ -1,11 +1,6 @@
+<h2>Liste</h2>
 <ul>
-% for user in mongodb_database['users'].find():
-    <li>{{user}}</li>
-% end
-</ul>
-
-<ul>
-% for form in mongodb_database['forms'].find():
-    <li>{{form}}</li>
+% for item in data:
+    <li>{{item}}</li>
 % end
 </ul>
--- a/main.py
+++ b/main.py
@ -112,17 +112,19 @@ def submission ():
    else:
        response.status = 400
        return 'Le jeton d’autentification est requis'
+
    if 'mail' in request.forms:
        from_address = request.forms.getunicode('mail')
    else:
-        response.status = 400
-        return 'Le mail est requis'
+        #response.status = 400
+        #return 'Le mail est requis'
+        from_address = ''

    try:
        form = mongodb_database['forms'].find({'token': token})[0]
    except IndexError as e:
        response.status = 400
-        return 'L’authentification a échouée'
+        return 'Le formulaire est introuvable'

    try:
        subject_fields = fill_fields(request, get_fields(form['subject']))
@ -141,8 +143,9 @@ def submission ():
    # Redirection
    #redirect(success_redirect_default)
    origin = request.headers.get('origin')
-    return 'Mail envoyé !' + ('Retour au <a href="{}">formulaire de contact</a>'.format(origin) if origin else '')
+    return '<p>Mail envoyé !</p>' + ('<p>Retour au <a href="{}">formulaire de contact</a></p>'.format(origin) if origin else '')

+##################################################### Helpers ############################################$
 def get_fields (string):
    """ Parse the string looking for template elements and create an array with template to fill and their default values. None if mandatory. """
    result = {}
@ -187,6 +190,26 @@ def send_mail(from_address, to, subject, content):
        return False
    return True

+def login(request):
+    """
+    Check if user is admin or simple user. Return a disct with _privilege key. dict is also a user if _privilege == 1
+    Privileges : 0=admin 1=loggedIn 1000=guest
+    """
+    if 'admin_pass' in request.forms and request.forms['admin_pass'] == admin_password:
+        return {'_privilege':0}
+    if 'token' in request.forms:
+        token = request.forms.getunicode('token')
+        try:
+            user = mongodb_database['users'].find({'token': token})[0]
+            user['_privilege'] = 1
+            return user
+        except IndexError as e:
+            pass
+
+    return {'_privilege': 1000} # anonymous
+
+
+##################################################### Forms ############################################$

@app.post('/form')
@app.post('/form/')
@ -214,18 +237,10 @@ def create_form ():
        response.status = 400
        return 'Le champs « adresse » est requis'

-    # Getting auth token
-    if 'token' in request.forms:
-        token = request.forms.getunicode('token')
-    else:
+    user = login(request)
+    if user['_privilege'] > 1:
        response.status = 400
-        return 'Le jeton d’autentification n’a pas été envoyé'
-
-    try:
-        user = mongodb_database['users'].find({'token': token})[0]
-    except IndexError as e:
-        response.status = 400
-        return 'L’authentification a échouée'
+        return 'Privilèges insufisants'

    # TODO limit the insertion rate
    token = ''.join(random.sample(token_chars, token_len))
@ -239,42 +254,81 @@ def create_form ():

    return 'Créé : ' + token

-
-
-##################################################### Admin ############################################$
-@app.post('/admin/list')
-@app.post('/admin/list/')
-def admin_list ():
-    if not ('admin_pass' in request.forms and request.forms['admin_pass'] == admin_password):
+@app.post('/form/list')
+@app.post('/form/list/')
+def list_forms ():
+    user = login(request)
+    if user['_privilege'] == 0:
+        filt = {}
+    elif user['_privilege'] == 1:
+        filt = {'user_id': user['_id']}
+    else:
        response.status = 400
-        return 'Le champs « admin_pass » est requis'
-    return bottle.template("list.tpl", mongodb_database=mongodb_database)
+        return 'Privilèges insufisants'
+    return bottle.template("list.tpl", data=mongodb_database['forms'].find(filt))


+@app.delete('/form/<token>')
+@app.delete('/form/<token>/')
+def delete_form(token):
+    # If admin or form owner
+    user = login(request)
+    if user['_privilege'] > 1:
+        response.status = 400
+        return 'Privilèges insufisants'
+
+    # Actually delete
+    try:
+        form = mongodb_database['forms'].find({'token':token })[0]
+    except IndexError as e:
+        response.status = 400
+        return 'Le token n’est pas valide'
+
+    if user['_privilege'] == 0 or (form['user_id'] == user['_id']):
+        mongodb_database['forms'].delete_one({
+            'token': token,
+        })
+        return 'Supprimé ' + token
+    response.status = 400
+    return 'Privilèges insufisants'
+
+
+##################################################### Users ############################################$
+
+@app.post('/user/list')
+@app.post('/user/list/')
+def list_users ():
+    user = login(request)
+    if user['_privilege'] > 0:
+        response.status = 400
+        return 'Privilèges insufisants'
+    return bottle.template("list.tpl", data=mongodb_database['users'].find())
+
@app.put('/user/<username>')
@app.put('/user/<username>/')
 def create_user (username):
-    if not ('admin_pass' in request.forms and request.forms['admin_pass'] == admin_password):
+    user = login(request)
+    if user['_privilege'] > 0:
        response.status = 400
-        return 'Le champs « admin_pass » est requis'
+        return 'Privilèges insufisants'
    try:
        mongodb_database['users'].find({'username': username})[0]
        return 'L’utilisateur existe déjà'
    except IndexError as e:
-        pass
-    inserted = mongodb_database['users'].insert_one({
-        'username': username,
-        'token': ''.join(random.sample(token_chars, token_len))
-    })
-    return 'Créé : ' + username
+        inserted = mongodb_database['users'].insert_one({
+            'username': username,
+            'token': ''.join(random.sample(token_chars, token_len))
+        })
+        return 'Créé : ' + username


@app.delete('/user/<username>')
@app.delete('/user/<username>/')
 def delete_user (username):
-    if not ('admin_pass' in request.forms and request.forms['admin_pass'] == admin_password):
+    user = login(request)
+    if user['_privilege'] > 0:
        response.status = 400
-        return 'Le champs « admin_pass » est requis'
+        return 'Privilèges insufisants'
    try:
        mongodb_database['users'].find({'username': username})[0]
    except IndexError as e:
@ -286,37 +340,7 @@ def delete_user (username):
    return 'Supprimé ' + username


-@app.delete('/form/<token>')
-@app.delete('/form/<token>/')
-def delete_form(token):
-    # If admin or form owner
-    admin = False
-    if 'admin_pass' in request.forms and request.forms['admin_pass'] == admin_password:
-        admin = True
-
-    user_token = False
-    if 'token' in request.forms:
-        try:
-            user = mongodb_database['users'].find({'token':request.forms['token']})[0]
-            user_token = True
-        except IndexError as e:
-            pass
-
-    # Actually delete
-    try:
-        form = mongodb_database['forms'].find({'token':token })[0]
-    except IndexError as e:
-        response.status = 400
-        return 'Le token n’est pas valide'
-
-    if (user_token and form['user_id'] == user['_id']) or admin:
-        mongodb_database['forms'].delete_one({
-            'token': token,
-        })
-        return 'Supprimé ' + token
-    response.status = 400
-    return 'Vous n’avez pas les droits pour supprimer ce formulaire'
-
+##################################################### Bottle stuff ############################################$

 class StripPathMiddleware(object):
    '''