Fixed: Check if all required arguments are set in change requests from the admin panel. Also removed the requirement to enter the current password in order to change the touchkey.

s3lph 2018-07-11 12:30:27 +02:00
parent c74a0d734e
commit c3a7f3cf16
4 changed files with 19 additions and 5 deletions


@ -40,6 +40,8 @@ def handle_change(args: RequestArguments, user: User, db: MatematDatabase) -> No
change = str(args.change)
if change == 'account':
if 'username' not in args or 'email' not in args:
return
username = str(args.username)
email = str(args.email)
if len(email) == 0:
@ -55,6 +57,8 @@ def handle_change(args: RequestArguments, user: User, db: MatematDatabase) -> No
user.email = oldmail
elif change == 'password':
if 'oldpass' not in args or 'newpass' not in args or 'newpass2' not in args:
return
oldpass = str(args.oldpass)
newpass = str(args.newpass)
newpass2 = str(args.newpass2)
@ -63,13 +67,16 @@ def handle_change(args: RequestArguments, user: User, db: MatematDatabase) -> No
db.change_password(user, oldpass, newpass)
elif change == 'touchkey':
oldpass = str(args.oldpass)
if 'touchkey' not in args:
return
touchkey = str(args.touchkey)
if len(touchkey) == 0:
touchkey = None
db.change_touchkey(user, oldpass, touchkey)
db.change_touchkey(user, '', touchkey, verify_password=False)
elif change == 'avatar':
if 'avatar' not in args:
return
avatar = bytes(args.avatar)
os.makedirs('./static/img/thumbnails/users/', exist_ok=True)
with open(f'./static/img/thumbnails/users/{user.id}.png', 'wb') as f:
@ -84,6 +91,8 @@ def handle_admin_change(args: RequestArguments, db: MatematDatabase):
change = str(args.adminchange)
if change == 'newuser':
if 'username' not in args or 'email' not in args or 'password' not in args:
return
username = str(args.username)
email = str(args.email)
if len(email) == 0:
@ -94,6 +103,8 @@ def handle_admin_change(args: RequestArguments, db: MatematDatabase):
db.create_user(username, password, email, member=is_member, admin=is_admin)
elif change == 'newproduct':
if 'name' not in args or 'price_member' not in args or 'price_non_member' not in args:
return
name = str(args.name)
price_member = int(str(args.pricemember))
price_non_member = int(str(args.pricenonmember))
@ -105,6 +116,8 @@ def handle_admin_change(args: RequestArguments, db: MatematDatabase):
f.write(image)
elif change == 'restock':
if 'productid' not in args or 'amount' not in args:
return
productid = int(str(args.productid))
amount = int(str(args.amount))
product = db.get_product(productid)
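Review bot: The guard added to the `newproduct` branch tests `'price_member'` and `'price_non_member'`, but the handler then reads `args.pricemember` and `args.pricenonmember` (and the product page's `update` hunk checks `'pricemember'`/`'pricenonmember'`), so the check presumably looks for keys the form never sends and either rejects every new-product request or, if both spellings arrive, leaves the `int(str(...))` lines unguarded; it should read `if 'name' not in args or 'pricemember' not in args or 'pricenonmember' not in args:`. In the `touchkey` branch, `db.change_touchkey(user, '', touchkey, verify_password=False)` now replaces a login credential without re-authenticating the session; if that is intentional, a comment stating why the password re-check is acceptable to skip here (and, ideally, a session-freshness or confirmation step) would keep that decision visible to the next reader. All of the new `not in args` guards return silently, so a request with a missing field is dropped with no feedback to the admin — consider logging the rejected change; the same applies to the `update` hunks in the product and user admin pages. `handle_change` and `handle_admin_change` both start and end outside these hunks.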


@ -52,6 +52,8 @@ def handle_change(args: RequestArguments, product: Product, db: MatematDatabase)
pass
elif change == 'update':
if 'name' not in args or 'pricemember' not in args or 'pricenonmember' not in args or 'stock' not in args:
return
name = str(args.name)
price_member = int(str(args.pricemember))
price_non_member = int(str(args.pricenonmember))
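Review bot: The presence check added to the `update` branch does not cover malformed values, so `int(str(args.pricemember))` and `int(str(args.pricenonmember))` on the following lines (and presumably `stock` further down, outside the hunk) still raise `ValueError` on non-numeric input, which the guard was meant to prevent reaching the database call. A small helper that both checks presence and parses the integers would close that gap, e.g. `if not all(k in args for k in ('name', 'pricemember', 'pricenonmember', 'stock')): return` followed by a `try/except ValueError` around the conversions. The enclosing `handle_change` starts and ends outside the hunk.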


@ -52,6 +52,8 @@ def handle_change(args: RequestArguments, user: User, db: MatematDatabase) -> No
pass
elif change == 'update':
if 'username' not in args or 'email' not in args or 'password' not in args or 'balance' not in args:
return
username = str(args.username)
email = str(args.email)
password = str(args.password)
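Review bot: The new guard requires `'password'` to be present for every user `update`, and `password = str(args.password)` then accepts an empty string; whether an empty value means "keep the current password" or actually sets an empty one is decided outside the hunk, so a comment on the guard such as `# 'password' must be present; an empty value is handled below` (stating which of the two it is) would make the contract explicit. The four-term `or` chain would also read more easily as `if any(k not in args for k in ('username', 'email', 'password', 'balance')):`. `handle_change` starts and ends outside the hunk.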


@ -52,9 +52,6 @@
<h2>Touchkey</h2>
<form id="admin-touchkey-form" method="post" action="/admin?change=touchkey" accept-charset="UTF-8">
<label for="admin-touchkey-oldpass">Current password: </label>
<input id="admin-touchkey-oldpass" type="password" name="oldpass" /><br/>
Draw a new touchkey (leave empty to disable):
<br/>
{% include "touchkey.svg" %}