Modifications en vrac

Dans User.valid_name, ajout de caractères non autorisés. Voir #19 pour
faire quelque chose de vraiment propre et safe.
Dans privs, j'ai shooté des règles en double. Répercussion sur les
autres routes.
Ajout du champ username dans le formulaire admin de modif d'un compte.

app/forms/account.py

@@ -33,6 +33,7 @@ class DeleteAccountForm(FlaskForm):
 
 
 class AdminUpdateAccountForm(FlaskForm):
+    username = StringField('Pseudonyme', validators=[DataRequired(), vd.name])
     avatar = FileField('Avatar', validators=[Optional(), vd.avatar])
     email = StringField('Adresse Email', validators=[Optional(), Email(), vd.email])
     password = PasswordField('Mot de passe :', validators=[Optional(), vd.password])

app/models/users.py

@@ -35,25 +35,34 @@ class User(UserMixin, db.Model):
     def valid_name(name):
         """
         Checks whether a string is a valid user name. The criteria are:
-        1. No whitespace-class character
-        2. At least one letter
-        3. At least 3 characters and no longer than 32 characters
+        1. At least 3 characters and no longer than 32 characters
+        2. No whitespace-class character
+        3. No special chars
+        4. At least one letter
+        5. Not in forbidden usernames
 
         Possibily other intresting criteria:
-        4. Unicode restriction
+        6. Unicode restriction
         """
 
+        # Rule 1
         if type(name) != str or len(name) < 3 or len(name) > 32:
             return False
-        if name in V5Config.FORBIDDEN_USERNAMES:
-            return False
+        # Rule 2
         # Reject all Unicode whitespaces. This is important to avoid the most
         # common Unicode tricks!
         if re.search(r'\s', name) is not None:
             return False
+        # Rule 3
+        if re.search(V5Config.FORBIDDEN_CHARS_USERNAMES, name) is not None:
+            return False
+        # Rule 4
         # There must be at least one letter (avoid complete garbage)
         if re.search(r'\w', name) is None:
             return False
+        # Rule 5
+        if name in V5Config.FORBIDDEN_USERNAMES:
+            return False
 
         return True
 

app/routes/admin.py

@@ -10,7 +10,7 @@ from app.utils.render import render
 from app import app, db
 
 @app.route('/admin', methods=['GET', 'POST'])
-@priv_required('admin-panel')
+@priv_required('access-admin-board')
 def adm():
     return render('admin/index.html')
 
@@ -45,7 +45,7 @@ default_groups = [
 ]
 
 @app.route('/admin/groups', methods=['GET', 'POST'])
-@priv_required('admin-manel')
+@priv_required('access-admin-board')
 def adm_groups():
     class GroupRegenerationForm(FlaskForm):
         submit = SubmitField('Régénérer les groupes, privilèges, et comptes communs')
@@ -113,6 +113,7 @@ def adm_edit_account(user_id):
                 f = form.avatar.data
                 f.save("./app/static/"+user.avatar)
             user.update(
+                name = form.username.data or None,
                 email = form.email.data or None,
                 password = form.password.data or None,
                 birthday = form.birthday.data,

app/templates/admin/edit_account.html

@@ -17,6 +17,13 @@
 				{{ form.avatar }}
 			</div>
 		</div>
+		<div>
+			{{ form.username.label }}
+			{{ form.username(placeholder=user.name) }}
+			{% for error in form.username.errors %}
+			<span class="msgerror">{{ error }}</span>
+			{% endfor %}
+		</div>
 		<div>
 			{{ form.email.label }}
 			{{ form.email(placeholder=user.email) }}

app/templates/base/base.html

@@ -7,7 +7,7 @@
 
 	<div class=container>
 		<header>
-			<div class=title>{% block title %}(page title){% endblock %}</div>
+			<div class=title>{% block title %}<h1>Planète Casio</h1>{% endblock %}</div>
    	 	{% include "base/header.html" %}
    	</header>
 

app/utils/validators.py

@@ -3,11 +3,12 @@ from wtforms.validators import ValidationError
 from app.models.users import User, Member
 
 def name(form, name):
+    if not User.valid_name(name.data):
+        raise ValidationError("Nom d'utilisateur invalide.")
+    # last check: do not ask db if useless
     member = Member.query.filter_by(name=name.data).first()
     if member is not None:
         raise ValidationError('Pseudo indisponible.')
-    if not User.valid_name(name.data):
-        raise ValidationError("Nom d'utilisateur invalide.")
 
 def email(form, email):
     member = Member.query.filter_by(email=email.data).first()

assets/privs.txt

@@ -36,6 +36,5 @@ Miscellaenous:
   community-login          Automatically login as a community account
 
 Administration panel:
-  admin-panel              Access administration panel (read-only as it is)
   edt-account              Edit details of any account
   delete-account           Remove member accounts

config.py

@@ -13,5 +13,7 @@ class V5Config(object):
     PRIVS_MAXLEN = 64
     # Forbidden user names
     FORBIDDEN_USERNAMES = [ "admin", "root", "webmaster", "contact" ]
+    # Forbidden chars in user names (regex)
+    FORBIDDEN_CHARS_USERNAMES = r"[/]"
     # Unauthorized message (@priv_required)
     UNAUTHORIZED_MSG = "Vous n'avez pas l'autorisation d'effectuer cette action !"