2019-06-07 01:44:04 +02:00
|
|
|
from flask import request, flash, redirect, url_for
|
2019-06-06 23:24:14 +02:00
|
|
|
from app.utils.priv_required import priv_required
|
2020-08-06 21:19:01 +02:00
|
|
|
from app.models.trophy import Trophy, Title
|
|
|
|
from app.forms.trophy import TrophyForm, DeleteTrophyForm
|
2019-06-06 23:24:14 +02:00
|
|
|
from app.utils.render import render
|
|
|
|
from app import app, db
|
|
|
|
|
|
|
|
|
2019-12-16 23:57:50 +01:00
|
|
|
@app.route('/admin/trophees', methods=['GET', 'POST'])
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
@priv_required('misc.admin-panel', 'edit.trophies')
|
2019-06-06 23:24:14 +02:00
|
|
|
def adm_trophies():
|
2019-06-07 01:44:04 +02:00
|
|
|
form = TrophyForm()
|
2019-06-06 23:24:14 +02:00
|
|
|
if request.method == "POST":
|
|
|
|
if form.validate_on_submit():
|
2019-06-11 00:15:23 +02:00
|
|
|
is_title = form.title.data
|
2019-06-07 01:44:04 +02:00
|
|
|
if is_title:
|
2020-07-20 19:35:05 +02:00
|
|
|
trophy = Title(form.name.data, form.desc.data,
|
|
|
|
form.hidden.data, form.css.data)
|
2019-06-06 23:24:14 +02:00
|
|
|
else:
|
2020-07-20 19:35:05 +02:00
|
|
|
trophy = Trophy(form.name.data, form.desc.data,
|
|
|
|
form.hidden.data)
|
2019-06-06 23:24:14 +02:00
|
|
|
db.session.add(trophy)
|
|
|
|
db.session.commit()
|
2019-06-07 01:44:04 +02:00
|
|
|
flash(f'Nouveau {["trophée", "titre"][is_title]} ajouté', 'ok')
|
2019-06-06 23:24:14 +02:00
|
|
|
else:
|
|
|
|
flash('Erreur lors de la création du trophée', 'error')
|
|
|
|
|
|
|
|
trophies = Trophy.query.all()
|
|
|
|
return render('admin/trophies.html', trophies=trophies,
|
|
|
|
form=form)
|
2019-06-07 01:44:04 +02:00
|
|
|
|
|
|
|
|
2019-12-16 23:57:50 +01:00
|
|
|
@app.route('/admin/trophees/<trophy_id>/editer', methods=['GET', 'POST'])
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
@priv_required('misc.admin-panel', 'edit.trophies')
|
2019-06-07 01:44:04 +02:00
|
|
|
def adm_edit_trophy(trophy_id):
|
|
|
|
trophy = Trophy.query.filter_by(id=trophy_id).first_or_404()
|
|
|
|
|
|
|
|
form = TrophyForm()
|
|
|
|
if request.method == "POST":
|
|
|
|
if form.validate_on_submit():
|
|
|
|
is_title = form.title.data != ""
|
|
|
|
if is_title:
|
|
|
|
trophy.name = form.name.data
|
2020-07-20 19:35:05 +02:00
|
|
|
trophy.description = form.desc.data
|
2019-06-07 01:44:04 +02:00
|
|
|
trophy.title = form.title.data
|
2020-07-20 19:35:05 +02:00
|
|
|
trophy.hidden = form.hidden.data
|
2019-06-07 01:44:04 +02:00
|
|
|
trophy.css = form.css.data
|
|
|
|
else:
|
|
|
|
trophy.name = form.name.data
|
2020-07-20 19:35:05 +02:00
|
|
|
trophy.description = form.desc.data
|
|
|
|
trophy.hidden = form.hidden.data
|
2019-06-07 01:44:04 +02:00
|
|
|
db.session.merge(trophy)
|
|
|
|
db.session.commit()
|
|
|
|
flash(f'{["Trophée", "Titre"][is_title]} modifié', 'ok')
|
|
|
|
return redirect(url_for('adm_trophies'))
|
|
|
|
else:
|
|
|
|
flash('Erreur lors de la création du trophée', 'error')
|
|
|
|
return render('admin/edit_trophy.html', trophy=trophy, form=form)
|
|
|
|
|
|
|
|
|
2019-12-16 23:57:50 +01:00
|
|
|
@app.route('/admin/trophees/<trophy_id>/supprimer', methods=['GET', 'POST'])
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
@priv_required('misc.admin-panel', 'edit.trophies')
|
2019-06-07 01:44:04 +02:00
|
|
|
def adm_delete_trophy(trophy_id):
|
|
|
|
trophy = Trophy.query.filter_by(id=trophy_id).first_or_404()
|
|
|
|
|
|
|
|
# TODO: Add an overview of what will be deleted.
|
|
|
|
del_form = DeleteTrophyForm()
|
|
|
|
if request.method == "POST":
|
|
|
|
if del_form.validate_on_submit():
|
2021-07-07 21:23:35 +02:00
|
|
|
trophy.delete()
|
2019-06-07 01:44:04 +02:00
|
|
|
db.session.commit()
|
|
|
|
flash('Trophée supprimé', 'ok')
|
|
|
|
return redirect(url_for('adm_trophies'))
|
|
|
|
else:
|
|
|
|
flash('Erreur lors de la suppression du trophée', 'error')
|
2019-06-07 19:48:12 +02:00
|
|
|
del_form.delete.data = False # Force to tick to delete the trophy
|
2019-06-07 01:44:04 +02:00
|
|
|
return render('admin/delete_trophy.html', trophy=trophy, del_form=del_form)
|