From c3a7f3cf16986fd6d501f41a34c1e27f328bb557 Mon Sep 17 00:00:00 2001
From: s3lph
Date: Wed, 11 Jul 2018 12:30:27 +0200
Subject: [PATCH] Fixed: Check if all required arguments are set in change requests from the admin panel. Also removed the requirement to enter the current password in order to change the touchkey.

---
 matemat/webserver/pagelets/admin.py | 17 +++++++++++++++--
 matemat/webserver/pagelets/modproduct.py | 2 ++
 matemat/webserver/pagelets/moduser.py | 2 ++
 templates/admin_all.html | 3 ---
 4 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/matemat/webserver/pagelets/admin.py b/matemat/webserver/pagelets/admin.py
index 70b7560..3d45fb4 100644
--- a/matemat/webserver/pagelets/admin.py
+++ b/matemat/webserver/pagelets/admin.py
@@ -40,6 +40,8 @@ def handle_change(args: RequestArguments, user: User, db: MatematDatabase) -> No
     change = str(args.change)
 
     if change == 'account':
+        if 'username' not in args or 'email' not in args:
+            return
         username = str(args.username)
         email = str(args.email)
         if len(email) == 0:
@@ -55,6 +57,8 @@ def handle_change(args: RequestArguments, user: User, db: MatematDatabase) -> No
             user.email = oldmail
 
     elif change == 'password':
+        if 'oldpass' not in args or 'newpass' not in args or 'newpass2' not in args:
+            return
         oldpass = str(args.oldpass)
         newpass = str(args.newpass)
         newpass2 = str(args.newpass2)
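Review bot: The bare `return` after the new presence check turns a request with missing fields into a silent no-op, so the caller gets the same response whether the account change was applied or dropped; the same shape is repeated in the password, touchkey/avatar, newuser, newproduct and restock hunks below and in the modproduct and moduser hunks. A broken form or a tampered POST then leaves no trace, which makes both debugging and abuse detection harder, so if the pagelet framework offers an error response or the module has a logger (neither is visible in this diff) report the rejection there instead of returning silently. Presence is also not validity: an empty `username` passes the check, while only `email` gets the `len(email) == 0` treatment a few lines down. Since the check is hand-typed eight times, a small helper such as `def _has_all(args, *names): return all(n in args for n in names)` would keep the key lists in one place and harder to get wrong. handle_change's body continues outside the hunk.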
@@ -63,13 +67,16 @@ def handle_change(args: RequestArguments, user: User, db: MatematDatabase) -> No
         db.change_password(user, oldpass, newpass)
 
     elif change == 'touchkey':
-        oldpass = str(args.oldpass)
+        if 'touchkey' not in args:
+            return
         touchkey = str(args.touchkey)
         if len(touchkey) == 0:
             touchkey = None
-        db.change_touchkey(user, oldpass, touchkey)
+        db.change_touchkey(user, '', touchkey, verify_password=False)
 
     elif change == 'avatar':
+        if 'avatar' not in args:
+            return
         avatar = bytes(args.avatar)
         os.makedirs('./static/img/thumbnails/users/', exist_ok=True)
         with open(f'./static/img/thumbnails/users/{user.id}.png', 'wb') as f:
@@ -84,6 +91,8 @@ def handle_admin_change(args: RequestArguments, db: MatematDatabase):
     change = str(args.adminchange)
 
     if change == 'newuser':
+        if 'username' not in args or 'email' not in args or 'password' not in args:
+            return
         username = str(args.username)
         email = str(args.email)
         if len(email) == 0:
@@ -94,6 +103,8 @@ def handle_admin_change(args: RequestArguments, db: MatematDatabase):
         db.create_user(username, password, email, member=is_member, admin=is_admin)
 
     elif change == 'newproduct':
+        if 'name' not in args or 'price_member' not in args or 'price_non_member' not in args:
+            return
         name = str(args.name)
         price_member = int(str(args.pricemember))
         price_non_member = int(str(args.pricenonmember))
@@ -105,6 +116,8 @@ def handle_admin_change(args: RequestArguments, db: MatematDatabase):
             f.write(image)
 
     elif change == 'restock':
+        if 'productid' not in args or 'amount' not in args:
+            return
         productid = int(str(args.productid))
         amount = int(str(args.amount))
         product = db.get_product(productid)
diff --git a/matemat/webserver/pagelets/modproduct.py b/matemat/webserver/pagelets/modproduct.py
index a8b4b6e..9acf911 100644
--- a/matemat/webserver/pagelets/modproduct.py
+++ b/matemat/webserver/pagelets/modproduct.py
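Review bot: `db.change_touchkey(user, '', touchkey, verify_password=False)` makes the touchkey — which the removed template text describes as something the user draws, so presumably an authentication credential — replaceable by any request carrying a valid session, with no re-authentication. A hijacked session, or a forged cross-site POST if the form is not CSRF-protected (not visible here), can then silently install a new touchkey; the omission deserves at least a comment stating it is intentional, e.g. `# Deliberately not password-gated: the session alone authorises a touchkey change`, and ideally a log entry whenever the touchkey is replaced. The `verify_password` keyword of `change_touchkey` is not part of this diff, so confirm the database layer actually accepts it. In the avatar branch the new check only proves `avatar` is present; `bytes(args.avatar)` is still written verbatim under `./static/img/thumbnails/users/`, so it does not stand in for a check that the upload is PNG data. handle_change's body continues outside the hunk.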
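Review bot: The new guard in the newproduct branch tests `'price_member'` and `'price_non_member'`, but the lines directly below read `args.pricemember` and `args.pricenonmember`, and the modproduct hunk checks `'pricemember'`/`'pricenonmember'`; as written the branch either always returns early or still fails on the attribute access, depending on which names the form submits. The check should read `if 'name' not in args or 'pricemember' not in args or 'pricenonmember' not in args:`. Presence also does not cover type: `int(str(args.pricemember))` raises ValueError on non-numeric input, and the same holds for `productid`/`amount` in the restock hunk and for the modproduct and moduser update hunks, so the `int(...)` conversions should sit in a `try`/`except ValueError` that rejects the request the same way the presence check does. handle_admin_change's body continues outside the hunk.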
@@ -52,6 +52,8 @@ def handle_change(args: RequestArguments, product: Product, db: MatematDatabase)
         pass
 
     elif change == 'update':
+        if 'name' not in args or 'pricemember' not in args or 'pricenonmember' not in args or 'stock' not in args:
+            return
         name = str(args.name)
         price_member = int(str(args.pricemember))
         price_non_member = int(str(args.pricenonmember))
diff --git a/matemat/webserver/pagelets/moduser.py b/matemat/webserver/pagelets/moduser.py
index 7836e0f..edacc99 100644
--- a/matemat/webserver/pagelets/moduser.py
+++ b/matemat/webserver/pagelets/moduser.py
@@ -52,6 +52,8 @@ def handle_change(args: RequestArguments, user: User, db: MatematDatabase) -> No
         pass
 
     elif change == 'update':
+        if 'username' not in args or 'email' not in args or 'password' not in args or 'balance' not in args:
+            return
         username = str(args.username)
         email = str(args.email)
         password = str(args.password)
diff --git a/templates/admin_all.html b/templates/admin_all.html
index a8f51a3..2c24de8 100644
--- a/templates/admin_all.html
+++ b/templates/admin_all.html
@@ -52,9 +52,6 @@
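Review bot: The four-way `or` chain on the new guard line runs well past 100 columns and is the same kind of hand-maintained key list that produced the name mismatch in the admin.py newproduct hunk; a tuple of required names reads better and keeps the list in one place: `required = ('name', 'pricemember', 'pricenonmember', 'stock')` / `if not all(k in args for k in required):` / `    return`. `all(... in args ...)` relies only on the `__contains__` the hunk already uses, so no further assumption about RequestArguments is needed. The same rewrite applies to the moduser hunk below. handle_change's body continues outside the hunk.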

Touchkey

- -
- Draw a new touchkey (leave empty to disable):
{% include "touchkey.svg" %}