
Modifications en vrac

Dans User.valid_name, ajout de caractères non autorisés. Voir #19 pour
faire quelque chose de vraiment propre et safe.
Dans privs, j'ai shooté des règles en double. Répercussion sur les
autres routes.
Ajout du champ username dans le formulaire admin de modif d'un compte.
Dark-Storm 9 months ago
parent
commit
0c4f0f6748
Signed by: Dark-Storm <l.gatin@neuf.fr> GPG Key ID: F61F10FA138E797C

+ 1
- 0
app/forms/account.py View File

@@ -33,6 +33,7 @@ class DeleteAccountForm(FlaskForm):


class AdminUpdateAccountForm(FlaskForm):
username = StringField('Pseudonyme', validators=[DataRequired(), vd.name])
avatar = FileField('Avatar', validators=[Optional(), vd.avatar])
email = StringField('Adresse Email', validators=[Optional(), Email(), vd.email])
password = PasswordField('Mot de passe :', validators=[Optional(), vd.password])
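Review bot: `username` is declared with `DataRequired()` while every other field of AdminUpdateAccountForm uses `Optional()`, and both the route (`name = form.username.data or None` in app/routes/admin.py) and the template placeholder `user.name` in app/templates/admin/edit_account.html treat the field as optional. As written an admin cannot submit the form without retyping a name, and because `vd.name` also rejects any name already held by a member (app/utils/validators.py), re-entering the account's current name fails with "Pseudo indisponible". Suggest `username = StringField('Pseudonyme', validators=[Optional(), vd.name])`, together with exempting the account being edited from the uniqueness check. The class body continues past the hunk (the route also reads `form.birthday`), so other fields are not visible here.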

+ 15
- 6
app/models/users.py View File

@@ -35,25 +35,34 @@ class User(UserMixin, db.Model):
def valid_name(name):
"""
Checks whether a string is a valid user name. The criteria are:
1. No whitespace-class character
2. At least one letter
3. At least 3 characters and no longer than 32 characters
1. At least 3 characters and no longer than 32 characters
2. No whitespace-class character
3. No special chars
4. At least one letter
5. Not in forbidden usernames

Possibily other intresting criteria:
4. Unicode restriction
6. Unicode restriction
"""

# Rule 1
if type(name) != str or len(name) < 3 or len(name) > 32:
return False
if name in V5Config.FORBIDDEN_USERNAMES:
return False
# Rule 2
# Reject all Unicode whitespaces. This is important to avoid the most
# common Unicode tricks!
if re.search(r'\s', name) is not None:
return False
# Rule 3
if re.search(V5Config.FORBIDDEN_CHARS_USERNAMES, name) is not None:
return False
# Rule 4
# There must be at least one letter (avoid complete garbage)
if re.search(r'\w', name) is None:
return False
# Rule 5
if name in V5Config.FORBIDDEN_USERNAMES:
return False

return True
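Review bot: Rule 4 does not implement the documented "at least one letter" criterion: `\w` also matches digits and the underscore, so names such as `"1234"` or `"____"` pass all five rules. A letter-only class such as `if re.search(r'[^\W\d_]', name) is None:` keeps the Unicode behaviour of `\w` while excluding digits and `_`. The FORBIDDEN_USERNAMES comparison in Rule 5 is an exact match, so `"Admin"` or `"ROOT"` are accepted although `"admin"` and `"root"` are listed; `if name.casefold() in V5Config.FORBIDDEN_USERNAMES:` closes that gap. Minor: `type(name) != str` is better written `not isinstance(name, str)`, and the docstring's "Possibily other intresting criteria" carries two typos.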


+ 3
- 2
app/routes/admin.py View File

@@ -10,7 +10,7 @@ from app.utils.render import render
from app import app, db

@app.route('/admin', methods=['GET', 'POST'])
@priv_required('admin-panel')
@priv_required('access-admin-board')
def adm():
return render('admin/index.html')

@@ -45,7 +45,7 @@ default_groups = [
]

@app.route('/admin/groups', methods=['GET', 'POST'])
@priv_required('admin-manel')
@priv_required('access-admin-board')
def adm_groups():
class GroupRegenerationForm(FlaskForm):
submit = SubmitField('Régénérer les groupes, privilèges, et comptes communs')
@@ -113,6 +113,7 @@ def adm_edit_account(user_id):
f = form.avatar.data
f.save("./app/static/"+user.avatar)
user.update(
name = form.username.data or None,
email = form.email.data or None,
password = form.password.data or None,
birthday = form.birthday.data,
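Review bot: In the third hunk, `name = form.username.data or None` can never yield None once `username` carries `DataRequired()` (app/forms/account.py), so the "leave the name unchanged" path this expression implies is unreachable; either the field should be `Optional()` or the `or None` is misleading and should go. `user.update` is outside the hunk, so how it treats a None name is not visible here — presumably it keeps the current value, as the other `or None` arguments require. Any other route still decorated with `@priv_required('admin-panel')` would now demand a privilege that assets/privs.txt no longer lists; only two routes are updated in this section, so a repository-wide search for the old name is worth doing.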

+ 7
- 0
app/templates/admin/edit_account.html View File

@@ -17,6 +17,13 @@
{{ form.avatar }}
</div>
</div>
<div>
{{ form.username.label }}
{{ form.username(placeholder=user.name) }}
{% for error in form.username.errors %}
<span class="msgerror">{{ error }}</span>
{% endfor %}
</div>
<div>
{{ form.email.label }}
{{ form.email(placeholder=user.email) }}

+ 1
- 1
app/templates/base/base.html View File

@@ -7,7 +7,7 @@

<div class=container>
<header>
<div class=title>{% block title %}(page title){% endblock %}</div>
<div class=title>{% block title %}<h1>Planète Casio</h1>{% endblock %}</div>
{% include "base/header.html" %}
</header>
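Review bot: Placing `<h1>Planète Casio</h1>` inside `{% block title %}` means any child template overriding `title` must now emit its own `<h1>` to keep the heading markup, and one that supplies plain text silently loses it. Keeping the element outside the block, `<div class=title><h1>{% block title %}Planète Casio{% endblock %}</h1></div>`, gives every page the same structure with only the text overridable. This is a style point; the rendered default page is unchanged.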


+ 3
- 2
app/utils/validators.py View File

@@ -3,11 +3,12 @@ from wtforms.validators import ValidationError
from app.models.users import User, Member

def name(form, name):
if not User.valid_name(name.data):
raise ValidationError("Nom d'utilisateur invalide.")
# last check: do not ask db if useless
member = Member.query.filter_by(name=name.data).first()
if member is not None:
raise ValidationError('Pseudo indisponible.')
if not User.valid_name(name.data):
raise ValidationError("Nom d'utilisateur invalide.")

def email(form, email):
member = Member.query.filter_by(email=email.data).first()
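Review bot: The comment `# last check: do not ask db if useless` is hard to parse; assuming this hunk moves the `User.valid_name` check ahead of the `Member.query` lookup (the page does not mark which side each line is on), `# Query the DB last, and only once the name is syntactically valid.` states the intent directly. Separately, `Member.query.filter_by(name=name.data)` is an exact match, so two names differing only in letter case can coexist as distinct accounts, and valid_name places no restriction on confusable Unicode characters (its own docstring lists that as future work); comparing against a normalised (e.g. case-folded) form of the name would close at least the case variant.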

+ 0
- 1
assets/privs.txt View File

@@ -36,6 +36,5 @@ Miscellaenous:
community-login Automatically login as a community account

Administration panel:
admin-panel Access administration panel (read-only as it is)
edt-account Edit details of any account
delete-account Remove member accounts

+ 2
- 0
config.py View File

@@ -13,5 +13,7 @@ class V5Config(object):
PRIVS_MAXLEN = 64
# Forbidden user names
FORBIDDEN_USERNAMES = [ "admin", "root", "webmaster", "contact" ]
# Forbidden chars in user names (regex)
FORBIDDEN_CHARS_USERNAMES = r"[/]"
# Unauthorized message (@priv_required)
UNAUTHORIZED_MSG = "Vous n'avez pas l'autorisation d'effectuer cette action !"
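Review bot: `FORBIDDEN_CHARS_USERNAMES = r"[/]"` blocks a single character, and neither the comment nor the commit message says why `/` in particular; a one-line reason (presumably because names appear in URL paths — confirm) would stop the next reader from widening or dropping it blindly. A denylist of this kind is hard to keep complete, which the description itself acknowledges by deferring to #19; until then a comment such as `# Characters rejected by User.valid_name (rule 3); see #19 for the allow-list rewrite` at least ties the setting to its consumer.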
