From f6be314ed7dd55f697c2a65d9cb8b80640ce5172 Mon Sep 17 00:00:00 2001
From: Darks
Date: Wed, 4 Dec 2019 12:22:16 +0100
Subject: [PATCH] =?UTF-8?q?Correction=20d'une=20m=C3=A9ga=20faille=20de=20?= =?UTF-8?q?s=C3=A9cu=20Ajout=20d'un=20fail-safe=20si=20la=20cl=C3=A9=20est?= =?UTF-8?q?=20celle=20par=20d=C3=A9faut?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/__init__.py | 4 ++++
 config.py | 14 ++++++++++++--
 local_config.py.default | 1 +
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/app/__init__.py b/app/__init__.py
index 2d20ff9..4f19735 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -8,6 +8,10 @@ import time
 app = Flask(__name__)
 app.config.from_object(Config)
+# Check security of secret
+if Config.SECRET_KEY == "a-random-secret-key":
+ raise Exception("Please use a strong secret key!")
+
 db = SQLAlchemy(app)
 migrate = Migrate(app, db)
diff --git a/config.py b/config.py
index 1501d3b..892ccd5 100644
--- a/config.py
+++ b/config.py
@@ -1,14 +1,16 @@
 import os
 import datetime
-from local_config import DB_NAME
+from local_config import DB_NAME, SECRET_KEY
 class Config(object):
- SECRET_KEY = os.environ.get('SECRET_KEY') or 'a-random-secret-key'
+ SECRET_KEY = os.environ.get('SECRET_KEY') or SECRET_KEY
 SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URL') or \
 'postgresql+psycopg2://' + os.environ.get('USER') + ':@/' + DB_NAME
 SQLALCHEMY_TRACK_MODIFICATIONS = False
 UPLOAD_FOLDER = './app/static/avatars'
+ SESSION_COOKIE_SECURE = True
+ REMEMBER_COOKIE_SECURE = True
 class V5Config(object):
@@ -27,3 +29,11 @@ class V5Config(object):
 THREAD_NAME_MAXLEN = 32
 # Remember-me cookie duration time
 REMEMBER_COOKIE_DURATION = datetime.timedelta(days=7)
+ # XP points for content posting (and deletion)
+ XP_POINTS = {
+ 'topic': 2,
+ 'program': 5,
+ 'tutorial': 5,
+ 'comment': 1,
+ 'contest': 10,
+ }
diff --git a/local_config.py.default b/local_config.py.default
index b6dfff2..e21a830 100644
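Review bot: The guard added in `app/__init__.py` rejects only the one literal `"a-random-secret-key"`, so an empty, `None` or trivially short key coming from `local_config.py` or the environment still lets the app start. Consider `if not Config.SECRET_KEY or Config.SECRET_KEY == "a-random-secret-key":` and raising `RuntimeError` instead of a bare `Exception`, with a message that says where the key is configured. The placeholder string is now duplicated here and in `local_config.py.default`; a single shared constant would keep the two from drifting apart. Because the previous default was committed in `config.py`, session and remember-me cookies signed with it should be treated as forgeable until each deployment has rotated its key.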
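Review bot: The cookie hardening added to `Config` sets only the `Secure` flag; the remember-me cookie's HttpOnly flag and the session cookie's SameSite policy are left at library defaults, and depending on the Flask-Login version in use the remember-me cookie may be readable from scripts. I would add `REMEMBER_COOKIE_HTTPONLY = True` and `SESSION_COOKIE_SAMESITE = 'Lax'` next to the two new lines. Separately, `from local_config import DB_NAME, SECRET_KEY` makes every existing `local_config.py` that lacks a `SECRET_KEY` fail with a plain `ImportError` at startup; that fails closed, but a comment such as `# SECRET_KEY must be defined in local_config.py (see local_config.py.default)` above the import would tell the operator what to do.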
--- a/local_config.py.default
+++ b/local_config.py.default
@@ -2,3 +2,4 @@ DB_NAME = "pcv5"
 USE_LDAP = False
 LDAP_PASSWORD = "openldap"
 LDAP_ORGANIZATION = "o=planet-casio"
+SECRET_KEY = "a-random-secret-key" # CHANGE THIS VALUE *NOW*
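Review bot: The comment on the new `SECRET_KEY` line tells the operator to change the value but not how to produce a suitable one. I would extend it to something like `# CHANGE THIS VALUE *NOW*, e.g. python -c "import secrets; print(secrets.token_hex(32))"`, so the replacement is long and random rather than hand-typed. It is also worth stating in this template that the real `local_config.py` must stay out of version control; whether it is already ignored is not visible from this patch.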