From 0c4f0f6748aac83b47d25f5f0e0e41d18a64e0ad Mon Sep 17 00:00:00 2001 From: Dark-Storm Date: Mon, 11 Feb 2019 00:15:09 +0100 Subject: [PATCH] =?UTF-8?q?Modifications=20en=20vrac=20Dans=20User.valid?= =?UTF-8?q?=5Fname,=20ajout=20de=20caract=C3=A8res=20non=20autoris=C3=A9s.?= =?UTF-8?q?=20Voir=20#19=20pour=20faire=20quelque=20chose=20de=20vraiment?= =?UTF-8?q?=20propre=20et=20safe.=20Dans=20privs,=20j'ai=20shoot=C3=A9=20d?= =?UTF-8?q?es=20r=C3=A8gles=20en=20double.=20R=C3=A9percussion=20sur=20les?= =?UTF-8?q?=20autres=20routes.=20Ajout=20du=20champ=20username=20dans=20le?= =?UTF-8?q?=20formulaire=20admin=20de=20modif=20d'un=20compte.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/forms/account.py | 1 + app/models/users.py | 21 +++++++++++++++------ app/routes/admin.py | 5 +++-- app/templates/admin/edit_account.html | 7 +++++++ app/templates/base/base.html | 2 +- app/utils/validators.py | 5 +++-- assets/privs.txt | 1 - config.py | 2 ++ 8 files changed, 32 insertions(+), 12 deletions(-) diff --git a/app/forms/account.py b/app/forms/account.py index a700f76..f965237 100644 --- a/app/forms/account.py +++ b/app/forms/account.py @@ -33,6 +33,7 @@ class DeleteAccountForm(FlaskForm): class AdminUpdateAccountForm(FlaskForm): + username = StringField('Pseudonyme', validators=[DataRequired(), vd.name]) avatar = FileField('Avatar', validators=[Optional(), vd.avatar]) email = StringField('Adresse Email', validators=[Optional(), Email(), vd.email]) password = PasswordField('Mot de passe :', validators=[Optional(), vd.password]) diff --git a/app/models/users.py b/app/models/users.py index 806ae5e..91d90b9 100644 --- a/app/models/users.py +++ b/app/models/users.py 
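Review bot: The new `username` field pairs `DataRequired()` with `vd.name`, and `vd.name` (validators.py hunk, same patch) raises 'Pseudo indisponible.' whenever any Member already has that name — so an admin who re-enters the account's current name is rejected, and one who leaves the field blank fails DataRequired; every edit of any other field now forces a rename. The neighbouring avatar, email and password fields all use `Optional()`; username should too, `username = StringField('Pseudonyme', validators=[Optional(), vd.name])`, and the availability check needs a way to exclude the account being edited (for instance comparing the found `member.id` with the id being edited), which `vd.name` cannot do today since it only receives the form and the field. AdminUpdateAccountForm's body continues past the hunk.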
@@ -35,25 +35,34 @@ class User(UserMixin, db.Model): def valid_name(name): """ Checks whether a string is a valid user name. The criteria are: - 1. No whitespace-class character - 2. At least one letter - 3. At least 3 characters and no longer than 32 characters + 1. At least 3 characters and no longer than 32 characters + 2. No whitespace-class character + 3. No special chars + 4. At least one letter + 5. Not in forbidden usernames Possibily other intresting criteria: - 4. Unicode restriction + 6. Unicode restriction """ + # Rule 1 if type(name) != str or len(name) < 3 or len(name) > 32: return False - if name in V5Config.FORBIDDEN_USERNAMES: - return False + # Rule 2 # Reject all Unicode whitespaces. This is important to avoid the most # common Unicode tricks! if re.search(r'\s', name) is not None: return False + # Rule 3 + if re.search(V5Config.FORBIDDEN_CHARS_USERNAMES, name) is not None: + return False + # Rule 4 # There must be at least one letter (avoid complete garbage) if re.search(r'\w', name) is None: return False + # Rule 5 + if name in V5Config.FORBIDDEN_USERNAMES: + return False return True diff --git a/app/routes/admin.py b/app/routes/admin.py index 070b46a..ccd22f0 100644 --- a/app/routes/admin.py +++ b/app/routes/admin.py @@ -10,7 +10,7 @@ from app.utils.render import render from app import app, db @app.route('/admin', methods=['GET', 'POST']) -@priv_required('admin-panel') +@priv_required('access-admin-board') def adm(): return render('admin/index.html') @@ -45,7 +45,7 @@ default_groups = [ ] @app.route('/admin/groups', methods=['GET', 'POST']) -@priv_required('admin-manel') +@priv_required('access-admin-board') def adm_groups(): class GroupRegenerationForm(FlaskForm): submit = SubmitField('Régénérer les groupes, privilèges, et comptes communs') 
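Review bot: Rule 5 is an exact, case-sensitive membership test, so `Admin`, `ADMIN` or `rOOt` pass while only `admin` is rejected; since the list exists to stop impersonation of staff or system accounts, compare a normalised form, `if name.casefold() in V5Config.FORBIDDEN_USERNAMES: return False` (the config.py entries are all lowercase). Rule 4 does not do what its comment and the docstring say either: in a Python 3 str pattern `\w` matches digits and underscore as well as letters, so `12345` or `___` satisfy "at least one letter"; `if re.search(r'[^\W\d_]', name) is None: return False` matches letters only. Zero-width and other format characters (U+200B, U+FEFF) are not `\s` and still pass Rule 2; that belongs with the Unicode restriction the docstring defers to #19, but it is worth a comment on Rule 2 so nobody assumes the whitespace check covers invisible characters.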
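Review bot: Correcting the misspelled privilege on adm_groups changes who can reach it: `'admin-manel'` presumably matched no granted privilege at all, whereas `'access-admin-board'` is the same privilege that gates the index page at `/admin` in the hunk above, so anyone who can view the panel can now submit GroupRegenerationForm's 'Régénérer les groupes, privilèges, et comptes communs' action. Regenerating groups, privileges and community accounts rewrites the authorization data itself and deserves its own entry in assets/privs.txt, e.g. `@priv_required('regenerate-groups')`, rather than the board-access privilege — the privs.txt line this patch removes described panel access as read-only. adm_groups's body continues past the hunk.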
@@ -113,6 +113,7 @@ def adm_edit_account(user_id): f = form.avatar.data f.save("./app/static/"+user.avatar) user.update( + name = form.username.data or None, email = form.email.data or None, password = form.password.data or None, birthday = form.birthday.data, diff --git a/app/templates/admin/edit_account.html b/app/templates/admin/edit_account.html index f7ca4b0..f743d81 100644 --- a/app/templates/admin/edit_account.html +++ b/app/templates/admin/edit_account.html @@ -17,6 +17,13 @@ {{ form.avatar }} +
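Review bot: `name = form.username.data or None` can never fall back to None because the form declares the field with `DataRequired()`; if the field is later made `Optional()` like the others in this call, passing None to `user.update` would have to mean "keep the current name", so confirm that `update` treats a None name that way rather than clearing the column. The uniqueness of the new name rests entirely on the check-then-act query in `vd.name`, which runs at validation time before this `update`; unless the `name` column carries a UNIQUE constraint (not visible here), two concurrent edits can both pass validation and persist duplicate names. adm_edit_account starts before the hunk.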
+ {{ form.username.label }} + {{ form.username(placeholder=user.name) }} + {% for error in form.username.errors %} + {{ error }} + {% endfor %} +
{{ form.email.label }} {{ form.email(placeholder=user.email) }} diff --git a/app/templates/base/base.html b/app/templates/base/base.html index 4e03c4e..1ff4744 100644 --- a/app/templates/base/base.html +++ b/app/templates/base/base.html @@ -7,7 +7,7 @@
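Review bot: The new username input is rendered with `placeholder=user.name`, so the field submits empty unless the admin retypes the name, and with `DataRequired()` on the form that makes a rename mandatory on every edit; prefill it instead, `{{ form.username(value=user.name) }}` (or set `form.username.data = user.name` on GET in the view, which also survives a failed re-render), so an unchanged form round-trips. Jinja2 autoescaping, which Flask enables for .html templates, escapes `user.name` inside either attribute, so this line introduces no injection path provided autoescape has not been turned off for this template.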
-
{% block title %}(page title){% endblock %}
+
{% block title %}

Planète Casio

{% endblock %}
{% include "base/header.html" %}
diff --git a/app/utils/validators.py b/app/utils/validators.py index 3f58c3b..7a34e5c 100644 --- a/app/utils/validators.py +++ b/app/utils/validators.py @@ -3,11 +3,12 @@ from wtforms.validators import ValidationError from app.models.users import User, Member def name(form, name): + if not User.valid_name(name.data): + raise ValidationError("Nom d'utilisateur invalide.") + # last check: do not ask db if useless member = Member.query.filter_by(name=name.data).first() if member is not None: raise ValidationError('Pseudo indisponible.') - if not User.valid_name(name.data): - raise ValidationError("Nom d'utilisateur invalide.") def email(form, email): member = Member.query.filter_by(email=email.data).first() diff --git a/assets/privs.txt b/assets/privs.txt index 9945a39..16b20f7 100644 --- a/assets/privs.txt +++ b/assets/privs.txt @@ -36,6 +36,5 @@ Miscellaenous: community-login Automatically login as a community account Administration panel: - admin-panel Access administration panel (read-only as it is) edt-account Edit details of any account delete-account Remove member accounts diff --git a/config.py b/config.py index 238124b..2824b8f 100644 --- a/config.py +++ b/config.py @@ -13,5 +13,7 @@ class V5Config(object): PRIVS_MAXLEN = 64 # Forbidden user names FORBIDDEN_USERNAMES = [ "admin", "root", "webmaster", "contact" ] + # Forbidden chars in user names (regex) + FORBIDDEN_CHARS_USERNAMES = r"[/]" # Unauthorized message (@priv_required) UNAUTHORIZED_MSG = "Vous n'avez pas l'autorisation d'effectuer cette action !"
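Review bot: The availability check in `name()` is an exact `filter_by(name=name.data)` lookup, so whether `Admin` counts as taken when `admin` exists depends on the database column's collation, and a name differing only by case or Unicode form (NFKC variants, Latin `a` vs Cyrillic `а`) can be registered beside an existing one and is visually indistinguishable from that member. Normalise before both storing and querying — e.g. `candidate = unicodedata.normalize('NFKC', name.data).casefold()` compared against a stored normalised column — or at minimum query case-insensitively, `Member.query.filter(func.lower(Member.name) == name.data.lower())` (with `from sqlalchemy import func`, if Member is a SQLAlchemy model as `Member.query` suggests). The commit message defers the full Unicode rule to #19, but the case-folding half is cheap to do now; running `valid_name` before the DB query is the right order.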
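Review bot: `FORBIDDEN_CHARS_USERNAMES = r"[/]"` rejects only the slash, so names such as `foo\bar`, `<b>x</b>`, `a@b.c` or `%2F` still pass `User.valid_name`; the reason for singling out `/` is not stated, but if it is because names appear in URLs or paths, the other path- and URL-significant characters (`\`, `?`, `#`, `%`, `..`) deserve the same treatment. A deny-list like this is hard to keep complete; an allow-list, e.g. `FORBIDDEN_CHARS_USERNAMES = r"[^\w.-]"` (reject anything that is not a word character, dot or hyphen), is easier to reason about and drops into the existing `re.search` call unchanged, though dot-only names such as `..` would still need their own check. A one-line comment recording the intent, `# '/' presumably breaks username-in-URL routing; see #19 for the full rule`, would save the next reader from guessing.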