mirror of
https://codeberg.org/catask-org/catask.git
synced 2025-04-19 21:33:41 -05:00
improve blacklist, secure routes, add more routes...
This commit is contained in:
mystie
parent
82c6a8b67b
commit
0a98041a23
1 changed files with 35 additions and 32 deletions
67
app.py
67
app.py
|
|
@ -3,6 +3,7 @@ from flask_compress import Compress
|
|||
from dotenv import load_dotenv
|
||||
from mysql.connector import errorcode
|
||||
from functools import wraps
|
||||
from werkzeug.utils import secure_filename
|
||||
import mysql.connector
|
||||
import urllib
|
||||
import functions as func
|
||||
|
|
@ -79,7 +80,7 @@ def loginRequired(f):
|
|||
@wraps(f)
|
||||
def login_required(*args, **kwargs):
|
||||
if not logged_in:
|
||||
return abort(403)
|
||||
return abort(404)
|
||||
return f(*args, **kwargs)
|
||||
return login_required
|
||||
|
||||
|
|
@ -95,6 +96,8 @@ def before_request():
|
|||
@app.context_processor
|
||||
def inject_stuff():
|
||||
cfg = func.loadJSON(const.configFile)
|
||||
# for 1.6.0 or later
|
||||
# questionCount = getQuestionCount()
|
||||
return dict(metadata=func.generateMetadata(), len=len, str=str, const=const, cfg=cfg, logged_in=logged_in, version_id=const.version_id, version=const.version, appName=const.appName)
|
||||
|
||||
# -- template filters --
|
||||
|
|
@ -256,9 +259,11 @@ def addQuestion():
|
|||
return {'error': 'An error has occurred'}, 500
|
||||
|
||||
blacklist = func.readPlainFile(const.blacklistFile, split=True)
|
||||
if (question in blacklist) or (from_who in blacklist):
|
||||
# return a generic error message so bad actors wouldn't figure out the blacklist
|
||||
return {'error': 'An error has occurred'}, 500
|
||||
|
||||
for bad_word in blacklist:
|
||||
if bad_word in question or bad_word in from_who:
|
||||
# return a generic error message so bad actors wouldn't figure out the blacklist
|
||||
return {'error': 'An error has occurred'}, 500
|
||||
|
||||
conn = func.connectToDb()
|
||||
cursor = conn.cursor()
|
||||
|
|
@ -309,6 +314,7 @@ def returnToInbox():
|
|||
return {'message': 'Successfully returned question to inbox.'}, 200
|
||||
|
||||
@api_bp.route('/pin_question/', methods=['POST'])
|
||||
@loginRequired
|
||||
def pinQuestion():
|
||||
question_id = request.args.get('question_id', '')
|
||||
if not question_id:
|
||||
|
|
@ -323,6 +329,7 @@ def pinQuestion():
|
|||
return {'message': 'Successfully pinned question.'}, 200
|
||||
|
||||
@api_bp.route('/unpin_question/', methods=['POST'])
|
||||
@loginRequired
|
||||
def unpinQuestion():
|
||||
question_id = request.args.get('question_id', '')
|
||||
if not question_id:
|
||||
|
|
@ -363,45 +370,39 @@ def addAnswer():
|
|||
|
||||
return jsonify({'message': 'Answer added successfully!'}), 201
|
||||
|
||||
# reserved for 1.6.0 or later
|
||||
"""
|
||||
@api_bp.route('/question_count/', methods=['GET'])
|
||||
def questionCount():
|
||||
@api_bp.route('/upload_favicon/', methods=['POST'])
|
||||
@loginRequired
|
||||
def uploadFavicon():
|
||||
favicon = request.files.get('favicon')
|
||||
|
||||
if favicon and func.allowedFile(favicon.filename):
|
||||
filename = secure_filename(favicon.filename)
|
||||
favicon_path = const.faviconDir / filename
|
||||
favicon.save(favicon_path)
|
||||
|
||||
func.generateFavicon(filename)
|
||||
|
||||
return {'message': 'Successfully updated favicon!'}, 201
|
||||
elif favicon and not func.allowedFile(favicon.filename):
|
||||
return {'error': 'File type is not supported'}, 400
|
||||
elif not favicon:
|
||||
return {'error': "favicon is not specified"}, 400
|
||||
|
||||
@api_bp.route('/get_question_count/', methods=['GET'])
|
||||
def getQuestionCount():
|
||||
conn = func.connectToDb()
|
||||
cursor = conn.cursor()
|
||||
cursor.execute("SELECT COUNT(*) FROM questions WHERE answered=%s", (False,))
|
||||
cursor.execute("SELECT COUNT(id) FROM questions WHERE answered=%s", (False,))
|
||||
question_count = cursor.fetchone()
|
||||
|
||||
cursor.close()
|
||||
conn.close()
|
||||
return str(question_count[0])
|
||||
"""
|
||||
|
||||
# unused
|
||||
"""
|
||||
@api_bp.route('/all_questions/', methods=['GET'])
|
||||
def listQuestions():
|
||||
answered = request.args.get('answered', False)
|
||||
conn = func.connectToDb()
|
||||
cursor = conn.cursor(dictionary=True)
|
||||
cursor.execute("SELECT id, from_who, creation_date, content, answered, answer_id FROM questions WHERE answered=%s", (answered,))
|
||||
questions = cursor.fetchall()
|
||||
cursor.close()
|
||||
conn.close()
|
||||
return jsonify(questions)
|
||||
|
||||
@api_bp.route('/all_answers/', methods=['GET'])
|
||||
def listAnswers():
|
||||
conn = func.connectToDb()
|
||||
cursor = conn.cursor(dictionary=True)
|
||||
cursor.execute("SELECT id, question_id, creation_date, content FROM answers")
|
||||
answers = cursor.fetchall()
|
||||
cursor.close()
|
||||
conn.close()
|
||||
return jsonify(answers)
|
||||
"""
|
||||
|
||||
@api_bp.route('/view_question/', methods=['GET'])
|
||||
@loginRequired
|
||||
def viewQuestion():
|
||||
question_id = request.args.get('question_id', '')
|
||||
if not question_id:
|
||||
|
|
@ -416,6 +417,7 @@ def viewQuestion():
|
|||
return jsonify(question)
|
||||
|
||||
@api_bp.route('/view_answer/', methods=['GET'])
|
||||
@loginRequired
|
||||
def viewAnswer():
|
||||
answer_id = request.args.get('answer_id', '')
|
||||
if not answer_id:
|
||||
|
|
@ -428,6 +430,7 @@ def viewAnswer():
|
|||
cursor.close()
|
||||
conn.close()
|
||||
return jsonify(answer)
|
||||
"""
|
||||
|
||||
@api_bp.route('/update_config/', methods=['POST'])
|
||||
@loginRequired
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue