1
0
mirror of https://github.com/spl0k/supysonic.git synced 2024-12-23 01:16:18 +00:00

Check when uid param isn't me

This commit is contained in:
Óscar García Amor 2017-07-27 10:06:51 +02:00
parent 97fb5232e5
commit fe5e966dbc

View File

@ -45,10 +45,10 @@ def user_profile(uid):
prefs = store.find(ClientPrefs, ClientPrefs.user_id == uuid.UUID(session.get('userid'))) prefs = store.find(ClientPrefs, ClientPrefs.user_id == uuid.UUID(session.get('userid')))
return render_template('profile.html', user = UserManager.get(store, session.get('userid'))[1], api_key = config.get('lastfm', 'api_key'), clients = prefs, admin = UserManager.get(store, session.get('userid'))[1].admin) return render_template('profile.html', user = UserManager.get(store, session.get('userid'))[1], api_key = config.get('lastfm', 'api_key'), clients = prefs, admin = UserManager.get(store, session.get('userid'))[1].admin)
else: else:
if not UserManager.get(store, session.get('userid'))[1].admin: if not UserManager.get(store, session.get('userid'))[1].admin or UserManager.get(store, uid)[0] in (UserManager.INVALID_ID, UserManager.NO_SUCH_USER):
return redirect(url_for('index')) return redirect(url_for('index'))
prefs = store.find(ClientPrefs, ClientPrefs.user_id == uuid.UUID(uid)) prefs = store.find(ClientPrefs, ClientPrefs.user_id == uuid.UUID(uid))
return render_template('profile.html', user = UserManager.get(store, uuid.UUID(uid))[1], api_key = config.get('lastfm', 'api_key'), clients = prefs, admin = UserManager.get(store, session.get('userid'))[1].admin) return render_template('profile.html', user = UserManager.get(store, uid)[1], api_key = config.get('lastfm', 'api_key'), clients = prefs, admin = UserManager.get(store, session.get('userid'))[1].admin)
@app.route('/user/<uid>', methods = [ 'POST' ]) @app.route('/user/<uid>', methods = [ 'POST' ])
def update_clients(uid): def update_clients(uid):
@ -60,7 +60,7 @@ def update_clients(uid):
if uid == 'me': if uid == 'me':
userid = uuid.UUID(session.get('userid')) userid = uuid.UUID(session.get('userid'))
else: else:
if not UserManager.get(store, session.get('userid'))[1].admin: if not UserManager.get(store, session.get('userid'))[1].admin or UserManager.get(store, uid)[0] in (UserManager.INVALID_ID, UserManager.NO_SUCH_USER):
return redirect(url_for('index')) return redirect(url_for('index'))
userid = uuid.UUID(uid) userid = uuid.UUID(uid)
@ -79,9 +79,9 @@ def update_clients(uid):
@app.route('/user/<uid>/changeusername', methods = [ 'GET', 'POST' ]) @app.route('/user/<uid>/changeusername', methods = [ 'GET', 'POST' ])
def change_username(uid): def change_username(uid):
if not UserManager.get(store, session.get('userid'))[1].admin: if not UserManager.get(store, session.get('userid'))[1].admin or UserManager.get(store, uid)[0] in (UserManager.INVALID_ID, UserManager.NO_SUCH_USER):
return redirect(url_for('index')) return redirect(url_for('index'))
user = UserManager.get(store, uuid.UUID(uid))[1] user = UserManager.get(store, uid)[1]
if request.method == 'POST': if request.method == 'POST':
username = request.form.get('user') username = request.form.get('user')
if username in ('', None): if username in ('', None):
@ -109,9 +109,9 @@ def change_mail(uid):
if uid == 'me': if uid == 'me':
user = UserManager.get(store, session.get('userid'))[1] user = UserManager.get(store, session.get('userid'))[1]
else: else:
if not UserManager.get(store, session.get('userid'))[1].admin: if not UserManager.get(store, session.get('userid'))[1].admin or UserManager.get(store, uid)[0] in (UserManager.INVALID_ID, UserManager.NO_SUCH_USER):
return redirect(url_for('index')) return redirect(url_for('index'))
user = UserManager.get(store, uuid.UUID(uid))[1] user = UserManager.get(store, uid)[1]
if request.method == 'POST': if request.method == 'POST':
mail = request.form.get('mail') mail = request.form.get('mail')
# No validation, lol. # No validation, lol.
@ -126,9 +126,9 @@ def change_password(uid):
if uid == 'me': if uid == 'me':
user = UserManager.get(store, session.get('userid'))[1].name user = UserManager.get(store, session.get('userid'))[1].name
else: else:
if not UserManager.get(store, session.get('userid'))[1].admin: if not UserManager.get(store, session.get('userid'))[1].admin or UserManager.get(store, uid)[0] in (UserManager.INVALID_ID, UserManager.NO_SUCH_USER):
return redirect(url_for('index')) return redirect(url_for('index'))
user = UserManager.get(store, uuid.UUID(uid))[1].name user = UserManager.get(store, uid)[1].name
if request.method == 'POST': if request.method == 'POST':
current, new, confirm = map(request.form.get, [ 'current', 'new', 'confirm' ]) current, new, confirm = map(request.form.get, [ 'current', 'new', 'confirm' ])
error = False error = False
@ -250,9 +250,9 @@ def lastfm_reg(uid):
if uid == 'me': if uid == 'me':
lfm = LastFm(UserManager.get(store, session.get('userid'))[1], app.logger) lfm = LastFm(UserManager.get(store, session.get('userid'))[1], app.logger)
else: else:
if not UserManager.get(store, session.get('userid'))[1].admin: if not UserManager.get(store, session.get('userid'))[1].admin or UserManager.get(store, uid)[0] in (UserManager.INVALID_ID, UserManager.NO_SUCH_USER):
return redirect(url_for('index')) return redirect(url_for('index'))
lfm = LastFm(UserManager.get(store, uuid.UUID(uid))[1], app.logger) lfm = LastFm(UserManager.get(store, uid)[1], app.logger)
status, error = lfm.link_account(token) status, error = lfm.link_account(token)
store.commit() store.commit()
flash(error if not status else 'Successfully linked LastFM account') flash(error if not status else 'Successfully linked LastFM account')
@ -264,9 +264,9 @@ def lastfm_unreg(uid):
if uid == 'me': if uid == 'me':
lfm = LastFm(UserManager.get(store, session.get('userid'))[1], app.logger) lfm = LastFm(UserManager.get(store, session.get('userid'))[1], app.logger)
else: else:
if not UserManager.get(store, session.get('userid'))[1].admin: if not UserManager.get(store, session.get('userid'))[1].admin or UserManager.get(store, uid)[0] in (UserManager.INVALID_ID, UserManager.NO_SUCH_USER):
return redirect(url_for('index')) return redirect(url_for('index'))
lfm = LastFm(UserManager.get(store, uuid.UUID(uid))[1], app.logger) lfm = LastFm(UserManager.get(store, uid)[1], app.logger)
lfm.unlink_account() lfm.unlink_account()
store.commit() store.commit()
flash('Unliked LastFM account') flash('Unliked LastFM account')